[squid-users] Help with UA filtering in https connections

Alex Rousskov rousskov at measurement-factory.com
Thu Dec 28 23:18:18 UTC 2017


On 12/28/2017 03:59 PM, squidnoob wrote:

> Here are my goals:
> - I only want a handful of domains to be accessible.
> - I want to allow certain UAs to bypass the whitelist rules.

Since you appear to have full control over the environment, have you
tried bumping everything and applying your access rules to bumped (or
plain) traffic?


  # bump everything
  ssl_bump stare all
  ssl_bump bump all

  # delay filtering decisions until we get to bumped requests
  http_access allow CONNECT toSafePorts
  http_access deny CONNECT

  # filter plain and bumped requests
  http_access allow certainUserAgents
  http_access allow handfulOfDomains
  http_access deny all


The above allows all (safe) CONNECTs in case some CONNECT requests do
not have User-Agent headers or lack other details important for your
certainUserAgents and handfulOfDomains ACLs. Since you are bumping all
those allowed CONNECTs and validating all "real" requests inside bumped
tunnels, allowing all (safe) CONNECTs does not contradict your goals AFAICT.


HTH,

Alex.
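
The rule order in the configuration above can be traced with a small first-match model. This is an added example, not part of the original message and not Squid code; the ACL contents (port 443, the TrustedAgent/ prefix, example.com) are constructed placeholders for the ACL names used in the post.

```python
# Simplified model of first-match http_access evaluation (not Squid code).
# ACL contents are constructed placeholders for the names used in the post.
SAFE_PORTS = {443}                        # toSafePorts (assumed)
ALLOWED_UA_PREFIXES = ("TrustedAgent/",)  # certainUserAgents (assumed)
ALLOWED_DOMAINS = ("example.com",)        # handfulOfDomains (assumed)

def is_connect(r):
    return r["method"] == "CONNECT"

def to_safe_ports(r):
    return r["port"] in SAFE_PORTS

def certain_user_agents(r):
    ua = r.get("user_agent")              # a missing header never matches
    return ua is not None and ua.startswith(ALLOWED_UA_PREFIXES)

def handful_of_domains(r):
    host = r["host"].lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def match_all(r):
    return True

# Same order as the http_access lines in the post; ACLs on one line are ANDed.
RULES = [
    ("allow", [is_connect, to_safe_ports]),
    ("deny",  [is_connect]),
    ("allow", [certain_user_agents]),
    ("allow", [handful_of_domains]),
    ("deny",  [match_all]),
]

def http_access(request):
    """Return the action of the first rule whose ACLs all match."""
    for action, acls in RULES:
        if all(acl(request) for acl in acls):
            return action
    return "deny"  # not reached: the final "deny all" rule always matches

def req(method, host, port, user_agent=None):
    return {"method": method, "host": host, "port": port, "user_agent": user_agent}

if __name__ == "__main__":
    samples = [  # constructed requests: two CONNECTs, then requests seen after bumping
        req("CONNECT", "other.example.net", 443),
        req("CONNECT", "example.com", 25, "TrustedAgent/1.0"),
        req("GET", "www.example.com", 443, "Mozilla/5.0"),
        req("GET", "other.example.net", 443, "TrustedAgent/1.0"),
        req("GET", "other.example.net", 443, "Mozilla/5.0"),
    ]
    for s in samples:
        print(s["method"], s["host"], s["port"], s["user_agent"], "->", http_access(s))
```

A CONNECT to a safe port is allowed even with no User-Agent and a non-whitelisted host, because the real decision is made on the requests seen inside the bumped tunnel.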

