[squid-users] block user agent

Vieri rentorbuy at yahoo.com
Thu Nov 16 08:29:08 UTC 2017


________________________________
From: Amos Jeffries <squid3 at treenet.co.nz>
>
>> The following works:
>> 
>> acl denied_useragent browser Chrome
>> acl denied_useragent browser MSIE
>> acl denied_useragent browser Opera
>> acl denied_useragent browser Trident
>> [...]
>> http_access deny denied_useragent
>> http_reply_access deny denied_useragent
>> deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent
>> 
>> The following works for HTTP sites, but not for HTTPS sites in an ssl-bumped setup:
>> 
>> acl allowed_useragent browser Firefox/
>> [...]
>> http_access deny !allowed_useragent
>> deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=allowed_useragent allowed_useragent
>>
> The User-Agent along with all HTTP layer details in HTTPS are hidden 
> behind the encryption layer. TO do anything with them you must decrypt 
> the traffic first. If you can decrypt it turns into regular HTTP traffic 
> - the normal access controls should then work as-is.


So why does my first example actually work even for https sites?

acl denied_useragent browser Chrome
acl denied_useragent browser MSIE
acl denied_useragent browser Opera
acl denied_useragent browser Trident
[...]
http_access deny denied_useragent
http_reply_access deny denied_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent

If the above "works" then another way would be to use a negated regular expression such as:
acl denied_useragent browser (?!Firefox)
but I don't think it's allowed.

Vieri


More information about the squid-users mailing list