[squid-users] block user agent

Vieri rentorbuy at yahoo.com
Thu Nov 16 10:53:25 UTC 2017


________________________________
From: Amos Jeffries <squid3 at treenet.co.nz>
>
> If you are decrypting the traffic, then it works as I said exactly the 
> same as for HTTP messages.
>
> If you are not decrypting the traffic, but receiving forward-proxy 
> traffic then you are probably blocking the CONNECT messages that set up 
> tunnels for HTTPS - it has a User-Agent header *if* it was generated by 
> a UA instead of an intermediary like Squid.


So I would need to allow CONNECT messages.
Something like:
http_access allow CONNECT allowed_useragent

Anyway, I'm not sure what "decrypting the traffic" implies. If I want an ssl-bumped setup to fully handle all HTTPS connections, and be able to detect the user-agent on https connections, how should I configure Squid? Should I allow all CONNECT messages?

> AFAIK that feature is part of a different regex grammar than the one 
> Squid uses.


I think I read something about Squid being built with a user-defined regex grammar/lib. Anyway, I take it it's not feasible for now.

> PS. you do know the UA strings of modern browsers all reference each 
> other right?  "Chrome like-Gecko like Firefox" etc.


Yes, but... We require IE for some Intranet apps, and Firefox for other Extranet apps.
We can set a custom user agent string for the Firefox browser. We also have other http user agents with customized UA strings. So we're 99% sure that all browser clients going through Squid will be tagged correctly. That's the reason why I would prefer to "deny all user agents" except one ("my custom UA string"). Most users will not try to tamper with this.
I do not want to "allow all except a list of substrings" because it would be a nightmare.

Vieri
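
An added squid.conf example, not from either poster or the Squid project, showing one way to combine a User-Agent allow-list with SSL-Bump: CONNECT is allowed without the User-Agent test, since it may not carry the header, and the test is applied to every other request, including those decrypted by bumping. It assumes Squid 3.5-style syntax; the ACL names `localnet` and `SSL_ports`, the network range, the UA string and the certificate path are constructed placeholders.

```conf
# Constructed example: names, addresses, UA string and paths are assumptions.

# Forward-proxy port with SSL-Bump enabled. The CA certificate and the
# certificate-generation helper database are assumed to exist already.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on

acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT

# "browser" ACLs are regular expressions matched against the User-Agent header.
acl allowed_useragent browser ^MyCustomUA/1\.0$

# Peek at the TLS client hello first, then decrypt (bump) the connection.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Never tunnel to non-TLS ports.
http_access deny CONNECT !SSL_ports

# The CONNECT that sets up the tunnel only has a User-Agent header if a UA
# generated it, so it is allowed here without the User-Agent test.
http_access allow CONNECT localnet

# Plain HTTP requests and the requests decrypted inside bumped tunnels are
# not CONNECT, so they reach this rule and must match the allowed UA string.
http_access allow localnet allowed_useragent

http_access deny all
```

With these rules a client whose decrypted requests carry a different User-Agent still gets its tunnel set up, but each request inside it is denied by the final `http_access deny all`.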

