[squid-users] Youtube "challenges"
Steve Hill
steve at opendium.com
Thu Feb 25 14:45:18 UTC 2016
On 25/02/16 03:52, Darren wrote:
> The user visits a page on my server with the YouTube links. Visiting
> this page triggers a state based ACL (something like the captive portal
> login).
>
> The user then clicks a YouTube link and squid checks this ACL to see if
> the user is originating the request from my local page and if it is,
> allows the splice to YouTube and the video can play.
Squid can't tell that the requests were referred by your page - the
iframe itself may have your page as the referrer (although that
certainly isn't guaranteed), but the objects that are referred within
that iframe won't have a useful referrer string.
You could dynamically create an ACL that allows the whole of youtube
when the user has your page open, but that is fairly insecure since they
could just open the page and then they would be allowed to access
anything through youtube.
In my experience (and this is what we do), to be at all secure you have
to analyse the page itself in order to figure out which specific URIs to
whitelist (or at least, have those URIs hard-coded somewhere else).
Either way, YouTube uses https, so unless you're going to blindly allow
the whole of youtube whenever a user visits your page, you're going to
need to ssl bump the requests in order to have an ACL based on the
referrer and path. And as you know, ssl bumping involves sticking a
certificate on each device.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Support contacts:
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
More information about the squid-users
mailing list