[squid-users] Help with UA filtering in https connections
Alex Rousskov
rousskov at measurement-factory.com
Thu Dec 28 23:18:18 UTC 2017
On 12/28/2017 03:59 PM, squidnoob wrote:
> Here are my goals:
> - i only want a handful of domains to be accessible.
> - i want to allow certain UA's to bypass the whitelist rules.
Since you appear to have full control over the environment, have you
tried bumping everything and applying your access rules to bumped (or
plain) traffic?
# bump everything
ssl_bump stare all
ssl_bump bump all
# delay filtering decisions until we get to bumped requests
http_access allow CONNECT toSafePorts
http_access deny CONNECT
# filter plain and bumped requests
http_access allow certainUserAgents
http_access allow handfulOfDomains
http_access deny all
The above allows all (safe) CONNECTs in case some CONNECT requests do
not have User-Agent headers or lack other details important for your
certainUserAgents and handfulOfDomains ACLs. Since you are bumping all
those allowed CONNECTs and validating all "real" requests inside bumped
tunnels, allowing all (safe) CONNECTs does not contradict your goals AFAICT.
HTH,
Alex.
More information about the squid-users
mailing list