[squid-users] block user agent
Vieri
rentorbuy at yahoo.com
Thu Nov 16 08:29:08 UTC 2017
________________________________
From: Amos Jeffries <squid3 at treenet.co.nz>
>
>> The following works:
>>
>> acl denied_useragent browser Chrome
>> acl denied_useragent browser MSIE
>> acl denied_useragent browser Opera
>> acl denied_useragent browser Trident
>> [...]
>> http_access deny denied_useragent
>> http_reply_access deny denied_useragent
>> deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent
>>
>> The following works for HTTP sites, but not for HTTPS sites in an ssl-bumped setup:
>>
>> acl allowed_useragent browser Firefox/
>> [...]
>> http_access deny !allowed_useragent
>> deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=allowed_useragent allowed_useragent
>>
> The User-Agent along with all HTTP layer details in HTTPS are hidden
> behind the encryption layer. TO do anything with them you must decrypt
> the traffic first. If you can decrypt it turns into regular HTTP traffic
> - the normal access controls should then work as-is.
So why does my first example actually work even for https sites?
acl denied_useragent browser Chrome
acl denied_useragent browser MSIE
acl denied_useragent browser Opera
acl denied_useragent browser Trident
[...]
http_access deny denied_useragent
http_reply_access deny denied_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent
If the above "works" then another way would be to use a negated regular expression such as:
acl denied_useragent browser (?!Firefox)
but I don't think it's allowed.
Vieri
More information about the squid-users
mailing list