[squid-users] block user agent
Vieri
rentorbuy at yahoo.com
Thu Nov 16 10:53:25 UTC 2017
________________________________
From: Amos Jeffries <squid3 at treenet.co.nz>
>
> If you are decrypting the traffic, then it works as I said exactly the
> same as for HTTP messages.
>
> If you are not decrypting the traffic, but receiving forward-proxy
> traffic then you are probably blocking the CONNECT messages that setup
> tunnels for HTTPS - it has a User-Agent header *if* it was generated by
> a UA instead of an intermediary like Squid.

So I would need to allow CONNECT messages.
Something like:

http_access allow CONNECT allowed_useragent

Anyway, I'm not sure what "decrypting the traffic" implies. If I want an ssl-bumped setup to fully handle all HTTPS connections, and be able to detect the user-agent on https connections, how should I configure Squid? Should I allow all CONNECT messages?

> AFAIK that feature is part of a different regex grammar than the one
> Squid uses.

I think I read something about Squid being built with a user-defined regex grammar/lib. Anyway, I take it it's not feasible for now.

> PS. you do know the UA strings of modern browsers all reference each
> other right? "Chrome like-Gecko like Firefox" etc.

Yes, but... We require IE for some Intranet apps, and Firefox for other Extranet apps.

We can set a custom user agent string for the Firefox browser. We also have other http user agents with customized UA strings. So we're 99% sure that all browser clients going through Squid will be tagged correctly. That's the reason why I would prefer to "deny all user agents" except one ("my custom UA string"). Most users will not try to tamper with this.

I do not want to "allow all except a list of substrings" because it would be a nightmare.

Vieri
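
Added example (not part of the original post and not Squid project code): a Python audit that replays a "deny all user agents except one" rule over existing access-log lines, so the clients it would block, including CONNECT requests that carry no User-Agent, can be counted before the rule is enforced. It assumes the log uses Squid's built-in `combined` logformat; the string `MyCustomUA/1.0` is a hypothetical allow-listed value and the log lines are constructed.

```python
import re

# Squid's built-in "combined" logformat (assumed to be what access_log uses):
# %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" \S+$'
)

# Hypothetical allow-listed string; anchored so it must be the whole header value.
ALLOWED_UA = re.compile(r"^MyCustomUA/1\.0$")

def audit(lines, allowed=ALLOWED_UA):
    """Sort logged requests by what a deny-all-except-one UA rule would do."""
    report = {"allowed": [], "denied": [], "connect_no_ua": [], "unparsed": []}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            report["unparsed"].append(line)
            continue
        entry = (m["client"], m["method"], m["url"], m["ua"])
        if allowed.search(m["ua"]):
            report["allowed"].append(entry)
        elif m["method"] == "CONNECT" and m["ua"] in ("", "-"):
            # Tunnel setup with no User-Agent (e.g. generated by an
            # intermediary): also denied by the rule, but listed separately
            # because it needs its own policy decision.
            report["connect_no_ua"].append(entry)
        else:
            report["denied"].append(entry)
    return report

# Constructed sample log lines (documentation addresses and host names).
TS = "[16/Nov/2017:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET http://intranet.example/app HTTP/1.1" 200 5120 "-" "MyCustomUA/1.0" TCP_MISS:HIER_DIRECT',
    f'192.0.2.11 - - {TS} "CONNECT extranet.example:443 HTTP/1.1" 200 8342 "-" "MyCustomUA/1.0" TCP_TUNNEL:HIER_DIRECT',
    f'192.0.2.12 - - {TS} "CONNECT updates.example:443 HTTP/1.1" 200 910 "-" "-" TCP_TUNNEL:HIER_DIRECT',
    f'192.0.2.13 - - {TS} "GET http://www.example/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0" TCP_MISS:HIER_DIRECT',
    f'192.0.2.14 - - {TS} "GET http://www.example/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; MyCustomUA/1.0)" TCP_MISS:HIER_DIRECT',
    "not a combined-format line",
]

if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_LOG).items():
        print(f"{bucket}: {len(entries)}")
        for e in entries:
            print("   ", e)
```
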