[squid-users] block user agent
Amos Jeffries
squid3 at treenet.co.nz
Wed Nov 22 12:41:30 UTC 2017
On 22/11/17 23:48, Vieri wrote:
> ________________________________
> From: Amos Jeffries <squid3 at treenet.co.nz>
>>
>> If you place that after the default "deny CONNECT !SSL_ports", and
>> before your UA checks, AND if you are using ssl_bump on the allowed
>> tunnels then you can relatively safely use "allow CONNECT".
>>
>> Just be careful that the CONNECT allowed by that are always handled
>> safely by the ssl_bump rules you have.
>> Meaning that you either bump or terminate traffic you are not sure is
>> okay, splice if you are reasonably sure, etc. it is a balancing effort
>> between "splice as much as possible" and "terminate if unsure of the
>> traffic" advice.
>
>
> As you say, I placed "allow CONNECT" after the default "deny CONNECT !SSL_ports", and before my UA checks. I'm also using:
> ssl_bump stare all
> ssl_bump bump all
>
>
> Considering the following (taken from previous e-mail):
>
> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet
> http_access deny explicit !ORG_all
> http_access deny explicit SSL_ports
>
> Would it be "safer" or "indifferent" to use the following right before the UA checks?
>
> http_access allow CONNECT interceptedssl SSL_ports
>
All CONNECT transactions that get past that earlier line with !SSL_ports
will match SSL_ports. So that part of the line is redundant.
The "CONNECT interceptedssl" is more restricted than just "CONNECT" - so
is safer due to that yes. But also leaves some traffic open to the same
denial problem you had earlier if non-UA CONNECT happen other ways. Up
to you whether that is wanted or acceptable.
Amos
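As an added example (not part of either mail in this thread), a squid.conf fragment that lays out the rule order discussed above. The port names, the LAN range, the myportname-based definitions of the explicit/intercepted/interceptedssl ACLs, the ORG_all placeholder and the badUA pattern are assumptions; only the http_access and ssl_bump lines quoted in the thread are taken from it.

```conf
# Added example: squid.conf ACL ordering as discussed in this thread.
# Port names and the explicit/intercepted/interceptedssl/ORG_all/badUA
# definitions are assumptions, not taken from the thread.

# Listening ports (assumed names). The https_port certificate options are
# version-specific and omitted here.
http_port 3128 name=explicitport
http_port 3129 intercept name=interceptport
# https_port 3130 intercept ssl-bump name=interceptsslport <cert options>

acl localnet   src 10.0.0.0/8        # assumed LAN range
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

# ACLs referenced by Vieri, assumed to be keyed on the port name
acl explicit       myportname explicitport
acl intercepted    myportname interceptport
acl interceptedssl myportname interceptsslport
acl ORG_all        dstdomain .example.org   # assumed placeholder

# User-agent check (hypothetical pattern; "browser" matches User-Agent)
acl badUA browser -i "^ExampleBadAgent"

# Default safety rules first
http_access deny !Safe_ports
# After this line every CONNECT that reaches later rules is to an SSL_ports port
http_access deny CONNECT !SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports

# Hand intercepted TLS tunnels to ssl_bump before the UA checks.
# Adding "SSL_ports" here would be redundant: anything not matching it
# was already denied by "deny CONNECT !SSL_ports" above.
http_access allow CONNECT interceptedssl

# The UA check now sees ordinary requests plus CONNECTs arriving on other
# ports (e.g. an explicit-proxy CONNECT), which can still be denied here
# if the client sends no User-Agent. That is the trade-off Amos describes.
http_access deny badUA
http_access allow localnet
http_access deny all

# The tunnels allowed above must be handled by the ssl_bump rules; once
# bumped, the decrypted requests are evaluated like plain HTTP, so the
# UA check also applies to what travels inside them.
ssl_bump stare all
ssl_bump bump all
```

If the explicit port should also carry CONNECT traffic from clients that send no User-Agent, a second allow line for that port placed ahead of the UA check is the way to widen it; otherwise the ordering above keeps the UA check in front of everything except the intercepted tunnels.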