Re: [squid-users] squid 3 acl browser

From: Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>
Date: Wed, 24 Jun 2009 15:43:07 +0200

Amos Jeffries wrote:
> Erwann PENCREACH wrote:
>> Ralf Hildebrandt wrote:
>>> * Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>:
>>>> ok, I made changes
>>>>
>>>> nodst and contenttype acl works fine (I'll look later for squidguard
>>>> and dansguardian)
>>>>
>>>> browser filtering doesn't work at all
>>>>
>>>> external_acl works fine
>>>>
>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>
>>> But I already told you. MSIE says it's Mozilla. Your regular
>>> expression is wrong.
>> You're right I've just checked both User agents :
>>
>> # MSIE : User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr;
>> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>
>> acl becomes :
>>
>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>>
>
> Mozilla and Gecko are both engines that generate HTTP requests and parse
> HTTP replies on demand. Along with various other HTTP related
> activities. They are both used in a vast number of browsers and browser
> clones and fake agents.
>
> I would guess you actually want the "Firefox" branding interface for
> Gecko. Commonly known as the Mozilla Firefox web browser.
>
> User-Agent: is easily forged, so don't hang your security on it please.
> It's best to use it only in deny (ie for unknowns and non-matching) and
> leave the allow permissions to more strict ACL types.
>
> Amos

You're right, that's why I deny all but those three UAs.

Firefox isn't the solution, because the Debian port is called Iceweasel.

Filtering on Gecko allows Firefox, Thunderbird, Iceweasel and Icedove to
go through this ACL, and lets the following ACLs do the rest of the filtering.

All the security isn't done by the proxy. Our users aren't able to
install any software on the computers, so the chance of having another browser
is minimal.

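The `checkua` ACL from this thread, as an added example that is not part of the original messages: a Python model of its three patterns run against the two User-Agent strings quoted above. Python's `re.search` stands in for Squid's regex matching, and the WebKit, ClamWin and Keyvelop sample strings and the bare `Mozilla` pattern are constructed for illustration.

```python
import re

# Patterns from the message: acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
CHECKUA = [r"Gecko/", r"^Keyvelop$", r"^ClamWin/"]

# The two User-Agent values quoted in the message.
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
           ".NET CLR 1.1.4322; .NET CLR 2.0.50727)")
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; "
              ".NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1")
# Constructed samples, not taken from the message.
UA_WEBKIT = ("Mozilla/5.0 (X11; U; Linux i686) AppleWebKit/525 "
             "(KHTML, like Gecko) Safari/525")
UA_CLAMWIN = "ClamWin/0.95"


def matching_pattern(patterns, user_agent):
    """Return the first pattern that matches the User-Agent, or None.

    Unanchored, case-sensitive search. A request with no User-Agent
    header (None) is treated as matching nothing; that is an assumption
    about how the browser ACL behaves, made for this model.
    """
    if user_agent is None:
        return None
    for pattern in patterns:
        if re.search(pattern, user_agent):
            return pattern
    return None


def decision(patterns, user_agent):
    """Model 'deny all but those UAs': a match only hands the request on."""
    if matching_pattern(patterns, user_agent) is None:
        return "deny"
    return "pass to later ACLs"


if __name__ == "__main__":
    samples = {"MSIE 6": UA_MSIE, "Firefox 3": UA_FIREFOX,
               "WebKit (like Gecko)": UA_WEBKIT, "ClamWin": UA_CLAMWIN,
               "Keyvelop": "Keyvelop", "no header": None}
    for name, ua in samples.items():
        print(f"{name:20} {decision(CHECKUA, ua)}")
    # A bare "Mozilla" pattern (hypothetical) cannot tell MSIE from Firefox.
    print(matching_pattern(["Mozilla"], UA_MSIE),
          matching_pattern(["Mozilla"], UA_FIREFOX))
```

The trailing slash in `Gecko/` is what keeps "like Gecko)" clients out; the match is on the header string alone, so any client that sends a Gecko-style string also reaches the later ACLs.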

Received on Wed Jun 24 2009 - 13:43:16 MDT
