Re: [squid-users] squid 3 acl browser

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 25 Jun 2009 14:27:39 +1200

On Wed, 24 Jun 2009 15:43:07 +0200, Erwann PENCREACH
<erwann.pencreach_at_ch-chaumont.fr> wrote:
> Amos Jeffries wrote:
>> Erwann PENCREACH wrote:
>>> Ralf Hildebrandt wrote:
>>>> * Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>:
>>>>> ok, I made changes
>>>>>
>>>>> nodst and contenttype acl works fine (I'll look later for squidguard
>>>>> and dansguardian)
>>>>>
>>>>> browser filtering doesn't work at all
>>>>>
>>>>> external_acl works fine
>>>>>
>>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>>
>>>> But I already told you. MSIE says it's Mozilla. Your regular
>>>> expression is wrong.
>>> You're right I've just checked both User agents :
>>>
>>> # MSIE : User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>>> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>>> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr;
>>> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>>
>>> acl becomes :
>>>
>>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>>>
>>
>> Mozilla and Gecko are both engines that generate HTTP requests and parse
>> HTTP replies on demand. Along with various other HTTP related
>> activities. They are both used in a vast number of browsers and browser
>> clones and fake agents.
>>
>> I would guess you actually want the "Firefox" branding interface for
>> Gecko. Commonly known as the Mozilla Firefox web browser.
>>
>> User-Agent: is easily forged, so don't hang your security on it please.
>> It's best to use it only in deny (ie for unknowns and non-matching) and
>> leave the allow permissions to more strict ACL types.
>>
>> Amos
>
> You're right, that's why I deny all but those three UAs.
>
> Firefox isn't the solution, because the Debian port is called Iceweasel.
>
> Filtering on Gecko allows Firefox, Thunderbird, Iceweasel and Icedove to
> go through this acl, and lets the following acl do the rest of the filtering.
>
> All the security isn't done by the proxy. Our users aren't able to
> install any software on the computers, so the chance of having another
> browser is minimal.
>

Cool. You do seem a lot more clued in than previous posts would suggest :)

Amos
Received on Thu Jun 25 2009 - 02:27:51 MDT
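
Added example, not part of the original thread and not Squid's own code: a small Python model of how the patterns of the `checkua` acl are tried against the User-Agent values quoted above. It assumes each pattern is an unanchored regex search and that the rule denies on no match, as Erwann describes; the `NAIVE` pattern, the forged header and the function names are constructed for illustration.

```python
import re

# Patterns from the thread: acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
CHECKUA = ["Gecko/", "^Keyvelop$", "^ClamWin/"]

# Constructed pattern illustrating Ralf's point ("MSIE says it's Mozilla").
# The regex originally used by the poster is not shown in the thread.
NAIVE = ["Mozilla"]

# User-Agent values quoted in the thread (header name stripped).
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
           ".NET CLR 1.1.4322; .NET CLR 2.0.50727)")
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; "
              ".NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1")

# Constructed value: any client can send a header that satisfies the acl.
UA_FORGED = "not-a-browser Gecko/1"


def browser_acl_matches(patterns, user_agent, ignore_case=False):
    """True if any pattern is found in the header value.

    Patterns match anywhere in the string unless they carry ^ or $.
    A missing header is treated as "no match" (assumption of this model).
    """
    if user_agent is None:
        return False
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, user_agent, flags) for p in patterns)


def access(patterns, user_agent):
    """Model a deny-only rule: DENY on no match, otherwise hand the
    request to the following, stricter rules (CONTINUE, not ALLOW)."""
    return "CONTINUE" if browser_acl_matches(patterns, user_agent) else "DENY"


if __name__ == "__main__":
    samples = {"MSIE": UA_MSIE, "Firefox": UA_FIREFOX, "forged": UA_FORGED,
               "Keyvelop": "Keyvelop", "no header": None}
    for name, ua in samples.items():
        print(f"{name:10} naive={browser_acl_matches(NAIVE, ua)!s:5} "
              f"checkua={access(CHECKUA, ua)}")
```

The forged value passes `checkua` just as Firefox does, which is why the match only decides who is denied and the later acls decide who is allowed.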
