Re: [squid-users] Squid access control based on browser agents.

From: Henrik Nordstrom <[email protected]>
Date: Wed, 28 Apr 2004 18:14:44 +0200 (CEST)

On Wed, 28 Apr 2004, Mr. S M Thakor wrote:

> I want to put access control on user's browsers. Can squid accept
> requests only from Internet Explorer, Netscape Navigator and Opena ?

Yes, as long as the user is not lying about what browser he is using. Se
the browser acl.

> If a user allowed to use squid proxy installs on client PC a proxy
> server like analogue-x, proxyi, winproxy or naviscope, his request
> should be rejected.

This is harder. If the proxy used kindly enough adds information about the
proxy to the request headers it is possible, but there is no guarantee the
proxy will do so, and as soon as you start doing this kind of access
controls your users will start looking for ways around it..

Best way is to use authentication. This way the user must share hist
login+password to make it possible for others to use the proxy, but even
this is not foolprof as

  a) The user may willingly give away hist login+password
  b) Some proxies (Squid included) allow configuring of a login+password
to use in forwarded requests

> My organisation has strict regulation on internet
> access. I am providing internet access based on MAC address od client pc
> ( --enable-arp-acl) for allowed URLs.

And what you are looking for is best addressed by having an enforceable
polixy. The proxy can only help you to in best case detect when people
attempt to bypass the regulations, but without having support in those
regulations for actions truly noticeable to the responsible end-user you
will be fighting in vein as each measure you take to enforce the
regulation will soon be bypassed by your users if they are intent on it.

Regards
Henrik
Received on Wed Apr 28 2004 - 10:14:49 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:03 MDT