blocking browser using user agent in squid proxy - squid

I want to block browsers using their user-agent in squid proxy.Recently i am working on blocking certain browser's like chrome, Mozilla,Firefox and to allow only internet explorer in my working environment.
Is there any to do this?

On your squid config file
acl rule_name browser ^user_agent_name
then
http_access deny rule_name
see this for user agent names User Agents
Note ^user_agent_name is a regular expression, so the caret means match any string starting with ^user_agent_name
e.g. ^Mozilla will block most browsers

Related

What is the correct way to render absolute URLs behind a reverse proxy?

I have a web application running on a server (let's say on localhost:8000) behind a reverse proxy on that same server (on myserver.example:80). Because of the way the reverse proxy works, the application sees an incoming request targeted at localhost:8000 and the framework I'm using therefore tries to generate absolute URLs that look like localhost:8000/some/ressource instead of myserver.example/some/ressource.
What would be "the correct way" of generating an absolute URL (namely, determining what hostname to use) from behind a proxy server like that? The specific proxy server, framework and language don't matter, I mean this more in an HTTP sense.
From my initial research:
RFC7230 explicitly says that proxies MUST change the Host header when passing the request along to make it look like the request came from them, so it would look like using Host to determine what hostname to use for the URL, yet in most places where I have looked, the general advice seems to be to configure your reverse proxy to not change the Host header (counter to the spec) when passing the request along.
RFC7230 also says that "request URI reconstruction" should use the following fields in order to find what "authority component" to use, though that seems to also only apply from the point-of-view of the agent that emitted that request, such as the proxy:
Fixed URI authority component from the server or outbound gateway config
The authority component from the request's firsr line if it's a complete URI instead of a path
The Host header if it's present and not empty
The listening address or hostname, alongside with the incoming port number if it's not the default one for the protocol
HTTP 1.0 didn't have a Host header at all, and that header was added for routing purposes, not for URL authority resolution.
There are headers that are made specifically to let proxies to send the old value of Host after routing, such as Via, Forwarded and the unofficial X-Forwarded-Host, which some servers and frameworks will check, but not all, and it's unclear which one should even take priority given how there's 3 of them.
EDIT: I also don't know whether HTTPS would work differently in that regard, given that the headers are part of the encrypted payload and routing has to be performed another way because of this.
In general I find it’s best to set the real host and port explicitly in the application rather than try to guess these from the incoming request.
So for example Jira allows you to set the Base URL through which Jira will be accessed (which may be different to the one that it is actually run as). This means you can have Jira running on port 8080 and have Apache or Nginx in front of it (on the same or even a different server) on port 80 and 443.

Does a Firewall "see" the Query string of a URL

I currently have the problem that I don't know whether a firewall has access to the query string of a URL, for example:
www.example.com/muster.html?Name=Max+Mustermann&Ort=Musterstadt&PLZ=1234
If it checks the URL, does it only see www.examle.com or the rest of the URL as well?
The reason behind my question is that I don't want the metadata that I send in the URL as a query string to be blocked by the firewall.
Depends on the layer your firewall operates.
Wiki https://en.wikipedia.org/wiki/Firewall_(computing)#Network_layer_or_packet_filters:
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack.
They basically check IP address and port.
Many modern products also work at application layer and with technologies like content filters - they can see the entire request - including the request parameters (but they would also see your post body).
By using HTTPS your query parameters are encrypted (check Is an HTTPS query string secure?). In this case the firewall can't access these parameters. In practice there are e.g. corporate proxy scenarios where even HTTPS requests are intercepted, checked and re-signed by a trusted certificate. In these scenarios content filters can even see encrypted query parameters/ request information.
Hope that helps!
A Firewall is here to protect computer, he can check url and of course the data passed through URL.

Dev site redirected to https because of STS rule in production

we have activated HTTP Strict Transport Security in production. It works well. But now, when wanting to use a subdomain to develop, the website is automatically redirected to https:
https://dev.tokeeen.com/app_dev.php/my-habits
Event if the host is set to 127.0.0.1
127.0.0.1 dev.tokeeen.com
Is there something to avoid this behavior? Of course I don't want to force the host for the main domain.
You are currently setting this on your main site:
Strict-Transport-Security max-age=63072000; includeSubDomain
If you change this to remove the includeSubDomain bit then it will only apply to your top level domain and not the dev sub domain:
Strict-Transport-Security max-age=63072000;
You then need to visit your production site to load this header and overwrite the existing one in your browser’s cache.
However this is less secure (for example someone could set up www.tokeeen.com and pretend to be your site with a bit of DNS manipulation for example).
But to be honest you should just use https on you’re dev site. The Internet is moving towards HTTPS and many new features do not work under plain HTTP. Additionally what you are developing is not similar to your production site so if you include http:// links instead of https:// for example you’ll suddenly see this failing when you release to production.
You look to use LetsEncrypt on your site so the cert is free. Do yourself a favour and just get another free one for your dev subdomain.
You have to get yourself a wildcard certificate as the ssl certificate is only for that domain. That's the whole point of having a secure site.
I'm not sure what server system you are using but in case you don't want to use wildcards and are ok with less secure, you can bind the other domains to
port 80 with the binding type http`

How to configure squid to be a Transparent proxy?

I am working with Squid Proxy Server as I have also used cyberoam,Sonicwall and Clear OS.
I want to setup my own proxy like above products ie authentication in transparent proxy.
Actually I setup transparent proxy but at that time my HTTPS site is not working.Then I configure one iptables rule that redirect all http & https traffic to 3128(squid port) only. but here I can access all my https websites but I cant block them.
My requirement is when I am going to access any website at first time it will ask me to authentication and then and only i can access internet. In log reports also I can show its Username and one more thing it will also possible in thinclient(terminal service).
Anybody help me short-out this problem ?
Proxy authentication doesn't work in transparent proxies setups. The browser should have the proxy configured to catch the authentication request from a proxy and to request the credentials to an user.
Another thing is that you can create a transparent proxy for HTTPS. Why? Because when the browser connects, it's connected to the proxy, not the real server. The browser will try to negotiate SSL which is a thing that Squid won't support. There are tricks to do this, but you'll break the SSL security, browser will complain, etc. There are one tool that I used to get this working: u2nl, but it's a hack that tunnels HTTPS trought the proxy.
The best option, is to use a non-transparent proxy. If you want to avoid browsers configuration, have a look at WPAD
As said before, you can't really block HTTPS sites with Squid, and you can't really use authentication with the proxy running at his transparent mode.
As far as I could use and cofigure, you can use an external acl to force a kind of login, but the login requests will not be treated by the proxy, but you can work it with some PERL.
And about the HTTPS thing, you could work it with some hacks, but it is a very sensible question, because the server performance with be punished with this kind of use and you could be pointed as a fraudulent service, which isn't cool... Believe me.

How to make an Squid-Cache internal URL rewrite?

url_rewrite_program by squid-cache really redirects the URL. In other words, the end-user gets a response back that says "redirectted page from foo to bar", and then the user makes another request to the redirected address. I don't want this.
what I want to achieve is similar to apache's mod_rewrite. I want an abselutely transparent rewriting mechanism. So that the user requests for a spefific content, and he gets it as a response (regardless of his initial requested URL) without any HTTP redirection.
the reason I want to avoid redirection via http is because I don't want the end-user to see internal application structures. For example, he requests "application1.foo.com", and he gets content of a URL that's much lengthier. So if the end-user bookmarks it, he bookmarks my clean little URL (application1.foo.com", this is good to keep users away from such details, it eventually gives them a uniform URL for the service even if I change it in the future. For example, I might map application1.foo.com to badprovider.com/path/to/file.php initially, and then change it to goodprovider.com/file.php and the user won't notice that. The advantage is, for example, end-user bookmarks would remain correct, as well as regulating their behaviour in a more guided manner.
Did you try setting squid as a reverse proxy with the 'accel' mode ? It worked for me:
acl all src all
http_port 3128 accel vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain your_domain.net
http_access allow our_sites
http_access deny all
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
negative_ttl 0
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
coredump_dir /var/spool/squid
your_domain.net is the domain you want to redirect

Resources