On 25/02/16 03:52, Darren wrote:
The user visits a page on my server with the YouTube links. Visiting
this page triggers a state based ACL (something like the captive portal
login).
The user then clicks a YouTube link and squid checks this ACL to see if
the user is originating the request from my local page and if it is,
allows the splice to YouTube and the video can play.
Squid can't tell that the requests were referred by your page - the
iframe itself may have your page as the referrer (although that
certainly isn't guaranteed), but the objects that are referred within
that iframe won't have a useful referrer string.
You could dynamically create an ACL that allows the whole of youtube
when the user has your page open, but that is fairly insecure since they
could just open the page and then they would be allowed to access
anything through youtube.
In my experience (and this is what we do), to be at all secure you have
to analyse the page itself in order to figure out which specific URIs to
whitelist (or at least, have those URIs hard-coded somewhere else).
Either way, YouTube uses https, so unless you're going to blindly allow
the whole of youtube whenever a user visits your page, you're going to
need to ssl bump the requests in order to have an ACL based on the
referrer and path. And as you know, ssl bumping involves sticking a
certificate on each device.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messager: xmpp:st...@opendium.com
Email: st...@opendium.com
Phone: sip:st...@opendium.com
Sales / enquiries contacts:
Email: sa...@opendium.com
Phone: +44-1792-824568 / sip:sa...@opendium.com
Support contacts:
Email: supp...@opendium.com
Phone: +44-1792-825748 / sip:supp...@opendium.com
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
