proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:
(a) Most web sites require HTTPS, thwarting manipulation attempts to
HTTP headers in transit. Given todays' internet landscape, faking
these headers is unlikely to work for the vast majority of web
sites.
(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
corresponding browser information via JavaScript. Any difference
most likely indicates (trivial) header manipulation attempts, hence
rendering this feature useless if browsers do not behave in the same
manner, which we cannot control on IPFire.
(c) Especially static Referer headers make users stick out like a sore
thumb, as nobody else in the world is likely to have the same
Referer set _all the time_.
Modern browsers attempt to strip sensitive information from Referer
headers, or ditch them completely, particularly to 3rd party sites.
Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).
Therefore, removing these features from the Squid GUI is the least worse
option we have. We should not give our users a false sense of privacy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Peter Müller
Michael Tremer
parent
7d72dba39d
commit
6323e9086f
|
|
@ -2,7 +2,7 @@
|
|||
###############################################################################
|
||||
# #
|
||||
# IPFire.org - A linux based firewall #
|
||||
# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
|
||||
# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
|
||||
# #
|
||||
# This program is free software: you can redistribute it and/or modify #
|
||||
# it under the terms of the GNU General Public License as published by #
|
||||
|
|
@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';
|
|||
$proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';
|
||||
$proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';
|
||||
$proxysettings{'ENABLE_MIME_FILTER'} = 'off';
|
||||
$proxysettings{'FAKE_USERAGENT'} = '';
|
||||
$proxysettings{'FAKE_REFERER'} = '';
|
||||
$proxysettings{'AUTH_METHOD'} = 'none';
|
||||
$proxysettings{'AUTH_REALM'} = '';
|
||||
$proxysettings{'AUTH_MAX_USERIP'} = '';
|
||||
|
|
@ -1629,21 +1627,6 @@ END
|
|||
print <<END
|
||||
</table>
|
||||
|
||||
<hr size='1'>
|
||||
|
||||
<table width='100%'>
|
||||
<tr>
|
||||
<td><b>$Lang::tr{'advproxy privacy'}</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class='base'>$Lang::tr{'advproxy fake useragent'}:</td>
|
||||
<td class='base'>$Lang::tr{'advproxy fake referer'}:</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><input type='text' name='FAKE_USERAGENT' value='$proxysettings{'FAKE_USERAGENT'}' size='40%' /></td>
|
||||
<td><input type='text' name='FAKE_REFERER' value='$proxysettings{'FAKE_REFERER'}' size='40%' /></td>
|
||||
</tr>
|
||||
</table>
|
||||
<hr size='1'>
|
||||
END
|
||||
;
|
||||
|
|
@ -3846,8 +3829,7 @@ END
|
|||
|
||||
print FILE "http_access deny all\n\n";
|
||||
|
||||
if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') ||
|
||||
(!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
|
||||
if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off'))
|
||||
{
|
||||
print FILE "#Strip HTTP Header\n";
|
||||
|
||||
|
|
@ -3861,31 +3843,9 @@ END
|
|||
print FILE "request_header_access Via deny all\n";
|
||||
print FILE "reply_header_access Via deny all\n";
|
||||
}
|
||||
if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
|
||||
{
|
||||
print FILE "request_header_access User-Agent deny all\n";
|
||||
print FILE "reply_header_access User-Agent deny all\n";
|
||||
}
|
||||
if (!($proxysettings{'FAKE_REFERER'} eq ''))
|
||||
{
|
||||
print FILE "request_header_access Referer deny all\n";
|
||||
print FILE "reply_header_access Referer deny all\n";
|
||||
}
|
||||
|
||||
print FILE "\n";
|
||||
|
||||
if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
|
||||
{
|
||||
if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
|
||||
{
|
||||
print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n";
|
||||
}
|
||||
if (!($proxysettings{'FAKE_REFERER'} eq ''))
|
||||
{
|
||||
print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n";
|
||||
}
|
||||
print FILE "\n";
|
||||
}
|
||||
}
|
||||
|
||||
if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" }
|
||||
|
|
|
|||
|
|
@ -326,8 +326,6 @@
|
|||
'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz',
|
||||
'advproxy error design' => 'Design der Fehlermeldungen',
|
||||
'advproxy error language' => 'Sprache der Fehlermeldungen',
|
||||
'advproxy fake referer' => 'Gefälschter Referer für externe Webseiten',
|
||||
'advproxy fake useragent' => 'Gefälschter User-Agent für externe Webseiten',
|
||||
'advproxy friday' => 'Fr',
|
||||
'advproxy from' => 'Von',
|
||||
'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle',
|
||||
|
|
@ -357,7 +355,6 @@
|
|||
'advproxy off' => 'Proxy aus',
|
||||
'advproxy offline mode' => 'Aktiviere Offline-Modus',
|
||||
'advproxy on' => 'Proxy ein',
|
||||
'advproxy privacy' => 'Datenschutz',
|
||||
'advproxy proxy port' => 'Proxyport',
|
||||
'advproxy proxy port transparent' => 'Transparenter Port',
|
||||
'advproxy ram cache size' => 'Cachegröße im Arbeitsspeicher (MB)',
|
||||
|
|
|
|||
|
|
@ -323,8 +323,6 @@
|
|||
'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet',
|
||||
'advproxy error design' => 'Error messages design',
|
||||
'advproxy error language' => 'Error messages language',
|
||||
'advproxy fake referer' => 'Fake referer submitted to external sites',
|
||||
'advproxy fake useragent' => 'Fake useragent submitted to external sites',
|
||||
'advproxy friday' => 'Fri',
|
||||
'advproxy from' => 'From',
|
||||
'advproxy group access control' => 'Group based access control',
|
||||
|
|
@ -354,7 +352,6 @@
|
|||
'advproxy off' => 'Proxy off',
|
||||
'advproxy offline mode' => 'Enable offline mode',
|
||||
'advproxy on' => 'Proxy on',
|
||||
'advproxy privacy' => 'Privacy',
|
||||
'advproxy proxy port' => 'Proxy port',
|
||||
'advproxy proxy port transparent' => 'Transparent port',
|
||||
'advproxy ram cache size' => 'Memory cache size (MB)',
|
||||
|
|
|
|||
|
|
@ -297,8 +297,6 @@
|
|||
'advproxy errmsg time restriction' => 'Restricción de tiempo no válida',
|
||||
'advproxy error design' => 'Diseño de mensajes de error',
|
||||
'advproxy error language' => 'Idioma de Mensajes de error',
|
||||
'advproxy fake referer' => 'Referer falso enviado a sitios externos',
|
||||
'advproxy fake useragent' => 'Useragent falso enviado a sitios externos',
|
||||
'advproxy friday' => 'Vie',
|
||||
'advproxy from' => 'De',
|
||||
'advproxy hdd cache size' => 'Tamaño del caché en disco duro (MB)',
|
||||
|
|
@ -326,7 +324,6 @@
|
|||
'advproxy off' => 'Proxy Apagado',
|
||||
'advproxy offline mode' => 'Activar modo fuera de línea',
|
||||
'advproxy on' => 'Proxy Encendido',
|
||||
'advproxy privacy' => 'Privacidad',
|
||||
'advproxy proxy port' => 'Puerto del proxy',
|
||||
'advproxy ram cache size' => 'Tamaño de memoria caché',
|
||||
'advproxy redirector children' => 'Número de procesos filtrados',
|
||||
|
|
|
|||
|
|
@ -330,8 +330,6 @@
|
|||
'advproxy errmsg wpad invalid ip or mask' => 'WPAD : IP ou sous-réseau invalide pour le sous-réseau IP exclu',
|
||||
'advproxy error design' => 'Construction messages erronés ',
|
||||
'advproxy error language' => 'Langage des messages erronés ',
|
||||
'advproxy fake referer' => 'Fausses références soumises aux sites externes ',
|
||||
'advproxy fake useragent' => 'Faux useragent soumis aux sites externes ',
|
||||
'advproxy friday' => 'Ven',
|
||||
'advproxy from' => 'De',
|
||||
'advproxy group access control' => 'Contrôle d\'accès basé sur le groupe',
|
||||
|
|
@ -361,7 +359,6 @@
|
|||
'advproxy off' => 'Proxy inactif',
|
||||
'advproxy offline mode' => 'Autoriser le mode hors connexion ',
|
||||
'advproxy on' => 'Proxy actif',
|
||||
'advproxy privacy' => 'Privé',
|
||||
'advproxy proxy port' => 'Port proxy ',
|
||||
'advproxy proxy port transparent' => 'Port transparent ',
|
||||
'advproxy ram cache size' => 'Taille cache mémoire (Mo) ',
|
||||
|
|
|
|||
|
|
@ -257,8 +257,6 @@
|
|||
'advproxy errmsg time restriction' => 'Invalid time restriction',
|
||||
'advproxy error design' => 'Design dei messaggi di errore',
|
||||
'advproxy error language' => 'Lingua dei messaggi di errore',
|
||||
'advproxy fake referer' => 'Fake referer submitted to external sites',
|
||||
'advproxy fake useragent' => 'Fake useragent submitted to external sites',
|
||||
'advproxy friday' => 'Ven',
|
||||
'advproxy from' => 'Da',
|
||||
'advproxy hdd cache size' => 'Harddisk cache size (MB)',
|
||||
|
|
@ -286,7 +284,6 @@
|
|||
'advproxy off' => 'Proxy off',
|
||||
'advproxy offline mode' => 'Attiva modalità offline',
|
||||
'advproxy on' => 'Proxy Acceso',
|
||||
'advproxy privacy' => 'Privacy',
|
||||
'advproxy proxy port' => 'Porta Proxy',
|
||||
'advproxy proxy port transparent' => 'Porta Transparente',
|
||||
'advproxy ram cache size' => 'Dimensione della Memoria di cache (MB)',
|
||||
|
|
|
|||
|
|
@ -256,8 +256,6 @@
|
|||
'advproxy errmsg time restriction' => 'Ongeldige tijdsbeperking',
|
||||
'advproxy error design' => 'Opmaak foutmeldingen',
|
||||
'advproxy error language' => 'Taal foutmeldingen',
|
||||
'advproxy fake referer' => 'Nepverwijzing die wordt gestuurd naar externe sites',
|
||||
'advproxy fake useragent' => 'Nep useragent die wordt gestuurd naar externe sites',
|
||||
'advproxy friday' => 'Vri',
|
||||
'advproxy from' => 'Van',
|
||||
'advproxy hdd cache size' => 'Harddisk cache-grootte (MB)',
|
||||
|
|
@ -285,7 +283,6 @@
|
|||
'advproxy off' => 'Proxy uit',
|
||||
'advproxy offline mode' => 'Schakel offline modus in',
|
||||
'advproxy on' => 'Proxy aan',
|
||||
'advproxy privacy' => 'Privacy',
|
||||
'advproxy proxy port' => 'Proxy poort',
|
||||
'advproxy proxy port transparent' => 'Transparante poort',
|
||||
'advproxy ram cache size' => 'Geheugen cache-grootte (MB)',
|
||||
|
|
|
|||
|
|
@ -245,8 +245,6 @@
|
|||
'advproxy errmsg time restriction' => 'Niepoprawne ograniczenia czase',
|
||||
'advproxy error design' => 'Styl komunikatów o błędach',
|
||||
'advproxy error language' => 'Język komunikatów o błędach',
|
||||
'advproxy fake referer' => 'Fake referer submitted to external sites',
|
||||
'advproxy fake useragent' => 'Fake useragent submitted to external sites',
|
||||
'advproxy friday' => 'Pią',
|
||||
'advproxy from' => 'Od',
|
||||
'advproxy hdd cache size' => 'Rozmiar cache na dysku (MB)',
|
||||
|
|
@ -274,7 +272,6 @@
|
|||
'advproxy off' => 'Proxy wyłączone',
|
||||
'advproxy offline mode' => 'Włącz tryb offline',
|
||||
'advproxy on' => 'Proxy wł',
|
||||
'advproxy privacy' => 'Prywatność',
|
||||
'advproxy proxy port' => 'Port proxy',
|
||||
'advproxy ram cache size' => 'Rozmiar RAM cache (MB)',
|
||||
'advproxy redirector children' => 'Liczba procesów filtrujących',
|
||||
|
|
|
|||
|
|
@ -243,8 +243,6 @@
|
|||
'advproxy errmsg time restriction' => 'Неверное ограничение по времени',
|
||||
'advproxy error design' => 'Оформление ошибок',
|
||||
'advproxy error language' => 'Язык, на котором отображаются ошибки',
|
||||
'advproxy fake referer' => 'Липовый referer Для внешних сайтов',
|
||||
'advproxy fake useragent' => 'Липовый useragent для внешних сайтов',
|
||||
'advproxy friday' => 'Пт',
|
||||
'advproxy from' => 'C',
|
||||
'advproxy hdd cache size' => 'Размер кэша жёсткого диска (MB)',
|
||||
|
|
@ -272,7 +270,6 @@
|
|||
'advproxy off' => 'Proxy выкл',
|
||||
'advproxy offline mode' => 'Включить автономный режим',
|
||||
'advproxy on' => 'Proxy вкл',
|
||||
'advproxy privacy' => 'Приватность',
|
||||
'advproxy proxy port' => 'Порт Proxy',
|
||||
'advproxy ram cache size' => 'Размер памяти кэша (MB)',
|
||||
'advproxy redirector children' => 'Количество фильтруемых процессов',
|
||||
|
|
|
|||
|
|
@ -318,8 +318,6 @@
|
|||
'advproxy errmsg time restriction' => 'Geçersiz zaman kısıtlaması',
|
||||
'advproxy error design' => 'Hata mesajları tasarımı',
|
||||
'advproxy error language' => 'Hata mesajları dili',
|
||||
'advproxy fake referer' => 'Sahte referansı harici sitelere gönder',
|
||||
'advproxy fake useragent' => 'Sahte yönlendiriciyi harici sitelere gönder',
|
||||
'advproxy friday' => 'Cum',
|
||||
'advproxy from' => 'Başlangıç',
|
||||
'advproxy group access control' => 'Grup tabanlı erişim kontrolü',
|
||||
|
|
@ -349,7 +347,6 @@
|
|||
'advproxy off' => 'Vekil sunucu kapalı',
|
||||
'advproxy offline mode' => 'Çevrimdışı yöntemi aktifleştir',
|
||||
'advproxy on' => 'Vekil sunucu',
|
||||
'advproxy privacy' => 'Gizlilik',
|
||||
'advproxy proxy port' => 'Vekil sunucu bağlantı noktası',
|
||||
'advproxy proxy port transparent' => 'Şeffaf bağlantı noktası',
|
||||
'advproxy ram cache size' => 'Bellek önbellek boyutu (MB)',
|
||||
|
|
|
|||
Loading…
Reference in New Issue