Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Modify SSL User Agent Header

    Cache/Proxy
    2
    6
    1.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      Hello forum,

      I've successfully setup up Squid as a transparent proxy so both http and https traffic is filtered. I have verified both protocols are being filtered by looking at squid's logs… hurray, great news indeed.

      So along the way, I successfully configured squid to modify User Agent but this configuration seems limited to only modifying headers for HTTP traffic only (not HTTPS). If i venture over to (http)www.proxydetect.com, my HTTP_USER_AGENT is modified to the string I've configured request_header_replace User-Agent with.

      I set up a script on my own https on a client's server hosted with godaddy but the user agent it is reporting is my actual user agent and not the string I've assigned.

      So that leads me to this question…. how do I modify the User Agent HTTP header for SSL traffic? I have googled the answer and what I found was this... I need to add "intercept" or "transparent to my http_port option in squid.conf, ie:

      FROM

      http_port 192.168.4.1.1:3128 ssl-bump generate-host-certificates=on dynamic_........

      TO

      http_port 192.168.1.1:3128 intercept [or transparent] ssl-bump generate-host-certificates=on dynamic_........

      ok, fine, easy enough.

      so via ssh, I manually modified squid.conf and added intercept (as above), restarted server, tested, but user agent unmodified. I modified squid.conf again and tried 'transparent' (as above), restarted server, tested, and again, user agent still unmodified.

      Am I shooting for something that isn't possible?

      Any input appreciated.

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        Any changes need to go to squid.inc file, otherwise they'll be gone on save.

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          good to know… I didn't know about squid.inc. However, I was restarting the server from ssh, not the web gui so my changes were sticking..

          thanks

          1 Reply Last reply Reply Quote 0
          • ?
            A Former User
            last edited by

            turns out that http_port is configured correctly so no modifications are needed to squid.inc.

            the reason why headers are not be modified for https connections is because i have the following added to the Custom Options (SSL/MITM) input box:

            ssl_bump splice all

            When I change it to:

            ssl_bump bump all

            user agent header is modified for https connections, however….

            however, it breaks security with some sites. other sites, i can set my browser to always trust the certificate. some sites won't even load, period. My guess is due to self-signed CA.

            1 Reply Last reply Reply Quote 0
            • D
              doktornotor Banned
              last edited by

              "splice all" cannot modify any content sent, what's spliced becomes a TCP tunnel.

              1 Reply Last reply Reply Quote 0
              • ?
                A Former User
                last edited by

                that's correct.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.