From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
Date: Tue, 15 Jun 2021 22:29:34 +0200
Message-ID: <426cc5cd-c490-2a5a-031f-45c10af50cca@ipfire.org>

While maintaining privacy when accessing web sites probably has never been more important than it is today, faking Referer and User-Agent headers is both obsolete and counterproductive:

(a) Most web sites require HTTPS, thwarting manipulation attempts to HTTP headers in transit. Given today's internet landscape, faking these headers is unlikely to work for the vast majority of web sites.

(b) It is trivial to detect faked HTTP User-Agent headers by obtaining corresponding browser information via JavaScript. Any difference most likely indicates (trivial) header manipulation attempts, hence rendering this feature useless if browsers do not behave in the same manner, which we cannot control on IPFire.

(c) Especially static Referer headers make users stick out like a sore thumb, as nobody else in the world is likely to have the same Referer set _all the time_. Modern browsers attempt to strip sensitive information from Referer headers, or ditch them completely, particularly to 3rd party sites.

Given the state of the web ecosystem as we know it today, enforcing privacy in a centralised manner does not even come close to being sufficient. Without gaining control over users' browsers, their settings, and their infrastructure (such as setting up terminal environments for accessing the web, preventing hardware fingerprinting), a centralised attempt will at best fail, if not making things worse, as highlighted in (c).

Therefore, removing these features from the Squid GUI is the least bad option we have. We should not give our users a false sense of privacy.

Signed-off-by: Peter Müller
--- html/cgi-bin/proxy.cgi | 44 ++---------------------------------------- langs/de/cgi-bin/de.pl | 3 --- langs/en/cgi-bin/en.pl | 3 --- langs/es/cgi-bin/es.pl | 3 --- langs/fr/cgi-bin/fr.pl | 3 --- langs/it/cgi-bin/it.pl | 3 --- langs/nl/cgi-bin/nl.pl | 3 --- langs/pl/cgi-bin/pl.pl | 3 --- langs/ru/cgi-bin/ru.pl | 3 --- langs/tr/cgi-bin/tr.pl | 3 --- 10 files changed, 2 insertions(+), 69 deletions(-) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index b6d71db84..b3c2d0713 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2020 IPFire Team = # +# Copyright (C) 2007-2021 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} =3D 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} =3D 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} =3D 'unlimited'; $proxysettings{'ENABLE_MIME_FILTER'} =3D 'off'; -$proxysettings{'FAKE_USERAGENT'} =3D ''; -$proxysettings{'FAKE_REFERER'} =3D ''; $proxysettings{'AUTH_METHOD'} =3D 'none'; $proxysettings{'AUTH_REALM'} =3D ''; $proxysettings{'AUTH_MAX_USERIP'} =3D ''; @@ -1629,21 +1627,6 @@ END print < =20 -
- - - - - - - - - - - - - -
$Lang::tr{'advproxy privacy'}
$Lang::tr{'advproxy fake useragent'}:$Lang::tr{'advproxy fake referer'}:

END ; @@ -3846,8 +3829,7 @@ END =20 print FILE "http_access deny all\n\n"; =20 - if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORW= ARD_VIA'} eq 'off') || - (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REF= ERER'} eq ''))) + if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORW= ARD_VIA'} eq 'off')) { print FILE "#Strip HTTP Header\n"; =20 @@ -3861,31 +3843,9 @@ END print FILE "request_header_access Via deny all\n"; print FILE "reply_header_access Via deny all\n"; } - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) - { - print FILE "request_header_access User-Agent deny all\n"; - print FILE "reply_header_access User-Agent deny all\n"; - } - if (!($proxysettings{'FAKE_REFERER'} eq '')) - { - print FILE "request_header_access Referer deny all\n"; - print FILE "reply_header_access Referer deny all\n"; - } =20 print FILE "\n"; =20 - if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE= _REFERER'} eq ''))) - { - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) - { - print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n= "; - } - if (!($proxysettings{'FAKE_REFERER'} eq '')) - { - print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n"; - } - print FILE "\n"; - } } =20 if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppres= s_version_string on\n\n" } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index eee51575b..0d2228ede 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -326,8 +326,6 @@ 'advproxy errmsg wpad invalid ip or mask' =3D> 'WPAD: Ung=C3=BCltige IP oder= Subnetz f=C3=BCr ausgenommenes IP-Subnetz', 'advproxy error design' =3D> 'Design der Fehlermeldungen', 'advproxy error language' =3D> 'Sprache der Fehlermeldungen', -'advproxy fake referer' =3D> 'Gef=C3=A4lschter Referer f=C3=BCr externe Webs= eiten', -'advproxy fake useragent' =3D> 'Gef=C3=A4lschter User-Agent f=C3=BCr externe= Webseiten', 'advproxy friday' =3D> 'Fr', 'advproxy from' =3D> 'Von', 'advproxy group access control' =3D> 'Gruppenbasierte Zugriffskontrolle', @@ -357,7 +355,6 @@ 'advproxy off' =3D> 'Proxy aus', 'advproxy offline mode' =3D> 'Aktiviere Offline-Modus', 'advproxy on' =3D> 'Proxy ein', -'advproxy privacy' =3D> 'Datenschutz', 'advproxy proxy port' =3D> 'Proxyport', 'advproxy proxy port transparent' =3D> 'Transparenter Port', 'advproxy ram cache size' =3D> 'Cachegr=C3=B6=C3=9Fe im Arbeitsspeicher (MB)= ', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a48deeeca..2ba6961f3 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -323,8 +323,6 @@ 'advproxy errmsg wpad invalid ip or mask' =3D> 'WPAD: Invalid IP or subnet f= or excluded IP subnet', 'advproxy error design' =3D> 'Error messages design', 'advproxy error language' =3D> 'Error messages language', -'advproxy fake referer' =3D> 'Fake referer submitted to external sites', -'advproxy fake useragent' =3D> 'Fake useragent submitted to external sites', 'advproxy friday' =3D> 'Fri', 'advproxy from' =3D> 'From', 'advproxy group access control' =3D> 'Group based access control', @@ -354,7 +352,6 @@ 'advproxy off' =3D> 'Proxy off', 'advproxy offline mode' =3D> 'Enable offline mode', 'advproxy on' =3D> 'Proxy on', -'advproxy privacy' =3D> 'Privacy', 'advproxy proxy port' =3D> 'Proxy port', 'advproxy proxy port transparent' =3D> 'Transparent port', 'advproxy ram cache size' =3D> 'Memory cache size (MB)', 
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index e76c987bc..1080afdea 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -297,8 +297,6 @@ 'advproxy errmsg time restriction' =3D> 'Restricci=C3=B3n de tiempo no v=C3= =A1lida', 'advproxy error design' =3D> 'Dise=C3=B1o de mensajes de error', 'advproxy error language' =3D> 'Idioma de Mensajes de error', -'advproxy fake referer' =3D> 'Referer falso enviado a sitios externos', -'advproxy fake useragent' =3D> 'Useragent falso enviado a sitios externos', 'advproxy friday' =3D> 'Vie', 'advproxy from' =3D> 'De', 'advproxy hdd cache size' =3D> 'Tama=C3=B1o del cach=C3=A9 en disco duro (MB= )', @@ -326,7 +324,6 @@ 'advproxy off' =3D> 'Proxy Apagado', 'advproxy offline mode' =3D> 'Activar modo fuera de l=C3=ADnea', 'advproxy on' =3D> 'Proxy Encendido', -'advproxy privacy' =3D> 'Privacidad', 'advproxy proxy port' =3D> 'Puerto del proxy', 'advproxy ram cache size' =3D> 'Tama=C3=B1o de memoria cach=C3=A9', 'advproxy redirector children' =3D> 'N=C3=BAmero de procesos filtrados', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 840292f9c..1b6d30111 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -330,8 +330,6 @@ 'advproxy errmsg wpad invalid ip or mask' =3D> 'WPAD : IP ou sous-r=C3=A9sea= u invalide pour le sous-r=C3=A9seau IP exclu', 'advproxy error design' =3D> 'Construction messages erron=C3=A9s ', 'advproxy error language' =3D> 'Langage des messages erron=C3=A9s ', -'advproxy fake referer' =3D> 'Fausses r=C3=A9f=C3=A9rences soumises aux site= s externes ', -'advproxy fake useragent' =3D> 'Faux useragent soumis aux sites externes ', 'advproxy friday' =3D> 'Ven', 'advproxy from' =3D> 'De', 'advproxy group access control' =3D> 'Contr=C3=B4le d\'acc=C3=A8s bas=C3=A9 = sur le groupe', 
@@ -361,7 +359,6 @@ 'advproxy off' =3D> 'Proxy inactif', 'advproxy offline mode' =3D> 'Autoriser le mode hors connexion ', 'advproxy on' =3D> 'Proxy actif', -'advproxy privacy' =3D> 'Priv=C3=A9', 'advproxy proxy port' =3D> 'Port proxy ', 'advproxy proxy port transparent' =3D> 'Port transparent ', 'advproxy ram cache size' =3D> 'Taille cache m=C3=A9moire (Mo) ', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 57585dd27..e9bd157a3 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -257,8 +257,6 @@ 'advproxy errmsg time restriction' =3D> 'Invalid time restriction', 'advproxy error design' =3D> 'Design dei messaggi di errore', 'advproxy error language' =3D> 'Lingua dei messaggi di errore', -'advproxy fake referer' =3D> 'Fake referer submitted to external sites', -'advproxy fake useragent' =3D> 'Fake useragent submitted to external sites', 'advproxy friday' =3D> 'Ven', 'advproxy from' =3D> 'Da', 'advproxy hdd cache size' =3D> 'Harddisk cache size (MB)', @@ -286,7 +284,6 @@ 'advproxy off' =3D> 'Proxy off', 'advproxy offline mode' =3D> 'Attiva modalità offline', 'advproxy on' =3D> 'Proxy Acceso', -'advproxy privacy' =3D> 'Privacy', 'advproxy proxy port' =3D> 'Porta Proxy', 'advproxy proxy port transparent' =3D> 'Porta Transparente', 'advproxy ram cache size' =3D> 'Dimensione della Memoria di cache (MB)', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index fb5a932f9..d607e4f89 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -256,8 +256,6 @@ 'advproxy errmsg time restriction' =3D> 'Ongeldige tijdsbeperking', 'advproxy error design' =3D> 'Opmaak foutmeldingen', 'advproxy error language' =3D> 'Taal foutmeldingen', -'advproxy fake referer' =3D> 'Nepverwijzing die wordt gestuurd naar externe = sites', -'advproxy fake useragent' =3D> 'Nep useragent die wordt gestuurd naar extern= e sites', 'advproxy friday' =3D> 'Vri', 'advproxy from' =3D> 'Van', 'advproxy hdd cache size' =3D> 'Harddisk cache-grootte (MB)', 
@@ -285,7 +283,6 @@ 'advproxy off' =3D> 'Proxy uit', 'advproxy offline mode' =3D> 'Schakel offline modus in', 'advproxy on' =3D> 'Proxy aan', -'advproxy privacy' =3D> 'Privacy', 'advproxy proxy port' =3D> 'Proxy poort', 'advproxy proxy port transparent' =3D> 'Transparante poort', 'advproxy ram cache size' =3D> 'Geheugen cache-grootte (MB)', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index d3540cc62..a44f43fa4 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -245,8 +245,6 @@ 'advproxy errmsg time restriction' =3D> 'Niepoprawne ograniczenia czase', 'advproxy error design' =3D> 'Styl komunikat=C3=B3w o b=C5=82=C4=99dach', 'advproxy error language' =3D> 'J=C4=99zyk komunikat=C3=B3w o b=C5=82=C4=99d= ach', -'advproxy fake referer' =3D> 'Fake referer submitted to external sites', -'advproxy fake useragent' =3D> 'Fake useragent submitted to external sites', 'advproxy friday' =3D> 'Pi=C4=85', 'advproxy from' =3D> 'Od', 'advproxy hdd cache size' =3D> 'Rozmiar cache na dysku (MB)', @@ -274,7 +272,6 @@ 'advproxy off' =3D> 'Proxy wy=C5=82=C4=85czone', 'advproxy offline mode' =3D> 'W=C5=82=C4=85cz tryb offline', 'advproxy on' =3D> 'Proxy w=C5=82', -'advproxy privacy' =3D> 'Prywatno=C5=9B=C4=87', 'advproxy proxy port' =3D> 'Port proxy', 'advproxy ram cache size' =3D> 'Rozmiar RAM cache (MB)', 'advproxy redirector children' =3D> 'Liczba proces=C3=B3w filtruj=C4=85cych', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 12afa0b92..c0342eb25 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl 
@@ -243,8 +243,6 @@ 'advproxy errmsg time restriction' =3D> '=D0=9D=D0=B5=D0=B2=D0=B5=D1=80=D0= =BD=D0=BE=D0=B5 =D0=BE=D0=B3=D1=80=D0=B0=D0=BD=D0=B8=D1=87=D0=B5=D0=BD=D0=B8= =D0=B5 =D0=BF=D0=BE =D0=B2=D1=80=D0=B5=D0=BC=D0=B5=D0=BD=D0=B8', 'advproxy error design' =3D> '=D0=9E=D1=84=D0=BE=D1=80=D0=BC=D0=BB=D0=B5=D0= =BD=D0=B8=D0=B5 =D0=BE=D1=88=D0=B8=D0=B1=D0=BE=D0=BA', 'advproxy error language' =3D> '=D0=AF=D0=B7=D1=8B=D0=BA, =D0=BD=D0=B0 =D0= =BA=D0=BE=D1=82=D0=BE=D1=80=D0=BE=D0=BC =D0=BE=D1=82=D0=BE=D0=B1=D1=80=D0=B0= =D0=B6=D0=B0=D1=8E=D1=82=D1=81=D1=8F =D0=BE=D1=88=D0=B8=D0=B1=D0=BA=D0=B8', -'advproxy fake referer' =3D> '=D0=9B=D0=B8=D0=BF=D0=BE=D0=B2=D1=8B=D0=B9 ref= erer =D0=94=D0=BB=D1=8F =D0=B2=D0=BD=D0=B5=D1=88=D0=BD=D0=B8=D1=85 =D1=81=D0= =B0=D0=B9=D1=82=D0=BE=D0=B2', -'advproxy fake useragent' =3D> '=D0=9B=D0=B8=D0=BF=D0=BE=D0=B2=D1=8B=D0=B9 u= seragent =D0=B4=D0=BB=D1=8F =D0=B2=D0=BD=D0=B5=D1=88=D0=BD=D0=B8=D1=85 =D1=81= =D0=B0=D0=B9=D1=82=D0=BE=D0=B2', 'advproxy friday' =3D> '=D0=9F=D1=82', 'advproxy from' =3D> 'C', 'advproxy hdd cache size' =3D> '=D0=A0=D0=B0=D0=B7=D0=BC=D0=B5=D1=80 =D0=BA= =D1=8D=D1=88=D0=B0 =D0=B6=D1=91=D1=81=D1=82=D0=BA=D0=BE=D0=B3=D0=BE =D0=B4=D0= =B8=D1=81=D0=BA=D0=B0 (MB)', 
@@ -272,7 +270,6 @@ 'advproxy off' =3D> 'Proxy =D0=B2=D1=8B=D0=BA=D0=BB', 'advproxy offline mode' =3D> '=D0=92=D0=BA=D0=BB=D1=8E=D1=87=D0=B8=D1=82=D1= =8C =D0=B0=D0=B2=D1=82=D0=BE=D0=BD=D0=BE=D0=BC=D0=BD=D1=8B=D0=B9 =D1=80=D0=B5= =D0=B6=D0=B8=D0=BC', 'advproxy on' =3D> 'Proxy =D0=B2=D0=BA=D0=BB', -'advproxy privacy' =3D> '=D0=9F=D1=80=D0=B8=D0=B2=D0=B0=D1=82=D0=BD=D0=BE=D1= =81=D1=82=D1=8C', 'advproxy proxy port' =3D> '=D0=9F=D0=BE=D1=80=D1=82 Proxy', 'advproxy ram cache size' =3D> '=D0=A0=D0=B0=D0=B7=D0=BC=D0=B5=D1=80 =D0=BF= =D0=B0=D0=BC=D1=8F=D1=82=D0=B8 =D0=BA=D1=8D=D1=88=D0=B0 (MB)', 'advproxy redirector children' =3D> '=D0=9A=D0=BE=D0=BB=D0=B8=D1=87=D0=B5=D1= =81=D1=82=D0=B2=D0=BE =D1=84=D0=B8=D0=BB=D1=8C=D1=82=D1=80=D1=83=D0=B5=D0=BC= =D1=8B=D1=85 =D0=BF=D1=80=D0=BE=D1=86=D0=B5=D1=81=D1=81=D0=BE=D0=B2', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 83416ebe7..f90bee0ea 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -318,8 +318,6 @@ 'advproxy errmsg time restriction' =3D> 'Ge=C3=A7ersiz zaman k=C4=B1s=C4=B1t= lamas=C4=B1', 'advproxy error design' =3D> 'Hata mesajlar=C4=B1 tasar=C4=B1m=C4=B1', 'advproxy error language' =3D> 'Hata mesajlar=C4=B1 dili', -'advproxy fake referer' =3D> 'Sahte referans=C4=B1 harici sitelere g=C3=B6nd= er', -'advproxy fake useragent' =3D> 'Sahte y=C3=B6nlendiriciyi harici sitelere g= =C3=B6nder', 'advproxy friday' =3D> 'Cum', 'advproxy from' =3D> 'Ba=C5=9Flang=C4=B1=C3=A7', 'advproxy group access control' =3D> 'Grup tabanl=C4=B1 eri=C5=9Fim kontrol= =C3=BC', 
@@ -349,7 +347,6 @@ 'advproxy off' =3D> 'Vekil sunucu kapal=C4=B1', 'advproxy offline mode' =3D> '=C3=87evrimd=C4=B1=C5=9F=C4=B1 y=C3=B6ntemi ak= tifle=C5=9Ftir', 'advproxy on' =3D> 'Vekil sunucu', -'advproxy privacy' =3D> 'Gizlilik', 'advproxy proxy port' =3D> 'Vekil sunucu ba=C4=9Flant=C4=B1 noktas=C4=B1', 'advproxy proxy port transparent' =3D> '=C5=9Eeffaf ba=C4=9Flant=C4=B1 nokta= s=C4=B1', 'advproxy ram cache size' =3D> 'Bellek =C3=B6nbellek boyutu (MB)', --=20 2.26.2 --===============4683920616047395376==--
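
Review bot: Nothing in the proxy.cgi hunks at -3846 and -3861 handles installations where FAKE_USERAGENT or FAKE_REFERER is already set. The diffstat lists only proxy.cgi and the nine language files, so an existing squid.conf generated by the old code keeps its "request_header_access ... deny all" and "header_replace" lines for User-Agent and Referer until the proxy settings are saved again, while the GUI no longer shows that these headers are being rewritten. Consider regenerating the Squid configuration in the update that ships this change, and stating in the commit message what happens to previously configured values.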
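
Review bot: The langs/*/cgi-bin/*.pl hunks drop 'advproxy fake referer', 'advproxy fake useragent' and 'advproxy privacy' from every language file, but the patch only shows that proxy.cgi stops using them. 'advproxy privacy' is a generic section heading, so it would be worth confirming that no other script under html/cgi-bin references $Lang::tr{'advproxy privacy'} and noting that check in the commit message, since a leftover reference would render as an empty label.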