How can I make a browse template only accessible to a specific useragent and give a 403 denied or similar error msg to a non-permissible useragent?
You can leverage a conditional rewrite to achieve this.

    example.com {
        root /var/www/html
        browse
        rewrite {
            if {>User-Agent} not "some user agent"
            to /forbidden
        }
        status 403 /forbidden
    }

https://caddyserver.com/docs/rewrite
https://caddyserver.com/docs/placeholders
https://caddyserver.com/docs/status
Thank you so much, I used “not_has” for my purposes.
How would I account for versioning in a useragent? i.e. 12, 12.4, 16.X …
I would break the expected User-Agent string on any expected variant and individually test for the presence of each substring.
Since we’re effectively whitelisting, we use if_op OR, or we might accidentally let through a User-Agent that passes any one of our tests individually.
For example, with a Firefox-style UA: Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion

    rewrite {
        if_op OR
        if {>User-Agent} not_starts_with "Mozilla/5.0 ("
        if {>User-Agent} not_has "; rv:"
        if {>User-Agent} not_has ") Gecko/"
        if {>User-Agent} not_has " Firefox/"
        to /forbidden
    }

Alternately, use not_match with a regex string. This will be slower, especially if you’re testing all requests for this.

    rewrite {
        if {>User-Agent} not_match ^Mozilla\/.+\s\(.+;\srv:.+\)\sGecko\/.+\sFirefox\/.+$
        to /forbidden
    }

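A model of the two rewrite blocks above, written in Go (the language Caddy is written in) and added here as an illustration; it is not part of the original posts or of Caddy's own code. It evaluates the four negated substring tests under `if_op OR` and under the default AND, plus the `not_match` regex, over constructed User-Agent strings with different version numbers. The function names and sample strings are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// failed counts how many of the four negated tests from the rewrite block
// are true for ua, i.e. how many expected substrings are missing.
func failed(ua string) (n int) {
	for _, t := range []bool{
		!strings.HasPrefix(ua, "Mozilla/5.0 ("), // not_starts_with "Mozilla/5.0 ("
		!strings.Contains(ua, "; rv:"),          // not_has "; rv:"
		!strings.Contains(ua, ") Gecko/"),       // not_has ") Gecko/"
		!strings.Contains(ua, " Firefox/"),      // not_has " Firefox/"
	} {
		if t {
			n++
		}
	}
	return n
}

// forbiddenOR models if_op OR: rewrite to /forbidden if any substring is missing.
func forbiddenOR(ua string) bool { return failed(ua) > 0 }

// forbiddenAND models the default AND: rewrite only if every substring is missing.
func forbiddenAND(ua string) bool { return failed(ua) == 4 }

// The pattern from the not_match block; versions are covered by the .+ groups.
var firefoxRE = regexp.MustCompile(`^Mozilla\/.+\s\(.+;\srv:.+\)\sGecko\/.+\sFirefox\/.+$`)

// forbiddenRegex models not_match: rewrite when the pattern does not match.
func forbiddenRegex(ua string) bool { return !firefoxRE.MatchString(ua) }

func main() {
	samples := []string{ // constructed sample User-Agent strings
		"Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0",
		"Mozilla/5.0 (Windows NT 10.0; rv:16.4) Gecko/20100101 Firefox/16.4",
		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/100.0 Safari/537.36",
		"curl/7.68.0",
	}
	for _, ua := range samples {
		fmt.Printf("OR=%-5v AND=%-5v regex=%-5v %s\n", forbiddenOR(ua), forbiddenAND(ua), forbiddenRegex(ua), ua)
	}
}
```

The third sample starts with `Mozilla/5.0 (`, so under AND it is not rewritten even though the other three substrings are missing; under OR and under the regex it is sent to /forbidden.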
A user agent can easily be spoofed. There are popular plugins available to do so for Firefox or Chrome.
Such security can easily be circumvented by a tech-savvy user. Relative security may be limited.
A great point - this is not effective first-line security for a sensitive service. If it needs to be protected, secure it with some other authentication!
I’m aware of this and I’m using basic auth as well. I used a useragent switcher addon to test the implementation.