1

I have a Node.js web application running on a Docker container on a Red Hat server and I want to force my users to not use Internet Explorer to access my website. I deployed a Squid proxy and was able to block traffic coming from IE, but the problem with this solution is that I had to configure my browser to use the proxy, and I can't really force my users to configure a proxy on their computers, just like I cannot force them to use Firefox or Chrome.

Is there a way to block IE using simple tools like iptables or firewall-cmd?

dirtandfilth
  • Why do you want to block users with IE from communicating with your nodejs app? The best way is to add a message in your frontend in JavaScript instead. – jmaitrehenry May 27 '20 at 14:02
  • @jmaitrehenry my app is quite buggy when accessed from IE because it is not optimized. – dirtandfilth May 27 '20 at 14:18
  • Maybe this is similar to your approach with Squid but for nginx: [How to block a specific user agent in nginx config](https://stackoverflow.com/questions/22144092/how-to-block-a-specific-user-agent-in-nginx-config) – tgogos May 27 '20 at 14:24

2 Answers

1

If anyone is interested, this is how I worked around the issue using Squid proxy and iptables.

I configured Squid proxy to deny traffic coming from any browser except Firefox. Then I used iptables to redirect all incoming traffic destined for port 80 to the Squid proxy.

Squid Proxy config:

```
acl block_browser browser Firefox
http_access deny !block_browser
http_port 3128 intercept
```

iptables rules:

```
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128
```

dirtandfilth
0

No. Firewall tools like iptables can only block packets based on IP-level metadata (for example, refuse all connections except those apparently coming from a specific IP address range). The only identity you have for what browser a caller claims to be is the HTTP User-Agent: header, and processing that involves a tool that actually knows how to handle the HTTP protocol. A reverse proxy built with a standard HTTP server like Nginx or Apache in principle could accomplish this.

From a security point of view, this isn't especially reliable. A command-line client tool like curl can provide any User-Agent: header it likes; if you look at Mozilla's documentation for User-Agent: you'll notice that most popular browsers claim to be "Mozilla". MDN has an extended warning against checking this header value, which properly notes:

> It's worth re-iterating: it's very rarely a good idea to use user agent sniffing. You can almost always find a better, more broadly compatible way to solve your problem!

If you really can't work around this problem in any other way, the MDN Browser detection using the user agent page describes how to do it. It also has good reasons to not do it, and some typical workarounds.

David Maze
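Added example, not part of either answer: the same User-Agent check done at the HTTP layer inside the Node.js application, next to an approximation of the Firefox-only Squid rule from the first answer, so the effect of each policy on non-IE clients can be compared. All function names, the `app` handler and the sample header values are constructed for illustration; because the header is supplied by the client, this works as a compatibility notice and not as an access control.

```javascript
// "MSIE " appears in IE 10 and older, "Trident/" in IE 11.
const IE_TOKENS = /\bMSIE \d|\bTrident\//;

// Deny-list check: true only when the header claims to be Internet Explorer.
function isInternetExplorer(userAgent) {
  return typeof userAgent === 'string' && IE_TOKENS.test(userAgent);
}

// Approximation of the Squid rule `acl block_browser browser Firefox` with
// `http_access deny !block_browser`: everything not matching "Firefox" is denied.
function deniedByFirefoxOnlyRule(userAgent) {
  return !(typeof userAgent === 'string' && /Firefox/.test(userAgent));
}

// Handler with the (req, res) shape of Node's http module.
// Returns true when it answered the request itself.
function rejectInternetExplorer(req, res) {
  if (!isInternetExplorer(req.headers['user-agent'])) {
    return false; // not IE, or no header: let the application handle it
  }
  const body = 'This site does not support Internet Explorer.\n';
  res.writeHead(403, {
    'Content-Type': 'text/plain; charset=utf-8',
    'Content-Length': Buffer.byteLength(body),
    'Vary': 'User-Agent', // response depends on this request header
  });
  res.end(body);
  return true;
}

// Wiring, with `app` as a hypothetical existing request handler:
//   http.createServer((req, res) => rejectInternetExplorer(req, res) || app(req, res));

// Constructed sample header values.
const SAMPLES = {
  ie11: 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko',
  ie9: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  firefox: 'Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0',
  chrome: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36',
  curl: 'curl/7.61.1',
};

// Compare both policies over the samples: { name: { ie, deniedByFirefoxOnly } }
function comparePolicies(samples) {
  const out = {};
  for (const [name, ua] of Object.entries(samples)) {
    out[name] = { ie: isInternetExplorer(ua), deniedByFirefoxOnly: deniedByFirefoxOnlyRule(ua) };
  }
  return out;
}
```

Running `comparePolicies(SAMPLES)` shows that the Firefox-only rule also denies Chrome and curl, while the IE check lets every non-IE client through, including requests with no User-Agent header.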