match-browser
Applicable in all stage directives.
The match-browser SAF matches specific strings
in the User-Agent string supplied by the browser match-browser then modifies the behavior of the Sun Java
System Web Proxy Server based upon the results by setting values for
specified variables.
Syntax
stage fn="match-browser" browser="string" name="value" [name="value" ...]
Parameters
The following table describes the parameter values for the match-browser function.
Table 5–35
match-browser Parameter
Values
Value
|
Description
|
stage
|
Stage directive used in obj.conf processing
(NameTrans, PathCheck, and so
on). The match-browser function is applicable in
all stage directives.
|
string
|
Wildcard pattern to compare against the User-Agent header,
for example, "*Mozilla*".
|
name
|
Variable to be changed. The match-browser SAF
indirectly invokes the set-variable SAF.
For a list of valid variables, see set-variable.
|
value
|
New value for the specified variable.
|
Example
The following AuthTrans directive instructs
the Sun Java System Web Proxy Server to when the browser’s User-Agent header contains the string Broken or broken:
-
Not send the SSL3 and TLS close_notify packet
(see set-variable).
-
Not honor requests for HTTP Keep-Alive (see set-variable).
-
Use the HTTP/1.0 protocol rather than HTTP/1.1 (see set-variable).
AuthTrans fn="match-browser" browser="*[Bb]roken*" ssl-unclean-shutdown="true"
keep-alive="disabled" http-downgrade="1.0"
|
The following table describes the variables used in the example.
Table 5–36 Description of variables
Variable
|
Description
|
ssl-unclean-shutdown
|
Microsoft Internet Explorer (MSIE) handling of SSL version 3
(SSLv3) and Transport Layer Security (TLS) keep-alive connections
causes interoperability problems with non-Microsoft web servers such
as iPlanet Web Server. When accessing a web server over SSL (https://)
connections, Internet Explorer may display error messages or blank
pages. iPlanet Web Server 6.0 SP2 introduces new functionality to
work around this problem.
Add the following line immediately below the <object
name="default"> line in the server's obj.conf files:
AuthTrans fn="match-browser" browser="*MSIE*"
ssl-unclean-shutdown="true"
|
This line instructs the server not send a close_notify alert
when it closes SSLv3 connections from MSIE browsers. The close_notify packet is a required component of the SSLv3 and TLS specifications,
but it is misinterpreted by MSIE.
Note –
Instructing iPlanet Web Server not send the close_notify packet may make MSIE vulnerable to a truncation attack.
|
keep-alive
|
Microsoft Internet Explorer (MSIE) handling of SSL version 3
(SSLv3) and Transport Layer Security (TLS) keep-alive connections
causes interoperability problems with non-Microsoft web servers such
as iPlanet Web Server. When accessing a web server over SSL (https://)
connections, Internet Explorer may display error messages or blank
pages. iPlanet Web Server 6.0 SP2 introduces new functionality to
work around this problem.
Add the following line immediately below the <object
name="default"> line in the server's obj.conf files:
AuthTrans fn="match-browser" browser="*MSIE*" keep-alive="disabled"
|
This line instructs the server to disable keep-alive connections
for Internet Explorer browsers.
Note –
Disabling keep-alive connections may
decrease your server's performance.
|
http-downgrade
|
Use the following methods to downgrade the HTTP version to 1.0:
-
To downgrade requests for Microsoft Internet Explorer
to HTTP/1.0 version, add the following to the obj.conf file:
AuthTrans fn="match-browser" browser="*MSIE*" http-downgrade="1.0"
|
-
To downgrade all requests to HTTP/1.0 version, add
the following to the magnus.conf file:
|
See Also
set-variable