match-browser
Applicable in all stage directives.
The match-browser SAF matches specific strings in
the User-Agent string supplied by the browser match-browser then modifies the behavior of Proxy Server based upon the results
by setting values for specified variables.
Syntax
stage fn="match-browser" browser="string" name="value" [name="value" ...]
Parameters
The following table describes the parameter values for the match-browser function.
Table 5–35
match-browser Parameter
Values
|
Value
|
Description
|
|
stage
|
Stage directive used in obj.conf processing (NameTrans, PathCheck, and so on). The match-browser function
is applicable in all stage directives.
|
|
string
|
Wildcard pattern to compare against the User-Agent header,
for example, "*Mozilla*".
|
|
name
|
Variable to be changed. The match-browser SAF indirectly
invokes the set-variable SAF. For a list
of valid variables, see set-variable.
|
|
value
|
New value for the specified variable.
|
Example
The following AuthTrans directive instructs Proxy Server to
when the browser’s User-Agent header contains the
string Broken or broken:
-
Not send the SSL3 and TLS close_notify packet
(see set-variable).
-
Not honor requests for HTTP Keep-Alive (see set-variable).
-
Use the HTTP/1.0 protocol rather than HTTP/1.1 (see set-variable).
AuthTrans fn="match-browser" browser="*[Bb]roken*" ssl-unclean-shutdown="true"
keep-alive="disabled" http-downgrade="1.0"
|
The following table describes the variables used in the example.
Table 5–36 Description of variables
|
Variable
|
Description
|
|
ssl-unclean-shutdown
|
Microsoft Internet Explorer (MSIE) handling of SSL version 3 (SSLv3)
and Transport Layer Security (TLS) keep-alive connections
causes interoperability problems with non-Microsoft web servers such as iPlanet Web Server.
When accessing a web server over SSL (https://) connections, Internet Explorer
may display error messages or blank pages. iPlanet Web Server 6.0 SP2 introduces new
functionality to work around this problem.
Add the following line immediately below the <object name="default"> line in the server's obj.conf files:
AuthTrans fn="match-browser" browser="*MSIE*"
ssl-unclean-shutdown="true"
|
This line instructs the server not send a close_notify alert
when it closes SSLv3 connections from MSIE browsers. The close_notify packet
is a required component of the SSLv3 and TLS specifications, but it is misinterpreted
by MSIE.
Note –
Instructing iPlanet Web Server not send the close_notify packet
may make MSIE vulnerable to a truncation attack.
|
|
keep-alive
|
Microsoft Internet Explorer (MSIE) handling of SSL version 3 (SSLv3)
and Transport Layer Security (TLS) keep-alive connections
causes interoperability problems with non-Microsoft web servers such as iPlanet Web Server.
When accessing a web server over SSL (https://) connections, Internet Explorer
may display error messages or blank pages. iPlanet Web Server 6.0 SP2 introduces
new functionality to work around this problem.
Add the following line immediately below the <object name="default"> line in the server's obj.conf files:
AuthTrans fn="match-browser" browser="*MSIE*" keep-alive="disabled"
|
This line instructs the server to disable keep-alive connections
for Internet Explorer browsers.
Note –
Disabling keep-alive connections may decrease
your server's performance.
|
|
http-downgrade
|
Use the following methods to downgrade the HTTP version to 1.0:
-
To downgrade requests for Microsoft Internet Explorer to HTTP/1.0
version, add the following to the obj.conf file:
AuthTrans fn="match-browser" browser="*MSIE*" http-downgrade="1.0"
|
-
To downgrade all requests to HTTP/1.0 version, add the following
to the magnus.conf file:
|
See Also
set-variable
