Fixing Yleisradio (The Finnish Broadcasting Company) HTTP proxy Fail
Monday, March 23. 2015
When it comes to an unlimited supply of failures, one of my absolute favorites is YLE. Whatever they try, they seem to fail at it.
They have stumbled with their on-line service (Areena) a number of times. It took them years and years, but recently it has been at the level of a semi-decent service: no major failures, and it works even on iPad.
As they are having an uphill fight with piracy and with people not obeying the country limitations forced on them by distribution agreements, they did the only sensible thing anybody can do: if you're using an HTTP proxy, then you're out! The only natural ruling can be that anybody using a proxy is accessing their service from abroad.
The license of this radio show says that they will apply geo IP restrictions to it to limit the audience to Finland only ("Kuunneltavissa vain Suomessa"). It will result in a sorry-you're-not-in-Finland message ("Ohjelma ei ole kuunneltavissa ulkomailla") and a refusal to play. However, I am in Finland, so I should be allowed access to that.
These guys are known for their inability to think smart. It is impossible to know if somebody abroad is using a Finnish proxy or not. The only possible detection method is checking for the X-Forwarded-For HTTP header.
That should be an easy fix. Let's see:
# host areena.yle.fi
areena.yle.fi has address 91.229.138.2
areena.yle.fi has address 91.229.138.6
Whois information for their IP-block is:
% Information related to '91.229.138.0/23AS57066'
route: 91.229.138.0/23
descr: Yleisradio Oy
origin: AS57066
mnt-by: DATANET-NOC
source: RIPE # Filtered
Adding this to /etc/squid/squid.conf:
# Forwarded-for -stuff off for YLE
acl yle_areena dst 91.229.138.0/23
request_header_access X-Forwarded-For deny yle_areena
... and a restart will do the trick! Squid fully supports this kind of behavior with the acl and request_header_access directives. Now the YLE people are blissfully ignorant about whether you are using a proxy or not.
Update 24th Mar 2015 and 1st Jan 2016:
MTV's katsomo.fi has also gone for this stupidity. The fix is obviously:
acl mtv_katsomo dst 23.54.11.0/24 # Katsomo.fi (Akamai)
acl akamai dst 23.32.0.0/11 # Akamai
request_header_access X-Forwarded-For deny mtv_katsomo
request_header_access X-Forwarded-For deny akamai
Now they allow you to watch via proxy.
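
An added example, not part of the original post: a small Python audit of the directives above that reports which destination addresses get X-Forwarded-For stripped, and flags that the mtv_katsomo /24 already sits inside the akamai /11, so that rule removes the header for the whole /11 and not only for katsomo.fi. The function names are hypothetical, and the parser assumes only the two line shapes used in the post, not the full squid.conf grammar.

```python
import ipaddress

# The directives from the post, collected into one constructed sample.
SQUID_CONF = """\
# Forwarded-for -stuff off for YLE
acl yle_areena dst 91.229.138.0/23
request_header_access X-Forwarded-For deny yle_areena
acl mtv_katsomo dst 23.54.11.0/24 # Katsomo.fi (Akamai)
acl akamai dst 23.32.0.0/11 # Akamai
request_header_access X-Forwarded-For deny mtv_katsomo
request_header_access X-Forwarded-For deny akamai
"""


def parse_rules(conf, header="X-Forwarded-For"):
    """Return {acl_name: [networks]} for dst ACLs that deny `header`."""
    # Simplified (assumption): one dst ACL per deny rule, as in the post.
    acls, denied = {}, []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "dst":
            nets = [ipaddress.ip_network(f) for f in fields[3:]]
            acls.setdefault(fields[1], []).extend(nets)
        elif (len(fields) == 4 and fields[0] == "request_header_access"
              and fields[1].lower() == header.lower() and fields[2] == "deny"):
            denied.append(fields[3])
    return {name: acls[name] for name in denied if name in acls}


def stripping_acls(rules, dst_ip):
    """Names of the ACLs that make the proxy drop the header for dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    return [n for n, nets in rules.items() if any(ip in net for net in nets)]


def redundant_acls(rules):
    """ACLs whose every network is already covered by another ACL."""
    out = []
    for name, nets in rules.items():
        others = [n for o, ns in rules.items() if o != name for n in ns]
        if all(any(net.subnet_of(o) for o in others) for net in nets):
            out.append(name)
    return out


if __name__ == "__main__":
    rules = parse_rules(SQUID_CONF)
    print(stripping_acls(rules, "91.229.138.2"), redundant_acls(rules))
```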