Tim Bates wrote:
> Can someone tell me if it's possible to block "CONNECT" attempts that
> only specify an IP address (rather than a hostname)?
>
> I can see no legitimate reason to CONNECT to an IP, and I've just caught
> students using this method to bypass the filters.
>
> TB

Try the default Squid configuration of:

  acl SSL_Port port 443
  acl CONNECT method CONNECT
  http_access deny CONNECT !SSL_Port

That will deny any obviously non-https uses.

Beyond that, this is one of the rare cases where domain regex is useful,
having an ACL that tests for numeric-only domains.

NP: do note that Skype uses https CONNECT to raw IP numbers. If you want
Skype to work, handle CONNECT restrictions carefully.

Amos
Received on Fri Aug 03 2007 - 07:50:03 MDT
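
Added example, not part of the reply above and not Squid's shipped configuration: one way to write the numeric-only domain ACL the reply mentions, using Squid's dstdom_regex ACL type. The ACL names numeric_host and skype_clients and the 192.0.2.0/28 range are placeholders, and the pattern covers IPv4 literals only.

```conf
# Added example: ACL names and the client range below are placeholders.
acl SSL_Port port 443
acl CONNECT method CONNECT

# Matches when the requested host is nothing but a dotted-quad IPv4 address,
# e.g. "CONNECT 203.0.113.7:443". dstdom_regex tests the host part only,
# so the port is not part of the pattern.
acl numeric_host dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# Constructed range: machines that are permitted to run Skype, which
# (per the reply) uses CONNECT to raw IP numbers.
acl skype_clients src 192.0.2.0/28

# http_access rules are checked top to bottom and the first match wins,
# so both deny lines must appear before any rule that allows CONNECT.
http_access deny CONNECT !SSL_Port

# Deny CONNECT to a bare IP unless the client is in the exempt range.
# Exempt clients are not allowed here; they fall through to the
# remaining http_access rules and are still filtered by them.
http_access deny CONNECT numeric_host !skype_clients
```

Running `squid -k parse` after editing checks the file for syntax errors before the change is loaded with `squid -k reconfigure`.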