Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 04 Aug 2007 01:49:49 +1200

Tim Bates wrote:
> Can someone tell me if it's possible to block "CONNECT" attempts that
> only specify an IP address (rather than a hostname)?
>
> I can see no legitimate reason to CONNECT to an IP, and I've just caught
> students using this method to bypass the filters.
>
> TB

Try the default squid configuration of:

  acl SSL_Port port 443
  acl CONNECT method CONNECT
  http_access deny CONNECT !SSL_Port

that will deny any obviously non-https uses.

Beyond that, this is one of the rare cases where domain regex is useful,
having an ACL that tests for numeric-only domains.

NP: do note that Skype uses https CONNECT to raw IP numbers. If you want
Skype to work, handle CONNECT restrictions carefully.

Amos
Received on Fri Aug 03 2007 - 07:50:03 MDT
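
Added example, not part of the original message and not Squid's own code: before enforcing a numeric-only-host ACL, an administrator can audit access.log to see which clients already CONNECT to raw IPs and would be affected (Skype users included). The regex, the sample log lines (including the bracketed IPv6 form) and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed pattern for a "numeric-only" host: dotted-quad IPv4 or bracketed IPv6.
NUMERIC_HOST = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\[[0-9a-fA-F:.]+\])$")

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1186148989.101 120 10.1.2.15 TCP_MISS/200 3920 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1186148990.412 95310 10.1.2.15 TCP_MISS/200 88211 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1186148991.007 45 10.1.2.22 TCP_MISS/200 512 GET http://203.0.113.5/index.html - DIRECT/203.0.113.5 text/html
1186148992.650 7011 10.1.2.40 TCP_MISS/200 10422 CONNECT [2001:db8::1]:443 - DIRECT/2001:db8::1 -
1186148993.300 80 10.1.2.40 TCP_DENIED/403 1400 CONNECT 198.51.100.7:8080 - NONE/- text/html
1186148994.120 60 10.1.2.22 TCP_MISS/200 900 CONNECT 123.example.net:443 - DIRECT/192.0.2.44 -
"""

def is_ip_literal(host):
    """True when host matches the pattern and really parses as an IP address."""
    if not NUMERIC_HOST.match(host):
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return True

def connect_to_ip(log_text):
    """Return (client, host, port, result) for each CONNECT aimed at an IP."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, _, port = fields[6].rpartition(":")  # keeps IPv6 brackets on host
        if is_ip_literal(host):
            hits.append((fields[2], host, port, fields[3]))
    return hits

def per_client(hits):
    """Count CONNECT-to-IP requests per client address."""
    return Counter(hit[0] for hit in hits)

if __name__ == "__main__":
    for hit in connect_to_ip(SAMPLE_LOG):
        print(*hit)
    print(dict(per_client(connect_to_ip(SAMPLE_LOG))))
```

Hostnames that merely start with digits (such as `123.example.net`) are not flagged, and a dotted string that is not a valid address (such as `999.1.1.1`) is rejected by the `ipaddress` check even though the regex matches it.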
