How about:
 acl SSL_Port port 443
 acl CONNECT method CONNECT
 # /etc/squid/good-connect-ip-addresses is one IP address per line.
 # "dst" is the ACL type for IP addresses; "dstdomain" expects hostnames.
 acl allowed-CONNECT dst "/etc/squid/good-connect-ip-addresses"
 # One or the other, not sure which and I haven't tested it yet.
 acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
 acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
 # One or more of these three, again, I haven't tested yet.
 # Note: the second deny line matches every numeric IP before the third
 # line can exempt any, so use the third line alone if exclusions are wanted.
 http_access deny CONNECT !SSL_Port
 http_access deny CONNECT numeric_IPs
 http_access deny CONNECT numeric_IPs !allowed-CONNECT
The goal is to:
1. Prevent CONNECT to non-SSL ports.
2. Block CONNECT requests to IP addresses, as opposed to FQDNs.
3. Allow a way to place exclusions to the IP blocks just in case there is a legit need.
Please feel free to correct or comment anything I've stated above.
.vp
>From: Amos Jeffries <squid3@treenet.co.nz>
>To: Squid <squid-users@squid-cache.org>
>Tim Bates wrote:
>>Can someone tell me if it's possible to block "CONNECT" attempts that only
>>specify an IP address (rather than a hostname)?
>>
>>I can see no legitimate reason to CONNECT to an IP, and I've just caught
>>students using this method to bypass the filters.
>>
>>TB
>
>Try the default squid configuration of:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_Port
>
>that will deny any obviously non-https uses.
>
>Beyond that this is one of the rare cases where domain regex is useful,
>having an ACL that tests for numeric-only domains.
>
>NP: do note that skype uses https CONNECT to raw IP numbers. If you want
>skype to work handle CONNECT restrictions carefully.
>
>Amos
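Added example, not from the thread: a small Python model of how Squid walks the proposed http_access lines (first line whose ACLs all match decides, "!" negates). It assumes a trailing "http_access allow" catch-all and a constructed exception list, and shows that with all three deny lines active the exclusion file never takes effect.

```python
import re

# Mirrors the ACLs in the posted config; this is a model, not Squid itself.
NUMERIC_HOST = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")
ALLOWED_CONNECT_IPS = {"192.0.2.10"}  # constructed stand-in for good-connect-ip-addresses

def acl_results(method, host, port):
    """Evaluate each named ACL for one request (host:port as seen in CONNECT)."""
    return {
        "SSL_Port": port == 443,
        "CONNECT": method == "CONNECT",
        "numeric_IPs": bool(NUMERIC_HOST.match(host)),
        "allowed-CONNECT": host in ALLOWED_CONNECT_IPS,  # the "dst" IP-list ACL
    }

def http_access(rules, method, host, port):
    """First rule whose ACLs all match decides; '!' negates an ACL.
    Assumes a final 'http_access allow' catch-all (not in the post)."""
    acls = acl_results(method, host, port)
    for action, names in rules:
        if all(not acls[n[1:]] if n.startswith("!") else acls[n] for n in names):
            return action
    return "allow"

# The three deny lines exactly as listed in the post.
ALL_THREE = [
    ("deny", ["CONNECT", "!SSL_Port"]),
    ("deny", ["CONNECT", "numeric_IPs"]),
    ("deny", ["CONNECT", "numeric_IPs", "!allowed-CONNECT"]),
]
# Only the first and third lines, so the exception list can take effect.
WITH_EXCEPTION = [
    ("deny", ["CONNECT", "!SSL_Port"]),
    ("deny", ["CONNECT", "numeric_IPs", "!allowed-CONNECT"]),
]

def decisions(rules):
    """Decisions for a constructed set of CONNECT requests, keyed by host:port."""
    samples = [("CONNECT", "example.com", 443), ("CONNECT", "example.com", 80),
               ("CONNECT", "198.51.100.5", 443), ("CONNECT", "192.0.2.10", 443)]
    return {f"{h}:{p}": http_access(rules, m, h, p) for m, h, p in samples}

if __name__ == "__main__":
    for name, rules in (("all three", ALL_THREE), ("with exception", WITH_EXCEPTION)):
        print(name, decisions(rules))
```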
Received on Mon Aug 06 2007 - 07:51:47 MDT