RE: [squid-users] Blocking proxies

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 9 Aug 2007 10:13:24 +1200 (NZST)

> How will going through squid prevent the users from connecting to an
> outside proxy in order to avoid being blocked?

Most normal web anon proxy connections are standard HTTP requests; these,
if redirected to the local proxy, can be processed by its ACLs.

There's no magic bullet for everything. But it gives the squid admin a
much better chance of catching unwanted links based on HTTP (L3)
information than a raw TCP (L2) connection and firewall would.

Wholesale blocking of "CONNECT example.com:25", for example, will only work
if the requests are passed to squid or similar for the processing.

Amos

>
> Please clarify.
>
> Thank you for responding.
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Tuesday, August 07, 2007 8:18 PM
> To: Thomas Raef
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] Blocking proxies
>
>>> -----Original Message-----
>>> From: Peter Albrecht [mailto:peter.albrecht@novell.com]
>>> Sent: Tuesday, August 07, 2007 10:04 AM
>>> To: squid-users@squid-cache.org
>>> Subject: Re: [squid-users] Blocking proxies
>>>
>>> Hi Thomas,
>>>
>>> On Tuesday 07 August 2007 15:41, Thomas Raef wrote:
>>> > How can we block open proxy use?
>>> >
>>> > Either transparent or non-transparent. We looked at using l7-filter but
>>> > there must be an acl or some config option to block users from accessing
>>> > outside proxy servers. We have a school in need of this.
>>>
>>> What do you want to block?
>>>
>>> 1) Users from the school accessing another proxy somewhere? Then you need
>>> to block all http/https requests on your router. I.e., every connection
>>> that does not come from your proxy needs to be blocked.
>> [Tom replied with:]
>> I am detecting all http/https connections with l7-filter and
>> forcing the use of the squid box. Will that block access to all
>> anonymous proxies?
>>
>> Do I need to use:
>>
>> header_access X-Forwarded-For deny all
>
> Proxies that provide/send X-Forwarded-For are by definition NOT
> anonymous.
> There is no way you can detect proper anon proxies without a specific
> test.
>
> To properly block access to them all you will need a full list. Which is
> impossible to create and very hard to maintain.
>
>> Or some other such acl?
>
> It sounds more like you want to use an ACL that prevents abuse of the
> CONNECT method, which is used to make your proxy connect to some other
> service as a tunnel. It's useful for https, but often abused.
>
> You say you are already redirecting outbound port 80, 81, and 8080
> requests to your own squid? That should cover anyone trying to bypass
> you.
>
>
> Amos
Received on Wed Aug 08 2007 - 16:13:27 MDT
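Added example (not part of this thread and not Squid's own documentation): a squid.conf fragment covering the two controls Amos points at above, refusing CONNECT to anything but 443 and refusing requests to ports where outside proxies usually listen, plus the X-Forwarded-For line Tom asked about. Directive spellings follow Squid 2.6/3.0; the local network range and the port list are assumed values chosen for illustration.

```conf
# Added example for the school case discussed in this thread; not Amos's
# configuration and not from the Squid project. Assumes Squid 2.6/3.0
# directive names. Port list and local network range are illustrative.

# Ports an ordinary client may reach through the proxy. Squid's stock
# default also lists 1025-65535; that range is deliberately left out so
# that outside proxies on high ports (3128, 8080, 8118, ...) are refused
# by the "deny !Safe_ports" rule below.
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Assumed local network of the school.
acl localnet src 10.0.0.0/8

# Deny rules first. These are what stop "CONNECT example.com:25" and
# "CONNECT other-proxy.example:8080" once the request is inside Squid.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Strip any X-Forwarded-For the client sends and do not add our own, so
# internal addresses are not disclosed to upstream sites. This is an
# outbound privacy setting only; as Amos says, it does not detect or
# block outside proxies. Squid 2.x spells the directive "header_access":
#   header_access X-Forwarded-For deny all
# Squid 3.x spelling:
request_header_access X-Forwarded-For deny all
forwarded_for off
```

Everything above only applies to requests the firewall actually hands to Squid. A client that reaches an outside proxy on a port that is not redirected, or that tunnels to it over 443 while only 80, 81 and 8080 are intercepted, never presents Squid with a request to evaluate; that is the "no magic bullet" caveat in Amos's reply.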

This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT