Re: [squid-users] Controlling all HTTP traffic

From: Henrik K <hege_at_hege.li>
Date: Sun, 12 Oct 2008 13:05:51 +0300

On Sun, Oct 12, 2008 at 12:31:45PM +0300, Ali Hardogan wrote:
> Hello,
>
> What is the best way to have full control over HTTP traffic that goes
> through a Squid-enabled firewall?

Don't allow outside connections from clients, and don't use transparent
proxying. Force users to configure the proxy in their browsers.

> On the firewall, we intercept TCP traffic destined to ports 80, 3128,
> and 8080 and redirect them to the local Squid port, and they get
> filtered.
>
> But HTTP traffic is not limited to use those ports. Especially in case
> the PCs behind the firewall are using HTTP-based proxies, depending on
> the ports used by the proxies on the Internet they may escape the
> Squid filtering (e.g., say they are using port 45001).

What is your goal with "full HTTP control"? If your clients are allowed to
connect to any port anywhere they want, I guess it's not security (though
your wanting to stop proxies would suggest it). Also, they can simply use SSL
or the like to escape any filtering.

> How can we make sure "any HTTP traffic -- irrespective of the TCP
> destination port number" that goes through the firewall gets filtered
> by the Squid?

Depending on your OS/firewall, you may have the ability to search packets for
HTTP traffic. But it is intensive, not foolproof, and an unnecessary kludge.

Received on Sun Oct 12 2008 - 10:06:00 MDT
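As an added illustration (not part of Henrik's reply, and not Squid or firewall code), the following Python model evaluates a handful of constructed client flows against the three policies the thread discusses: the original port-based NAT redirect, the explicit-proxy-only egress policy Henrik recommends, and port-agnostic payload inspection. The proxy address, ports, and payload bytes are assumptions chosen for the example; it shows why a client-side HTTP proxy on port 45001 escapes the redirect, why it cannot escape a default-deny egress policy, and where payload inspection fails (TLS, segmented requests).

```python
"""Constructed model of three egress policies for a Squid-enabled firewall.

A Flow is one client TCP connection leaving the LAN: destination IP,
destination port, and the first segment of payload the client sends.
Each policy returns one of:
  "filtered" - the connection reaches Squid and is subject to its ACLs
  "direct"   - the connection leaves the firewall unfiltered
  "dropped"  - the firewall refuses the connection
"""
from dataclasses import dataclass

PROXY_IP = "192.168.1.1"    # assumed LAN address of the Squid-enabled firewall
PROXY_PORT = 3128           # Squid's default listening port
INTERCEPT_PORTS = {80, 3128, 8080}   # the ports the original setup redirects


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes          # first segment sent by the client


# Constructed sample flows, not captured traffic.
FLOWS = {
    # plain browsing to a web server on port 80
    "web": Flow("203.0.113.10", 80,
                b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # browser configured to use an Internet proxy on a non-standard port
    "alt_proxy": Flow("203.0.113.20", 45001,
                      b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # TLS ClientHello record header: content type 0x16, version 3.1, handshake type 1
    "tls": Flow("203.0.113.30", 443,
                b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # same proxy as alt_proxy, but the request method is split across segments
    "split": Flow("203.0.113.20", 45001, b"GE"),
    # browser explicitly configured to use the local Squid
    "explicit": Flow(PROXY_IP, PROXY_PORT,
                     b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
}


def is_local_proxy(flow: Flow) -> bool:
    return flow.dst_ip == PROXY_IP and flow.dst_port == PROXY_PORT


def port_redirect_policy(flow: Flow) -> str:
    """The original setup: NAT-redirect a few well-known ports to Squid,
    let everything else out directly."""
    if flow.dst_port in INTERCEPT_PORTS or is_local_proxy(flow):
        return "filtered"
    return "direct"


def explicit_proxy_policy(flow: Flow) -> str:
    """Henrik's advice: no transparent interception and no direct egress from
    clients; the only reachable destination is the local Squid, so browsers
    must be configured to use it."""
    if is_local_proxy(flow):
        return "filtered"
    return "dropped"


# Request-line prefixes a naive content matcher would look for.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def looks_like_http(payload: bytes) -> bool:
    """Port-agnostic heuristic: does the first segment start with an HTTP
    request line? Operates on a single segment, so it sees only what the
    client put in its first packet."""
    return payload.startswith(HTTP_METHODS)


def payload_inspection_policy(flow: Flow) -> str:
    """The 'search packets for HTTP' kludge: redirect anything whose first
    segment looks like HTTP, regardless of port."""
    if is_local_proxy(flow) or looks_like_http(flow.payload):
        return "filtered"
    return "direct"


def evaluate(policy) -> dict:
    """Apply one policy to every sample flow; returns {flow name: verdict}."""
    return {name: policy(flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for policy in (port_redirect_policy, explicit_proxy_policy,
                   payload_inspection_policy):
        print(policy.__name__)
        for name, verdict in evaluate(policy).items():
            print(f"  {name:10} -> {verdict}")
```

Running the block prints one table per policy. The port redirect leaves `alt_proxy`, `split` and `tls` as `direct`; the explicit-proxy policy drops every flow except the one addressed to Squid itself (plain port-80 browsing included, which is why users must configure the proxy); payload inspection catches `alt_proxy` but still passes the TLS handshake and the request whose method arrived in a second segment, which is the "not foolproof" part of the reply.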