Re: [squid-users] Detecting and blocking child proxy servers

From: Tek Bahadur Limbu <[email protected]>
Date: Thu, 26 Jul 2007 13:16:34 +0545

Juraj Sakala wrote:
> On Wednesday 25 July 2007 14:42, Tek Bahadur Limbu wrote:
>> Juraj Sakala wrote:
>>> On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
>>>> Is this possible? In other words, I want my proxy servers to detect
>>>> squid or other proxy severs which are being used or operated by others
>>>> besides me.
>>> May it is bepossible:
>>> - if you know your network you can use header x_forwarded_for to detect
>>> unknown networks.
>>> - if you wont to allow only your proxy servers use http_access directive
>>> with acl which contains only your proxy's
>>> - try something like this:
>>> acl myproxy req_header Via MyProxy
>>> http_access allow myproxy
>>> http_access deny all
>>> - use authentication
>> Hi Juraj,
>>
>> Thanks for sharing your tips.
>>
>> Suppose I have the following:
>>
>> acl myproxy req_header Via 192.168.100.0/24
>> http_access allow myproxy
>> http_access deny all
>
> It was only tip. I am not sure, but i think squid puts in this header his
> visible hostname and port in format 1.1 <vysible_hostname>:<port>. So if
> someone use Squid in default configuration you can block it easily. But it
> is true, that headers are easily spoofable
>
>> Now if I use this, my normal clients (192.168.101.0/24) won't be able to
>> access my proxy server right?
>
> There is question if normal client sends Via header in request, I am sure that
> not.
>
> So we need acl that permits requists from our proxy's with correct Via header
> or clients with no header and denies all other requests.
>
> It will be hard, maybe external acl will be useful.
>
>
>

Hi Juraj,

Thanks once again for sharing light on this. Do you have any examples
where I can use req_header to detect if my clients have their own proxy
servers?

Any clue, web links or posts will highly be appreciated.

Also is req_header the only option whereby we can detect child proxies?
Or do we also have other options for detecting child proxies?

I googled and found the Follow X-Forwarded-For headers (follow_xff) tag.
Do you have any ideas regarding this?

Thanking you...

-- 
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
Received on Thu Jul 26 2007 - 01:32:12 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT