Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?

From: Amos Jeffries <[email protected]>
Date: Tue, 7 Aug 2007 15:06:56 +1200 (NZST)

>
> How about:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
>
> # /etc/squid/good-connect-ip-addresses is one IP address per line.
> acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
>
> # One or the other, not sure which and I haven't tested it yet.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> # One or more of these three, again, I haven't tested yet.
> http_access deny CONNECT !SSL_Port
> http_access deny CONNECT numeric_IPs
> http_access deny CONNECT numeric_IPs !allowed-CONNECT

The bypass permission needs to be allow and ahead of the global deny.
Like so:

http_access allow CONNECT numeric_IPs allowed-CONNECT
http_access deny CONNECT numeric_IPs

>
>
> The goal is to:
>
> 1. Prevent CONNECT to non-SSL ports.
> 2. Block to IP addresses which use CONNECT vs. FQDN.
> 3. Allow a way to place exclusions to the IP blocks just in case there is
> a
> legit need.
>
> Please feel free to correct or comment anything I've stated above.
>
> .vp
>
>>From: Amos Jeffries <squid3@treenet.co.nz>
>>To: Squid <squid-users@squid-cache.org>
>
>>Tim Bates wrote:
>>>Can someone tell me if it's possible to block "CONNECT" attempts that
>>> only
>>>specify an IP address (rather than a hostname)?
>>>
>>>I can see no legitimate reason to CONNECT to an IP, and I've just caught
>>>students using this method to bypass the filters.
>>>
>>>TB
>>
>>Try the default squid configuration of:
>>
>> acl SSL_Port port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_Port
>>
>>that will deny any obviously non-https uses.
>>
>>Beyond that this is one of the rare cases here domain regex is useful,
>>having an ACL that tests for numeric-only domains.
>>
>>NP: do note that skype uses https CONNECT to raw IP numbers. If you want
>>skype to work handle CONNECT restrictions carefully.
>>
>>Amos
>
>
>
Received on Mon Aug 06 2007 - 21:07:00 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT