RE: [squid-users] Blocking proxies

From: Thomas Raef <[email protected]>
Date: Wed, 8 Aug 2007 16:03:11 -0500

How will going through squid prevent the users from connecting to an
outside proxy in order to avoid being blocked?

Please clarify.

Thank you for responding.

-----Original Message-----
From: Amos Jeffries [mailto:squid3@treenet.co.nz]
Sent: Tuesday, August 07, 2007 8:18 PM
To: Thomas Raef
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Blocking proxies

>> -----Original Message-----
>> From: Peter Albrecht [mailto:peter.albrecht@novell.com]
>> Sent: Tuesday, August 07, 2007 10:04 AM
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Blocking proxies
>>
>> Hi Thomas,
>>
>> On Tuesday 07 August 2007 15:41, Thomas Raef wrote:
>> > How can we block open proxy use?
>> >
>> > Either transparent or non-transparent. We looked at using l7-filter but
>> > there must be an acl or some config option to block users from accessing
>> > outside proxy servers. We have a school in need of this.
>>
>> What do you want to block?
>>
>> 1) Users from the school accessing another proxy somewhere? Then you need
>> to block all http/https requests on your router. I.e., every connection
>> that does not come from your proxy needs to be blocked.
> [Tom replied with:]
> I am detecting all http/https connections with l7-filter and
> forcing the use of the squid box. Will that block access to all
> anonymous proxies?
>
> Do I need to use:
>
> header_access X-Forwarded-For deny all

Proxies that provide/send X-Forwarded-For are by definition NOT anonymous.
There is no way you can detect proper anon proxies without a specific test.

To properly block access to them all you will need a full list. Which is
impossible to create and very hard to maintain.

> Or some other such acl?

It sounds more like you want to use an ACL that prevents abuse of the
CONNECT method. Used to make your proxy connect to some other service as
a tunnel. It's useful for https, but often abused.

You say you are already redirecting outbound port 80, 81, and 8080
requests to your own squid? That should cover anyone trying to bypass you.

Amos
Received on Wed Aug 08 2007 - 15:03:26 MDT
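
The reply above singles out abuse of the CONNECT method as the thing to control. As an added example (not part of the original thread and not Squid project code), this Python script scans Squid native-format access.log lines and reports, per client, CONNECT tunnels to ports other than 443. The log lines, the allowed-port set and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1186606991.123    240 10.1.2.15 TCP_MISS/200 5120 CONNECT mail.example.org:443 - DIRECT/192.0.2.10 -
1186606992.456  90210 10.1.2.33 TCP_MISS/200 88231 CONNECT proxy.example.net:8080 - DIRECT/192.0.2.77 -
1186606993.789     12 10.1.2.15 TCP_HIT/200 1432 GET http://www.example.com/index.html - NONE/- text/html
1186606994.012      3 10.1.2.33 TCP_DENIED/403 1510 CONNECT proxy.example.net:3128 - NONE/- text/html
1186606995.345  45100 10.1.2.33 TCP_MISS/200 40112 CONNECT 192.0.2.77:80 - DIRECT/192.0.2.77 -
"""

ALLOWED_CONNECT_PORTS = {443}  # assumption: only HTTPS tunnels are legitimate here

# timestamp, elapsed ms, client, action/status, bytes, method, URL (rest ignored)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_connect_target(url):
    """Split a CONNECT authority ('host:port' or '[v6]:port') into (host, port)."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None  # not a host:port authority, e.g. a full http:// URL
    return host.strip("[]"), int(port)

def find_suspect_tunnels(log_text, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return {client: [(host, port, action), ...]} for CONNECTs to non-allowed ports."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        target = parse_connect_target(m["url"])
        if target is None:
            continue
        host, port = target
        if port not in allowed_ports:
            # Keep the action so allowed (TCP_MISS) and denied tunnels can be told apart.
            suspects[m["client"]].append((host, port, m["action"]))
    return dict(suspects)

if __name__ == "__main__":
    for client, hits in find_suspect_tunnels(SAMPLE_LOG).items():
        for host, port, action in hits:
            print(f"{client} CONNECT {host}:{port} ({action})")
```

Entries logged as TCP_MISS/200 are tunnels the proxy actually opened, which is where a CONNECT ACL is missing or too loose; TCP_DENIED entries show the ACL working.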
