Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?

From: Tim Bates <tin@dont-contact.us>
Date: Tue, 07 Aug 2007 09:44:47 +1000

That's pretty similar to what I went with.
I ended up coming across a post on this list with similar goals, and
used the suggested regex from there.

TB

Vadim Pushkin wrote:
>
> How about:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
>
> # /etc/squid/good-connect-ip-addresses is one IP address per line.
> acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
>
> # One or the other, not sure which and I haven't tested it yet.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> # One or more of these three, again, I haven't tested yet.
> http_access deny CONNECT !SSL_Port
> http_access deny CONNECT numeric_IPs
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
>
> The goal is to:
>
> 1. Prevent CONNECT to non-SSL ports.
> 2. Block to IP addresses which use CONNECT vs. FQDN.
> 3. Allow a way to place exclusions to the IP blocks just in case
> there is a legit need.
>
> Please feel free to correct or comment anything I've stated above.
>
> .vp
>
>> From: Amos Jeffries <squid3@treenet.co.nz>
>> To: Squid <squid-users@squid-cache.org>
>
>> Tim Bates wrote:
>>> Can someone tell me if it's possible to block "CONNECT" attempts
>>> that only specify an IP address (rather than a hostname)?
>>>
>>> I can see no legitimate reason to CONNECT to an IP, and I've just
>>> caught students using this method to bypass the filters.
>>>
>>> TB
>>
>> Try the default squid configuration of:
>>
>> acl SSL_Port port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_Port
>>
>> that will deny any obviously non-https uses.
>>
>> Beyond that this is one of the rare cases where domain regex is
>> useful, having an ACL that tests for numeric-only domains.
>>
>> NP: do note that skype uses https CONNECT to raw IP numbers. If you
>> want skype to work handle CONNECT restrictions carefully.
>>
>> Amos
>
>
>
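The rules proposed in the thread, worked through as an added example (this is not code from the thread or from Squid itself): a small Python model of a CONNECT target passing through rules 1 and 3 of Vadim's list (rule 2 is left out because Squid's `http_access` stops at the first match, so "deny CONNECT numeric_IPs" would fire before the `!allowed-CONNECT` exception is ever reached), plus a check of what the untested `^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+` pattern would see. The allow list is a constructed stand-in for `/etc/squid/good-connect-ip-addresses`, and `parse_connect_target`, `is_ip_literal` and `evaluate` are names chosen here, not Squid ACL names.

```python
import ipaddress
import re

# The (untested) pattern from Vadim's message. It is a prefix match only and
# has no notion of IPv6 literals, which ipaddress.ip_address() below does cover.
NUMERIC_IP_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Constructed stand-in for /etc/squid/good-connect-ip-addresses (one IP per line).
ALLOWED_CONNECT_IPS = {"203.0.113.10"}

SSL_PORT = 443  # acl SSL_Port port 443


def parse_connect_target(target):
    """Split a CONNECT request target ('host:port'; IPv6 written as '[addr]:port')."""
    host, sep, port = target.rpartition(":")
    if not sep:
        raise ValueError("CONNECT target must be host:port")
    return host.strip("[]"), int(port)


def is_ip_literal(host):
    """True when the host part is any IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(target, allowed=ALLOWED_CONNECT_IPS):
    """First-match walk over the modelled http_access lines; returns (verdict, rule)."""
    host, port = parse_connect_target(target)
    if port != SSL_PORT:                       # http_access deny CONNECT !SSL_Port
        return "deny", "CONNECT !SSL_Port"
    if is_ip_literal(host) and host not in allowed:
        return "deny", "CONNECT numeric_IPs !allowed-CONNECT"
    return "allow", "default"                  # nothing denied it


def regex_matches(target):
    """Would the thread's url_regex pattern match this CONNECT target as written?"""
    return NUMERIC_IP_RE.search(target) is not None


if __name__ == "__main__":
    for t in ["203.0.113.10:443", "198.51.100.7:443", "198.51.100.7:8080",
              "www.example.com:443", "[2001:db8::1]:443"]:
        print(t, evaluate(t), "regex hit" if regex_matches(t) else "regex miss")
```

Running it shows the allow-listed address passing, an unlisted IPv4 literal and an IPv6 literal both denied by the modelled rule, and the regex alone hitting only the dotted-quad form, which is the gap a dstdomain or address-aware check should close.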
Received on Mon Aug 06 2007 - 17:44:56 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT