RE: [squid-users] Blocking proxies

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 8 Aug 2007 13:17:33 +1200 (NZST)

>> -----Original Message-----
>> From: Peter Albrecht [mailto:peter.albrecht@novell.com]
>> Sent: Tuesday, August 07, 2007 10:04 AM
>> To: squid-users@squid-cache.org
>> Subject: Re: [squid-users] Blocking proxies
>>
>> Hi Thomas,
>>
>> On Tuesday 07 August 2007 15:41, Thomas Raef wrote:
>> > How can we block open proxy use?
>> >
>> > Either transparent or non-transparent. We looked at using l7-filter but
>> > there must be an acl or some config option to block users from accessing
>> > outside proxy servers. We have a school in need of this.
>>
>> What do you want to block?
>>
>> 1) Users from the school accessing another proxy somewhere? Then you need
>> to block all http/https requests on your router. I.e., every connection
>> that does not come from your proxy needs to be blocked.
> [Tom replied with:]
> I am detecting all http/https connections with l7-filter and
> forcing the use of the squid box. Will that block access to all
> anonymous proxies?
>
> Do I need to use:
>
> header_access X-Forwarded-For deny all

Proxies that provide/send X-Forwarded-For are by definition NOT anonymous.
There is no way you can detect proper anon proxies without a specific test.

To properly block access to them all you will need a full list. Which is
impossible to create and very hard to maintain.

> Or some other such acl?

It sounds more like you want to use an ACL that prevents abuse of the
CONNECT method. Used to make your proxy connect to some other service as a
tunnel. It's useful for https, but often abused.

You say you are already redirecting outbound port 80, 81, and 8080
requests to your own squid? That should cover anyone trying to bypass you.

Amos
Received on Tue Aug 07 2007 - 19:17:36 MDT
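
An ACL of the kind described above for the CONNECT method, as an added squid.conf example that is not part of the original message. The `localnet` address range is a placeholder assumption, and the commented-out rule shows the weak setting for contrast.

```conf
# --- Weak: any client may CONNECT to any host:port, so the proxy can be
# --- used as a generic TCP tunnel to other services.
# acl CONNECT method CONNECT
# http_access allow CONNECT

# --- Corrected: CONNECT is only accepted for the HTTPS port.
acl localnet src 192.168.0.0/16    # assumed school client range (placeholder)
acl SSL_ports port 443             # only port CONNECT may tunnel to
acl Safe_ports port 80             # http
acl Safe_ports port 443            # https
acl CONNECT method CONNECT

# http_access rules are checked top to bottom; the first match decides,
# so the deny rules must come before the allow rule.
http_access deny !Safe_ports           # refuse requests to any other port
http_access deny CONNECT !SSL_ports    # refuse tunnels to non-HTTPS ports
http_access deny !localnet             # refuse clients outside the school LAN
http_access allow localnet
```

These rules restrict the port a tunnel may reach, not the destination host, so they sit alongside the router rule that forces all web traffic through the Squid box.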
