Re: [squid-users] Controlling all HTTP traffic

From: Ali Hardogan <alihardogan_at_gmail.com>
Date: Mon, 13 Oct 2008 01:40:06 +0300

Hello,

Thank you for the response.

>> What is the best way to have full control over HTTP traffic that goes
>> through a Squid-enabled firewall?
>
> Don't allow outside connections from clients, don't use transparent. Force
> users to configure proxy in browser.

I have some constraints:

I cannot use a non-transparent proxy, as I cannot modify every client.
I also shall not filter any traffic other than HTTP. Having an
intentional or accidental impact on any other traffic is not
acceptable.

>> On the firewall, we intercept TCP traffic destined to ports 80, 3128,
>> and 8080 and redirect them to the local Squid port, and they get
>> filtered.
>>
>> But HTTP traffic is not limited to use those ports. Especially in case
>> the PCs behind the firewall are using HTTP-based proxies, depending on
>> the ports used by the proxies on the Internet they may escape the
>> Squid filtering (e.g., say they are using port 45001).
>
> What is your goal with "full HTTP control"? If your clients are allowed to
> connect to any port anywhere they want, I guess it's not security (though
> you wanting to stop proxies would suggest it). Also they can simply use SSL
> or such to escape any filtering.

Under the aforementioned constraints, SSL traffic cannot be inspected
for URL filtering. I can only block known IP addresses by the
firewall. That's somewhat acceptable for me.

But if someone is using a simple HTTP proxy, I should be able to catch
that. Such traffic appears as "clear-text" HTTP. The difficulty is that
the destination port can be anything.

>> How can we make sure "any HTTP traffic -- irrespective of the TCP
>> destination port number" that goes through the firewall gets filtered
>> by the Squid?
>
> Depending on your OS/firewall, you may have the ability to search packets for
> HTTP traffic. But it is intensive, not foolproof, and an unnecessary kludge.

Right. And I cannot use Squid for that. Instead, I need to rely on
another instance of the blacklist, enforced by the OS/firewall.

...

Another approach could be to direct all port 80/3128/8080 TCP
connections to Squid, and drop any packet that carries an HTTP
payload on any other port. This approach relies on the assumption
that the only HTTP traffic using one of those other ports is an
HTTP proxy that is trying to "evade" the filter. How valid would this
assumption be?
Received on Sun Oct 12 2008 - 22:40:09 MDT
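The "redirect the known ports, drop HTTP-looking payloads everywhere else" policy from the last paragraph of the message above, modelled as an added example (this is not code from the thread, from Squid, or from any firewall product). It applies the decision the way a per-packet netfilter string match would see it, one TCP segment at a time, and then again over the reassembled client-to-server stream, on a handful of constructed flows. The port numbers, hostnames and payload bytes are made up for illustration, and `REDIRECT`/`DROP`/`ACCEPT` are just labels for the three outcomes.

```python
import re

# Ports the firewall in the thread already redirects to Squid.
REDIRECT_PORTS = {80, 3128, 8080}

# Request line of an HTTP/1.x request, anchored at the start of a payload.
# A per-packet string match sees no more than this: the bytes of one segment.
_METHODS = b"GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT"
_REQUEST_LINE = re.compile(rb"^(?:" + _METHODS + rb") \S+ HTTP/1\.[01]\r?\n")


def looks_like_http_request(payload: bytes) -> bool:
    """True if the payload starts with a complete HTTP/1.x request line."""
    return _REQUEST_LINE.match(payload) is not None


def classify_segment(dst_port: int, payload: bytes) -> str:
    """Per-packet policy: REDIRECT known ports to Squid, DROP clear-text HTTP
    on any other port, ACCEPT everything that does not look like HTTP."""
    if dst_port in REDIRECT_PORTS:
        return "REDIRECT"
    if looks_like_http_request(payload):
        return "DROP"
    return "ACCEPT"


def classify_stream(dst_port: int, segments) -> str:
    """The same policy applied to the reassembled client->server byte stream."""
    return classify_segment(dst_port, b"".join(segments))


# Constructed sample flows (client -> server direction); not captured traffic.
PROXY_REQUEST = (b"GET http://www.example.com/ HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n")
SAMPLE_FLOWS = {
    "browser_to_port_80":   (80,    [b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]),
    # Request to an upstream HTTP proxy on an arbitrary high port.
    "proxy_on_45001":       (45001, [PROXY_REQUEST]),
    # Same request, but the method token is split across two TCP segments.
    "proxy_on_45001_split": (45001, [PROXY_REQUEST[:2], PROXY_REQUEST[2:]]),
    # Legitimate web server on a non-standard port (hypothetical intranet app).
    "intranet_app_on_8000": (8000,  [b"GET /status HTTP/1.1\r\nHost: app.internal\r\n\r\n"]),
    # Start of a TLS record (handshake, version 3.1): opaque to the match.
    "tls_on_443":           (443,   [b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"]),
    # A non-HTTP clear-text banner, which the match must leave alone.
    "ssh_on_2222":          (2222,  [b"SSH-2.0-client\r\n"]),
}


def evaluate(flows=SAMPLE_FLOWS):
    """Decide each flow both per segment and over the reassembled stream."""
    results = {}
    for name, (port, segments) in flows.items():
        results[name] = {
            "per_segment": [classify_segment(port, seg) for seg in segments],
            "per_stream": classify_stream(port, segments),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:22s} segments={verdicts['per_segment']} "
              f"stream={verdicts['per_stream']}")
```

Running it shows both halves of the question. The proxy request on 45001 is dropped, as intended, but so is the intranet application on 8000: the assumption "HTTP on any other port is an evading proxy" costs every legitimate HTTP service that happens not to sit on 80/3128/8080. In the other direction, the request whose method is split across two segments passes a per-segment match on both segments and is only caught once the stream is reassembled, and the TLS flow passes either way, which is the "not foolproof" point made earlier in the thread.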