Re: [squid-users] block users who create their own proxy behind main proxy

From: Marcello Romani <mromani_at_ottotecnica.com>
Date: Mon, 26 Jul 2010 09:33:46 +0200

goody goody wrote:
> Hi,
>
>
> In our organization we have restricted access to only limited IPs as per company
> policy, but what some users are doing is that they are building their own proxy
> servers on any single allowed IP address and distributing access to their
> locally formed group.
>
> In this way our main proxy thinks that it is allowing access to only one IP
> whereas in reality it is not the case.
>
> This has become a challenge and if there is any solution / work around to this
> please let me know.
>
> I am using Squid 2.7 STABLE6 on FreeBSD 7 release #6.
>
> An early response is much appreciated.
>
> Regards,
> .Goody.
>
>
>

I'm not an expert, but I'll throw in my 2 cents anyway.

The user-built proxies have to reach the internet somehow.

If they do so directly, then at the firewall level only the official proxy
IP should be allowed to reach ports 80, 443, etc. This restriction
should be in place anyway, or the clients could bypass the proxy...

If they go out via the official proxy instead, they may appear as
siblings, so I'd look at the cache hierarchy directives to disallow
siblings.

If they look like normal clients to the main Squid instead, then I
suppose disallowing access to those IPs should be a good argument to
convince them to stop running local proxies.

One last idea: is it possible to detect if a cache client is a proxy or
a normal browser by analyzing the request headers? If so, some
specially crafted ACL rules could block the proxies but allow the FFs
and IEs without completely blocking the IPs.

HTH

-- 
Marcello Romani
Received on Mon Jul 26 2010 - 07:33:54 MDT
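The "last idea" above, a squid.conf fragment that refuses requests which arrive through another proxy, written out as an added example (it is not from the thread or from the Squid project). The addresses 10.0.0.0/24 are constructed placeholders for the allowed client range; `req_header` is a real Squid 2.6+/2.7 ACL type that matches a regular expression against a named request header, and Squid (with the default `via on`) stamps every request it forwards with a `Via:` header, while many proxies also add `X-Forwarded-For:`.

```conf
# Added example squid.conf fragment (not the thread's or Squid's own config).
# Assumption: 10.0.0.0/24 is the range of company-approved client IPs.
acl allowed_clients src 10.0.0.0/24

# A request relayed by a chained proxy normally carries a Via: header
# (Squid adds one by default) and frequently an X-Forwarded-For: header.
# "." matches any non-empty header value.
acl via_header req_header Via .
acl xff_header req_header X-Forwarded-For .

# Refuse relayed requests from the approved range before the general allow,
# so a user-built proxy is blocked while direct browser traffic still works.
# Denied requests show up in access.log with TCP_DENIED for follow-up.
http_access deny allowed_clients via_header
http_access deny allowed_clients xff_header
http_access allow allowed_clients
http_access deny all
```

This only catches proxies that leave the chaining headers intact; an operator who configures their relay to suppress them will look like a plain browser again, which is why the egress firewall rule permitting only the official proxy's IP to reach ports 80 and 443 remains the control to rely on, with the ACL serving as detection and a nudge rather than enforcement.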
