Re: [squid-users] block users who create their own proxy behind main proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 26 Jul 2010 20:41:26 +1200

Marcello Romani wrote:
> goody goody wrote:
>> Marcello Romani,
>>
>>
>> 1) Ports are blocked on network firewall.
>>
>> 2) Siblings are also not allowed in main proxy.
>>
>> 3) We can stop the users only when we come to know what they are doing
>> which is really difficult to identify presently.
>>
>> I am monitoring his browsing logs to get a break through but if there
>> is some capability in squid then it would be nice to know and implement.
>>
>>
>> Regards,
>> .Goody.
>>
>>
>
> Hi,
> first remember to respond also to the mailing list, otherwise other
> people won't see your response and you'll lose potential help.
>
> Back to the topic. I think you should investigate the header inspection
> capabilities of squid, to detect requests that come from proxies (e.g.
> Via headers), and stop them or at least make them appear in the logs.
>

There are a few headers which proxies are supposed to pass on.
X-Forwarded-For, X-Client-IP and Via being the obvious ones.

The problem you then face is users trying to go anonymous and stripping
headers.

You can also infer proxies by looking at the variance in Accept-* and
User-Agent headers (i.e. two IE or Firefox with different plugins from the
same IP interleaved is a dead giveaway, though it's not uncommon now for
users to have several different browsers.)
  These inference headers are less well known, and less easy to avoid,
since non-proxies that strip or replace them can be inferred by their
mistakes in grabbing things the fake UA does not naturally get (Firefox
or Opera doing Windows Update requests is one of my favourites).

You could also do active port scans of suspiciously high traffic users.

Rule #1 though before any technical measures are worth more than sand is
  good enforcement of violation penalties.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.5
Received on Mon Jul 26 2010 - 08:41:38 MDT
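
The header and User-Agent checks described in the message above, as an added example that is not part of the original post or of Squid itself. It assumes a custom Squid logformat writing one tab-separated line per request (client IP, URL, Via, X-Forwarded-For, User-Agent, with "-" for an absent header); the sample lines, reason labels and the `min_agents` threshold are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: client_ip, URL, Via, X-Forwarded-For, User-Agent.
SAMPLE_LOG = """\
10.0.0.5\thttp://example.com/\t-\t-\tMozilla/5.0 (Windows; U; rv:1.9.2) Gecko/20100701 Firefox/3.6.6
10.0.0.7\thttp://example.org/a\t1.1 laptop:3128 (squid)\t192.168.50.2\tMozilla/4.0 (compatible; MSIE 8.0)
10.0.0.9\thttp://example.com/\t-\t-\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
10.0.0.9\thttp://example.net/x\t-\t-\tMozilla/5.0 (X11; U; Linux) Gecko/20100701 Firefox/3.6.6
10.0.0.9\thttp://example.com/y\t-\t-\tOpera/9.80 (Windows NT 5.1; U) Presto/2.6.30
10.0.0.11\thttp://download.windowsupdate.com/v9/cab\t-\t-\tOpera/9.80 (Windows NT 5.1; U) Presto/2.6.30
"""

UPDATE_HOSTS = ("windowsupdate.com", "update.microsoft.com")


def is_update_host(host):
    """True for a Windows Update host or any of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in UPDATE_HOSTS)


def flag_clients(log_text, min_agents=3):
    """Return {client_ip: [reasons]} for clients that look like proxies."""
    agents = defaultdict(set)   # distinct User-Agent strings per client IP
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed lines
        ip, url, via, xff, ua = fields
        agents[ip].add(ua)
        # A downstream proxy that follows the rules announces itself.
        if via != "-" or xff != "-":
            reasons[ip].add("forwarding-header")
        # A claimed Firefox/Opera fetching Windows Update suggests a faked UA.
        host = urlsplit(url).hostname or ""
        if is_update_host(host) and ("Firefox" in ua or "Opera" in ua):
            reasons[ip].add("ua-mismatch")
    # Many distinct browsers behind one address suggests several users.
    for ip, seen in agents.items():
        if len(seen) >= min_agents:
            reasons[ip].add("mixed-user-agents")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in sorted(flag_clients(SAMPLE_LOG).items()):
        print(ip, ", ".join(why))
```

A flagged address is a lead for manual review of that client's logs, not proof; users with several browsers will trip the User-Agent count if the threshold is set low.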