Jon Joyce wrote:
Hi Emilio,
Many thanks for your reply.
When you say be careful with regard to security, do you mean that anyone who
knows the IP of a host will get through our content filter?
Yes, if you have modified the CONNECT tags in the default squid.conf.
The most serious companies having a web presence (such as Internet
Banking, E-commerce, login applications from trusted sites...) will
have registered domains referenced by their FQDN URLs, so you can't
trust "all" IP connections through the CONNECT method.
Thanks
Emilio C.
We have mainly set our squid up like this to stop people using Proxy
Tunneling software....
Jon
On 6 Jun 2006, at 09:27, Emilio Casbas wrote:
Jon Joyce wrote:
Hi all,
We currently have a Squid box set up to only allow secure https
traffic through a manually updated whitelist. So now, all clients
must provide the name and 443 port of our Proxy server before they
can access secure sites (i.e. Internet Banking, Hotmail etc.)
We now have the problem that Skype wants to use the outgoing secure
443 port which is not allowed through our Proxy...
Is there any way around this??
Skype will attempt to tunnel the traffic over port 443 using the SSL
protocol, as you said.
In order to permit access to Skype through squid, you would have to
know the "random" destination IPs that Skype uses with the CONNECT method.
One possibility is to try permitting numeric IPs with the
CONNECT method, but be careful with regard to security.
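# Destination host given as a numeric IPv4 address. A CONNECT request
# carries host:port and no URL path, so the match is on the host.
acl N_IPS dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
# Allow CONNECT only when the destination is a numeric IP
http_access allow connect N_IPS all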
Thanks
Emilio C.
Anyone's help is much appreciated
Jon
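
The following is an added example, not part of the original thread and not Squid's own code: a short Python audit that lists the allowed CONNECT requests whose target is an IP literal, which is the traffic a numeric-IP CONNECT rule lets past an FQDN whitelist. It assumes Squid's native access.log format; the log lines are constructed samples.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1149582420.101    812 192.168.1.10 TCP_MISS/200 5120 CONNECT bank.example.com:443 - DIRECT/198.51.100.7 -
1149582425.330  60211 192.168.1.23 TCP_MISS/200 90412 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1149582431.007     95 192.168.1.23 TCP_MISS/200 1480 GET http://www.example.org/ - DIRECT/198.51.100.9 text/html
1149582440.552  30544 192.168.1.23 TCP_MISS/200 40110 CONNECT 203.0.113.99:443 - DIRECT/203.0.113.99 -
1149582444.900      2 192.168.1.31 TCP_DENIED/403 1420 CONNECT 203.0.113.45:8080 - NONE/- text/html
"""


def is_numeric_ip(host):
    """True when the CONNECT target is an IP literal rather than an FQDN."""
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6 literals
        return True
    except ValueError:
        return False


def numeric_connects(log_text):
    """Return {client: [(target, bytes), ...]} for allowed CONNECTs to IP literals."""
    report = {}
    for line in log_text.splitlines():
        fields = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        client, result, size, target = fields[2], fields[3], fields[4], fields[6]
        if result.startswith("TCP_DENIED"):
            continue  # already blocked by the proxy
        host, _, _port = target.rpartition(":")
        if is_numeric_ip(host):
            report.setdefault(client, []).append((target, int(size)))
    return report


if __name__ == "__main__":
    for client, hits in numeric_connects(SAMPLE_LOG).items():
        for target, size in hits:
            print(f"{client} -> {target} ({size} bytes)")
```

Clients that show many long-lived CONNECTs to changing IP literals are the ones to review before or after enabling such a rule.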