Re: Detecting and blocking child proxy servers

[Tek Bahadur Limbu <teklimbu@xxxxxxxxxxxx>]

Juraj Sakala wrote:
> On Wednesday 25 July 2007 14:42, Tek Bahadur Limbu wrote:
> > Juraj Sakala wrote:
> > > On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
> > > > Is this possible? In other words, I want my proxy servers to detect
> > > > squid or other proxy severs which are being used or operated by others
> > > > besides me.
> > > May it is bepossible:
> > > - if you know your network you can use header x_forwarded_for to detect
> > > unknown networks.
> > > - if you wont to allow only your proxy servers use http_access directive
> > > with acl which contains only your proxy's
> > > - try something like this:
> > > 	acl  myproxy req_header Via MyProxy
> > > 	http_access allow myproxy
> > > 	http_access deny all
> > > - use authentication
> > Hi Juraj,
> >
> > Thanks for sharing your tips.
> >
> > Suppose I have the following:
> >
> > acl myproxy req_header Via 192.168.100.0/24
> > http_access allow myproxy
> > http_access deny all
>
> It was only tip. I am not sure, but i think squid puts in this header his 
> visible hostname and port in format 1.1 <vysible_hostname>:<port>. So if 
> someone use Squid in default configuration you can block it easily. But it 
> is true, that headers are easily spoofable
>
> > Now if I use this, my normal clients (192.168.101.0/24) won't be able to
> > access my proxy server right?
>
> There is question if normal client sends Via header in request, I am sure that 
> not.
>
> So we need acl that permits requists from our proxy's with correct Via header 
> or clients with no header and denies all other requests.
>
> It will be hard, maybe external acl will be useful.

Hi Juraj,

Thanks once again for sharing light on this. Do you have any examples 
where I can use req_header to detect if my clients have their own proxy 
servers?

Any clue, web links or posts will highly be appreciated.

Also is req_header the only option whereby we can detect child proxies? 
Or do we also have other options for detecting child proxies?

I googled and found the Follow X-Forwarded-For headers (follow_xff) tag. 
Do you have any ideas regarding this?

Thanking you...


--

With best regards and good wishes,

Yours sincerely,

Tek Bahadur Limbu

(TAG/TDG Group)
Jwl Systems Department

Worldlink Communications Pvt. Ltd.

Jawalakhel, Nepal

http://www.wlink.com.np