
Re: Can I block CONNECT to any IP (but allow hostnames)?


 



Tim Bates wrote:
Can someone tell me if it's possible to block "CONNECT" attempts that only specify an IP address (rather than a hostname)?

I can see no legitimate reason to CONNECT to an IP, and I've just caught students using this method to bypass the filters.

TB

Try the default squid configuration of:

 acl SSL_Port port 443
 acl CONNECT method CONNECT
 http_access deny CONNECT !SSL_Port

that will deny any obviously non-https uses.

Beyond that, this is one of the rare cases where domain regex is useful, having an ACL that tests for numeric-only domains.

NP: do note that Skype uses https CONNECT to raw IP numbers. If you want Skype to work, handle CONNECT restrictions carefully.

Amos
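
An added example, not part of the original thread or of Squid itself: a Python audit of access.log for CONNECT requests whose target host is an IP literal, to see which clients (Skype users included) a numeric-host ACL would affect before it is enforced. The log lines are constructed, and the field order assumes Squid's native access.log format.

```python
import ipaddress
import re
from collections import Counter

# Dotted-quad or bracketed IPv6 host: the "numeric-only domain" test.
NUMERIC_HOST = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\[[0-9A-Fa-f:.]+\])$")

# Constructed sample lines (documentation addresses), native access.log layout.
SAMPLE_LOG = """\
1250000000.101 520 10.1.1.20 TCP_MISS/200 4312 CONNECT mail.example.org:443 - DIRECT/192.0.2.10 -
1250000001.202 9100 10.1.1.37 TCP_MISS/200 88213 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1250000002.303 12 10.1.1.37 TCP_DENIED/403 1400 CONNECT 198.51.100.7:8080 - NONE/- text/html
1250000003.404 310 10.1.1.52 TCP_MISS/200 2048 CONNECT [2001:db8::5]:443 - DIRECT/2001:db8::5 -
1250000004.505 80 10.1.1.20 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/192.0.2.11 text/html
"""

def split_target(target):
    """Split a CONNECT target 'host:port' into (host, port); port may be None."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, None
    return host, int(port)

def is_ip_literal(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    if not NUMERIC_HOST.match(host):
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False  # e.g. 999.1.1.1 looks numeric but is not an address

def audit(log_text):
    """Count (client, target) pairs for CONNECTs whose host is an IP literal."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, _port = split_target(fields[6])
        if is_ip_literal(host):
            hits[(fields[2], fields[6])] += 1
    return hits

if __name__ == "__main__":
    for (client, target), n in audit(SAMPLE_LOG).most_common():
        print(f"{client} -> {target} x{n}")
```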
