Tim Bates wrote:
Can someone tell me if it's possible to block "CONNECT" attempts that
only specify an IP address (rather than a hostname)?
I can see no legitimate reason to CONNECT to an IP, and I've just caught
students using this method to bypass the filters.
TB
Try the default Squid configuration of:
acl SSL_Port port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_Port
That will deny any obviously non-https uses.
Beyond that, this is one of the rare cases where domain regex is useful,
having an ACL that tests for numeric-only domains.
NP: do note that Skype uses https CONNECT to raw IP numbers. If you want
Skype to work, handle CONNECT restrictions carefully.
Amos
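
An audit to run before enforcing the numeric-host restriction discussed in this thread, added here as an example and not part of either message: it lists which clients already CONNECT to raw IP addresses, so legitimate users (such as the Skype case mentioned above) can be identified first. The log lines are constructed, the function names are hypothetical, and the field positions assume Squid's native access.log layout.

```python
import ipaddress
import re
from collections import Counter

# Dotted-quad test, the kind of "numeric-only domain" regex the reply suggests.
NUMERIC_HOST = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")

# Constructed sample in Squid's native access.log layout (addresses are
# documentation ranges; "[addr]:port" for IPv6 targets is an assumption).
SAMPLE_LOG = """\
1286536309.450 320 10.0.0.15 TCP_MISS/200 4120 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1286536311.102 298 10.0.0.15 TCP_MISS/200 3877 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1286536320.774 512 10.0.0.22 TCP_MISS/200 9120 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
1286536325.010 101 10.0.0.22 TCP_MISS/200 1500 GET http://198.51.100.9/index.html - DIRECT/198.51.100.9 text/html
1286536330.333 450 10.0.0.31 TCP_MISS/200 2210 CONNECT 123.example.net:443 - DIRECT/192.0.2.20 -
1286536340.900 610 10.0.0.31 TCP_MISS/200 5300 CONNECT [2001:db8::1]:443 - DIRECT/2001:db8::1 -
1286536350.120 0 10.0.0.40 TCP_DENIED/403 1400 CONNECT 198.51.100.9:8080 - NONE/- text/html
"""

def split_target(target):
    """Split a CONNECT target 'host:port'; brackets around IPv6 are dropped."""
    host, _, port = target.rpartition(":")
    return host.strip("[]"), port

def is_ip_literal(host):
    """True for any IPv4 or IPv6 literal, False for hostnames."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_connects(log_text):
    """Count CONNECT requests to IP literals, keyed by (client, host, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        host, port = split_target(fields[6])
        if is_ip_literal(host):
            hits[(fields[2], host, port)] += 1
    return hits

if __name__ == "__main__":
    for (client, host, port), n in sorted(audit_connects(SAMPLE_LOG).items()):
        covered = "regex matches" if NUMERIC_HOST.match(host) else "regex misses"
        print(f"{client} -> {host}:{port} x{n} ({covered})")
```

The "regex misses" column shows where a dotted-quad pattern alone leaves IPv6 literals uncovered, and the hostname starting with digits confirms the anchored pattern does not block ordinary domains.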