That's pretty similar to what I went with.
I ended up coming across a post on this list with similar goals, and
used the suggested regex from there.
TB
Vadim Pushkin wrote:
How about:
acl SSL_Port port 443
acl CONNECT method CONNECT
# /etc/squid/good-connect-ip-addresses is one IP address per line.
acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
# One or the other, not sure which and I haven't tested it yet.
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
# One or more of these three, again, I haven't tested yet.
http_access deny CONNECT !SSL_Port
http_access deny CONNECT numeric_IPs
http_access deny CONNECT numeric_IPs !allowed-CONNECT
The goal is to:
1. Prevent CONNECT to non-SSL ports.
2. Block CONNECT to IP addresses (vs. FQDNs).
3. Allow a way to place exclusions to the IP blocks just in case
there is a legit need.
Please feel free to correct or comment anything I've stated above.
.vp
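An added example, not from any post in this thread: a small Python checker that applies the three deny rules above (non-443 port, raw-IP target, allowlist exception) to CONNECT targets, and scans Squid native access.log lines for the raw-IP CONNECTs those rules would deny. The allowlist format follows the comment above (one IP per line); the log lines and addresses are constructed.

```python
import ipaddress
import re
SSL_PORT = 443  # the thread's "acl SSL_Port port 443"

def load_allowlist(text):
    """Parse allowlist file contents: one IP per line, '#' starts a comment."""
    allowed = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            allowed.add(ipaddress.ip_address(line))
    return allowed

def as_ip(host):
    """Return the IP object if host is a raw IP literal (IPv6 may be bracketed), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None

def decide_connect(target, allowed):
    """Apply the three deny rules to a CONNECT target 'host:port'; returns 'allow' or 'deny'."""
    host, _, port = target.rpartition(":")
    if not port.isdigit() or int(port) != SSL_PORT:
        return "deny"              # http_access deny CONNECT !SSL_Port
    ip = as_ip(host)
    if ip is not None and ip not in allowed:
        return "deny"              # http_access deny CONNECT numeric_IPs !allowed-CONNECT
    return "allow"

# Native access.log fields: time elapsed client action/code size method url ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+CONNECT\s+(\S+)")

def find_denied_ip_connects(log_text, allowed):
    """Report (client, target) for CONNECTs to raw IPs that the rules would deny."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and as_ip(m.group(2).rpartition(":")[0]) is not None:
            if decide_connect(m.group(2), allowed) == "deny":
                hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample data (not from the thread): an allowlist and three log lines.
SAMPLE_ALLOWLIST = "# one IP per line\n203.0.113.7\n"
SAMPLE_LOG = (
    "1300000000.123   1234 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT 198.51.100.9:443 - HIER_DIRECT/198.51.100.9 -\n"
    "1300000001.456    980 10.0.0.6 TCP_TUNNEL/200 4096 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -\n"
    "1300000002.789    300 10.0.0.7 TCP_TUNNEL/200 2048 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -\n"
)
```

Run `find_denied_ip_connects(SAMPLE_LOG, load_allowlist(SAMPLE_ALLOWLIST))` to see which clients tunnelled to a bare IP that is not on the allowlist.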
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: Squid <squid-users@xxxxxxxxxxxxxxx>
Tim Bates wrote:
Can someone tell me if it's possible to block "CONNECT" attempts
that only specify an IP address (rather than a hostname)?
I can see no legitimate reason to CONNECT to an IP, and I've just
caught students using this method to bypass the filters.
TB
Try the default squid configuration of:
acl SSL_Port port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_Port
that will deny any obviously non-https uses.
Beyond that, this is one of the rare cases where domain regex is
useful, having an ACL that tests for numeric-only domains.
NP: do note that Skype uses HTTPS CONNECT to raw IP numbers. If you
want Skype to work, handle CONNECT restrictions carefully.
Amos