> > How about:
> >
> > acl SSL_Port port 443
> > acl CONNECT method CONNECT
> >
> > # /etc/squid/good-connect-ip-addresses is one IP address per line.
> > acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
> >
> > # One or the other, not sure which and I haven't tested it yet.
> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> > acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> >
> > # One or more of these three, again, I haven't tested yet.
> > http_access deny CONNECT !SSL_Port
> > http_access deny CONNECT numeric_IPs
> > http_access deny CONNECT numeric_IPs !allowed-CONNECT

The bypass permission needs to be allow and ahead of the global deny. Like so:

  http_access allow CONNECT numeric_IPs allowed-CONNECT
  http_access deny CONNECT numeric_IPs

> >
> > The goal is to:
> >
> > 1. Prevent CONNECT to non-SSL ports.
> > 2. Block to IP addresses which use CONNECT vs. FQDN.
> > 3. Allow a way to place exclusions to the IP blocks just in case there is a
> >    legit need.
> >
> > Please feel free to correct or comment anything I've stated above.
> >
> > .vp
> >
> >> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> >> To: Squid <squid-users@xxxxxxxxxxxxxxx>
> >
> >> Tim Bates wrote:
> >>> Can someone tell me if it's possible to block "CONNECT" attempts that only
> >>> specify an IP address (rather than a hostname)?
> >>>
> >>> I can see no legitimate reason to CONNECT to an IP, and I've just caught
> >>> students using this method to bypass the filters.
> >>>
> >>> TB
> >>
> >> Try the default squid configuration of:
> >>
> >>   acl SSL_Port port 443
> >>   acl CONNECT method CONNECT
> >>   http_access deny CONNECT !SSL_Port
> >>
> >> that will deny any obviously non-https uses.
> >>
> >> Beyond that this is one of the rare cases where domain regex is useful,
> >> having an ACL that tests for numeric-only domains.
> >>
> >> NP: do note that skype uses https CONNECT to raw IP numbers. If you want
> >> skype to work handle CONNECT restrictions carefully.
> >>
> >> Amos
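The ordering point in the reply (the allow for the exclusion list must sit ahead of the deny for numeric IPs) comes from Squid's first-match evaluation of http_access lines. The script below is an added illustration, not Squid code and not the configuration posted in the thread: it models first-match evaluation with the ACL names used above, runs the poster's original order and the corrected order over a few constructed CONNECT requests, and shows that in the original order the exclusion is never reached. It assumes the url_regex is applied to the CONNECT target as "host:port" (so the anchored dotted-quad pattern matches a raw IP) and models the allowed-CONNECT list as a plain host-string lookup; the sample addresses are documentation-range values chosen for the example.

```python
import re

# Constructed model of Squid http_access first-match evaluation.
# Not Squid's implementation; ACL semantics are simplified for illustration.

# Same pattern as the thread's numeric_IPs ACL; assumed to be tested
# against the CONNECT target "host:port", so it matches raw dotted quads.
NUMERIC_IP = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Stand-in for /etc/squid/good-connect-ip-addresses (one IP per line).
# Constructed value from the 198.51.100.0/24 documentation range.
ALLOWED_CONNECT = {"198.51.100.7"}


def acl_match(name, method, host, port):
    """Evaluate one named ACL against a request (method, target host, port)."""
    if name == "CONNECT":
        return method == "CONNECT"
    if name == "SSL_Port":
        return port == 443
    if name == "numeric_IPs":
        return bool(NUMERIC_IP.match(f"{host}:{port}"))
    if name == "allowed-CONNECT":
        return host in ALLOWED_CONNECT
    raise KeyError(f"unknown acl {name}")


def http_access(rules, method, host, port):
    """Return 'allow' or 'deny' from the first rule whose every term matches.

    A leading '!' negates a term. If no rule matches, Squid applies the
    opposite of the last rule's action; that default is reproduced here.
    """
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            if acl_match(name, method, host, port) == negate:
                matched = False
                break
        if matched:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Original posted order: the exclusion comes after the global deny,
# so a CONNECT to a listed IP is denied before the allow is ever consulted.
ORIGINAL_ORDER = [
    ("deny", ["CONNECT", "!SSL_Port"]),
    ("deny", ["CONNECT", "numeric_IPs"]),
    ("allow", ["CONNECT", "numeric_IPs", "allowed-CONNECT"]),  # unreachable
]

# Corrected order from the reply: allow the exclusion first, then deny the rest.
CORRECTED_ORDER = [
    ("deny", ["CONNECT", "!SSL_Port"]),
    ("allow", ["CONNECT", "numeric_IPs", "allowed-CONNECT"]),
    ("deny", ["CONNECT", "numeric_IPs"]),
]


def decide_connect(rules, host, port=443):
    """Convenience wrapper for a CONNECT request to host:port."""
    return http_access(rules, "CONNECT", host, port)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_ORDER), ("corrected", CORRECTED_ORDER)):
        print(label)
        print("  listed IP, 443   ->", decide_connect(rules, "198.51.100.7"))
        print("  other IP, 443    ->", decide_connect(rules, "203.0.113.9"))
        print("  listed IP, 8080  ->", decide_connect(rules, "198.51.100.7", 8080))
        print("  hostname, 443    ->", decide_connect(rules, "www.example.com"))
```

Run with python3 and compare the two blocks of output: only the corrected order lets the listed address through, both orders still deny CONNECT to a non-443 port (that rule stays first in both), and a hostname target matches none of these rules, so in real Squid it falls through to whatever http_access lines follow.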