Search squid archive

Re: Controlling all HTTP traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Oct 12, 2008 at 12:31:45PM +0300, Ali Hardogan wrote:
> Hello,
> 
> What is the best way to have full control over HTTP traffic that goes
> through a Squid-enabled firewall?

Don't allow outside connections from clients, don't use transparent. Force
users to configure proxy in browser.

> On the firewall, we intercept TCP traffic destined to ports 80, 3128,
> and 8080 and redirect them to the local Squid port, and they get
> filtered.
> 
> But HTTP traffic is not limited to use those ports. Especially in case
> the PCs behind the firewall are using HTTP-based proxies, depending on
> the ports used by the proxies on the Internet they may escape the
> Squid filtering (e.g., say they are using port 45001).

What is your goal with "full HTTP control"? If your clients are allowed to
connect to any port anywhere they want, I guess it's not security (though
you wanting to stop proxies would suggest it). Also they can simply use SSL
or such to escape any filtering.

> How can we make sure "any HTTP traffic -- irrespective of the TCP
> destination port number" that goes through the firewall gets filtered
> by the Squid?

Depending on your OS/firewall, you may have ability search packets for HTTP
traffic. But it is intensive, not foolproof and unnecessary kludge.


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux