
Re: block users who create their own proxy behind main proxy

goody goody wrote:
Hi,


In our organization we have restricted access to only limited IPs as per company policy, but what some users are doing is building their own proxy servers on a single allowed IP address and distributing access to their locally formed group.

In this way our main proxy thinks that it is allowing access to only one IP, whereas in reality that is not the case.

This has become a challenge, and if there is any solution / workaround to this please let me know.

I am using squid 2.7 stable 6 on freebsd 7 release # 6

An early response is much appreciated.

Regards,
.Goody.



I'm not an expert, but I'll throw in my 2 cents anyway.

The user built proxies have to reach the internet somehow.

If they do so directly, then at the firewall level only the official proxy IP should be allowed to reach ports 80, 443, etc. This restriction should be in place anyway, or the clients could bypass the proxy...

If they go out via the official proxy instead, they may appear as siblings, so I'd look at the cache hierarchy directives to disallow siblings. If they look like normal clients to the main squid instead, then I suppose disallowing access to those IPs should be a good argument to convince them to stop running local proxies. One last idea: is it possible to detect if a cache client is a proxy or a normal browser by analyzing the request headers? If so, some specially crafted acl rules could block the proxies but allow the FFs and IEs without completely blocking the IPs.

HTH

--
Marcello Romani
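
The header analysis suggested in the reply above, sketched as an added example that is not part of the original thread: it flags client IPs whose requests already carry `Via` or `X-Forwarded-For`, and, going one step beyond the reply, IPs that present unusually many distinct `User-Agent` strings. It assumes the main Squid writes a custom log such as `logformat hdrs %ts %>a "%{Via}>h" "%{X-Forwarded-For}>h" "%{User-Agent}>h"`; the format name, function names, threshold and sample lines are all constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in the assumed format:
#   epoch client_ip "Via" "X-Forwarded-For" "User-Agent"   ("-" = header absent)
SAMPLE_LOG = '''\
1250000001 10.0.0.11 "-" "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.13"
1250000002 10.0.0.12 "1.0 userbox:3128 (squid/2.7.STABLE6)" "10.0.5.21" "Mozilla/4.0 (compatible; MSIE 7.0)"
1250000003 10.0.0.12 "1.0 userbox:3128 (squid/2.7.STABLE6)" "10.0.5.22" "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.5.2"
1250000004 10.0.0.13 "-" "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
1250000005 10.0.0.13 "-" "-" "Mozilla/5.0 (Windows; U) Firefox/3.0.13"
1250000006 10.0.0.13 "-" "-" "Opera/9.64 (Windows NT 5.1; U; en)"
1250000007 10.0.0.13 "-" "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
'''


def find_downstream_proxies(log_text, max_user_agents=3):
    """Return {client_ip: [reasons]} for clients that look like proxies."""
    reasons = defaultdict(set)   # ip -> set of indicator names
    agents = defaultdict(set)    # ip -> distinct User-Agent strings seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            # shlex honours the double quotes around each header value.
            _ts, ip, via, xff, ua = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes or wrong field count: skip the line
        # A browser talking to its first proxy sends neither header; a proxy
        # in its default configuration adds both before forwarding.
        if via != "-":
            reasons[ip].add("via")
        if xff != "-":
            reasons[ip].add("x-forwarded-for")
        if ua != "-":
            agents[ip].add(ua)
    # A downstream proxy set to strip those headers still aggregates several
    # browsers behind one IP. Heuristic only: a shared or multi-browser
    # workstation produces the same signal.
    for ip, seen in agents.items():
        if len(seen) > max_user_agents:
            reasons[ip].add("many-user-agents")
    return {ip: sorted(found) for ip, found in reasons.items()}


if __name__ == "__main__":
    for ip, why in sorted(find_downstream_proxies(SAMPLE_LOG).items()):
        print(ip, ", ".join(why))
```

The header indicators only catch downstream proxies left at their defaults, so treat a clean result as inconclusive rather than as proof that no local proxy exists.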

