Skype was blocking every raw-IP:443 instead of just its own IPs, a bit too restrictive, though it can have a list of its own IPs and dst might just work.
I'm trying to see if some chat can be blocked, as they use raw IP without DNS at all (similar to what Skype did).
Yes, I know ssl-bump uses the IP from the TCP SYN to do a fake CONNECT (intercept mode); that is still different from a raw IP with 443/SSL, as the latter will warn because rarely any SSL certificate will have a CN in IP format.
There might be some VPN over port 443 that uses a raw IP that I hope to block, if any.
Thanks,
Gordon
On Sun, Jul 29, 2018 at 7:00 AM <squid-users-request@xxxxxxxxxxxxxxxxxxxxx> wrote:
Today's Topics:
1. block visit 80/443 browsing via IP(no domain name) (Gordon Hsiao)
2. Re: block visit 80/443 browsing via IP(no domain name) (Amos Jeffries)
----------------------------------------------------------------------
Message: 1
Date: Sat, 28 Jul 2018 23:11:43 -0500
From: Gordon Hsiao <capcoding@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: block visit 80/443 browsing via IP(no domain name)
Message-ID:
<CAK0iFYzxwt2gQ-+wM9bsrnJF3uLAhhRtpE4pU0Wb4O1qgp3yOA@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="utf-8"
Is there a way to block any attempt to visit http/https by _any_ IP
directly, i.e.
http://my-IP or https://my-IP (yes, this will give a warning for SSL most
likely)? Here my-IP could be any IPv4 address, for example.
Basically I want Squid to enforce that all 80/443 access is done
via a FQDN instead of an IP. Is this possible, or should this be handled in
a redirector instead?
Thanks,
Gordon
------------------------------
Message: 2
Date: Sun, 29 Jul 2018 18:32:45 +1200
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: block visit 80/443 browsing via IP(no domain name)
Message-ID: <8883cf05-af98-6788-b42d-c1edd764a116@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8
On 29/07/18 16:11, Gordon Hsiao wrote:
> is there a way to block any attempt to visit http/https by _any_ IP
> directly, i.e.
>
> http://my-IP or https://my-IP (yes this will give a warning for SSL most
> likely
Er, what makes you think that? Squid intercepting HTTPS has to already
be decrypting the TLS in order to see any https:// from the client.
> ). here my-IP could be any IPv4 address, for example.
To match transactions with raw-IP in their HTTP request-line URL use a
dstdom_regex ACL with -n parameter and regex that matches raw-IP.
<http://www.squid-cache.org/Doc/config/acl/>
You should use a regex that matches both IPv4 and IPv6 because they
*will* both be presented at times regardless of whether your systems are
IPv4-only.
You can find an example of a regex and how to use it in this page:
<https://wiki.squid-cache.org/ConfigExamples/Chat/Skype>. Though note
that Skype regex includes the port number ":443" at the end of the
pattern which you may not want.
Also, be aware that intercepted traffic does not operate with domain
names. It often only has access to the IP:port details from TCP SYN
packets. That especially includes intercepted port 443 traffic at the
early stages of SSL-Bump processing.
Is there something in particular you want to achieve with this blocking?
Amos
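As an added example, not part of this thread and not Squid's own code: the snippet below shows what a `dstdom_regex -n` pattern for "the URL host is an IP literal, not a name" has to cover, and checks it against constructed request targets of the kinds Amos describes (an http:// URL with an IPv4 host, a CONNECT host:port target, a bracketed IPv6 literal, and ordinary FQDNs that must not match). The regex, the ACL name `raw_ip_host` and the file path are assumptions made here; the pattern is written in POSIX ERE syntax so the same text can be dropped into a squid.conf `dstdom_regex` line, which is why it avoids Python-only constructs such as `(?:...)`.

```python
import re
from urllib.parse import urlsplit

# Constructed pattern (not from the thread or the Squid wiki). It matches a
# dotted-quad IPv4 literal, or an IPv6 literal written as hex groups with an
# optional "::" shortcut, with or without the brackets a URL puts around it.
# It deliberately does NOT end in ":443" the way the Skype wiki regex does,
# so it applies to every port. The IPv6 branch is loose on purpose: the
# question is "literal or name?", not "valid address?".
RAW_IP_HOST_ERE = (
    r"^(([0-9]{1,3}\.){3}[0-9]{1,3}"
    r"|\[?([0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}\]?)$"
)
RAW_IP_HOST = re.compile(RAW_IP_HOST_ERE)


def is_raw_ip_host(host: str) -> bool:
    """True when the host part of a request is an IP literal rather than a FQDN."""
    return RAW_IP_HOST.match(host) is not None


def host_of(target: str) -> str:
    """Extract the host from an http(s) URL or a CONNECT "host:port" target.

    CONNECT targets carry no scheme, so a scheme-less "//" prefix is added to
    let urlsplit parse them; .hostname drops the port and IPv6 brackets.
    """
    parts = urlsplit(target if "://" in target else "//" + target)
    return parts.hostname or ""


def http_access_decision(target: str) -> str:
    """Mirror of an `http_access deny raw_ip_host` rule: deny IP-literal hosts."""
    return "deny" if is_raw_ip_host(host_of(target)) else "allow"


def squid_conf_snippet(regex_file: str = "/etc/squid/raw-ip-host.regex") -> str:
    """The squid.conf lines this pattern would back (assumed ACL name and path).

    -n keeps Squid from doing a reverse DNS lookup on the IP before matching,
    which is the behaviour Amos points to; the regex itself lives in the file.
    """
    return (
        f'acl raw_ip_host dstdom_regex -n "{regex_file}"\n'
        "http_access deny raw_ip_host\n"
    )


if __name__ == "__main__":
    # Constructed sample targets: two IPv4 forms, two IPv6 forms, two FQDNs.
    for target in ("http://10.0.0.1/", "1.2.3.4:443", "https://[2001:db8::1]/",
                   "[2001:db8::1]:443", "https://www.example.com/",
                   "http://1.2.3.4.example.com/"):
        print(f"{http_access_decision(target):5}  {target}")
    print(squid_conf_snippet(), end="")
```

Write `RAW_IP_HOST_ERE` (without the surrounding Python quoting) into the regex file named in the `acl` line, then confirm with `squid -k parse` that the configuration loads. As Amos notes, this only sees a host string at all for requests that carry one: intercepted port 443 traffic before SSL-Bump has produced a CONNECT from the TCP SYN has nothing but IP:port to match on, so the ACL cannot distinguish "typed an IP" from "resolved a name" there.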
------------------------------
Subject: Digest Footer
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
------------------------------
End of squid-users Digest, Vol 47, Issue 58