On 30/07/18 04:59, Walter H. wrote:
> skype was blocking every raw-ip:443 instead of just its own IPs, a bit
> too restricted, though it can have a list of its own IPs and dst might
> just work.

That was the point. Skype is P2P software. Certain versions use raw-IP to connect to arbitrary IPs. There are no "its IPs" to restrict the match to. And the more recent versions owned by MS use the Azure cloud - so any IP in Azure is valid raw-IP for Skype to connect to.

> I'm trying to see if some chat can be blocked as they use raw-IP
> without DNS at all (similar to what Skype did)
>
> yes I know ssl-bump uses IP from TCP-SYN to do fake-CONNECT (intercept
> mode), that is still different from a raw-IP with 443/ssl, the latter
> will warn because rarely any ssl certificate will have CN in IP format.

That does not make sense. There is a very good reason why we keep dstdomain and ssl::server_name as separate ACL types. That reason is that both can exist simultaneously with different values.

The CN value is never part of https:// URLs. I think you may be confusing the TLS SNI with X.509 certificate CN Subject names. The former is used in http:// URLs reported by Squid, and the latter is not.

> there might be some vpn over 443 port that uses raw-IP that I hope to
> block, if any.

Use ssl::server_name_regex with the raw-IP pattern to match raw-IP in certificate CN fields.

Please be aware that CN contains *multiple* values which may be (often is) any combination of domain name, raw-IP, arbitrary text strings and regex patterns. So take extreme care with your regex matching into it.

Your lack of certainty about what VPNs are actually doing indicates that you probably do not know what you are dealing with here. Please base your rules and config around what is *actually* happening on your network.

Half-way rules based on guesses are not sufficient protection by any means if you intend paranoid levels of protection, and harmful if you intend for opening useful holes in advance of a need existing.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
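The ssl::server_name_regex approach Amos suggests, as an added squid.conf fragment that is not part of the original thread: the pattern is anchored with ^ and $ so it only matches a name that is entirely an IPv4 literal, and the match is taken at step 3 so the names Squid extracted from the server certificate are what is tested. It assumes an intercepting https_port with ssl-bump is already configured.

```squid
# Staged SSL-Bump: peek at steps 1 and 2 so Squid sees the client SNI
# and then the real server certificate before making a decision.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Anchored IPv4-literal pattern. Without ^ and $ the same pattern would
# also match "10.0.0.1" buried inside a longer name such as
# web10.0.0.1.example.net, which is the kind of accident Amos warns about.
acl raw_ip_name ssl::server_name_regex ^[0-9]{1,3}(\.[0-9]{1,3}){3}$

ssl_bump peek step1
ssl_bump peek step2
# Only act once the certificate names are known (step 3).
ssl_bump terminate raw_ip_name step3
ssl_bump splice all
```

Test the ACL against live traffic with access.log before relying on it; a certificate whose CN or SAN is a domain name but whose SNI was an IP literal will still be spliced by this rule set, because step 3 matches the server-provided names.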