As Henrik said, 1, 2 & 3 can all be accomplished with standard ACLs.

Windows Messenger and Yahoo use standard HTTP or SOCKS proxies, so the
CONNECT method doesn't really come into play.

Windows Messenger (currently at least) has a distinct user-agent string
that can be blocked. When tunneling over HTTP, Yahoo and AIM
user-agent strings claim Mozilla/4.01 & Mozilla/4.08. Depending on your
user mix, those strings may be blockable as well.

The problem with #2 is AIM works quite happily over standard SSL
ports, making it effectively useless. The user-agent header isn't passed
for HTTPS sessions. The only effective way I've found is to block
login.oscar.aol.com.

AIM also supports using authentication over HTTP/HTTPS proxies, possibly
making #1 useless.

#3 seems a bit draconian and a sure way to really piss off your users.

Jerry

----- Original Message -----
From: "George J. Jahchan, Eng." <Squid-Users@Tech.InteractiveNetworks.net>
To: "Squid Users" <squid-users@squid-cache.org>
Sent: Monday, November 11, 2002 3:39 AM
Subject: RE: [squid-users] Squid as proxy for aol im

Henrik,

I need to prevent users from tunneling MSN & Yahoo Messengers (+ others)
through squid, without resorting to clumsy URL blocking. I am thinking of
three possible scenarios (ordered by decreasing desirability):

1) Authentication for CONNECT method: users cannot use the CONNECT method
until explicitly authenticated to access the CONNECT method.

2) Disable the CONNECT method for everything but SSL traffic.

3) Disable the CONNECT method altogether.

Are any of the above scenarios possible in current or forthcoming versions
of Squid?

TIA

Received on Mon Nov 11 2002 - 07:42:13 MST
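
The ACLs discussed in this thread, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the `localnet` range and the user-agent regex are assumptions, and `proxy_auth` assumes an authentication helper is already configured for this Squid.

```squidconf
# Added example. http_access rules are checked top to bottom and the
# first matching rule decides, so the deny rules sit above the allow.

acl CONNECT   method CONNECT
acl SSL_ports port 443 563
acl localnet  src 192.168.0.0/16        # constructed: replace with your client range

# Scenario 2: CONNECT only to SSL ports.
# Per the reply, AIM still works over these ports, so this alone is not enough.
http_access deny CONNECT !SSL_ports

# Block the AIM login host by name. dstdomain also matches the host in a
# CONNECT request, so this covers the HTTPS case where no user-agent is seen.
acl aim_login dstdomain login.oscar.aol.com
http_access deny aim_login

# Block by User-Agent on plain HTTP. The regex is an assumption built from the
# "Mozilla/4.01 & Mozilla/4.08" strings mentioned in the reply; it also matches
# any real browser sending the same prefix, so check your user mix first.
acl im_agent browser ^Mozilla/4\.0[18]
http_access deny im_agent

# Scenario 1: CONNECT only for authenticated users.
# Per the reply, AIM can authenticate to proxies, so a user with valid
# credentials can still tunnel; pair this with the dstdomain rule above.
acl authed proxy_auth REQUIRED
http_access deny CONNECT !authed

# Scenario 3 (disable CONNECT entirely) would be the single line below,
# left commented out because it also breaks all HTTPS browsing:
# http_access deny CONNECT

http_access allow localnet
http_access deny all
```

Run `squid -k parse` to check the syntax before reloading with `squid -k reconfigure`.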