>
> Hi all,
>
> I've been seeing users start to tunnel through my squid
> caches, especially for connecting to IRC servers. I
> get CONNECT lines in my log either going to 6667 (IRC
> default) or, more sneakily, 443. As there is a
> sizable number of IRC servers my users are connecting
> to, and given the fact CONNECT is used for regular https
> websites, I can't block the method or the
> hostnames/IPs. I recompiled squid to log user-agents,
> but again, anything coming in on a CONNECT does not
> show up - I thought at least I could identify the IRC
> clients and block them with a "browser" ACL.
>
> So I guess what I am asking is, is there an easier, more
> maintainable way to stop this rather than spending day
> after day compiling IP lists for multiple servers -
> I'm really hoping for a one-liner here.
>
> Many thanks in advance,
>
The default squid.conf will not allow connections to 6667;
in order to have a 'strict' config:

    acl SSL_ports port 443
    http_access deny CONNECT !SSL_ports

If you block 443, then valid SSL sites will be blocked too;
and your users will no longer be able to access those.
If you want further control on access to malicious
'443-sites' then you need to make use of access controls
in SQUID (see the FAQ).
M.
Received on Tue Mar 23 2004 - 23:48:34 MST
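
An added example, not part of the original thread: a small audit of Squid's native access.log that applies the same rule as the `SSL_ports` ACL in the reply, listing CONNECT requests that rule would deny and, per client, the CONNECT destinations on 443 that would still pass and may need a further ACL. The log lines, addresses and hostnames are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

SSL_PORTS = {443}  # mirrors "acl SSL_ports port 443" from the reply

# Squid native access.log: time elapsed client action/code bytes method URL ...
LINE_RE = re.compile(
    r"^\s*\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/\d{3}\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_connect(line):
    """Return (client, host, port) for a CONNECT line, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "CONNECT":
        return None
    # For CONNECT, Squid logs the target as host:port rather than a full URL.
    host, sep, port = m.group("url").rpartition(":")
    if not sep or not port.isdigit():
        return None
    return m.group("client"), host.strip("[]"), int(port)

def audit(lines, ssl_ports=SSL_PORTS):
    """Split CONNECT traffic into what the ACL would deny and what remains."""
    denied = Counter()             # (client, host, port) -> count
    allowed = defaultdict(Counter)  # client -> host -> count
    for line in lines:
        rec = parse_connect(line)
        if rec is None:
            continue
        client, host, port = rec
        if port not in ssl_ports:
            denied[(client, host, port)] += 1
        else:
            allowed[client][host] += 1
    return denied, allowed

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
1080081001.101    842 10.0.0.21 TCP_MISS/200 5120 CONNECT shop.example.com:443 - DIRECT/192.0.2.10 -
1080081002.202 360114 10.0.0.37 TCP_MISS/200 90321 CONNECT irc.example.net:6667 - DIRECT/198.51.100.7 -
1080081003.303     95 10.0.0.21 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1080081004.404 512200 10.0.0.37 TCP_MISS/200 77110 CONNECT irc.example.net:443 - DIRECT/198.51.100.7 -
""".splitlines()

if __name__ == "__main__":
    denied, allowed = audit(SAMPLE_LOG)
    for (client, host, port), n in denied.items():
        print(f"would be denied: {client} -> {host}:{port} x{n}")
    for client, hosts in allowed.items():
        print(f"still allowed on SSL_ports: {client} -> {dict(hosts)}")
```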