Re: [squid-users] Anonymous Proxyies

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 01 Jun 2007 18:02:24 +1200

Munawar Zeeshan wrote:
> Hi.
>
> I am using Squid Guard to block unwantws sites. But my users now using
> anonymous proxies to by pass my squid guard restriction.

You have a serious problem then. The best solution will come from
considering *why* they are wanting those sites. And finding ways to make
the users not want them anymore. This may need to be an education thing
rather than or in addition to blocking.

>
> There are a lot of anonymous proxy websites.i have manually blocked
> some of them but mu users search out more others every day.
>
> I am unable to find any black list of anonymous proxies from internet.
>
> Can anybody help ???
>

I use a few techniques combined to reduce this, there is some slipway
still though.

1) Block outbound port 80 to users, use .PAC or transparency to get them
going through your squid. (Some other ports may also need to be blocked
as you find them).

2) Block CONNECT access to anything except SSL in squid.

3) Blocking any redirectors. (website that accepts http://.* in path part).

4) Block replies (http_reply_access) which include a forwarded-For
header or sometimes there are other headers specific to the remote proxies.

5) ERR pages that are clear the visited site is a high-risk are of the
internet, with some info on why.

If all else fails you should have contracts with the ultimate options of
dismissal (for employees) or account termination (for abusive clients).

Amos
Received on Fri Jun 01 2007 - 00:02:27 MDT

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:03 MDT