[squid-users] Block WebRTC Leak using Squid

Eliezer Croitoru eliezer at ngtech.co.il
Mon Aug 28 15:24:11 UTC 2017


Thanks for this useful site.
This site cannot be used to test squid in any environment but only in a specific one.
What do the links I gave you show?
http://myip.net.il/
http://ngtech.co.il/ip.php

??
If you want to bulletproof your network and you have full control over it, then you should use the following methods:
- Block any outgoing traffic to the internet from the internal network using a simple firewall
- Intercept any traffic on port 53 (both tcp and udp) into a local dns proxy and/or caching service

I have a running lab with a restricted access to the internet and I will try to see what the results will be there.

Don't mistake squid for being "unusable" since it does what it can, but if you or another person is the network admin you should consider the required and relevant solutions for your environment.
For example, I have worked on servers which are connected to the Internet but have a very restrictive policy which does not allow installation of software or access to the network.
Either by iptables or selinux or group policies.

I am here if you need some advice about the next move with the issue.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: Sekar Duraisamy [mailto:sekarit at gmail.com] 
Sent: Monday, August 28, 2017 12:20
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: Amos Jeffries <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Block WebRTC Leak using Squid

browserleaks.com/ip. I am testing with the Mozilla browser.

On Mon, Aug 28, 2017 at 12:47 PM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
> I remembered something so please also try:
> http://ngtech.co.il/ip.php
>
> and compare it to the output of:
> http://myip.net.il/
>
> and please let us know which browsers you have tested this with.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Sekar Duraisamy
> Sent: Monday, August 28, 2017 09:26
> To: Amos Jeffries <squid3 at treenet.co.nz>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Block WebRTC Leak using Squid
>
> Hi,
>
> I have tried the below.
>
> via on
> forwarded_for delete
> visible_hostname localhost
> request_header_access User-Agent deny all
>
> But I am still able to see the original client local IP address and client
> public IP address instead of tcp_outgoing_address as the original client
> IP.
>
> Did I miss anything here?
>
> On Fri, Aug 25, 2017 at 2:11 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 25/08/17 14:00, Sekar Duraisamy wrote:
>>>
>>> Thanks Amos. Can I use the above configuration even though I am using
>>> tcp_outgoing_address in the squid conf?
>>>
>>> I want to make only tcp_outgoing_address visible to the
>>> outside and not the real client IP.
>>>
>>
>> The second set of directives to hide the client will work.
>>
>> The first set to hide the proxy are kind of pointless when using a
>> proxy-specific IP address / identifier on all traffic out of the proxy.
>>
>> Amos
>>
>>
>>
>>> On Fri, Aug 25, 2017 at 4:11 AM, Amos Jeffries wrote:
>>>>
>>>> On 25/08/17 03:21, Sekar Duraisamy wrote:
>>>>>
>>>>>
>>>>> I am using http_port 3128 ( direct proxy )
>>>>>
>>>>
>>>> Then:
>>>>
>>>>   # to hide the proxy
>>>>   via off
>>>>   forwarded_for transparent
>>>>
>>>>   # to hide the client
>>>>   via on
>>>>   forwarded_for delete
>>>>   request_header_access User-Agent deny all
>>>>
>>>>
>>>> As you may be able to tell from those you cannot hide both at once.
>>>>
>>>> Amos
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>
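
The two firewall measures suggested at the top of this thread (no direct egress from the internal network, and all port 53 traffic redirected to a local DNS service), written out as an added example that is not part of the original messages. WebRTC's STUN probes are UDP sent by the browser itself, so they never pass through Squid and no header directive affects them; dropping forwarded traffic is what stops them. Assumptions: the Squid host is also the LAN gateway and does no other routing, the LAN-facing interface is named `lan0`, and a DNS cache listens on port 53 of that host.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset;
# nothing is applied by this script.
# Assumed names: interface "lan0" (override with LAN_IF), DNS cache on port 53.

build_ruleset() {
    lan_if=$1
    # Refuse anything that is not a plain interface name, so the value
    # cannot smuggle extra options or rules into the generated ruleset.
    case "$lan_if" in
        ''|*[!A-Za-z0-9_.-]*)
            echo "invalid interface name: $lan_if" >&2
            return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
# DNS from the LAN is answered by the local proxy/cache, whatever
# resolver address the client was configured with.
-A PREROUTING -i $lan_if -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $lan_if -p tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
*filter
:FORWARD DROP [0:0]
# Nothing is routed from the LAN to the internet. Clients reach only
# services on the gateway itself (Squid, DNS), which use INPUT/OUTPUT.
# Log attempts at direct egress, rate-limited, before the policy drops them.
-A FORWARD -i $lan_if -m limit --limit 6/min -j LOG --log-prefix "lan-direct-egress "
COMMIT
EOF
}

build_ruleset "${LAN_IF:-lan0}"
```

Check the output with `iptables-restore --test` before loading it; loading without `--noflush` replaces the existing contents of the nat and filter tables.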


