[squid-users] block visit 80/443 browsing via IP(no domain name)
Amos Jeffries
squid3 at treenet.co.nz
Sun Jul 29 06:32:45 UTC 2018
On 29/07/18 16:11, Gordon Hsiao wrote:
> Is there a way to block any attempt to visit http/https by _any_ IP
> directly, i.e.
>
> http://my-IP or https://my-IP (yes this will give a warning for SSL most
> likely
Er, what makes you think that? Squid intercepting HTTPS has to already
be decrypting the TLS in order to see any https:// from the client.
> ). Here my-IP could be any IPv4 address, for example.
To match transactions with a raw IP in their HTTP request-line URL, use a
dstdom_regex ACL with the -n parameter and a regex that matches raw IPs.
<http://www.squid-cache.org/Doc/config/acl/>
You should use a regex that matches both IPv4 and IPv6 because they
*will* both be presented at times regardless of whether your systems are
IPv4-only.
You can find an example of a regex and how to use it in this page:
<https://wiki.squid-cache.org/ConfigExamples/Chat/Skype>. Though note
that Skype regex includes the port number ":443" at the end of the
pattern which you may not want.
Also, be aware that intercepted traffic does not operate with domain
names. It often only has access to the IP:port details from TCP SYN
packets. That especially includes intercepted port 443 traffic at the
early stages of SSL-Bump processing.
Is there something in particular you want to achieve with this blocking?
Amos
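An added illustration of the dstdom_regex -n approach described above; it is not part of Amos's reply, the Skype wiki page, or the Squid project's own code. The regex, the ACL name raw_ip_url and the sample URLs are all constructed for this example. Whether Squid hands dstdom_regex an IPv6 host with or without the URL brackets is treated as an assumption, so the pattern accepts both forms, and it deliberately leaves out the ":443" suffix that the Skype example carries.

```python
import re
from urllib.parse import urlsplit

# Constructed regex (assumption, not taken from the Squid wiki):
# IPv4 = four dot-separated decimal groups; IPv6 = anything containing a
# colon, with or without the [] that URLs put around IPv6 literals.
# A hostname can never contain ':', so the IPv6 branches cannot match a
# real domain name. Both ends are anchored so that a host such as
# 203.0.113.10.example.com does not match the IPv4 branch.
IPV4_LITERAL = r"([0-9]{1,3}\.){3}[0-9]{1,3}"
IPV6_BRACKETED = r"\[[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*\]"
IPV6_BARE = r"[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*"
RAW_IP_HOST_RE = re.compile(rf"^({IPV4_LITERAL}|{IPV6_BRACKETED}|{IPV6_BARE})$")


def is_raw_ip_host(host):
    """True when the URL host component is a raw IP literal rather than a name."""
    return RAW_IP_HOST_RE.match(host) is not None


def raw_ip_urls(urls):
    """Return the subset of URLs whose host is a raw IP literal.

    urlsplit().hostname strips IPv6 brackets and any :port, which is the
    host form the regex is written for (the port is not part of dstdom).
    """
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if is_raw_ip_host(host):
            hits.append(url)
    return hits


def squid_acl_lines(acl_name="raw_ip_url"):
    """Render the squid.conf lines that apply the same regex.

    dstdom_regex and its -n flag are real Squid directives (see the acl
    documentation linked above); -n stops Squid from resolving the host
    before matching, so the literal host from the request URL is tested.
    The ACL name is an assumption for this example.
    """
    return [
        f"acl {acl_name} dstdom_regex -n {RAW_IP_HOST_RE.pattern}",
        f"http_access deny {acl_name}",
    ]


if __name__ == "__main__":
    # Constructed sample request URLs.
    sample = [
        "http://203.0.113.10/",
        "https://[2001:db8::1]:8443/login",
        "https://www.example.com/",
        "http://203.0.113.10.example.com/",
        "http://localhost:8080/",
    ]
    for url in sample:
        verdict = "deny" if url in raw_ip_urls(sample) else "allow"
        print(f"{verdict:5} {url}")
    print("\n".join(squid_acl_lines()))
```

The ACL only sees the host the client put in the request-line URL, so, as Amos notes, it does nothing for intercepted port 443 traffic before SSL-Bump has produced a decrypted request; for that stage the only information available is the destination IP:port from the TCP connection.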