[squid-users] block visit 80/443 browsing via IP(no domain name)

Gordon Hsiao capcoding at gmail.com
Sun Jul 29 13:45:53 UTC 2018


Skype was blocking every raw-ip:443 instead of just its own IPs, a bit too
restricted, though it can have a list of its own IPs and dst might just
work.

I'm trying to see if some chat can be blocked as they use raw-IP without
DNS at all (similar to what Skype did).

Yes, I know ssl-bump uses the IP from the TCP-SYN to do a fake-CONNECT (intercept
mode); that is still different from a raw-IP with 443/ssl, the latter will
warn because hardly any SSL certificate will have a CN in IP format.

There might be some VPN over port 443 that uses raw-IP that I hope to
block, if any.

Thanks,
Gordon

On Sun, Jul 29, 2018 at 7:00 AM <squid-users-request at lists.squid-cache.org>
wrote:

> Message: 1
> Date: Sat, 28 Jul 2018 23:11:43 -0500
> From: Gordon Hsiao <capcoding at gmail.com>
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] block visit 80/443 browsing via IP(no domain
>         name)
> Message-ID:
>         <
> CAK0iFYzxwt2gQ-+wM9bsrnJF3uLAhhRtpE4pU0Wb4O1qgp3yOA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Is there a way to block any attempt to visit http/https by _any_ IP
> directly, i.e.
>
> http://my-IP or https://my-IP (yes, this will give a warning for SSL most
> likely). Here my-IP could be any IPv4 address, for example.
>
> Basically I want to have Squid enforce that all 80/443 access should be done
> via a FQDN instead of an IP. Is this possible? Or should this be handled in
> a redirector instead?
>
> Thanks,
> Gordon
> ------------------------------
>
> Message: 2
> Date: Sun, 29 Jul 2018 18:32:45 +1200
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] block visit 80/443 browsing via IP(no
>         domain name)
> Message-ID: <8883cf05-af98-6788-b42d-c1edd764a116 at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 29/07/18 16:11, Gordon Hsiao wrote:
> > is there a way to block any attempt to visit http/https by _any_ IP
> > directly, i.e.
> >
> > http://my-IP or https://my-IP (yes this will give a warning for SSL most
> > likely
>
> Er, what makes you think that? Squid intercepting HTTPS has to already
> be decrypting the TLS in order to see any https:// from the client.
>
>
> > ). here my-IP could be any IPv4 address, for example.
>
> To match transactions with raw-IP in their HTTP request-line URL use a
> dstdom_regex ACL with -n parameter and regex that matches raw-IP.
> <http://www.squid-cache.org/Doc/config/acl/>
>
> You should use a regex that matches both IPv4 and IPv6 because they
> *will* both be presented at times regardless of whether your systems are
> IPv4-only.
>
> You can find an example of a regex and how to use it in this page:
> <https://wiki.squid-cache.org/ConfigExamples/Chat/Skype>. Though note
> that Skype regex includes the port number ":443" at the end of the
> pattern which you may not want.
>
> Also, be aware that intercepted traffic does not operate with domain
> names. It often only has access to the IP:port details from TCP SYN
> packets. That especially includes intercepted port 443 traffic at the
> early stages of SSL-Bump processing.
>
> Is there something in particular you want to achieve with this blocking?
>
> Amos
>
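The dstdom_regex approach Amos describes, worked through as an added example (not code from the thread, the Squid wiki, or the Squid project): two regexes written in POSIX-ERE-compatible syntax so the same strings can be pasted into squid.conf as `dstdom_regex -n` arguments, a matcher that shows what they do and do not hit, and the ACL lines they produce. It assumes Squid hands dstdom_regex the bare host (no port) and that an IPv6 literal may arrive with or without its URL brackets; the ACL name `raw_ip_dst` is an arbitrary choice.

```python
import re

# Written with [0-9] rather than \d and with plain groups so the same text
# is valid POSIX ERE for squid.conf. Deliberately loose (no octet range
# check): the goal is "looks like an IP literal, not an FQDN", not validation.
RAW_IPV4 = r"^[0-9]{1,3}(\.[0-9]{1,3}){3}$"

# IPv6 literal: hex digits and at least two colons (every IPv6 address has
# at least two), an optional dotted IPv4 tail (::ffff:192.0.2.1), and optional
# surrounding brackets as used in URLs. Hostnames never contain ':', so an FQDN
# cannot match. Assumption: the host string carries no ':port' suffix.
RAW_IPV6 = r"^\[?[0-9a-fA-F]*(:[0-9a-fA-F]*){2,7}(\.[0-9]{1,3}){0,3}\]?$"

_ipv4 = re.compile(RAW_IPV4)
_ipv6 = re.compile(RAW_IPV6)


def is_raw_ip_host(host: str) -> bool:
    """True when the destination host is an IP literal rather than a name."""
    return bool(_ipv4.match(host) or _ipv6.match(host))


def squid_acl_lines(acl_name: str = "raw_ip_dst") -> list:
    """The squid.conf fragment: both regexes on one ACL, -n to skip DNS
    lookups on the literal, then a deny. No port in the pattern, so the
    rule covers port 80 and 443 alike (unlike the Skype wiki regex that
    ends in ':443')."""
    return [
        f"acl {acl_name} dstdom_regex -n {RAW_IPV4}",
        f"acl {acl_name} dstdom_regex -n {RAW_IPV6}",
        f"http_access deny {acl_name}",
    ]


if __name__ == "__main__":
    # Constructed sample destinations, as a proxy would see them.
    for host in ["192.0.2.10", "[2001:db8::1]", "::ffff:192.0.2.1",
                 "www.example.com", "cafe:443", "192.0.2.10:443"]:
        print(f"{host:22} raw IP: {is_raw_ip_host(host)}")
    print("\n".join(squid_acl_lines()))
```

Note the caveat both Gordon and Amos raise: in intercept mode the fake CONNECT at the start of SSL-Bump processing carries only the IP:port from the TCP SYN, so this ACL evaluated at that stage would match every intercepted TLS connection, not just the ones a client typed as a raw IP. Apply it where a hostname is actually available (forward-proxy requests, or after the TLS client hello has been parsed) rather than at step 1.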