[squid-users] block visit 80/443 browsing via IP(no domain name)

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 30 05:20:18 UTC 2018


On 30/07/18 04:59, Walter H. wrote:
> skype was blocking every raw-ip:443 instead of just its own IPs, a bit
> too restricted, though it can have a list of its own IPs and dst might
> just work.

That was the point. Skype is P2P software. Certain versions use raw-IP
to connect to arbitrary IPs. There are no "its IPs" to restrict the
match to. And the more recent versions owned by MS use the Azure cloud -
so any IP in Azure is valid raw-IP for Skype to connect to.


> 
> I'm trying to see if some chat can be blocked as they use raw-IP
> without DNS at all (similar to what skype did)
> 
> yes I know ssl-bump uses IP from TCP-SYN to do fake-CONNECT (intercept
> mode), that is still different from a raw-IP with 443/ssl, the latter
> will warn because rarely any ssl certificate will have CN in IP format.

That does not make sense. There is a very good reason why we keep
dstdomain and ssl::server_name as separate ACL types.

That reason is that both can exist simultaneously with different values.
The CN value is never part of https:// URLs.

I think you may be confusing the TLS SNI with X.509 certificate CN
Subject names.
The former is used in http:// URLs reported by Squid, and the latter is
not.

> 
> there might be some vpn over 443 port that uses raw-IP that I hope to
> block, if any.

Use ssl::server_name_regex with the raw-IP pattern to match raw-IP in
certificate CN fields.

Please be aware that CN contains *multiple* values which may be (often
is) any combination of domain name, raw-IP, arbitrary text strings and
regex patterns. So take extreme care with your regex matching into it.

Your lack of certainty about what VPNs are actually doing indicates that
you probably do not know what you are dealing with here. Please base
your rules and config around what is *actually* happening on your
network. Half-way rules based on guesses are not sufficient protection
by any means if you intend paranoid levels of protection, and harmful if
you intend for opening useful holes in advance of a need existing.

Amos
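As an added illustration of the ssl::server_name_regex approach described above (an example written for this page, not part of Amos's message or of the Squid project's own configuration), a squid.conf fragment that denies browsing to literal IPv4 addresses on plain HTTP and on SSL-bumped HTTPS, checking the CONNECT authority, the SNI and finally the server certificate name. The ACL names are assumptions; the patterns are anchored so that a domain name that merely contains digits is not matched.

```squid
# Constructed example. Anchored IPv4-literal pattern: ^ and $ keep it
# from matching inside a longer name such as 10.0.0.1.example.net.
# -n disables DNS lookups, so a hostname that resolves to a blocked
# address is not accidentally matched as if it were the raw IP.
acl raw_ip_url dstdom_regex -n ^[0-9]{1,3}(\.[0-9]{1,3}){3}$
http_access deny raw_ip_url

# ssl::server_name changes source as the bump proceeds:
#  step 1: CONNECT request authority (raw IP or domain name)
#  step 2: TLS SNI from the ClientHello (falls back to the authority)
#  step 3: name taken from the server certificate (CN/Subject), which is
#          where a raw-IP CN appears and where CN can hold several values
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl raw_ip_name ssl::server_name_regex ^[0-9]{1,3}(\.[0-9]{1,3}){3}$

# Look at the ClientHello, close the connection if the name seen so far
# is a literal address, then look at the server certificate and decide
# again; anything that passes both checks is spliced through unmodified.
ssl_bump peek step1
ssl_bump terminate raw_ip_name
ssl_bump peek step2
ssl_bump terminate raw_ip_name
ssl_bump splice all
```

The pattern covers IPv4 literals only; IPv6 literals in CONNECT requests or certificates would need a second, separately anchored pattern.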

