Skype was blocking every raw-ip:443 instead of just its own IPs, a bit too restricted, though it can have a list of its own IPs and dst might just work.

I'm trying to see if some chat can be blocked as they use raw-IP without DNS at all (similar to what Skype did). Yes, I know ssl-bump uses the IP from the TCP-SYN to do a fake-CONNECT (intercept mode); that is still different from a raw-IP with 443/ssl, the latter will warn because rarely any SSL certificate will have a CN in IP format. There might be some VPN over port 443 that uses raw-IP that I hope to block, if any.

Thanks,
Gordon

On Sun, Jul 29, 2018 at 7:00 AM <squid-users-requ...@lists.squid-cache.org> wrote:
> Send squid-users mailing list submissions to
> squid-users@lists.squid-cache.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.squid-cache.org/listinfo/squid-users
> or, via email, send a message with subject or body 'help' to
> squid-users-requ...@lists.squid-cache.org
>
> You can reach the person managing the list at
> squid-users-ow...@lists.squid-cache.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of squid-users digest..."
>
>
> Today's Topics:
>
> 1. block visit 80/443 browsing via IP(no domain name) (Gordon Hsiao)
> 2. Re: block visit 80/443 browsing via IP(no domain name)
> (Amos Jeffries)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 28 Jul 2018 23:11:43 -0500
> From: Gordon Hsiao <capcod...@gmail.com>
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] block visit 80/443 browsing via IP(no domain name)
> Message-ID: <cak0ifyzxwt2gq-+wm9bsrnjf3ulahhrtpe4pu0wb4o1qgp3...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> is there a way to block any attempt to visit http/https by _any_ IP
> directly, i.e.
>
> http://my-IP or https://my-IP (yes this will give a warning for SSL most
> likely). here my-IP could be any IPv4 address, for example.
>
> Basically I want to have Squid to enforce all 80/443 access should be done
> via a FQDN instead of an IP, is this possible?
> or should this be handled in
> a redirector instead?
>
> Thanks,
> Gordon
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180728/a65bf67a/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 29 Jul 2018 18:32:45 +1200
> From: Amos Jeffries <squ...@treenet.co.nz>
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] block visit 80/443 browsing via IP(no domain name)
> Message-ID: <8883cf05-af98-6788-b42d-c1edd764a...@treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
>
> On 29/07/18 16:11, Gordon Hsiao wrote:
> > is there a way to block any attempt to visit http/https by _any_ IP
> > directly, i.e.
> >
> > http://my-IP or https://my-IP (yes this will give a warning for SSL most
> > likely
>
> Er, what makes you think that? Squid intercepting HTTPS has to already
> be decrypting the TLS in order to see any https:// from the client.
>
> > ). here my-IP could be any IPv4 address, for example.
>
> To match transactions with raw-IP in their HTTP request-line URL use a
> dstdom_regex ACL with -n parameter and regex that matches raw-IP.
> <http://www.squid-cache.org/Doc/config/acl/>
>
> You should use a regex that matches both IPv4 and IPv6 because they
> *will* both be presented at times regardless of whether your systems are
> IPv4-only.
>
> You can find an example of a regex and how to use it in this page:
> <https://wiki.squid-cache.org/ConfigExamples/Chat/Skype>. Though note
> that Skype regex includes the port number ":443" at the end of the
> pattern which you may not want.
>
> Also, be aware that intercepted traffic does not operate with domain
> names. It often only has access to the IP:port details from TCP SYN
> packets. That especially includes intercepted port 443 traffic at the
> early stages of SSL-Bump processing.
>
> Is there something in particular you want to achieve with this blocking?
>
> Amos
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
> ------------------------------
>
> End of squid-users Digest, Vol 47, Issue 58
> *******************************************
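The raw-IP matching Amos describes (a dstdom_regex ACL with -n, covering both IPv4 and IPv6, and the ":443" caveat from the Skype wiki pattern), as an added worked example that is neither from this thread nor from the Squid project. It builds the pattern in the syntax subset that both Python's re and POSIX ERE accept, so the same string can be pasted into squid.conf, and checks it against constructed sample hosts. The ACL name raw_ip and the assumption that an IPv6 literal may reach the ACL with the URL's square brackets are mine.

```python
"""Raw-IP host matcher of the kind a Squid `dstdom_regex -n` ACL needs.

Added example, not from the squid-users thread or the Squid project.
Patterns avoid \\d and (?:...) so they are valid POSIX ERE as well as
Python re, and can be copied into squid.conf unchanged.
"""
import re

# One IPv4 octet, 0-255, written without \d for ERE compatibility.
OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
IPV4 = "(" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET + ")"

# IPv6 literal: hex groups separated by colons ("::" compression allowed).
# ASSUMPTION: the literal may arrive wrapped in the URL's square brackets,
# so a bracketed form is accepted; the bare form needs at least two colons
# so that a short hex-only hostname followed by ":port" is not mistaken
# for an address.
IPV6 = (r"(\[([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}\]"
        r"|([0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4})")


def raw_ip_pattern(port=None):
    """Anchored pattern for a host that is an IP literal.

    port=None : bare literal, with or without any ":port" (what the poster
                asked for).
    port=443  : literal that must end in ":443", like the Skype wiki pattern;
                this misses plain http://203.0.113.5/ requests, which carry
                no port in the host.
    """
    suffix = "(:[0-9]+)?" if port is None else ":%d" % port
    return "^(" + IPV4 + "|" + IPV6 + ")" + suffix + "$"


def is_raw_ip_host(host, port=None):
    """True when the ACL regex would match this request host."""
    return re.match(raw_ip_pattern(port), host) is not None


def squid_acl(name="raw_ip", port=None):
    """Render the squid.conf ACL line; -n stops Squid resolving the host
    (and converting addresses) before the regex is applied."""
    return "acl %s dstdom_regex -n %s" % (name, raw_ip_pattern(port))


# Constructed sample hosts as Squid would see them in the request URL / Host.
SAMPLE_HOSTS = [
    "203.0.113.5",            # http://IP/            -> deny
    "203.0.113.5:443",        # CONNECT IP:443        -> deny
    "[2001:db8::1]:443",      # CONNECT [IPv6]:443    -> deny
    "2001:db8::1",            # bare IPv6 literal     -> deny
    "www.example.com",        # FQDN                  -> allow
    "1.2.3.4.example.net",    # FQDN that embeds digits -> allow
    "256.1.1.1",              # not a valid IPv4 octet -> allow
]


def classify(hosts, port=None):
    """Map each host to whether the raw_ip ACL would match it."""
    return {h: is_raw_ip_host(h, port) for h in hosts}


if __name__ == "__main__":
    print(squid_acl())
    print("http_access deny raw_ip")
    for host, hit in classify(SAMPLE_HOSTS).items():
        print("%-24s %s" % (host, "DENY" if hit else "allow"))
    # The Skype-style pattern with ":443" hard-coded misses http:// by IP:
    print(classify(["203.0.113.5"], port=443))
```

Pair the rendered `acl` line with `http_access deny raw_ip` placed before the general allow rules. Two limits follow directly from Amos's reply: in intercept mode the host Squid has at the early SSL-Bump stages is often only the IP:port from the TCP SYN, so this ACL would deny nearly every intercepted connection rather than just the ones a user typed as an IP; and if you copy the wiki pattern with ":443" appended, plain `http://IP/` requests (no port in the host) slip through, which is what the `port=443` case above shows.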