> Hi all,
>
> I've been seeing users start to tunnel thru my squid
> caches, especially for connecting to IRC servers. I
> get CONNECT lines in my log either going to 6667 (irc
> default) or more sneakily, 443. As there is a
> sizable number of irc servers my users are connecting
> to, and the fact CONNECT is used for regular https
> websites, I can't block the method or the
> hostnames/IPs. I recompiled squid to log user-agents,
> but again, anything coming in on a CONNECT does not
> show up - I thought at least I could identify the irc
> clients and block them with a "browser" ACL.
>
> So I guess what I am asking, is there an easier, more
> maintainable way to stop this rather than spending day
> after day compiling ip lists for multiple servers -
> I'm really hoping for a one-liner here.
>
> Many thanks in advance,
>

The default squid.conf will not allow connections to 6667; in order to have a 'strict' config:

acl SSL_ports port 443
http_access deny CONNECT !SSL_ports

If you block 443, then valid SSL sites will be blocked too; and your users will no longer be able to access those. If you want further control on access to malicious '443-sites' then you need to make use of access controls in SQUID (see the FAQ).

M.
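Added example, not part of the original thread: a small audit of Squid's native access.log that lists CONNECT requests to ports outside SSL_ports (what the deny rule above refuses) and, separately, unusually long-lived CONNECTs on 443 for manual review. The sample log lines are constructed, and the 10-minute threshold is an assumption, not something from the thread.

```python
from collections import defaultdict

SSL_PORTS = {443}          # mirrors "acl SSL_ports port 443"
LONG_TUNNEL_MS = 600_000   # assumed review threshold (10 min), not from the thread

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1066036250.603 30123 192.168.1.10 TCP_MISS/200 4521 CONNECT irc.example.net:6667 - DIRECT/203.0.113.5 -
1066036251.100 842 192.168.1.11 TCP_MISS/200 18233 CONNECT shop.example.com:443 - DIRECT/198.51.100.7 -
1066036300.250 3605000 192.168.1.10 TCP_MISS/200 90211 CONNECT 203.0.113.9:443 - DIRECT/203.0.113.9 -
1066036301.000 120 192.168.1.12 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/198.51.100.20 text/html
1066036302.000 5 192.168.1.10 TCP_DENIED/403 1350 CONNECT irc.example.org:6667 - NONE/- text/html
"""

def parse_connects(text):
    """Yield (client, host, port, elapsed_ms, result) for each CONNECT line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        host, _, port = f[6].rpartition(":")
        if not port.isdigit():
            continue
        yield f[2], host, int(port), int(f[1]), f[3]

def audit(text):
    """Return (off_port, long_tunnels), each keyed by client address."""
    off_port, long_tunnels = defaultdict(list), defaultdict(list)
    for client, host, port, elapsed, result in parse_connects(text):
        if port not in SSL_PORTS:
            # The deny rule would refuse these; TCP_DENIED shows it already did.
            off_port[client].append((host, port, result.startswith("TCP_DENIED")))
        elif elapsed >= LONG_TUNNEL_MS:
            # Allowed by port, but unusually long-lived for HTTPS: review manually.
            long_tunnels[client].append((host, elapsed))
    return dict(off_port), dict(long_tunnels)

if __name__ == "__main__":
    off_port, long_tunnels = audit(SAMPLE_LOG)
    for client, hits in off_port.items():
        print(client, "CONNECT outside SSL_ports:", hits)
    for client, hits in long_tunnels.items():
        print(client, "long-lived CONNECT on 443:", hits)
```

A long-lived CONNECT on 443 is only a hint for follow-up, since legitimate HTTPS sessions can also stay open for a long time.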
