Here is a quick one:

access.log example:

1095314931.769 109912 192.168.X.X TCP_MISS/200 12387 CONNECT mbn.microsoft.com:443 - DIRECT/207.68.167.45 - [Proxy-Connection: Keep-Alive\r\nHost: mbn.microsoft.com:443\r\n] []

This is a real example from our access.log and in the squid.conf file:

##### CONNECT proto - allow goodsites
acl goodsslsites dstdom_regex "/tmp/ssl_sites"
http_access deny !goodsslsites goodhttps

##### Protocol restrictions
acl goodhttp proto HTTP
acl goodftp proto FTP
acl goodhttps proto CONNECT

http_access deny !goodhttp httpstand_ports
http_access deny !goodftp ftpstand_ports
http_access deny !goodhttps SSL_ports

This only allows access over HTTPS (port 443) to domains listed in the /tmp/ssl_sites file and only allows certain protocols over certain ports.

Michael.

On Thu, 16 Sep 2004 17:20:32 -0300 (ART)
Giancarlo Boaron <[EMAIL PROTECTED]> wrote:

> Ok. That's a good idea. So, using the CONNECT method
> it is possible to register all of the HTTPS activity in
> access.log, right?
> Could you please send me some example about how to set
> up ACLs based on the CONNECT method?
>
> Thank you
> Giancarlo
>
> --- Michael Gale <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Squid cannot filter the content of an HTTPS
> > connection or the URL but it can still act as a
> > proxy for HTTPS connections using the CONNECT
> > method. Using squid for this will provide logging
> > information on who is connecting to what IP / domain.
> >
> > This can be useful because there is a lot of
> > tunnel software on the web designed to bypass proxy
> > servers using this method. For example some people
> > may want to run MSN messenger on the network which
> > is blocked ... so they install this simple tunnelling
> > software allowing them to have the MSN client make
> > a connection over the tunnel to a socks proxy
> > externally for MSN.
> >
> > We only allow HTTPS connections to a list of
> > domains.
> >
> > Michael.
> >
> > On Thu, 16 Sep 2004 16:54:48 -0300 (ART)
> > Giancarlo Boaron <[EMAIL PROTECTED]> wrote:
> >
> > > Hello!
> > > I'm planning to use squid as a transparent proxy
> > > for my LAN.
> > > I know squid can't act as a transparent proxy when
> > > using the HTTPS protocol and it even registers this
> > > kind of access in my access.log file.
> > > So, can I register this kind of access in my
> > > access.log file or do I just have to let this
> > > protocol go in and out on my iptables script
> > > (using FORWARD)?
> > >
> > > Besides, what are the advantages and disadvantages
> > > of using a transparent proxy concerning security,
> > > configuration facilities, network performance, etc.?
> > >
> > > Thank you.
> > > Giancarlo
> >
> > --
> > Michael Gale
> > Network Administrator
> > Utilitran Corporation

--
Michael Gale
Network Administrator
Utilitran Corporation
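
The thread above says the CONNECT entries in access.log show who is connecting to which domain, and that HTTPS is only allowed to a list of domains. The following is an added example, not part of the original messages or of anyone's configuration: it reviews native-format access.log lines and reports CONNECT requests whose destination is outside an allow list or whose port is not an SSL port. The log lines, the regex standing in for the contents of /tmp/ssl_sites (which the thread does not show) and the function names are all assumptions made for illustration.

```python
import re

# Constructed sample in Squid's native access.log format; clients, hosts and
# times are made up (the first line follows the shape of the one in the thread).
SAMPLE_LOG = """\
1095314931.769 109912 192.168.0.10 TCP_MISS/200 12387 CONNECT mbn.microsoft.com:443 - DIRECT/207.68.167.45 -
1095314940.112 15 192.168.0.11 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1095314955.300 3600012 192.168.0.12 TCP_MISS/200 48211734 CONNECT tunnel.example.net:443 - DIRECT/198.51.100.7 -
1095314960.004 2 192.168.0.12 TCP_DENIED/403 1402 CONNECT tunnel.example.net:22 - NONE/- text/html
"""

# Assumed stand-in for the dstdom_regex patterns kept in /tmp/ssl_sites.
ALLOWED_PATTERNS = [r"\.microsoft\.com$"]


def parse_connects(log_text):
    """Yield one dict per CONNECT entry; other methods and bad lines are skipped."""
    for line in log_text.splitlines():
        f = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        host, _, port = f[6].rpartition(":")
        if not host or not port.isdigit():
            continue  # CONNECT target must be host:port
        yield {"client": f[2], "result": f[3], "bytes": int(f[4]),
               "host": host.lower(), "port": int(port)}


def review(log_text, allowed_patterns, ssl_ports=(443,)):
    """Return (client, target, result, reasons) for CONNECTs outside policy."""
    allowed = [re.compile(p) for p in allowed_patterns]
    findings = []
    for e in parse_connects(log_text):
        reasons = []
        if not any(rx.search(e["host"]) for rx in allowed):
            reasons.append("destination not in allow list")
        if e["port"] not in ssl_ports:
            reasons.append("port not in SSL_ports")
        if reasons:
            target = f'{e["host"]}:{e["port"]}'
            findings.append((e["client"], target, e["result"], reasons))
    return findings


if __name__ == "__main__":
    for client, target, result, reasons in review(SAMPLE_LOG, ALLOWED_PATTERNS):
        print(f"{client} -> {target} [{result}]: {', '.join(reasons)}")
```

A finding with a TCP_MISS/200 result means the tunnel was established, while TCP_DENIED/403 means an ACL already blocked it; the first kind is the one to follow up.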
