Re: [squid-users] Detecting and blocking child proxy servers

From: Juraj Sakala <juraj.sakala@dont-contact.us>
Date: Thu, 26 Jul 2007 08:06:03 +0200

On Wednesday 25 July 2007 14:42, Tek Bahadur Limbu wrote:
> Juraj Sakala wrote:
> > On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
> >> Is this possible? In other words, I want my proxy servers to detect
> >> squid or other proxy severs which are being used or operated by others
> >> besides me.
> >
> > May it is bepossible:
> > - if you know your network you can use header x_forwarded_for to detect
> > unknown networks.
> > - if you wont to allow only your proxy servers use http_access directive
> > with acl which contains only your proxy's
> > - try something like this:
> > acl myproxy req_header Via MyProxy
> > http_access allow myproxy
> > http_access deny all
> > - use authentication
>
> Hi Juraj,
>
> Thanks for sharing your tips.
>
> Suppose I have the following:
>
> acl myproxy req_header Via 192.168.100.0/24
> http_access allow myproxy
> http_access deny all

It was only tip. I am not sure, but i think squid puts in this header his
visible hostname and port in format 1.1 <vysible_hostname>:<port>. So if
someone use Squid in default configuration you can block it easily. But it
is true, that headers are easily spoofable

> Now if I use this, my normal clients (192.168.101.0/24) won't be able to
> access my proxy server right?

There is question if normal client sends Via header in request, I am sure that
not.

So we need acl that permits requists from our proxy's with correct Via header
or clients with no header and denies all other requests.

It will be hard, maybe external acl will be useful.
Received on Thu Jul 26 2007 - 00:06:14 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT