# Block http tunnels on squid

## IvanZD

Hi?

What can be done to block this type of traffic through squid: http://www.your-freedom.net ? I disabled the CONNECT method, which is not perfect because now SSL doesn't work, but I think this only disabled tunnels through HTTPS, not HTTP. Looking at the FAQs on the YF site, it looks like that... Any other ideas for allowing only HTTP browsing through squid?

Thx

----------

## think4urs11

mhh, not an easy issue

implement a whitelist of domains/sites your users may connect to, and deny everything else -> high administrative burden

OR

implement a blacklist of domains/sites your users should not connect to, and allow everything else -> sooner or later they'll find a way out

----------

## IvanZD

Ummm..

but are all tunnels blocked if the CONNECT method is disabled, or not? If they are, then I can make rules to allow the CONNECT method only for the few sites that need it. But I am not sure whether a tunnel can be done some other way that does not use the CONNECT method? Haven't found this answer on Google yet..

----------

## think4urs11

unfortunately.... NO

see e.g. net-misc/httptunnel

It just uses HTTP, no CONNECT.

The only way known (to me) to block all (well ... 99.999%) tunnels is the whitelist (until a single page is overlooked before being whitelisted).

Additionally: force your users to use an authenticating proxy, no NAT at all, filter on browser ID/user agent ID, a highly restrictive list of allowed/accepted software on the clients, etc. That is....

----------

## IvanZD

 *Think4UrS11 wrote:*   

> filter on browser ID/user agent ID, highly restrictive list of allowed/accepted software to use on clients

 

OK, thank you for your time; the part quoted above seems nice to me (restricting clients to only IE, FF and Opera would be a good idea).. but how do I do this? Can it be done in squid.conf, or do I need additional software?

----------

## IvanZD

Found it. Thx!

----------

## Mythos

Hey, hello, what have you done to block that type of service in squid?

----------

## IvanZD

For now, I disabled CONNECT method:

```
#http_access deny CONNECT !SSL_ports
http_access deny CONNECT all
```

and allowed only these browser ID's:

```
acl safe_browser browser -i OPERA MSIE MOZILLA
http_access deny !safe_browser
```

For now, I will check access.log and tcpdump the traffic to search for any suspicious traffic that gets past these rules.. for example, right now I have tons of DENIED CONNECT requests in access.log to the "your-freedom" domain.. We'll see if this helps; if not, then I will implement the additional rules that Think4UrS11 recommended.
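Checking access.log for what gets past the rules, as the post above plans to do, can be scripted. The following is an added Python example for this thread (not Squid's code and not from any poster) that scans Squid native-format access.log lines for two things: CONNECT requests the proxy denied (the tunnel client probing for an SSL tunnel, which `http_access deny CONNECT all` blocks and logs as TCP_DENIED), and httptunnel-style traffic over plain HTTP, which needs no CONNECT and so passes the CONNECT rule: one client repeatedly POSTing to, or pulling opaque octet-stream bodies from, a single host. The log lines are constructed for the example; `203.0.113.10` and `198.51.100.7` are documentation addresses standing in for a tunnel endpoint and a normal web server.

```python
"""Scan Squid native-format access.log lines for tunnel signatures.

Added illustration for this thread, not Squid's own code. Two signatures:
  1. CONNECT requests the proxy denied (blocked SSL-tunnel attempts), and
  2. plain-HTTP tunnelling (httptunnel style, no CONNECT involved): a client
     repeatedly POSTing to, or fetching octet-stream bodies from, one host.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Native log format:
#   time elapsed client result/status bytes method URL ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Reply content types a browser session normally produces; anything else is "opaque".
BROWSER_LIKE_TYPES = ("text/", "image/", "application/x-javascript", "application/xml")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dest_host(method, url):
    """CONNECT is logged as 'host:port'; every other method logs a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def scan(lines, threshold=5):
    """Return (denied_connect, suspects), both keyed by (client, host).

    denied_connect counts CONNECTs the proxy refused. suspects holds the
    (client, host) pairs with at least `threshold` requests that look like
    tunnel traffic (uploads, or replies whose type no browser page would be).
    """
    denied_connect = Counter()
    tunnel_like = Counter()
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        key = (r["client"], dest_host(r["method"], r["url"]))
        if r["method"] == "CONNECT":
            if r["result"].startswith("TCP_DENIED"):
                denied_connect[key] += 1
            continue
        if r["result"].startswith("TCP_DENIED"):
            continue  # the proxy already refused this request
        uploads = r["method"] in ("POST", "PUT")
        opaque = not r["ctype"].startswith(BROWSER_LIKE_TYPES)
        if uploads or opaque:
            tunnel_like[key] += 1
    suspects = {k: n for k, n in tunnel_like.items() if n >= threshold}
    return denied_connect, suspects


# Constructed sample log: three blocked CONNECT probes, two normal page hits,
# and seven plain-HTTP exchanges with a single host carrying opaque bodies.
SAMPLE_LOG = [
    "1187274033.101     12 192.168.100.23 TCP_DENIED/403 1435 CONNECT www.your-freedom.net:443 - NONE/- text/html",
    "1187274033.402     15 192.168.100.23 TCP_DENIED/403 1435 CONNECT www.your-freedom.net:443 - NONE/- text/html",
    "1187274034.117     11 192.168.100.23 TCP_DENIED/403 1435 CONNECT www.your-freedom.net:443 - NONE/- text/html",
    "1187274040.233    310 192.168.100.23 TCP_MISS/200 8231 GET http://www.gentoo.org/ - DIRECT/198.51.100.7 text/html",
    "1187274041.019     90 192.168.100.23 TCP_HIT/200 2048 GET http://www.gentoo.org/images/gentoo-new.gif - NONE/- image/gif",
    "1187274057.500   1200 192.168.100.42 TCP_MISS/200 61440 GET http://203.0.113.10:80/ - DIRECT/203.0.113.10 application/octet-stream",
] + [
    f"11872740{50 + i}.000    800 192.168.100.42 TCP_MISS/200 1290 POST http://203.0.113.10:80/ - DIRECT/203.0.113.10 application/octet-stream"
    for i in range(6)
]

if __name__ == "__main__":
    denied, suspects = scan(SAMPLE_LOG)
    for (client, host), n in denied.items():
        print(f"blocked CONNECT: {client} -> {host} ({n} attempts)")
    for (client, host), n in suspects.items():
        print(f"possible HTTP tunnel: {client} -> {host} ({n} opaque/upload requests)")
```

Run it against a real log with `scan(open("/var/log/squid/access.log"))`. The second heuristic is deliberately coarse: a user downloading several archives from one site will also cross the threshold, so treat a hit as a lead to confirm with tcpdump, not as proof. What it does catch is the case the CONNECT rule cannot: a tunnel that speaks ordinary GET/POST to one endpoint.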

----------

## Mythos

Well, I can't block mIRC connections through Your Freedom :'( ...

What the heck am I doing wrong ...

```
http_port 3128
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl proibido url_regex "/etc/squid/proibido.cfg"
http_access deny proibido
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl local-network src 192.168.100.0/255.255.255.0
acl safe_browser browser -i OPERA MSIE MOZILLA
#Ports allowed through the proxy:
acl SSL_ports port 443 # https
acl Safe_ports port 21          # ftp
acl Safe_ports port 80
acl Safe_ports port 443         # http
acl Safe_ports port 1022        # sshd
acl Dangerous_ports port 135
acl day time 09:00-16:59
acl day2 time 17:00-23:59
acl night time 00:00-08:59
acl magic_words1 url_regex -i 192.168.
acl magic_words2 url_regex .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg.mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .t$
delay_pools 3
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow magic_words1
delay_class 2 2
delay_parameters 2 1024000/1024000 20200/1000000
delay_access 2 allow day
delay_access 2 deny !day
delay_access 2 allow magic_words2
delay_class  3 3
delay_parameters 3 1024000/1024000 4200/1000000 3200/1100000
delay_access 3 allow day2 night
delay_access 3 deny !day2 !night
delay_access 3 allow magic_words2
acl purge method PURGE
acl CONNECT method CONNECT
acl hotmail_domains dstdomain .hotmail.msn.com
acl ie6 browser MSIE[[:space:]]6
header_access Accept-Encoding deny ie6 hotmail_domains
cache_mem 150 MB
cache_dir ufs /var/cache/squid 512 16 256
redirect_rewrites_host_header off
cache_replacement_policy GDSF
cache_mgr admin@xpto.com
httpd_accel_host virtual
httpd_accel_port 80
log_icp_queries off
buffered_logs on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off
logfile_rotate 10
visible_hostname xpto
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache_swap_log none
emulate_httpd_log on
useragent_log /var/log/squid/user-agent.log
## HTTP ACCESS RULES
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow local-network
#http_access deny CONNECT !SSL_ports
http_access deny CONNECT all
http_access deny !safe_browser
http_access allow localhost
http_access deny all
forwarded_for off
http_reply_access allow all
icp_access allow all
miss_access allow all
coredump_dir /var/spool/squid
ie_refresh on
error_directory /usr/lib/squid/errors/Portuguese/
forwarded_for off
always_direct deny all
cache_effective_user squid
cache_effective_group squid
```
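What decides the outcome in configs like the one above is the order of the `http_access` lines: Squid ANDs the ACL terms on one line, tries the lines top to bottom, and stops at the first line that matches. Below is an added Python model of that evaluation, written for this thread (it is not Squid's code and not from any poster), using the ACLs from the configs posted here plus one assumed `allowed_sites` dstdomain ACL so that it also shows the whitelist approach think4urs11 describes. The requests are constructed: `www.your-freedom.net` stands in for a tunnel endpoint and `www.gentoo.org` for a permitted site, and the tunnel requests carry a browser-like User-Agent, which any client is free to send.

```python
"""Toy model of Squid http_access evaluation (first matching line wins).

Added illustration for this thread, not Squid's own code. ACL values mirror
the squid.conf fragments posted in the thread; 'allowed_sites' is an assumed
whitelist ACL that the thread does not contain. Requests are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# name -> (acl type, values), as in the 'acl' lines of the thread
ACLS = {
    "all":           ("src", ["0.0.0.0/0"]),
    "localhost":     ("src", ["127.0.0.1/32"]),
    "local-network": ("src", ["192.168.100.0/24"]),
    "Safe_ports":    ("port", [21, 80, 443, 1022]),
    "SSL_ports":     ("port", [443]),
    "CONNECT":       ("method", ["CONNECT"]),
    "safe_browser":  ("browser", ["OPERA", "MSIE", "MOZILLA"]),  # 'browser -i': case-insensitive regex on User-Agent
    "allowed_sites": ("dstdomain", [".gentoo.org"]),             # assumed whitelist; leading dot covers subdomains
}


def dstdomain_match(pattern, host):
    """Squid dstdomain: '.example.com' matches example.com and its subdomains,
    'example.com' matches only that exact name."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v) for v in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    if kind == "browser":
        return any(re.search(v, req["ua"], re.IGNORECASE) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(v, req["host"]) for v in values)
    raise ValueError(kind)


def http_access(rules, req):
    """rules: list of (action, [terms]); a term starting with '!' is negated.
    Terms on one line are ANDed; the first line whose terms all match decides."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny"  # unreachable here: every rule set below ends in 'deny all'


# BROKEN is the order of the first config posted above: 'allow local-network'
# comes before the deny lines, so for LAN clients the deny lines never fire.
BROKEN = [("deny", ["!Safe_ports"]), ("allow", ["local-network"]),
          ("deny", ["CONNECT", "all"]), ("deny", ["!safe_browser"]),
          ("allow", ["localhost"]), ("deny", ["all"])]
# FIXED moves the deny lines ahead of the allow (the CONNECT + User-Agent approach).
FIXED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "all"]),
         ("deny", ["!safe_browser"]), ("allow", ["local-network"]),
         ("allow", ["localhost"]), ("deny", ["all"])]
# WHITELIST is the approach think4urs11 describes: listed destinations only,
# with CONNECT permitted to SSL ports so HTTPS to those sites keeps working.
WHITELIST = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
             ("allow", ["local-network", "allowed_sites"]), ("deny", ["all"])]

LAN = "192.168.100.23"
REAL_UA = "Mozilla/5.0 (X11; Linux) Firefox/2.0"
SPOOFED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # a tunnel client can send this too
BROWSE = dict(src=LAN, method="GET", port=80, host="www.gentoo.org", ua=REAL_UA)
HTTPS_OK = dict(src=LAN, method="CONNECT", port=443, host="www.gentoo.org", ua=REAL_UA)
TUNNEL_CONNECT = dict(src=LAN, method="CONNECT", port=443, host="www.your-freedom.net", ua=SPOOFED_UA)
TUNNEL_HTTP = dict(src=LAN, method="GET", port=80, host="www.your-freedom.net", ua=SPOOFED_UA)

if __name__ == "__main__":
    cases = [("browse", BROWSE), ("https", HTTPS_OK),
             ("tunnel/CONNECT", TUNNEL_CONNECT), ("tunnel/HTTP", TUNNEL_HTTP)]
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED), ("WHITELIST", WHITELIST)):
        print(name, {label: http_access(rules, r) for label, r in cases})
```

In the BROKEN order every LAN request is allowed at the second line, before `deny CONNECT all` or `deny !safe_browser` is consulted. Moving the deny lines up (FIXED) blocks CONNECT, but the plain-HTTP tunnel with a spoofed User-Agent still passes: the `browser` ACL tests a header the client chooses, which is the limitation think4urs11 points out. Only the whitelist denies it, and the whitelist can also keep CONNECT to port 443 open for listed sites, which gives back the HTTPS that `deny CONNECT all` breaks. The same first-match rule applies to the second config in this thread: there `allow safe_browser` sits above `deny CONNECT all`, so a CONNECT carrying a browser-like User-Agent is allowed before the deny is reached, and because that allow line has no source term, the `deny !local-network` below it never applies to such clients either.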

----------

## Mythos

here is my squid.conf:

#Now it is working

```
http_port 3128
icp_port 0
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
## ACCESS CONTROL LIST
acl all src 0.0.0.0/0.0.0.0
# --------------------- SITE BLOCKING --------------
#if you want to create a blacklist of sites or keywords, create something
#like this
acl proibido url_regex "/etc/squid/proibido.cfg"
http_access deny proibido
#Access to squid
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl local-network src 192.168.1.0/255.255.255.0
acl safe_browser browser -i OPERA MSIE MOZILLA
acl Safe_ports port 21          # ftp
acl Safe_ports port 80
acl Safe_ports port 443         # http
acl Safe_ports port 1022        # sshd
acl Dangerous_ports port 135
#If you want to limit bandwidth by time of day:
acl day time 09:00-16:59
acl day2 time 17:00-23:59
acl night time 00:00-08:59
acl magic_words1 url_regex -i 192.168.
acl magic_words2 url_regex .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg.mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .$
delay_pools 3
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow magic_words1
delay_class 2 2
delay_parameters 2 1024000/1024000 20200/1000000
delay_access 2 allow day
delay_access 2 deny !day
delay_access 2 allow magic_words2
delay_class  3 3
delay_parameters 3 1024000/1024000 4200/1000000 3200/1100000
delay_access 3 allow day2 night
delay_access 3 deny !day2 !night
delay_access 3 allow magic_words2
acl purge method PURGE
acl CONNECT method CONNECT
#If you have problems with hotmail in IE:
acl hotmail_domains dstdomain .hotmail.msn.com
acl ie6 browser MSIE[[:space:]]6
header_access Accept-Encoding deny ie6 hotmail_domains
#OPTIONS WHICH AFFECT THE CACHE SIZE
#Cache size
cache_mem 150 MB
#cache management in blocks
cache_dir ufs /var/cache/squid 512 16 256
redirect_rewrites_host_header off
cache_replacement_policy GDSF
cache_mgr admin@xpto.com
httpd_accel_host virtual
httpd_accel_port 80
log_icp_queries off
#cachemgr_passwd all
buffered_logs on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off
logfile_rotate 10
visible_hostname xpto
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
cache_swap_log none
emulate_httpd_log on
useragent_log /var/log/squid/user-agent.log
## HTTP ACCESS RULES
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access allow localhost
http_access allow safe_browser
http_access deny CONNECT all
http_access deny !local-network
http_access allow localhost
http_access deny all
forwarded_for off
## OTHER OPTIONS
http_reply_access allow all
icp_access allow all
miss_access allow all
coredump_dir /var/spool/squid
ie_refresh on
error_directory /usr/lib/squid/errors/Portuguese/
forwarded_for off
always_direct deny all
cache_effective_user squid
cache_effective_group squid
```

----------

## Mythos

Stupid question, but what is the ID for PuTTY ...

I want to connect remotely to my home PC; what is the ID for PuTTY?

-i browser putty ???

----------

## IvanZD

 *Mythos wrote:*   

> Stupid question, but what is the ID for PuTTY ...
> 
> I want to connect remotely to my home PC; what is the ID for PuTTY?
> 
> -i browser putty ???

 

Hm, not sure if PuTTY sends some identification like browsers do.... but why do you connect to SSH through squid?!?

----------

## Mythos

You are right, no need to pass through the proxy; I will change my firewall rules.

Thank you

----------

