> Hi friends:
>
> I'm running Squid on a server running Debian Etch for a customer of mine.
> I'm using sarg to generate reports of each user behind Squid accessing
> the Internet.
> There are a lot of restrictions on non-work-related websites like
> music online, webchats, MSN, Yahoo, hi5, among other sites good for
> wasting time. All of my rules are blocking them perfectly except for
> some users who, I do not know how, connect to "random" IP addresses and port
> 443 using (I assume) SSL tunnels.
>
> Those connections are too long; they have a duration of 1 minute, 1 hour,
> even 5 or 8 hours, as I see in my sarg reports.
>
> I was working with a bash script that parses access.log and detects
> those IP addresses to block them later, but the same users always find
> different IP addresses to "bypass" Squid.
> I believe they're using some kind of tunneling software like hopster,
> ultrasurfer, freegate or who knows what!
Sounds a bit like skype. What does access.log show for one of these
connections?
i.e. "CONNECT 1.2.3.4:443 HTTP/1.0" ??
http://wiki.squid-cache.org/KnowledgeBase/FilteringChat
>
> I'm not allowing any traffic to pass my firewall; users can only reach
> the Internet through Squid exclusively.
>
> Is there a way to detect this kind of tunneling software? I was
> thinking of limiting the duration of an SSL connection, since a normal SSL
> request in https takes just a few seconds, right?
No, as long as the client's web browser needs it to take. I've had sessions
with my bank in excess of an hour at times.
> Is squid able to
> limit how long an SSL connection can be?
Looks like you want client_lifetime, but take note of the WARNING...
http://www.squid-cache.org/Versions/v3/3.0/cfgman/client_lifetime.html
>
> Thanks,... and sorry .. My English isn't good
>
Amos
Received on Wed Sep 24 2008 - 04:55:16 MDT
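
Added example, not part of the original thread: a Python sketch of the access.log check discussed above, reporting per client the CONNECT requests to a bare IP address on port 443 that stayed open for a long time. It assumes Squid's native access.log format (elapsed time in milliseconds in the second field); the sample lines, the 10-minute threshold and the function names are constructed for illustration. Hostname targets such as a long banking session are left out of the report.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed_ms client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1222250000.101 3480211 192.168.1.50 TCP_MISS/200 5120334 CONNECT 203.0.113.45:443 - DIRECT/203.0.113.45 -
1222250100.202 4200000 192.168.1.51 TCP_MISS/200 734112 CONNECT www.example.com:443 - DIRECT/192.0.2.80 -
1222250200.303 18000000 192.168.1.50 TCP_MISS/200 90211876 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1222250300.404 210 192.168.1.52 TCP_MISS/200 15230 GET http://www.example.org/ - DIRECT/192.0.2.81 text/html
1222250400.505 2500 192.168.1.53 TCP_MISS/200 4312 CONNECT 192.0.2.10:443 - DIRECT/192.0.2.10 -
1222250500.606 0 192.168.1.50 TCP_DENIED/403 1450 CONNECT 203.0.113.45:443 - NONE/- text/html
"""

MIN_ELAPSED_MS = 10 * 60 * 1000  # assumed review threshold: 10 minutes


def is_ip_literal(host):
    """True when the CONNECT target is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def long_ip_tunnels(lines, min_ms=MIN_ELAPSED_MS):
    """Map client IP -> [(target, elapsed_ms, bytes)] for long CONNECTs to IP:443."""
    hits = defaultdict(list)
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT" or f[3].startswith("TCP_DENIED"):
            continue
        try:
            elapsed, size = int(f[1]), int(f[4])
        except ValueError:
            continue  # skip malformed lines
        host, _, port = f[6].rpartition(":")
        if port == "443" and is_ip_literal(host) and elapsed >= min_ms:
            hits[f[2]].append((f[6], elapsed, size))
    return dict(hits)


if __name__ == "__main__":
    for client, conns in sorted(long_ip_tunnels(SAMPLE_LOG.splitlines()).items()):
        for target, elapsed, size in conns:
            print(f"{client} -> {target} {elapsed / 60000:.0f} min {size} bytes")
```

Squid writes the access.log entry when the transaction ends, so a tunnel only shows up in this report after it has closed.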