[squid-users] Allowing/Unblocking Skype with Squid
Jon Joyce
2006-06-06 08:01:21 UTC
Hi all,

We currently have a Squid box set up to only allow secure https
traffic through a manually updated whitelist. So now, all clients
must provide the name and 443 port of our Proxy server before they
can access secure sites (i.e. Internet Banking, Hotmail etc.)

We now have the problem that Skype wants to use the outgoing secure
443 port which is not allowed through our Proxy...

Is there any way around this?

Anyone's help is much appreciated

Jon
Emilio Casbas
2006-06-06 08:27:03 UTC
Post by Jon Joyce
Hi all,
We currently have a Squid box set up to only allow secure https
traffic through a manually updated whitelist. So now, all clients must
provide the name and 443 port of our Proxy server before they can
access secure sites (i.e. Internet Banking, Hotmail etc.)
We now have the problem that Skype wants to use the outgoing secure
443 port which is not allowed through our Proxy...
Is there any way around this?
Skype will attempt to tunnel the traffic over port 443 using the SSL
protocol, as you said. In order to permit access to Skype through Squid,
you would have to know the "random" destination IPs that Skype uses
with the CONNECT method.

One possibility could be to try permitting numeric IPs with the CONNECT
method, but be careful regarding security.

acl N_IPS urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT

http_access allow connect N_IPS all

Thanks
Emilio C.
Jon Joyce
2006-06-07 08:05:52 UTC
Hi Emilio,

Many thanks for your reply.

When you say careful regards to security, do you mean that anyone who
knows the IP of a host will get through our content filter? We have
mainly set our squid up like this to stop people using Proxy
Tunneling software....

Jon
Emilio Casbas
2006-06-07 09:13:19 UTC
Post by Jon Joyce
Hi Emilio,
Many thanks for your reply.
When you say careful regards to security, do you mean that anyone who
knows the IP of a host will get through our content filter?
Yes, if you have modified the CONNECT tags in the default squid.conf.

The most serious companies having a web presence (such as Internet
Banking, E-commerce, login applications from trusted sites...) will
have registered domains referenced by their FQDN URLs, so you can't
trust "all" IP connections through the CONNECT method.

Thanks
Emilio C.
Philipp Nyffenegger
2006-06-06 13:13:48 UTC
Post by Emilio Casbas
acl N_IPS urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access allow connect N_IPS all
Why do all these tips refer to "urlpath_regex"? This is IMHO false.
At least it does not match at my site. There is no URL path in the
CONNECT method, iirc.

This works fine in blocking Skype via Squid at my site :

acl CONNECT method CONNECT
acl skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
.
deny_info ERR_CLIENT_HTTPS2IP_DENIED skype
http_access deny CONNECT skype
.
.
.

Cheers,
Philipp
Kinkie
2006-06-06 14:02:49 UTC
Post by Philipp Nyffenegger
Post by Emilio Casbas
acl N_IPS urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access allow connect N_IPS all
Why do all these tips refer to "urlpath_regex"? This is IMHO false.
At least it does not match at my site. There is no URL path in the
CONNECT method, iirc.
acl CONNECT method CONNECT
acl skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
.
deny_info ERR_CLIENT_HTTPS2IP_DENIED skype
http_access deny CONNECT skype
I might have read the ACL wrong, but aren't you blocking all HTTPS
access when the server address is specified as an IP this way?

Kinkie
Emilio Casbas
2006-06-07 08:30:40 UTC
Post by Kinkie
Post by Philipp Nyffenegger
Post by Emilio Casbas
acl N_IPS urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
acl connect method CONNECT
http_access allow connect N_IPS all
Why do all these tips refer to "urlpath_regex"? This is IMHO false.
At least it does not match at my site. There is no URL path in the
CONNECT method, iirc.
Yes, you are right.
Post by Kinkie
Post by Philipp Nyffenegger
acl CONNECT method CONNECT
acl skype url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
.
deny_info ERR_CLIENT_HTTPS2IP_DENIED skype
http_access deny CONNECT skype
I might have read the ACL wrong, but aren't you blocking all HTTPS
access when the server address is specified as an IP this way?
Kinkie
Yes, but the original post was for the opposite purpose: they wanted
to unblock the Skype connections, and a pattern for this type of
connection through Squid is this way, although it isn't 100%
effective.


Thanks
Emilio C.
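As an added illustration (not code from the thread or from Squid), the following Python model of Squid's http_access evaluation assumes, as Philipp states, that a CONNECT request-target is tested as "host:port" with no path component, and that Squid applies the opposite of the last http_access line when nothing matches. It shows why the urlpath_regex line never matches a CONNECT, and that Philipp's url_regex deny also blocks any HTTPS server reached by IP literal, as Kinkie notes. Sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Regex from the thread: a dotted-quad at the start of the tested string.
IP_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

def urlpath_of(method, url):
    """Text that urlpath_regex tests: only the path part. Assumption from
    the thread: a CONNECT target is 'host:port', so its path is empty."""
    return "" if method == "CONNECT" else urlsplit(url).path

def acl_hits(method, url):
    """Evaluate the ACL flavours seen in the thread for one request."""
    return {
        "CONNECT": method == "CONNECT",
        "urlpath_ip": bool(IP_RE.search(urlpath_of(method, url))),  # urlpath_regex
        "url_ip": bool(IP_RE.search(url)),                          # url_regex
        "all": True,
    }

def http_access(rules, hits):
    """First http_access line whose ACLs all match wins; with no match,
    Squid applies the opposite of the last line's action (assumed here)."""
    for action, acls in rules:
        if all(hits[a] for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Emilio's allow line (urlpath_regex) followed by the usual final deny.
EMILIO = [("allow", ["CONNECT", "urlpath_ip", "all"]), ("deny", ["all"])]
# Philipp's blocking line (url_regex), evaluated before a general allow.
PHILIPP = [("deny", ["CONNECT", "url_ip"]), ("allow", ["all"])]

def decide(rules, method, url):
    return http_access(rules, acl_hits(method, url))

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for method, url in [("CONNECT", "203.0.113.7:443"),
                        ("CONNECT", "bank.example.com:443"),
                        ("CONNECT", "10.0.0.5:443"),
                        ("GET", "http://203.0.113.7/index.html")]:
        print(method, url, "emilio:", decide(EMILIO, method, url),
              "philipp:", decide(PHILIPP, method, url))
```

The 10.0.0.5 case is the over-blocking Kinkie raises: an internal HTTPS appliance addressed by IP is denied just like the Skype tunnel.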