Re: Simple way to bypass squid ACLs

Mauro Lacy (mauro@INTER-SOFT.COM)
Mon, 23 Feb 1998 13:08:41 -0300

Vitaly V. Fedrushkov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Good $daytime,
>
> Software: Squid Internet Object Cache
> Version: 1.1.20 (at least)
> Summary: any URL-based ACLs can be bypassed using
> simple rewriting
> Impact: renders any access control based on url_regex
> and/or urlpath_regex unusable
>
> Details
> ~~~~~~~
> It is possible to bypass squid access control rules based on URL
> regular expressions. Due to insufficient URL parsing it is possible
> to rewrite URL with hex escapes so that it is no longer matched
> against some rule but remains valid for replying server.

You can also replace the URL by its numerical IP address (at least this
works for the proxy of my company), e.g.:

netscape http://www.playboy.com -> Access denied
nslookup www.playboy.com
...
Non-authoritative answer:
Name: wdc.express.playboy.com
Addresses: 206.251.29.12, 205.216.146.201
Aliases: www.playboy.com, www.express.playboy.com

netscape http://206.251.29.12 -> OK!
or
netscape http://205.216.146.201 -> OK!

> ...
> Workaround
> ~~~~~~~~~~
> 1. Rewrite regexps to match any valid URL rewriting. Seems tricky
> and result is unreadable by human (== easy to mistype).
>
> 2. Use some request-rewriting software at proxy port to canonify
> request and forward it to squid. This breaks port- and IDENT-based
> rules.
>

I suppose that in this case you have to add the numerical IP of the URL
in the ACL.
e.g.:
PornoURLs.acl:
...
www.playboy.com
206.251.29.12
205.216.146.201
...

Everybody: please don't tell my company sysadmin. :-))

> - - --
> "No easy hope or lies | Vitaly "Willy the Pooh" Fedrushkov
> Shall bring us to our goal, | Information Technology Division
> But iron sacrifice | Chelyabinsk State University
> Of Body, Will and Soul." | mailto:willy@csu.ac.ru +7 3512 156770
> R.Kipling | http://www.csu.ac.ru/~willy VVF1-RIPE

I agree.

Mauro

--
Mauro Lacy                   -              mauro@inter-soft.com
Intersoft Argentina          -              http://www.inter-soft.com
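
The second workaround quoted above (canonify the request before the ACL is evaluated), together with the numeric-IP case from the reply, sketched as an added example that is not part of the original thread and is not Squid code. The deny pattern, the host names, the 192.0.2.10 address and all function names are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for one url_regex deny entry (assumption, not from the thread).
DENY = re.compile(r"blocked\.example", re.IGNORECASE)


def canonical_forms(url, max_rounds=3):
    """Return the URL plus its successive percent-decodings (bounded)."""
    forms, current = [url], url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        forms.append(decoded)
        current = decoded
    return forms


def host_is_ip_literal(url):
    """True when the host part is an address, so name-based rules cannot match it."""
    host = urlsplit(unquote(url)).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check(url, deny=DENY):
    """Evaluate the deny pattern against every decoded form, not just the raw URL."""
    if any(deny.search(form) for form in canonical_forms(url)):
        return "deny"
    if host_is_ip_literal(url):
        return "review"  # needs an address-based rule or a reverse lookup
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in ("http://www.blocked.example/",
                   "http://www.%62locked.example/",
                   "http://192.0.2.10/",
                   "http://www.allowed.example/index.html"):
        print(sample, "->", check(sample))
```

Matching on the decoded forms keeps the deny list readable, which addresses the objection raised against the first workaround.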