Squid proxy: block direct IP requests

fab edited this page Aug 29, 2023 · 1 revision

If you're using Squid as an outgoing proxy and want to block direct IP requests (both HTTP and HTTPS) while only allowing client requests with host headers, you can achieve this by adding specific access control lists (ACLs) and http_access rules in your Squid configuration.

Here are the steps to configure Squid to achieve this:

  1. Edit the Squid Configuration File:

Open the Squid configuration file (squid.conf) in a text editor:

    sudo nano /etc/squid/squid.conf

  2. Define ACLs for Requests with Host Headers:

Define one ACL that matches requests to a domain name and one that matches requests to an IP address:

    # Matches requests with a domain name
    acl with_host_header dstdomain .
    # Matches requests with IP addresses (POSIX regex: use [0-9], \d is not a digit class)
    acl ip_request dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

  3. Block Direct IP Requests:

Now, allow requests with host headers while denying those with direct IP addresses:

    http_access deny ip_request
    http_access allow with_host_header

  4. Other Required Access Controls:

You'll probably have other http_access lines in your configuration for various rules. Make sure that the order of these rules does not conflict with the rules you just added. In Squid, the first matching rule wins, so more specific rules should come before more general ones.

  5. Save and Restart Squid:

After making these changes, save the configuration file and restart Squid to apply the changes:

    sudo systemctl restart squid

With these changes, Squid will deny requests made directly to IP addresses and will only allow requests with host headers. Ensure you test the configuration after applying the changes to make sure it works as intended and to identify if there are any other conflicting rules.
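
A post-restart check for the rules above, as an added example that is not part of the original page: it classifies hosts with the same pattern as the `ip_request` ACL and, when run with `--live`, requests an IP and a domain through the proxy over HTTP and HTTPS and expects a 403 only for the IP. The proxy address (`127.0.0.1:3128`), the sample hosts and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumptions: PROXY address, sample hosts and function names are illustrative.
PROXY="${PROXY:-http://127.0.0.1:3128}"   # assumed: Squid on its default port

# Same pattern as the ip_request ACL, written as POSIX extended regex.
IP_ERE='^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'

# classify_host HOST: prints "ip" if the ACL pattern matches, else "name".
# An IPv6 literal such as [2001:db8::1] is NOT matched by this IPv4-only pattern.
classify_host() {
    if printf '%s\n' "$1" | grep -Eq "$IP_ERE"; then echo ip; else echo name; fi
}

# proxy_status SCHEME HOST: prints the status code the proxy answered with.
# For HTTPS the proxy sees only CONNECT, so read %{http_connect}, not %{http_code}.
proxy_status() {
    if [ "$1" = https ]; then
        curl -s -o /dev/null -m 10 -x "$PROXY" -w '%{http_connect}' "https://$2/"
    else
        curl -s -o /dev/null -m 10 -x "$PROXY" -w '%{http_code}' "http://$2/"
    fi
}

# verify_proxy: live check against a running Squid; returns non-zero on mismatch.
verify_proxy() {
    rc=0
    for host in 192.0.2.10 example.com; do    # constructed sample hosts
        if [ "$(classify_host "$host")" = ip ]; then want=deny; else want=allow; fi
        for scheme in http https; do
            code=$(proxy_status "$scheme" "$host") || true
            case "$code" in
                403) got=deny ;;
                000) got=unreachable ;;       # proxy or origin did not answer
                *)   got=allow ;;
            esac
            [ "$got" = "$want" ] || rc=1
            printf '%-5s %-12s status=%s want=%s got=%s\n' \
                "$scheme" "$host" "$code" "$want" "$got"
        done
    done
    return "$rc"
}

# Run the live check only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then verify_proxy; fi
```

Running `sudo squid -k parse` before the restart catches syntax errors in squid.conf.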