Securing Instant Messengers

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Outline

Administrators often need to permit or block the use of IM (Instant Messengers) within Enterprises. While most use proprietary protocols and do not enter the Squid proxy at all, some have a port-80 failover mode, or may be explicitly configured to use a non-transparent proxy.

Applications

AOL Instant Messenger (AIM)

Details

AIM natively uses TCP port 5190 and bypasses the Squid proxy. When configured to use an explicit proxy, it uses CONNECT tunnelling to go through Squid.

Squid Configuration File

# Permit AOL Instant Messenger to connect to the OSCAR service
acl AIM_ports port 5190 443

acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com

acl AIM_nets dst 64.12.0.0/16 205.188.0.0/16

http_access allow CONNECT AIM_ports AIM_nets
http_access allow CONNECT AIM_ports AIM_domains

AOL

Squid Configuration File

Configuration file to Include:

  • Note: AOL are known to change their server IPs. The list below cannot be confirmed.

# AOL

acl aol dst 64.12.200.89/32 64.12.161.153/32 64.12.161.185/32
acl aol dst 205.188.153.121/32 205.188.179.233/32

http_access deny aol

Gizmo Project (Pidgin IM, Fring, Talqer, ICQ, IRC, AOL)

Gizmo Project includes software to connect to a wide range of messaging protocols and VoIP services. This config does not include settings to block IM services that are not provided by Gizmo Project itself.

See also:

If you know of other IM services available through Gizmo software, please inform us.

Squid Configuration File

Configuration file to Include:

# Gizmo Project
acl gizmo dstdomain .gizmoproject.com

# Gizmo VoIP
acl gizmo dstdomain .talqer.com .gizmocall.com .fring.com

# Gizmo Chat
acl gizmo dstdomain .pidgin.im

http_access deny gizmo

ICQ ("I Seek You")

Squid Configuration File

Configuration file to Include:

# ICQ
acl icq dstdomain .icq.com

http_access deny icq

MSN Messenger and Windows Live Messenger

Details

MSN Messenger natively uses port 1863 and bypasses the Squid proxy. But when that port has been locked down by the firewall admin, it fails over to port 80 and enters Squid.

Note: this is only confirmed to work with MSN Messenger and Windows Live Messenger. If there are any other parts to the formal product name, it may be another program entirely with different access needs.

Squid Configuration File

Configuration file to Include:

# MSN Messenger

acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger

http_access deny msnd
http_access deny msn
http_access deny msn1

by YuriVoinov

Signal Messenger

Outline

The default configuration file for Squid only permits the HTTPS port 443 to be used with CONNECT tunnels.

Signal Messenger uses the custom ports 4433 and 8443.

Usage

This configuration is useful to pass Signal Messenger traffic through a Squid proxy.

More

As described above, Squid (in most cases) denies Signal's bootstrap connection.

How does the initial Signal bootstrap work?

Signal Messenger tries to perform an HTTP CONNECT to textsecure-service-ca.whispersystems.org via ports 80, 4433 and 8443. When two or more attempts are successful, it initiates a WebSocket connection to the available server port.

Squid Configuration File

Paste the configuration file like this:

acl SSL_ports port 4433 8443 # Signal Messenger

With the above, your regular access permissions for any given client are applied to Signal, just the same as if it were performing HTTPS connections.

  • Note that port 80 is still too unsafe to allow generic CONNECT on it. However, the Signal client often cannot complete its initial connection without permission to CONNECT to port 80 at textsecure-service-ca.whispersystems.org. You are warned.

If your proxy is configured to use Features/SslPeekAndSplice, also add this to configuration:

acl DiscoverSNIHost at_step SslBump1

acl NoSSLIntercept ssl::server_name textsecure-service-ca.whispersystems.org

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
# other SSL-bump rules ...

Conversely, removing the above configuration is sufficient to prevent Signal from accessing the Internet.
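Before touching SSL_ports it is worth confirming from access.log that the bootstrap CONNECTs described above are really what Squid is denying. The script below is an added example, not part of this page or of Squid: it parses Squid's native access.log format, counts TCP_DENIED CONNECTs per client to the bootstrap host on ports 80, 4433 and 8443, and lists the ports that the SSL_ports line above would open (port 80 is left out, as the note above advises). The log lines are constructed for the example.

```python
import re

# Constructed sample lines in Squid's native access.log layout (not from a real proxy):
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_LOG = """\
1700000000.101     0 192.0.2.10 TCP_DENIED/403 3900 CONNECT textsecure-service-ca.whispersystems.org:4433 - HIER_NONE/- text/html
1700000000.102     0 192.0.2.10 TCP_DENIED/403 3900 CONNECT textsecure-service-ca.whispersystems.org:8443 - HIER_NONE/- text/html
1700000000.103     0 192.0.2.10 TCP_DENIED/403 3900 CONNECT textsecure-service-ca.whispersystems.org:80 - HIER_NONE/- text/html
1700000000.104   512 192.0.2.11 TCP_TUNNEL/200 12345 CONNECT textsecure-service-ca.whispersystems.org:443 - HIER_DIRECT/198.51.100.5 -
1700000000.105   120 192.0.2.12 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

SIGNAL_HOST = "textsecure-service-ca.whispersystems.org"
SIGNAL_PORTS = {80, 4433, 8443}   # the three ports the bootstrap tries

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def denied_signal_bootstrap(log_text):
    """Return {(client, port): count} for denied CONNECTs to the Signal bootstrap host."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT" or not m["action"].startswith("TCP_DENIED"):
            continue
        host, _, port = m["url"].rpartition(":")   # CONNECT URL is host:port
        if host == SIGNAL_HOST and port.isdigit() and int(port) in SIGNAL_PORTS:
            key = (m["client"], int(port))
            hits[key] = hits.get(key, 0) + 1
    return hits


def ports_to_add_to_ssl_ports(hits):
    """Ports seen denied, minus 80, which the page says should stay closed to generic CONNECT."""
    return sorted({port for (_, port) in hits if port != 80})


if __name__ == "__main__":
    denied = denied_signal_bootstrap(SAMPLE_LOG)
    for (client, port), n in sorted(denied.items()):
        print(f"{client} denied {n}x CONNECT to {SIGNAL_HOST}:{port}")
    print("add to SSL_ports:", ports_to_add_to_ssl_ports(denied))
```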

Skype Access Controls

Squid Configuration File

Configuration file to include.

  • Note: since FTP uses numeric IPs, the Skype ACL must be exact, including the port.

Blocking

# Skype

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443
acl Skype_UA browser ^skype

http_access deny numeric_IPs
http_access deny Skype_UA
  • Note: recent releases of Skype have been evading the above restriction by not sending their User-Agent header and by using domain names. The following can be used to catch those installs, but be aware that it will likely also catch other agents.

acl validUserAgent browser \S+
http_access deny !validUserAgent

Permitting

  • Note: this needs to be done before any restrictive CONNECT http_access controls.

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443
acl Skype_UA browser ^skype

http_access allow CONNECT localnet numeric_IPs Skype_UA
  • Note that Skype prefers port 443, which is enabled by default in Squid anyway, so this configuration is only needed when you block HTTPS access through the proxy.

If you limit HTTPS access to known sites only, then permitting Skype will break that policy.
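To see what the Blocking and Permitting rule sets above actually catch, the following added example (not from this page or from Squid) applies the same regular expressions in Python to a handful of constructed CONNECT targets and User-Agent strings and walks the http_access lines in order. It assumes, as the note above does, that dstdom_regex sees the CONNECT target as host:port; the page's IPv6 alternation is missing a "[" before "0-9\.", which is restored here.

```python
import re

# Regex from the page's numeric_IPs ACL, with the "[" restored in the IPv6 tail
NUMERIC_IPS_RE = re.compile(
    r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    r"|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443"
)
SKYPE_UA_RE = re.compile(r"^skype")   # browser ^skype; Squid's browser ACL is case-sensitive without -i
VALID_UA_RE = re.compile(r"\S+")      # browser \S+


def matches_numeric_ips(host_port):
    """True when the CONNECT target is a bare IPv4 or IPv6 literal on port 443."""
    return NUMERIC_IPS_RE.search(host_port) is not None


def blocking_decision(host_port, user_agent):
    """Walk the Blocking section's http_access lines in order and return the first verdict."""
    if matches_numeric_ips(host_port):
        return "deny numeric_IPs"
    if SKYPE_UA_RE.search(user_agent):
        return "deny Skype_UA"
    if not VALID_UA_RE.search(user_agent):     # empty or missing User-Agent
        return "deny !validUserAgent"
    return "allow"


def permitting_decision(host_port, user_agent, from_localnet=True):
    """The Permitting section's single allow line: every ACL on it must match."""
    if from_localnet and matches_numeric_ips(host_port) and SKYPE_UA_RE.search(user_agent):
        return "allow"
    return "fall through"


# Constructed requests, not captured traffic
CASES = [
    ("64.12.1.2:443", "skype"),              # numeric IP on 443: what the ACL is for
    ("64.12.1.2:21", "Mozilla/5.0"),         # numeric IP on another port (e.g. FTP): untouched
    ("[::ffff:192.0.2.1]:443", "Mozilla/5.0"),
    ("www.example.com:443", "skype"),        # domain name, caught only by the UA rule
    ("www.example.com:443", ""),             # no User-Agent at all
    ("www.example.com:443", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for host_port, ua in CASES:
        print(f"{host_port:28} UA={ua!r:16} block={blocking_decision(host_port, ua):22} "
              f"permit={permitting_decision(host_port, ua)}")
```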

by YuriVoinov

Telegram Messenger

How to pass Telegram

Starting from version 0.10.11 (for tdesktop), the Telegram client uses a pinned TLS connection during its bootstrap connection to 149.154.164.0/22 or 149.154.172.0/22. An SSL-Bump proxy must therefore be configured to splice the initial connection from Telegram to the server:

# SSL-bump rules
acl DiscoverSNIHost at_step SslBump1
# Splice Telegram bootstrap
acl NoSSLIntercept ssl::server_name_regex 149\.154\.16[4-7]\. 149\.154\.17[2-5]\.
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

The same rules can also be used to block Telegram: just remove the Telegram networks from the splice ACL.

How to block Telegram

Telegram uses its own protocol (MTProto), which can run over TCP, SOCKS, or HTTP tunnelling. To block Telegram you must use a combined configuration that blocks all of those channels.

NOTE: Telegram is really difficult to block. It can use port 80 with its own tunnelling, SOCKS4/5, Tor, etc. AFAIK, Tor is impossible to block completely by any means if you cannot block Tor's SOCKS entry point and/or any SOCKS proxies.

SOCKS

To block Telegram you need to block the SOCKS protocol (by whatever means) on your network, and ban the Telegram access points in the 149.154.164.0/22 and 149.154.172.0/22 networks.

TCP

The simplest way to block Telegram is to use a Cisco ACL such as:

 remark Ban Telegram
 deny   ip any 149.154.164.0 255.255.252.0
 deny   ip any 149.154.172.0 255.255.252.0

The masks above are written as network masks (ASA style); IOS access lists expect wildcard masks instead, so adapt them to the platform. This prevents Telegram clients from authenticating, so they fail to connect.

Squid Configuration File

Paste the configuration file like this:

acl Telegram dst 149.154.164.0/22
acl Telegram dst 149.154.172.0/22
http_access deny Telegram

This only affects Telegram clients using HTTP proxy settings.
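The splice ACL above identifies the Telegram networks with two ssl::server_name_regex patterns, while the http_access ACL uses the same networks as CIDR ranges. The following added example (not from this page or from Squid) models the ssl_bump rule order in Python, shows how dropping the Telegram entries turns the pass-through ruleset into a blocker as the text describes, and checks exhaustively over 149.154.0.0/16 that the regex and the two /22 ranges select exactly the same addresses. The address list and the rule model are assumptions of the example.

```python
import ipaddress
import re

# The networks from the page's Telegram dst ACLs
TELEGRAM_NETS = [
    ipaddress.ip_network("149.154.164.0/22"),
    ipaddress.ip_network("149.154.172.0/22"),
]
# The page's ssl::server_name_regex patterns; Squid applies them as unanchored searches
SPLICE_PATTERNS = [re.compile(r"149\.154\.16[4-7]\."), re.compile(r"149\.154\.17[2-5]\.")]


def in_telegram_nets(ip):
    """http_access view: is this destination inside either Telegram /22?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TELEGRAM_NETS)


def splice_name_matches(server_name):
    """NoSSLIntercept ACL: does the (SNI or raw IP) server name hit a Telegram pattern?"""
    return any(p.search(server_name) for p in SPLICE_PATTERNS)


def ssl_bump_action(server_name, splice_telegram=True):
    """Rule order from the page: 'ssl_bump splice NoSSLIntercept' before 'ssl_bump bump all'.
    With splice_telegram=False the Telegram entries are removed from the splice ACL, so the
    pinned bootstrap TLS gets bumped and fails, which is how the page turns this into a block."""
    if splice_telegram and splice_name_matches(server_name):
        return "splice"
    return "bump"


def regex_and_cidr_agree():
    """Check every third octet of 149.154.x.0: the regex set equals the CIDR set."""
    return all(
        in_telegram_nets(f"149.154.{x}.1") == splice_name_matches(f"149.154.{x}.1")
        for x in range(256)
    )


if __name__ == "__main__":
    for name in ["149.154.167.200", "149.154.168.1", "149.154.175.50", "www.example.com"]:
        print(f"{name:16} pass-through={ssl_bump_action(name):6} "
              f"blocking={ssl_bump_action(name, splice_telegram=False)}")
    print("regex and CIDR agree:", regex_and_cidr_agree())
```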

Trillian

Squid Configuration File

Configuration file to Include:

  • Note: Trillian may change their server IPs. If you know of others, please inform us.

# Trillian

acl trillian dst 66.216.70.167/32

http_access deny trillian

Yahoo! Messenger

Squid Configuration File

Configuration file to Include:

# Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com

acl ymregex url_regex yupdater.yim ymsgr myspaceim

# Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com

http_access deny ym
http_access deny ymregex


ConfigExamples/Chat (last edited 2009-04-24 00:58:58 by AmosJeffries)