Hi friends:
I'm running Squid on server running Debian Etch for a customer of mine.
I'm using sarg to generate reports of each user behing Squid accesing
Internet.
There are a lot of restriction about non-related to work websites like
music on line, webchats, MSN, Yahoo, hi5, among other sites goods for
wasting time. All of my rules are blocking them perfectly except for
some users that I do not how connect to "random" IP addresses and port
443 using (I asume) SSL tunnels.
Those connections are too long, they have a duration of 1 minute, 1 hour
even 5 o 8 hours as I see in my sarg reports.
I was working with a bash script that parses access.log and detects
those IP address to block them later but the same users always find
different IP address to "bypass" Squid.
I believe they're using some kind of tunneling software like hopster,
ultrasurfer, freegate or who know what!
I'm not allowing any traffic to pass my firewall, users only can reach
Internet through Squid exclusively.
Is there a way to detect these kind of tunneling software? I was
thinking on limit the duration of a SSL connection since a normal SSL
request in https it takes just a few seconds, right? Is squid able to
limit how long can a SSL connection be?
Thanks,... and sorry .. My english isn't good
