OK, so now I have these questions:
1. Which one of these regexes is the right one to use?
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
OR.
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
2. The following will first allow all IPs as per acl numeric_IPs, so long
as they are a member of allowed-CONNECT, then afterwards deny for acl
numeric_IPs, which will be all other IPs?
http_access allow CONNECT numeric_IPs allowed-CONNECT
http_access deny CONNECT numeric_IPs
Again, since I have not actually done this, I am hoping to get it right the
first time.
Many thanks,
.vp
From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
>
> How about:
>
> acl SSL_Port port 443
> acl CONNECT method CONNECT
>
> # /etc/squid/good-connect-ip-addresses is one IP address per line.
> acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
>
> # One or the other, not sure which and I haven't tested it yet.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> # One or more of these three, again, I haven't tested yet.
> http_access deny CONNECT !SSL_Port
> http_access deny CONNECT numeric_IPs
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
The bypass permission needs to be allow and ahead of the global deny.
Like so:
http_access allow CONNECT numeric_IPs allowed-CONNECT
http_access deny CONNECT numeric_IPs
>
>
> The goal is to:
>
> 1. Prevent CONNECT to non-SSL ports.
> 2. Block to IP addresses which use CONNECT vs. FQDN.
> 3. Allow a way to place exclusions to the IP blocks just in case there is
> a legit need.
>
> Please feel free to correct or comment anything I've stated above.
>
> .vp
>
>>From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>To: Squid <squid-users@xxxxxxxxxxxxxxx>
>
>>Tim Bates wrote:
>>>Can someone tell me if it's possible to block "CONNECT" attempts that
>>> only
>>>specify an IP address (rather than a hostname)?
>>>
>>>I can see no legitimate reason to CONNECT to an IP, and I've just caught
>>>students using this method to bypass the filters.
>>>
>>>TB
>>
>>Try the default squid configuration of:
>>
>> acl SSL_Port port 443
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSL_Port
>>
>>that will deny any obviously non-https uses.
>>
>>Beyond that this is one of the rare cases where domain regex is useful,
>>having an ACL that tests for numeric-only domains.
>>
>>NP: do note that skype uses https CONNECT to raw IP numbers. If you want
>>skype to work handle CONNECT restrictions carefully.
>>
>>Amos
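Added example, not part of the thread and not Squid's own code: a small Python simulation of Squid's first-match http_access evaluation, used to check the rule ordering question above before touching a live squid.conf. It assumes the usual semantics (every ACL on a line must match for the line to fire, "!" negates, and if no line matches the opposite of the last line's action applies), applies the posted numeric regex to the destination host only (standing in for whichever ACL type is finally chosen), and uses a constructed exemption list in place of /etc/squid/good-connect-ip-addresses. The DENY_FIRST rule set is constructed here to show what happens when the deny precedes the exemption.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for /etc/squid/good-connect-ip-addresses (one IP per line).
ALLOWED_CONNECT = {"192.0.2.10"}

# The regex exactly as posted in the thread: note it has no end anchor.
NUMERIC_IP_POSTED = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
# A tighter host-only form, the kind of pattern a dstdom_regex ACL would test.
NUMERIC_IP_STRICT = re.compile(r"^[0-9]{1,3}(\.[0-9]{1,3}){3}$")


@dataclass(frozen=True)
class Request:
    method: str
    host: str
    port: int


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one named ACL from the thread against a request (assumed semantics)."""
    if name == "all":
        return True
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "SSL_Port":
        return req.port == 443
    if name == "numeric_IPs":
        # Assumption: the numeric test is applied to the destination host.
        return NUMERIC_IP_POSTED.match(req.host) is not None
    if name == "allowed-CONNECT":
        return req.host in ALLOWED_CONNECT
    raise KeyError(f"unknown acl {name}")


def http_access(rules, req: Request) -> str:
    """First-match evaluation of a list of http_access lines.

    Each rule is (action, [acl, "!acl", ...]). All ACLs on a line must match
    for the line to fire; the first firing line decides. If nothing matches,
    the opposite of the last line's action is applied (Squid's documented default).
    """
    for action, acls in rules:
        hit = True
        for a in acls:
            negate = a.startswith("!")
            if acl_matches(a.lstrip("!"), req) == negate:
                hit = False
                break
        if hit:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Amos's ordering: the exemption is an allow placed ahead of the blanket deny.
AMOS_ORDER = [
    ("deny", ["CONNECT", "!SSL_Port"]),
    ("allow", ["CONNECT", "numeric_IPs", "allowed-CONNECT"]),
    ("deny", ["CONNECT", "numeric_IPs"]),
    ("allow", ["all"]),  # trailing rule so the simulation has an explicit default
]

# Constructed counter-example: the deny comes first, so the exemption never fires.
DENY_FIRST = [
    ("deny", ["CONNECT", "!SSL_Port"]),
    ("deny", ["CONNECT", "numeric_IPs"]),
    ("allow", ["CONNECT", "numeric_IPs", "allowed-CONNECT"]),
    ("allow", ["all"]),
]


def decide(rules, method: str, host: str, port: int) -> str:
    return http_access(rules, Request(method, host, port))


if __name__ == "__main__":
    cases = [
        ("CONNECT", "192.0.2.10", 443),      # exempted numeric IP
        ("CONNECT", "198.51.100.7", 443),    # non-exempted numeric IP
        ("CONNECT", "example.com", 443),     # FQDN on the SSL port
        ("CONNECT", "example.com", 8080),    # FQDN on a non-SSL port
        ("GET", "198.51.100.7", 80),         # plain HTTP is untouched by these lines
    ]
    for rules_name, rules in (("AMOS_ORDER", AMOS_ORDER), ("DENY_FIRST", DENY_FIRST)):
        for method, host, port in cases:
            print(f"{rules_name:10} {method} {host}:{port} -> {decide(rules, method, host, port)}")
```

Running it shows the exempted address allowed only under AMOS_ORDER and denied under DENY_FIRST, which is the point Amos makes above about the allow needing to sit ahead of the deny. One caveat the simulation also exposes: because the posted pattern has no terminating anchor, a hostname such as 1.2.3.4.example.com matches it too; whichever ACL type is used, the pattern wants an end anchor appropriate to what that type matches against (for a host-only test, the NUMERIC_IP_STRICT form above).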