Vadim Pushkin wrote

> Hello All;
>
> I have a rule which blocks the use of CONNECT based on the user calling an
> IP address vs. FQDN, this works great!
>
> I am able to specify allowed IP addresses by adding them into
> /squid/etc/allow-ip-addresses.
>
> I am in need of adding entire subnets, or parts of a network as well, which
> I am unable to figure out.
>
> I have within my squid.conf, the following:
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
>
> acl SSL_ports port 443
>
> acl CONNECT method CONNECT
>
> # Should I use dstdomain versus something else here?
> acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
>
> # When I use urlpath_regex, it allows *everything* through.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
> Please help,
>
> .vp

Squid will not see URLs at all during SSL traffic, so url_regex will not work.
Try "acl allowed-CONNECT dst 192.168.0.0/24" for subnets.

Sven
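
The `dst` suggestion above combined with the file-based allow-list from the question, as an added example that is not part of the original thread. The addresses listed for the file are constructed samples; the ACL names and the file path are the ones from the question.

```conf
# /squid/etc/allow-ip-addresses holds one entry per line; the dst type
# accepts single addresses and address/mask subnets. Constructed sample:
#   192.168.0.0/24
#   10.20.0.0/16
#   203.0.113.10

acl SSL_ports port 443
acl CONNECT method CONNECT

# dst matches the destination IP address; dstdomain (as in the question)
# compares domain names and has no notion of a subnet.
acl allowed-CONNECT dst "/squid/etc/allow-ip-addresses"

# Unchanged from the question.
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

# ACLs on one http_access line are ANDed and tested left to right, so
# allowed-CONNECT is only checked for CONNECT requests that already
# matched numeric_IPs.
http_access deny CONNECT !SSL_ports
http_access deny CONNECT numeric_IPs !allowed-CONNECT
```

Run `squid -k parse` to check the syntax, then `squid -k reconfigure` to load the updated allow-list file.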