Thanks,
.vp
From: "Vadim Pushkin" <wiskbroom@xxxxxxxxxxx>
To: sven.frommholz@xxxxxxxxxx
Hi Sven;
I am unable to use:
acl allowed-CONNECT dst 192.168.0.0/24
Well, I could, but then I would have to add one for each host and/or subnet
in my list, far too inefficient.
> squid will not see URLs at all during SSL traffic, so url_regex will not
> work.
Yes, since it is in the URL, it *will* see this. In fact, it does and it
works with url_regex right now.
The problem that I am having is that I need to maintain a list, defined
below, which can use either wildcards or something else that would allow me
to state subnets.
Thanks all in advance, this is getting frustrating for me :-(
.vp
Vadim Anatoly Pushkin
-- The Ukrainian Stallion --
From: "Sven Frommholz - Konexxo GmbH" <sven.frommholz@xxxxxxxxxx>
Vadim Pushkin wrote:
> Hello All;
>
> I have a rule which blocks the use of CONNECT based on the
> user calling an
> IP address vs. FQDN, this works great!
>
> I am able to specify allowed IP addresses by adding them into
> /squid/etc/allow-ip-addresses.
>
> I am in need of adding entire subnets, or parts of a network
> as well, which
> I am unable to figure out.
>
> I have within my squid.conf, the following:
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
>
> acl SSL_ports port 443
>
> acl CONNECT method CONNECT
>
> # Should I use dstdomain versus something else here?
> acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
>
> # When I use urlpath_regex, it allows *everything* through.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
> Please help,
>
> .vp
squid will not see URLs at all during SSL traffic, so url_regex will not
work.
Try "acl allowed-CONNECT dst 192.168.0.0/24" for subnets.
Sven
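An added illustration of the policy discussed in this thread (written for this page, not by either poster). Two squid facts underlie it: any acl can read its values from a quoted file, one entry per line, and the `dst` type accepts `address/prefix` entries, so `acl allowed-CONNECT dst "/squid/etc/allow-ip-addresses"` with CIDR lines in that file gives the file-maintained subnet list Vadim is asking for. For a CONNECT request the request line carries `host:port`, so `url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+` does match a numeric destination, as Vadim observes. The Python below models the resulting `http_access` chain over constructed sample requests; the allowlist contents, host names and addresses are made up for the example. Two assumptions are labelled in the code: 443 is added to Safe_ports (the posted config omits it, so `http_access deny !Safe_ports` would deny every CONNECT to 443 before the later rules are reached; the stock squid.conf lists 443 there), and the chain is assumed to end in an implicit allow so the deny rules can be exercised.

```python
import ipaddress
import re

# Constructed stand-in for /squid/etc/allow-ip-addresses (example data, not from the thread):
# one host or subnet per line, which is what an 'acl ... dst "file"' entry reads.
ALLOW_LIST_TEXT = """\
# hosts and subnets permitted as CONNECT destinations
192.168.0.0/24
10.1.2.3
172.16.0.0/12
"""

# Assumption: 443 added to Safe_ports (stock squid.conf has it; the posted config does not).
SAFE_PORTS = {80, 21, 22, 443}
SSL_PORTS = {443}
# The regex from the posted config. It is anchored at the start of the URL, which for
# CONNECT is "host:port". Note it has no terminator, so a hostname such as
# "1.2.3.4.example.com" would also match, and IPv6 literals are never matched.
NUMERIC_IPS = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")


def load_allow_list(text):
    """Parse the allowlist file: skip blanks and '#' comments, return ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts a bare host and a network with host bits set.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def allowed_connect(host, nets):
    """Model of 'acl allowed-CONNECT dst ...' for a numeric host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname would need a DNS lookup here, as squid's dst acl performs.
        return False
    return any(addr in net for net in nets)


def decide(method, host, port, nets):
    """Walk the posted http_access chain; the first matching rule decides.

    Returns the rule that denied the request, or 'allow' (assumed trailing allow).
    """
    if port not in SAFE_PORTS:
        return "deny !Safe_ports"
    if method == "CONNECT" and port not in SSL_PORTS:
        return "deny CONNECT !SSL_ports"
    url = f"{host}:{port}"  # what squid matches url_regex against for CONNECT
    if method == "CONNECT" and NUMERIC_IPS.match(url) and not allowed_connect(host, nets):
        return "deny CONNECT numeric_IPs !allowed-CONNECT"
    return "allow"


if __name__ == "__main__":
    nets = load_allow_list(ALLOW_LIST_TEXT)
    # Constructed sample requests (method, host, port).
    for req in [("CONNECT", "192.168.0.55", 443),
                ("CONNECT", "172.31.255.254", 443),
                ("CONNECT", "8.8.8.8", 443),
                ("CONNECT", "www.example.com", 443),
                ("CONNECT", "8.8.8.8", 80),
                ("GET", "8.8.8.8", 8080)]:
        print(f"{req[0]} {req[1]}:{req[2]} -> {decide(*req, nets)}")
```

The split between `load_allow_list` and `allowed_connect` mirrors the squid change itself: only the acl type moves from `dstdomain` to `dst`, and the file keeps the same path; the file then holds addresses and `a.b.c.d/nn` subnets instead of domain names.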