From: Chris Robertson <crobertson@xxxxxxx>
> Hello All;
>
> I have a rule which blocks the use of CONNECT based on the
> user calling an IP address vs. FQDN, this works great!
>
> I am able to specify allowed IP addresses by adding them into
> /squid/etc/allow-ip-addresses.
>
> I am in need of adding entire subnets, or parts of a network
> as well, which I am unable to figure out.
>
> I have within my squid.conf, the following:
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
>
> acl SSL_ports port 443
>
> acl CONNECT method CONNECT
>
> # Should I use dstdomain versus something else here?
> acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
I have to ask... Why did you call the file "allow-ip-addresses" when you
are using domain names? Personally, I'd call this file "allowed-domains"
and set up another ACL:
The file contains IP addresses, not hostnames and/or domains.
acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"
In that file you can specify IP addresses, IP addresses with netmask or use
CIDR notation.
OK, I haven't tried the CIDR method, but assuming I do, shall I continue to
use url_regex?
As I've said, when I use urlpath_regex, I block nothing at all.
> # When I use urlpath_regex, it allows *everything* through.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
Of course having two ACLs would require re-working the http_access rules
you have here. Something like:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT allowed-CONNECT
http_access allow CONNECT allowed-CONNECT-IP
http_access deny CONNECT
Yes, your method does look alot cleaner, and while at some point I may wish
to block CONNECT for hostnames, I can't right now. I've tried and the
phones didn't stop ringing :-) Seems everyone, from legit usage to webmail,
all needed to be in the allow list. Since I can't inspect traffic for
illegal P2P/file-transfers, I just left it open and am settling for blocking
CONNECT to outbound sites that use an IP address vs. FQDN.
Thanks again,
.vp