Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Chris Robertson <crobertson@xxxxxxx>

> Hello All;
>
> I have a rule which blocks the use of CONNECT based on the
> user calling an IP address vs. FQDN, this works great!
>
> I am able to specify allowed IP addresses by adding them into
> /squid/etc/allow-ip-addresses.
>
> I am in need of adding entire subnets, or parts of a network
> as well, which I am unable to figure out.
>
> I have within my squid.conf, the following:
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
>
> acl SSL_ports port 443
>
> acl CONNECT method CONNECT
>
> # Should I use dstdomain versus something else here?
> acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"

I have to ask... Why did you call the file "allow-ip-addresses" when you are using domain names? Personally, I'd call this file "allowed-domains" and set up another ACL:

The file contains IP addresses, not hostnames and/or domains.

acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"

In that file you can specify IP addresses, IP addresses with netmask or use CIDR notation.

OK, I haven't tried the CIDR method, but assuming I do, shall I continue to use url_regex?
As I've said, when I use urlpath_regex, I block nothing at all.


> # When I use urlpath_regex, it allows *everything* through.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny CONNECT numeric_IPs !allowed-CONNECT

Of course having two ACLs would require re-working the http_access rules you have here. Something like:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT allowed-CONNECT
http_access allow CONNECT allowed-CONNECT-IP
http_access deny CONNECT

Yes, your method does look a lot cleaner, and while at some point I may wish to block CONNECT for hostnames, I can't right now. I've tried and the phones didn't stop ringing :-) Seems everyone, from legit usage to webmail, all needed to be in the allow list. Since I can't inspect traffic for illegal P2P/file-transfers, I just left it open and am settling for blocking CONNECT to outbound sites that use an IP address vs. FQDN.

Thanks again,

.vp
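The following is an added worked example, not code from the thread or from the Squid project. It models the two http_access chains discussed above (the poster's single dstdomain rule with the numeric_IPs regex, and the suggested dstdomain plus dst pair) against a constructed allow-ip-addresses file containing a plain address, an address/netmask pair and a CIDR block. It shows why a netmask or CIDR line can never match a dstdomain ACL but does match a dst ACL, and why urlpath_regex "blocks nothing": a CONNECT request carries only host:port, so its path is empty and an anchored numeric pattern never matches. Assumptions: Safe_ports includes 443 as in the stock squid.conf (the quoted excerpt shows only 80, 21 and 22), and a hostname is treated as a dst miss rather than resolved, to keep the example offline. The sample addresses are constructed documentation ranges.

```python
import ipaddress
import re

# Constructed stand-in for /squid/etc/allow-ip-addresses (sample values, not
# from the thread): a plain address, an address/netmask pair and a CIDR block.
ALLOW_IP_FILE = """\
192.0.2.10
198.51.100.0/255.255.255.0
203.0.113.0/24
"""

# The numeric_IPs pattern from the quoted squid.conf.
NUMERIC_IP_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Assumption: Safe_ports includes 443 as in the stock squid.conf; the quoted
# excerpt only lists 80, 21 and 22.
SAFE_PORTS = {80, 21, 22, 443}
SSL_PORTS = {443}


def load_entries(text):
    """Non-empty, non-comment lines of an ACL file."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]


def dstdomain_matches(entries, host):
    """Model of 'acl ... dstdomain': the request host is compared with each
    listed name as text (a leading dot also matches subdomains). A plain IP
    typed into the URL can therefore match, but a netmask or CIDR entry never can."""
    return any(host == e or (e.startswith(".") and host.endswith(e)) for e in entries)


def dst_matches(entries, host):
    """Model of 'acl ... dst': address, address/netmask or CIDR entries are
    parsed as networks and the destination IP is tested for membership.
    Real Squid resolves a hostname first; here a hostname is a miss (assumption)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def url_regex_numeric(req):
    """url_regex sees the whole request URL; for CONNECT that is host:port."""
    if req["method"] == "CONNECT":
        url = f"{req['host']}:{req['port']}"
    else:
        url = f"http://{req['host']}:{req['port']}{req.get('path', '/')}"
    return NUMERIC_IP_RE.search(url) is not None


def urlpath_regex_numeric(req):
    """urlpath_regex sees only the path part. A CONNECT request has no path,
    so the anchored numeric pattern never matches and nothing is blocked."""
    path = "" if req["method"] == "CONNECT" else req.get("path", "/")
    return NUMERIC_IP_RE.search(path) is not None


def http_access(rules, req):
    """Squid evaluates http_access lines top to bottom; the first line whose
    ACLs all match decides. If no line matches, the default is the opposite
    of the last line's action."""
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


ENTRIES = load_entries(ALLOW_IP_FILE)
CONNECT = lambda r: r["method"] == "CONNECT"
not_safe = lambda r: r["port"] not in SAFE_PORTS
not_ssl = lambda r: r["port"] not in SSL_PORTS
allowed_connect = lambda r: dstdomain_matches(ENTRIES, r["host"])  # poster's dstdomain ACL
allowed_connect_ip = lambda r: dst_matches(ENTRIES, r["host"])     # suggested dst ACL


def original_rules(numeric_acl=url_regex_numeric):
    """The poster's chain: only numeric destinations outside the list are denied."""
    return [
        ("deny", [not_safe]),
        ("deny", [CONNECT, not_ssl]),
        ("deny", [CONNECT, numeric_acl, lambda r: not allowed_connect(r)]),
    ]


# The suggested chain: allow listed names, allow listed networks, deny the rest of CONNECT.
SUGGESTED_RULES = [
    ("deny", [not_safe]),
    ("deny", [CONNECT, not_ssl]),
    ("allow", [CONNECT, allowed_connect]),
    ("allow", [CONNECT, allowed_connect_ip]),
    ("deny", [CONNECT]),
]


def connect(host, port=443):
    return {"method": "CONNECT", "host": host, "port": port}


if __name__ == "__main__":
    for host in ("192.0.2.10", "203.0.113.7", "192.0.2.99", "mail.example.com"):
        print(host, "original:", http_access(original_rules(), connect(host)),
              "suggested:", http_access(SUGGESTED_RULES, connect(host)))
```

Running it shows the practical difference: 203.0.113.7 is denied by the original chain because the CIDR line is meaningless to dstdomain, but allowed by the suggested chain through the dst ACL, while a CONNECT to a hostname passes the original chain (the numeric regex never matches) and is denied by the suggested one, which is exactly the trade-off the reply describes.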


