>>From: Chris Robertson <crobertson@xxxxxxx>
>>> > Hello All;
>>> >
>>> > I have a rule which blocks the use of CONNECT based on the
>>> > user calling an IP address vs. FQDN, this works great!
>>> >
>>> > I am able to specify allowed IP addresses by adding them into
>>> > /squid/etc/allow-ip-addresses.
>>> >
>>> > I am in need of adding entire subnets, or parts of a network
>>> > as well, which I am unable to figure out.
>>> >
>>> > I have within my squid.conf, the following:
>>> >
>>> > acl Safe_ports port 80 # http
>>> > acl Safe_ports port 21 # ftp
>>> > acl Safe_ports port 22 # ssh
>>> >
>>> > acl SSL_ports port 443
>>> >
>>> > acl CONNECT method CONNECT
>>> >
>>> > # Should I use dstdomain versus something else here?
>>> > acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
>>
>>I have to ask... Why did you call the file "allow-ip-addresses" when you
>>are using domain names? Personally, I'd call this file "allowed-domains"
>>and set up another ACL:
>
> The file contains IP addresses, not hostnames and/or domains.

dstdomain matches against the requested hostname. As text. So that acl
matches only if the client requests with an IP where it should have a
hostname (i.e. CONNECT 10.0.0.0:443 HTTP/1.1).

>>acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"
>>
>>In that file you can specify IP addresses, IP addresses with netmask or use
>>CIDR notation.
>
> OK, I haven't tried the CIDR method, but assuming I do, shall I continue to
> use url_regex?

With CIDR you use "dst" and it matches whenever the IPA resolves to one listed.

> As I've said, when I use urlpath_regex, I block nothing at all.

You have already been told several times there is no path in
"CONNECT 10.0.0.0:443 HTTP/1.0" etc.

>>> > # When I use urlpath_regex, it allows *everything* through.
>>> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>>> >
>>> > http_access deny !Safe_ports
>>> > http_access deny CONNECT !SSL_ports
>>> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
>>
>>Of course having two ACLs would require re-working the http_access rules
>>you have here. Something like:
>>
>>http_access deny !Safe_ports
>>http_access deny CONNECT !SSL_ports
>>http_access allow CONNECT allowed-CONNECT
>>http_access allow CONNECT allowed-CONNECT-IP
>>http_access deny CONNECT
>
> Yes, your method does look a lot cleaner, and while at some point I may wish
> to block CONNECT for hostnames, I can't right now. I've tried and the
> phones didn't stop ringing :-) Seems everyone, from legit usage to webmail,
> all needed to be in the allow list. Since I can't inspect traffic for
> illegal P2P/file-transfers, I just left it open and am settling for blocking
> CONNECT to outbound sites that use an IP address vs. FQDN.
>

Sounds more like you turned off CONNECT altogether that time. Did you use
"url_regex ^([a-z]+\.?)+$" or similar by chance?

Allowing port 443 in both Safe_ports and SSL_ports should let all those
webmail etc. get through with no problems. Unless your entire client base is
doing weird non-standard things with their webmail. Which you should know
about anyway.

Amos
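To make the dst-versus-dstdomain point and the "there is no path in a CONNECT" point concrete, here is an added Python model of how the http_access lines from this thread evaluate against a handful of request lines. It is example code written for this page, not Squid's own implementation: it assumes Squid's first-match semantics (every ACL on a line must match, and when no line matches the default is the opposite of the last line), models url_regex as seeing "host:port" for a CONNECT, and replaces DNS with a hard-coded table. The allow-list contents, the FAKE_DNS entries and the example.com/example.net hostnames are all constructed for the example.

```python
"""Toy model of Squid http_access evaluation for the ACLs in this thread.

Added illustration, not Squid source. Assumes first-match semantics, all ACLs
on a line ANDed, default = opposite of the last line. Allow list and resolver
table below are constructed for the example.
"""
import ipaddress
import re

# Constructed stand-in for the contents of /squid/etc/allow-ip-addresses
ALLOW_FILE = """
10.0.0.7
192.168.1.0/24
172.16.0.0/255.255.0.0
"""

# Constructed resolver table; the real "dst" ACL would query DNS
FAKE_DNS = {
    "intranet.example.com": "192.168.1.20",
    "mail.example.net": "203.0.113.5",
}

NUMERIC_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")


def parse_allow_file(text):
    """Return (raw entries as dstdomain would compare them, networks for dst)."""
    entries = [s for s in (ln.strip() for ln in text.splitlines())
               if s and not s.startswith("#")]
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]  # IP, CIDR, netmask
    return set(entries), nets


ALLOW_TEXT, ALLOW_NETS = parse_allow_file(ALLOW_FILE)


class Request:
    """Minimal view of a request line as the ACLs see it."""

    def __init__(self, line):
        self.method, target, _version = line.split()
        if self.method == "CONNECT":
            # CONNECT carries only host:port; url_regex sees "host:port" and
            # urlpath_regex sees nothing, because there is no path at all.
            self.host, _, port = target.rpartition(":")
            self.port, self.url, self.path = int(port), target, None
        else:
            m = re.match(r"[a-z]+://([^/:]+)(?::(\d+))?(/.*)?$", target)
            self.host, self.url = m.group(1), target
            self.port = int(m.group(2) or 80)
            self.path = m.group(3) or "/"


def acl_dst(req):
    """dst: resolve the host (or take the literal IP) and test network membership."""
    try:
        ip = ipaddress.ip_address(req.host)
    except ValueError:
        addr = FAKE_DNS.get(req.host.lower())
        if addr is None:
            return False
        ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOW_NETS)


ACLS = {
    "Safe_ports": lambda r: r.port in {80, 21, 22, 443},
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    # url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ against "10.0.0.7:443"
    "numeric_IPs": lambda r: NUMERIC_RE.search(r.url) is not None,
    # the same pattern as urlpath_regex: a CONNECT has no path, so never matches
    "numeric_IPs_path": lambda r: r.path is not None and NUMERIC_RE.search(r.path) is not None,
    # dstdomain "/squid/etc/allow-ip-addresses": a textual hostname compare
    "allowed-CONNECT": lambda r: r.host.lower() in ALLOW_TEXT,
    # dst "/squid/etc/allow-ip-addresses": address/CIDR membership
    "allowed-CONNECT-IP": acl_dst,
}


def parse_rules(conf):
    """Turn http_access lines into (verdict, [(acl_name, negated), ...])."""
    rules = []
    for line in conf.strip().splitlines():
        _directive, verdict, *terms = line.split()
        rules.append((verdict, [(t.lstrip("!"), t.startswith("!")) for t in terms]))
    return rules


def http_access(conf, request_line):
    """First http_access line whose ACLs all match decides; else opposite of last."""
    req, rules = Request(request_line), parse_rules(conf)
    for verdict, terms in rules:
        if all(ACLS[name](req) != negated for name, negated in terms):
            return verdict
    return "allow" if rules[-1][0] == "deny" else "deny"


# The poster's rules, once with url_regex and once with urlpath_regex
ORIGINAL = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT numeric_IPs !allowed-CONNECT
"""
ORIGINAL_PATH = ORIGINAL.replace("numeric_IPs", "numeric_IPs_path")

# Chris's suggested split into a dstdomain ACL plus a dst ACL
SUGGESTED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT allowed-CONNECT
http_access allow CONNECT allowed-CONNECT-IP
http_access deny CONNECT
"""

if __name__ == "__main__":
    for line in ("CONNECT 10.0.0.7:443 HTTP/1.1", "CONNECT 192.168.1.20:443 HTTP/1.1",
                 "CONNECT 203.0.113.5:443 HTTP/1.1", "CONNECT intranet.example.com:443 HTTP/1.1",
                 "CONNECT mail.example.net:443 HTTP/1.1"):
        print(f"{line:44} original={http_access(ORIGINAL, line):5} "
              f"urlpath={http_access(ORIGINAL_PATH, line):5} "
              f"suggested={http_access(SUGGESTED, line)}")
```

Running it prints one row per request. The urlpath column is "allow" for every CONNECT because the path ACL can never match, which is the "I block nothing at all" symptom. The original url_regex rule set denies 192.168.1.20 even though 192.168.1.0/24 is in the file, because dstdomain compares the host as text and the text "192.168.1.20" is not there; only the dst-based rule set honours the CIDR entry, and it also admits intranet.example.com because that name resolves into the listed network.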