Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>

>>From: Chris Robertson <crobertson@xxxxxxx>
>
>>> > Hello All;
>>> >
>>> > I have a rule which blocks the use of CONNECT based on the
>>> > user calling an IP address vs. FQDN, this works great!
>>> >
>>> > I am able to specify allowed IP addresses by adding them into
>>> > /squid/etc/allow-ip-addresses.
>>> >
>>> > I am in need of adding entire subnets, or parts of a network
>>> > as well, which I am unable to figure out.
>>> >
>>> > I have within my squid.conf, the following:
>>> >
>>> > acl Safe_ports port 80 # http
>>> > acl Safe_ports port 21 # ftp
>>> > acl Safe_ports port 22 # ssh
>>> >
>>> > acl SSL_ports port 443
>>> >
>>> > acl CONNECT method CONNECT
>>> >
>>> > # Should I use dstdomain versus something else here?
>>> > acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
>>
>>I have to ask...  Why did you call the file "allow-ip-addresses" when you
>>are using domain names? Personally, I'd call this file "allowed-domains"
>>and set up another ACL:
>
> The file contains IP addresses, not hostnames and/or domains.

dstdomain matches against the requested hostname. As text.
So that acl matches only if the client requests with an IP where it
should have a hostname (i.e. CONNECT 10.0.0.0:443 HTTP/1.1)

Precisely what I am trying to do, stop CONNECT to requests which use an IP vs a hostname.

>>acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"
>>
>>In that file you can specify IP addresses, IP addresses with netmask or use
>>CIDR notation.
>
> OK, I haven't tried the CIDR method, but assuming I do, shall I continue to
> use url_regex?

With CIDR you use "dst" and it matches whenever the IPA resolves to one
listed.

Sorry for the dumb question, but where do I specify dst? In place of dstdomain?

> As I've said, when I use urlpath_regex, I block nothing at all.

You have already been told several times there is no path in "CONNECT
10.0.0.0:443 HTTP/1.0" etc.

Sorry again, still not clear :-(

>>> > # When I use urlpath_regex, it allows *everything* through.
>>> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>>> >
>>> > http_access deny !Safe_ports
>>> > http_access deny CONNECT !SSL_ports
>>> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
>>
>>Of course having two ACLs would require re-working the http_access rules
>>you have here.  Something like:
>>
>>http_access deny !Safe_ports
>>http_access deny CONNECT !SSL_ports
>>http_access allow CONNECT allowed-CONNECT
>>http_access allow CONNECT allowed-CONNECT-IP
>>http_access deny CONNECT
>
> Yes, your method does look a lot cleaner, and while at some point I may wish
> to block CONNECT for hostnames, I can't right now.  I've tried and the
> phones didn't stop ringing :-)  Seems everyone, from legit usage to webmail,
> all needed to be in the allow list.  Since I can't inspect traffic for
> illegal P2P/file-transfers, I just left it open and am settling for blocking
> CONNECT to outbound sites that use an IP address vs. FQDN.
>

Sounds more like you turned off CONNECT altogether that time.
Did you use "url_regex ^([a-z]+\.?)+$" or similar by chance?

Wouldn't this block anything with a hostname as well? I only wish to prevent IP addresses for now.

Allowing port 443 in both Safe_ports and SSL_ports should let all those
webmail etc get through with no problems.
Unless your entire client base is doing weird non-standard things with
their webmail. Which you should know about anyway.

No, for instance, unless I've added .hotmail.com, I am unable to gain access to my webmail as well.

Many thank you's again,

.vp
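
The ACL logic discussed in this thread, as an added example that is not part of the original messages and not Squid code: a simplified Python model of how a CONNECT target is seen by `url_regex`, `urlpath_regex` and a `dst` list holding single addresses, CIDR blocks and netmasks. It assumes the two deny rules are combined as `http_access deny CONNECT !SSL_ports` and `http_access deny CONNECT numeric_IPs !allowed-CONNECT-IP`; the allow-list contents and test hostnames are constructed, and the model does no DNS lookups.

```python
import ipaddress
import re

# Same pattern as the numeric_IPs ACL quoted in the thread.
NUMERIC_IP = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")

# Constructed stand-in for /squid/etc/allow-ip-addresses: single address,
# CIDR block, and address/netmask, the three forms mentioned in the thread.
ALLOW_FILE = """\
192.0.2.10
198.51.100.0/24
203.0.113.0/255.255.255.128
"""

def load_networks(text):
    """Parse one allow-list entry per line into network objects."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]

def split_connect_target(target):
    """CONNECT carries only host:port, so the path component is empty."""
    host, _, port = target.rpartition(":")
    return host, int(port), ""

def urlpath_regex_matches(target):
    """The same pattern applied to the path: nothing there to match."""
    return bool(NUMERIC_IP.search(split_connect_target(target)[2]))

def connect_denied(target, networks, ssl_ports=(443,)):
    """Model of: http_access deny CONNECT !SSL_ports
                 http_access deny CONNECT numeric_IPs !allowed-CONNECT-IP"""
    host, port, _path = split_connect_target(target)
    if port not in ssl_ports:
        return True
    if not NUMERIC_IP.match(target):
        return False          # hostname request: not touched by these rules
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True           # looks numeric but is not an IP; model does no DNS
    return not any(addr in net for net in networks)

if __name__ == "__main__":
    nets = load_networks(ALLOW_FILE)
    for t in ("10.0.0.0:443", "198.51.100.77:443", "webmail.example.com:443"):
        print(t, "denied" if connect_denied(t, nets) else "not denied")
```

A result of "not denied" only means these two rules did not match; any later `http_access` lines still apply.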
