Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

Vadim Pushkin wrote:


Let me see if I have this straight... You want to block CONNECT to IP address, except those that are explicitly allowed, but allow CONNECT to any FQDN. Is this correct?

Chris
Yes, for now, because I see no reason that they should be allowed. The FQDN ones are a nightmare to maintain; it seems every webmail, banking site, etc. wants it.

.vp


Simple enough then...

acl AllowIP_CONNECT dst "/squid/etc/allow-ip-addresses"
# The next regex is ugly and may cause poor performance, but it will match IP addresses only*
acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)


http_access allow CONNECT AllowIP_CONNECT
http_access deny CONNECT DenyIP_CONNECT
http_access allow CONNECT all # Just for clarity's sake

These lines of course should be below the defaults that deny CONNECT to non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the form:

192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8

Chris

* Since domain names adhering to RFC1035 MUST start with a letter, a simpler, but less exact acl would be:

acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
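A Python re-enactment of the three http_access lines from Chris's reply, added here as an illustration and not part of his configuration or of Squid itself. It assumes the CONNECT request URL reaches url_regex in scheme://host:port form, stands in for the dst ACL with a plain CIDR check on IP literals (no DNS lookup), and uses a constructed copy of the allow-ip-addresses file; it also contrasts the exact dotted-quad regex with the simpler footnote variant on a hostname that merely begins with a digit.

```python
import ipaddress
import re

# The dotted-quad regex from the post (the -i flag becomes re.IGNORECASE).
IP_URL_RE = re.compile(
    r"^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    re.IGNORECASE,
)
# The "simpler, but less exact" variant from the footnote.
SIMPLE_RE = re.compile(r"^[a-z]{1,5}://[0-9]", re.IGNORECASE)

# Constructed stand-in for the contents of /squid/etc/allow-ip-addresses.
ALLOW_IP_CONNECT = [
    ipaddress.ip_network(n)
    for n in ("192.168.2.1/32", "192.168.1.0/24", "172.16.0.0/16", "10.0.0.0/8")
]


def host_of(url):
    """Pull host out of scheme://host[:port][/...] (IPv4 literals or names only)."""
    return url.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]


def dst_allowed(host):
    """Simplified 'dst' ACL: true when host is an IP literal inside an allowed range.
    Real Squid would resolve a hostname first; this stand-in does no DNS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOW_IP_CONNECT)


def connect_decision(url, ip_regex=IP_URL_RE):
    """Walk the three http_access lines in order for a CONNECT request."""
    if dst_allowed(host_of(url)):   # http_access allow CONNECT AllowIP_CONNECT
        return "allow"
    if ip_regex.search(url):        # http_access deny CONNECT DenyIP_CONNECT
        return "deny"
    return "allow"                  # http_access allow CONNECT all


if __name__ == "__main__":
    for u in ("https://192.168.1.5:443", "https://8.8.8.8:443",
              "https://mail.example.com:443", "https://1and1.example:443"):
        print(u, connect_decision(u), connect_decision(u, SIMPLE_RE))
```

The last line of output shows the footnote's trade-off: a hostname starting with a digit is denied by the simple pattern but allowed by the exact one.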
