Vadim Pushkin wrote:
>> Let me see if I have this straight... You want to block CONNECT to
>> IP addresses, except those that are explicitly allowed, but allow
>> CONNECT to any FQDN. Is this correct?
>> Chris
> yes, for now, because I see no reason that they should be allowed.
> The FQDN ones are a nightmare to maintain; it seems every webmail,
> banking site, etc. wants it.
> .vp
Simple enough then...
acl AllowIP_CONNECT dst "/squid/etc/allow-ip-addresses"
# The next regex is ugly and may cause poor performance, but it will
# match IP addresses only*. The scheme part is optional because a CONNECT
# request carries only host:port, so a pattern that insists on "xx://"
# would never match one.
acl DenyIP_CONNECT url_regex -i ^([a-z]{1,5}://)?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
http_access allow CONNECT AllowIP_CONNECT
http_access deny CONNECT DenyIP_CONNECT
http_access allow CONNECT all # Just for clarity's sake
These lines of course should be below the defaults that deny CONNECT to
non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the form:
192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8
Chris
* Since domain names adhering to RFC1035 MUST start with a letter, a
simpler, but less exact acl would be:
acl DenyIP_CONNECT url_regex -i ^([a-z]{1,5}://)?[0-9]
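To sanity-check the rule ordering and the two regexes before loading them into squid.conf, here is a small Python model of the three http_access lines above. It is added here as an example and is not Chris's config or Squid's own code. It runs a handful of constructed CONNECT targets through the allow file and both patterns. Two assumptions are built in and marked in the comments: the scheme is made optional because a CONNECT target is authority-form host:port, and the "exact" pattern gets a trailing ':port'/end-of-string anchor so a hostname such as 1.2.3.4.example.com is not mistaken for an IP literal. The dst ACL is modelled for IP literals only; real Squid's dst also resolves hostnames, which is left out so the script runs offline.

```python
import ipaddress
import re

# Constructed copy of /squid/etc/allow-ip-addresses as given in the post.
ALLOW_IP_FILE = """\
192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8
"""
ALLOW_IP_NETS = [ipaddress.ip_network(line.strip())
                 for line in ALLOW_IP_FILE.splitlines() if line.strip()]

OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# The post's "exact" DenyIP_CONNECT pattern (case-insensitive, like -i), with
# two changes that are assumptions of this example, not from the post: the
# scheme is optional because a CONNECT target is authority-form host:port with
# no scheme, and the match must end at ':port', '/' or end-of-string so that
# '1.2.3.4.example.com' is not taken for an IP literal.
EXACT_IP = re.compile(
    r"^(?:[a-z]{1,5}://)?(?:" + OCTET + r"\.){3}" + OCTET + r"(?::[0-9]+)?(?:/|$)",
    re.IGNORECASE)

# The footnote's simpler pattern: deny any host that starts with a digit.
SIMPLE_IP = re.compile(r"^(?:[a-z]{1,5}://)?[0-9]", re.IGNORECASE)


def split_target(target):
    """Return (host, port_or_None) from 'host:443' or 'scheme://host/...'.
    IPv4 and hostnames only, as in the post; IPv6 literals are not handled."""
    t = re.sub(r"^[a-z]{1,5}://", "", target, flags=re.IGNORECASE)
    t = t.split("/", 1)[0]
    host, sep, port = t.rpartition(":")
    if not sep or not port.isdigit():
        return t, None
    return host, int(port)


def dst_allowed(host):
    """Model 'acl AllowIP_CONNECT dst <file>' for IP literals only.
    (Squid's dst also resolves hostnames to addresses; omitted to stay offline.)"""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOW_IP_NETS)


def connect_decision(target, deny_regex=EXACT_IP):
    """Walk the three http_access lines in order and return 'allow' or 'deny'."""
    host, _port = split_target(target)
    if dst_allowed(host):              # http_access allow CONNECT AllowIP_CONNECT
        return "allow"
    if deny_regex.search(target):      # http_access deny CONNECT DenyIP_CONNECT
        return "deny"
    return "allow"                     # http_access allow CONNECT all


if __name__ == "__main__":
    for t in ("10.1.2.3:443", "8.8.8.8:443", "https://8.8.8.8/",
              "mail.example.com:443", "1.2.3.4.example.com:443", "3com.com:443"):
        print(f"{t:28} exact={connect_decision(t):5} "
              f"simple={connect_decision(t, SIMPLE_IP)}")
```

The last target is the case the footnote trades away: 3com.com is a legitimate name that starts with a digit, so the simpler pattern denies it while the exact pattern lets it through. Run the script before and after editing the allow file to confirm that only the listed ranges bypass the deny rule.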