
Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r


By the way, the longer, second example does not work at all. It allows everything through.

.vp


From: "Vadim Pushkin" <wiskbroom@xxxxxxxxxxx>
To: crobertson@xxxxxxx, squid-users@xxxxxxxxxxxxxxx
Subject: Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r
Date: Wed, 31 Oct 2007 10:14:05 -0500

Thanks Chris;

Based on your excellent example:

acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]

Would I still be required to write IP addresses with a netmask? Or can I mix them, which is my preference.

Your other regex example:

acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)


It does seem rather lengthy, and I do not want to impede Squid's ability to function, or at least I want to keep the impact to a minimum.

Thanks again,

.vadim

From: Chris Robertson <crobertson@xxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r
Date: Fri, 26 Oct 2007 12:32:12 -0800

Vadim Pushkin wrote:
> > Let me see if I have this straight... You want to block CONNECT to IP addresses, except those that are explicitly allowed, but allow CONNECT to any FQDN. Is this correct?
> >
> > Chris
>
> Yes, for now, because I see no reason that they should be allowed. The FQDN ones are a nightmare to maintain; it seems every webmail, banking site, etc. wants it.
>
> .vp


Simple enough then...

acl AllowIP_CONNECT dst /squid/etc/allow-ip-addresses
# The next regex is ugly and may cause poor performance, but it will match IP addresses only*
# (note the space after -i: Squid only treats "-i" as the case-insensitive flag when it is a separate token)
acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)


http_access allow CONNECT AllowIP_CONNECT
http_access deny CONNECT DenyIP_CONNECT
http_access allow CONNECT all # Just for clarity's sake

These lines of course should be below the defaults that deny CONNECT to non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the form:

192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8

Chris

* Since domain names adhering to RFC1035 MUST start with a letter, a simpler but less exact ACL would be:

acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
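To see what the two url_regex patterns in this thread actually match, here is an added example that is not part of the thread and not Squid code: a small Python model of the three http_access lines, run against constructed request URLs. It assumes that Squid hands url_regex a CONNECT request as a bare host:port with no scheme (which is how Squid canonicalises CONNECT URLs), so besides the thread's two patterns it also tries a hypothetical variant of the exact pattern with the scheme made optional and a trailing boundary added. The allow-list lookup only models IP-literal hosts; Squid's real dst ACL also resolves names. ALLOW_NETS, host_of, in_allow_list, http_access, simple_vs_exact and SAMPLES are names chosen for this example.

```python
import ipaddress
import re

# Constructed stand-in for the /squid/etc/allow-ip-addresses file from the thread.
ALLOW_NETS = [ipaddress.ip_network(s) for s in (
    "192.168.2.1/32", "192.168.1.0/24", "172.16.0.0/16", "10.0.0.0/8")]

OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
DOTTED_QUAD = rf"({OCTET}\.){{3}}{OCTET}"

# The thread's two url_regex patterns in scheme://host form, quantifier written as {1,5},
# with re.I standing in for Squid's -i flag.
EXACT_SCHEME = re.compile(rf"^[a-z]{{1,5}}://{DOTTED_QUAD}", re.I)
SIMPLE_SCHEME = re.compile(r"^[a-z]{1,5}://[0-9]", re.I)

# Hypothetical hardened pattern (not from the thread). Assumption: Squid matches url_regex
# for CONNECT against "host:port" with no scheme, so the scheme is optional here, and the
# trailing ([:/]|$) keeps a name such as 1.2.3.4.example.com from counting as an IP literal.
EXACT_ANY = re.compile(rf"^([a-z]{{1,5}}://)?{DOTTED_QUAD}([:/]|$)", re.I)


def host_of(url):
    """Host from either 'scheme://host[:port]/...' or a bare CONNECT 'host:port'."""
    rest = url.split("://", 1)[1] if "://" in url else url
    hostport = rest.split("/", 1)[0]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def in_allow_list(host):
    """Model of the dst ACL for IP-literal hosts only (the real dst ACL also resolves FQDNs)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in ALLOW_NETS)


def http_access(url, ip_regex=EXACT_ANY):
    """Walk the thread's three http_access lines top to bottom; first match wins."""
    if in_allow_list(host_of(url)):
        return "allow"       # http_access allow CONNECT AllowIP_CONNECT
    if ip_regex.search(url):
        return "deny"        # http_access deny CONNECT DenyIP_CONNECT
    return "allow"           # http_access allow CONNECT all


def simple_vs_exact(urls):
    """URLs (scheme form) where the short 'starts with a digit' regex and the exact one disagree."""
    return [u for u in urls
            if bool(SIMPLE_SCHEME.search(u)) != bool(EXACT_SCHEME.search(u))]


# Constructed requests; the bare host:port entries are the CONNECT form.
SAMPLES = [
    ("1.2.3.4:443", "deny"),
    ("webmail.example.com:443", "allow"),
    ("192.168.1.10:443", "allow"),          # IP literal, but inside 192.168.1.0/24
    ("HTTPS://8.8.8.8/", "deny"),
    ("1.2.3.4.example.com:443", "allow"),   # a name that merely starts like an IP
    ("999.1.1.1:443", "allow"),             # not a valid IPv4 literal
]


def run():
    """Decision for every sample, using the hardened pattern."""
    return [(url, http_access(url)) for url, _ in SAMPLES]


if __name__ == "__main__":
    for (url, expected), (_, got) in zip(SAMPLES, run()):
        print(f"{url:28} -> {got:5} (expected {expected})")
    print("simple != exact:", simple_vs_exact(
        ["http://3com.example.com/", "http://10.0.0.1/", "http://999.1.1.1/"]))
```

Passing EXACT_SCHEME or SIMPLE_SCHEME as ip_regex shows the difference that matters here: the scheme-anchored patterns never match a bare host:port CONNECT target, and the exact pattern without a trailing boundary denies http://1.2.3.4.example.com/ although it is a name, not an address.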




