By the way, the longer, second example does not work at all. It allows
everything through.
.vp
From: "Vadim Pushkin" <wiskbroom@xxxxxxxxxxx>
To: crobertson@xxxxxxx, squid-users@xxxxxxxxxxxxxxx
Subject: Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r
Date: Wed, 31 Oct 2007 10:14:05 -0500
Thanks Chris;
Based on your excellent example:
acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
Would I still be required to write IP addresses with a netmask? Or can I
mix them, which is my preference?
Your other regex example:
acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Does seem rather lengthy, and I do not want to impede Squid's ability to
function, or at least keep that to a minimum.
Thanks again,
.vadim
From: Chris Robertson <crobertson@xxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r
Date: Fri, 26 Oct 2007 12:32:12 -0800
Vadim Pushkin wrote:
Let me see if I have this straight... You want to block CONNECT to IP
address, except those that are explicitly allowed, but allow CONNECT to
any FQDN. Is this correct?
Chris
Yes, for now, because I see no reason that they should be allowed. The
FQDN ones are a nightmare to maintain; it seems every webmail, banking
site, etc. wants it.
.vp
Simple enough then...
acl AllowIP_CONNECT dst /squid/etc/allow-ip-addresses
# The next regex is ugly and may cause poor performance, but it will match IP addresses only*
acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
http_access allow CONNECT AllowIP_CONNECT
http_access deny CONNECT DenyIP_CONNECT
http_access allow CONNECT all # Just for clarity's sake
These lines of course should be below the defaults that deny CONNECT to
non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the
form:
192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8
Chris
* Since domain names adhering to RFC1035 MUST start with a letter, a
simpler, but less exact acl would be:
acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
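The following is an added check, not code from this thread or from Squid, that walks the three http_access lines above over a handful of constructed requests and shows why a scheme-anchored url_regex never denies a CONNECT to an IP address: Squid stores a CONNECT request's URL in authority form, "host:port", with no "http://" or "https://" in front of it, so "^[a-z]{1,5}://" cannot match and the request falls through to "allow CONNECT all". The "fixed_*" patterns are my variants that make the scheme optional; the "posted_*" patterns mirror the ones in the post. Assumptions: Python's re module is close enough to Squid's POSIX extended regex for these patterns, and the dst ACL is approximated with the ipaddress module and no DNS lookup, so hostnames simply do not match the allow list.

```python
import ipaddress
import re

# Constructed sample requests as (method, URL as Squid sees it). For CONNECT
# requests Squid keeps only the authority form "host:port"; no scheme in front.
SAMPLE_REQUESTS = [
    ("CONNECT", "192.168.1.20:443"),      # IP inside the allow list
    ("CONNECT", "203.0.113.7:443"),       # IP not in the allow list
    ("CONNECT", "mail.example.com:443"),  # FQDN, should stay allowed
    ("GET", "http://203.0.113.7/"),       # not CONNECT: the three rules never match
]

# Contents of /squid/etc/allow-ip-addresses from the post, parsed for the dst ACL.
ALLOW_IP_CONNECT = [
    ipaddress.ip_network(n)
    for n in ("192.168.2.1/32", "192.168.1.0/24", "172.16.0.0/16", "10.0.0.0/8")
]

OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
DOTTED_QUAD = r"(" + OCTET + r"\.){3}" + OCTET

# "posted_*" mirror the post's url_regex lines (scheme required);
# "fixed_*" are my variants with the scheme optional (assumption, not from the post)
# so that authority-form CONNECT URLs can match too.
DENY_PATTERNS = {
    "posted_long": re.compile(r"^[a-z]{1,5}://" + DOTTED_QUAD, re.IGNORECASE),
    "posted_short": re.compile(r"^[a-z]{1,5}://[0-9]"),
    "fixed_long": re.compile(r"^([a-z]{1,5}://)?" + DOTTED_QUAD, re.IGNORECASE),
    "fixed_short": re.compile(r"^([a-z]{1,5}://)?[0-9]"),
}


def dst_host(url):
    """Return the destination host that Squid's dst ACL would compare against."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1) if m else ""


def acl_allow_ip_connect(url):
    """dst ACL against the allow list; hostnames are left unmatched (no DNS here)."""
    try:
        ip = ipaddress.ip_address(dst_host(url))
    except ValueError:
        return False
    return any(ip in net for net in ALLOW_IP_CONNECT)


def http_access(method, url, deny_re):
    """Walk the three http_access lines from the post; the first match wins.

    Returns "allow", "deny", or None when no line matched (Squid would then
    continue with whatever http_access lines follow)."""
    if method != "CONNECT":
        return None
    if acl_allow_ip_connect(url):
        return "allow"          # http_access allow CONNECT AllowIP_CONNECT
    if deny_re.search(url):
        return "deny"           # http_access deny CONNECT DenyIP_CONNECT
    return "allow"              # http_access allow CONNECT all


def evaluate(pattern_name, requests=SAMPLE_REQUESTS):
    """Decision for every sample request under one of the deny patterns."""
    deny_re = DENY_PATTERNS[pattern_name]
    return {url: http_access(method, url, deny_re) for method, url in requests}


if __name__ == "__main__":
    for name in DENY_PATTERNS:
        print(name)
        for url, verdict in evaluate(name).items():
            print(f"  {url:28} -> {verdict}")
```

Running it shows "203.0.113.7:443" coming back as "allow" under both posted patterns and "deny" under both fixed ones, while the allow-listed 192.168.1.20 and the FQDN are allowed either way. The same mismatch is worth remembering for any url_regex meant to police CONNECT: test it against "host:port" strings, not full URLs, or use a dst / dstdom_regex ACL instead.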