Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

[Chris Robertson <crobertson@xxxxxxx>]

Vadim Pushkin wrote:
> Thanks Chris;
>
> Based on your excellent example:
>
> > acl DenyIP_CONNECT url_regex ^[a-z]{1-5}://[0-9]
>
> Would I still be required to write IP addresses with a netmask?  Or 
> can I mix them, which is my preference.

If I remember correctly, the dst acl prefers a netmask these days.  It 
used to assume that any IP address ending with dot zero octets meant it 
should mask the dot zeros (i.e. 127.1.0.0 was equivalent to 
127.1.0.0/16), but I think that masking is required or assumed to be /32.

> Your other regex example:
>
> > acl DenyIP_CONNECT url_regex 
> > -i^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?) 
>
> Does seem rather lengthy and I do not want to impede the squid ability 
> to function, or at least keep it to a minimum.

And apparently doesn't work.  Huh.  Well, there should be a space 
between the -i and the caret (^)... And apparently url_regex doesn't 
include the protocol type (http://, https://, etc.) on connect 
requests.  But that would preclude the short form from working either.  
Testing with Squid-2.6-Stable16 indicates this to be the case:

Given...

acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]
http_access deny CONNECT DenyIP_CONNECT

...and...

debug_options ALL,1 33,2 28,9

...accessing https://www.wellsfargo.com/...

2007/11/01 13:56:41| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:56:41| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex 
-i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchRegex: checking 'www.wellsfargo.com:443'
2007/11/01 13:56:41| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchAclList: no match, returning 0

...works.  But so does accessing https://151.151.13.133/...

2007/11/01 13:53:44| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:53:44| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex 
-i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchRegex: checking '151.151.13.133:443'
2007/11/01 13:53:44| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchAclList: no match, returning 0

So, in closing (finally!)...

acl DenyIP_CONNECT url_regex ^[0-9]
or
acl DenyIP_CONNECT url_regex 
^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

should work with...

http_access deny CONNECT DenyIP_CONNECT

...to deny CONNECT to numeric IP addresses.  The former would of course 
be less processor intensive, the latter more specific.

> Thanks again,
>
> .vadim

Chris