Vadim Pushkin wrote:
Thanks Chris;
Based on your excellent example:
acl DenyIP_CONNECT url_regex ^[a-z]{1-5}://[0-9]
Would I still be required to write IP addresses with a netmask? Or
can I mix them, which is my preference.
If I remember correctly, the dst acl prefers a netmask these days. It
used to assume that any IP address ending with dot zero octets meant it
should mask the dot zeros (i.e. 127.1.0.0 was equivalent to
127.1.0.0/16), but I think that masking is required or assumed to be /32.
Your other regex example:
acl DenyIP_CONNECT url_regex
-i^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
Does seem rather lengthy and I do not want to impede the squid ability
to function, or at least keep it to a minimum.
And apparently doesn't work. Huh. Well, there should be a space
between the -i and the caret (^)... And apparently url_regex doesn't
include the protocol type (http://, https://, etc.) on connect
requests. But that would preclude the short form from working either.
Testing with Squid-2.6-Stable16 indicates this to be the case:
Given...
acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]
http_access deny CONNECT DenyIP_CONNECT
...and...
debug_options ALL,1 33,2 28,9
...accessing https://www.wellsfargo.com/...
2007/11/01 13:56:41| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:56:41| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex
-i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchRegex: checking 'www.wellsfargo.com:443'
2007/11/01 13:56:41| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchAclList: no match, returning 0
...works. But so does accessing https://151.151.13.133/...
2007/11/01 13:53:44| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:53:44| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex
-i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchRegex: checking '151.151.13.133:443'
2007/11/01 13:53:44| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchAclList: no match, returning 0
So, in closing (finally!)...
acl DenyIP_CONNECT url_regex ^[0-9]
or
acl DenyIP_CONNECT url_regex
^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
should work with...
http_access deny CONNECT DenyIP_CONNECT
...to deny CONNECT to numeric IP addresses. The former would of course
be less processor intensive, the latter more specific.
Thanks again,
.vadim
Chris