
Re: Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

Vadim Pushkin wrote:
Thanks Chris;

Based on your excellent example:

acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]

Would I still be required to write IP addresses with a netmask? Or can I mix them, which is my preference.

If I remember correctly, the dst acl prefers a netmask these days. It used to assume that any IP address ending with dot zero octets meant it should mask the dot zeros (i.e. 127.1.0.0 was equivalent to 127.1.0.0/16), but I think that masking is required or assumed to be /32.


Your other regex example:

acl DenyIP_CONNECT url_regex -i^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)


Does seem rather lengthy and I do not want to impede the squid ability to function, or at least keep it to a minimum.

And apparently doesn't work. Huh. Well, there should be a space between the -i and the caret (^)... And apparently url_regex doesn't include the protocol type (http://, https://, etc.) on connect requests. But that would preclude the short form from working either. Testing with Squid-2.6-Stable16 indicates this to be the case:

Given...

acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]
http_access deny CONNECT DenyIP_CONNECT

...and...

debug_options ALL,1 33,2 28,9

...accessing https://www.wellsfargo.com/...

2007/11/01 13:56:41| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:56:41| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchRegex: checking 'www.wellsfargo.com:443'
2007/11/01 13:56:41| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchAclList: no match, returning 0

...works.  But so does accessing https://151.151.13.133/...

2007/11/01 13:53:44| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:53:44| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchRegex: checking '151.151.13.133:443'
2007/11/01 13:53:44| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchAclList: no match, returning 0

So, in closing (finally!)...

acl DenyIP_CONNECT url_regex ^[0-9]
or
acl DenyIP_CONNECT url_regex ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

should work with...

http_access deny CONNECT DenyIP_CONNECT

...to deny CONNECT to numeric IP addresses. The former would of course be less processor intensive, the latter more specific.


Thanks again,

.vadim

Chris
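As an added illustration (not part of this thread), the script below replays the matching Chris observed: on CONNECT requests Squid hands url_regex only "host:port", so the scheme-anchored patterns can never match, while the two closing patterns do. Python's re module stands in for Squid's GNU regex here (the patterns behave the same in both), the CONNECT targets are constructed from the aclMatchRegex lines in the log excerpts, and the STRICT_ANCHORED variant is my own addition showing that the unanchored strict pattern also matches hostnames that merely begin with four dotted numbers.

```python
import re

# Constructed from the aclMatchRegex lines in the thread: on CONNECT,
# url_regex sees "host:port" with no scheme in front of it.
CONNECT_URLS = [
    "www.wellsfargo.com:443",
    "151.151.13.133:443",
]

# Patterns from the thread (-i becomes re.IGNORECASE below).
SCHEME_ANCHORED = r"^[a-z]{1,5}://[0-9]"
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
LOOSE = r"^[0-9]"
STRICT = r"^(" + OCTET + r"\.){3}" + OCTET

# Assumed addition, not from the thread: anchor the dotted quad to the
# optional ":port" and end of string so "1.2.3.4.example.com" is not hit.
STRICT_ANCHORED = STRICT + r"(:[0-9]+)?$"


def url_regex_match(pattern: str, url: str, case_insensitive: bool = False) -> bool:
    """Approximate one Squid url_regex test against a single request URL."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, url, flags) is not None


def denied_connects(pattern: str, urls, case_insensitive: bool = False):
    """Return the CONNECT targets that `http_access deny CONNECT <acl>` would block."""
    return [u for u in urls if url_regex_match(pattern, u, case_insensitive)]


if __name__ == "__main__":
    for name, pat in [("scheme-anchored", SCHEME_ANCHORED), ("loose", LOOSE),
                      ("strict", STRICT), ("strict+anchor", STRICT_ANCHORED)]:
        print(f"{name:15} denies {denied_connects(pat, CONNECT_URLS, True)}")
```

Running it shows the scheme-anchored rule denying nothing at all, exactly as the debug log did.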
