Hi list, I have been using the following squid.conf snippet for a while: #---------------------------- acl thisisanip url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$ acl whitelist dstdomain "/etc/squid/whitelist.txt" acl whitelist_ip dst "/etc/squid/whitelist_ip.txt" #Check IP Whitelist http_access allow thisisanip whitelist_ip http_access deny thisisanip #Check Domain Whitelist http_access allow whitelist # And finally deny all other access to this proxy http_access deny all #---------------------------- I believe the url_regex snippet was even provided by Henrik in <http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/msg26777.html> The reason for adding the thisisanip acl was that squid took a loooooong time accessing IPs. I'm not*exactly* sure why, but I believe squid tries a reverse DNS lookup for each IP and tries to compare the result with the names listed in the domain-name-based whitelist, which is time-consuming, especially if there is no name associated with the IP in question. With the above setup, squid will check: 1) a) it is an IP and 1) b) it is in the whitelist ==>Allow, no need for DNS lookups 2) it is an IP ==> since it wasn't in the allowed list from above, deny it, no need for DNS lookups 3) it is a domain listed in the whitelist ==> Allow 4) catch-all ==> Deny This has worked like a charm so far, but now I am running into the issue that I need SSL/HTTPS connects to IPs. When using SSL/HTTPS, url_regex doesn't work. Any suggestions how I can emulate that behavior? I understand that url_regex'ing is not supported because the URL may contain sensitive information and/or is encrypted, and that's a Good Thing [TM] - but I wouldn't need the entire URL anyway, just the host part. Kind Regards, Stefan
