On 29/07/18 16:11, Gordon Hsiao wrote:
> is there a way to block any attempt to visit http/https by _any_ IP
> directly, i.e.
>
> http://my-IP or https://my-IP (yes this will give a warning for SSL most
> likely

Er, what makes you think that? Squid intercepting HTTPS has to already
be decrypting the TLS in order to see any https:// from the client.

> ). here my-IP could be any IPv4 address, for example.

To match transactions with raw-IP in their HTTP request-line URL use a
dstdom_regex ACL with -n parameter and regex that matches raw-IP.
<http://www.squid-cache.org/Doc/config/acl/>

You should use a regex that matches both IPv4 and IPv6 because they
*will* both be presented at times regardless of whether your systems are
IPv4-only.

You can find an example of a regex and how to use it in this page:
<https://wiki.squid-cache.org/ConfigExamples/Chat/Skype>. Though note
that Skype regex includes the port number ":443" at the end of the
pattern which you may not want.

Also, be aware that intercepted traffic does not operate with domain
names. It often only has access to the IP:port details from TCP SYN
packets. That especially includes intercepted port 443 traffic at the
early stages of SSL-Bump processing.

Is there something in particular you want to achieve with this blocking?

Amos
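The raw-IP match described in the reply above, as an added example that is not part of the original message or of the Squid documentation: it checks a candidate dstdom_regex pattern against constructed host values before the pattern goes into squid.conf, and shows why the end anchor matters once no port suffix closes the pattern. The regex, the ACL name `raw_ip_host` and the sample hosts are constructed for this example; it assumes the ACL sees the bare URL host with IPv6 literals in square brackets, and Python's `re.search` stands in for Squid's regex engine.

```python
import re

# Candidate pattern (constructed for this example, not copied from the wiki):
# dotted-quad IPv4 or a bracketed IPv6 literal, anchored at both ends.
RAW_IP = r"^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9a-fA-F:.]+\])$"

# The same pattern without the trailing "$", for comparison.
UNANCHORED = RAW_IP[:-1]

# squid.conf lines the pattern is intended for (ACL name is hypothetical).
SQUID_CONF = (
    "acl raw_ip_host dstdom_regex -n " + RAW_IP + "\n"
    "http_access deny raw_ip_host\n"
)

# Constructed sample hosts -> True if the host is a raw IP literal.
SAMPLES = {
    "192.0.2.10": True,
    "[2001:db8::1]": True,
    "[::ffff:192.0.2.1]": True,
    "example.com": False,
    "10.example.net": False,
    "192.0.2.10.example.com": False,  # domain name that begins like an IP
}


def is_raw_ip(host, pattern=RAW_IP):
    """Unanchored search, so only the pattern's own ^ and $ restrict the match."""
    return re.search(pattern, host) is not None


def false_matches(pattern):
    """Domain names the pattern would wrongly treat as raw IPs."""
    return sorted(h for h, raw in SAMPLES.items() if not raw and is_raw_ip(h, pattern))


def missed(pattern):
    """Raw IP literals the pattern fails to match."""
    return sorted(h for h, raw in SAMPLES.items() if raw and not is_raw_ip(h, pattern))


if __name__ == "__main__":
    print(SQUID_CONF)
    print("anchored   false matches:", false_matches(RAW_IP), "missed:", missed(RAW_IP))
    print("unanchored false matches:", false_matches(UNANCHORED))
```
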