On 30/07/18 04:59, Walter H. wrote:
> On 29.07.2018 06:11, Gordon Hsiao wrote:
>> is there a way to block any attempt to visit http/https by _any_ IP
>> directly, i.e.
>>
>> http://my-IP or https://my-IP (yes this will give a warning for SSL
>> most likely). here my-IP could be any IPv4 address, for example.
>>
>> Basically I want to have Squid to enforce all 80/443 access should be
>> done via a FQDN instead of an IP, is this possible? or should this be
>> handled in a redirector instead?
>>
> Hi,
>
> I use this
>
> /etc/squid/blockdomains-iphost-acl.squid contains this
>
> ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
> ^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$
>

FWIW, these patterns incorrectly match the following strings as valid
raw-IP:

  [:]
  [:::::::]
  [2]
  0.0.0.0

Walter is using them for a blacklist, so no particular harm done AFAIK.
But do not think they are useful to detect valid raw-IPs.

Also, keep in mind that regex is much slower than dstdomain, and risks
manual mistakes like the above pattern match.

> /etc/squid/squid.conf contains this
>
> acl allow_domains_iphost dstdom_regex "/etc/squid/allowdomains-iphost-acl.squid"
> acl block_domains_iphost dstdom_regex "/etc/squid/blockdomains-iphost-acl.squid"
> ...
> deny_info ERR_DOMAIN_IPHOST_BLOCKED block_domains_iphost
> ...
> http_access allow allow_domains_iphost
> http_access deny block_domains_iphost
>

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
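
An added example, not part of the thread and not Squid code: it runs the two quoted patterns over constructed host strings and compares each verdict with a strict address parser, to show where a regex-based raw-IP ACL over-matches. Assumptions: Python's `re` stands in for Squid's regex engine (the patterns use only syntax common to both), and the strict check treats the unspecified address as not a usable destination.

```python
import ipaddress
import re

# The two patterns quoted in the thread (blockdomains-iphost-acl.squid).
PATTERNS = [
    re.compile(r"^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$"),
    re.compile(r"^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$"),
]


def regex_says_raw_ip(host: str) -> bool:
    """True if either quoted pattern matches the host string."""
    return any(p.search(host) for p in PATTERNS)


def parser_says_raw_ip(host: str) -> bool:
    """Strict check: the host must parse as an address (IPv6 in brackets).

    Assumption of this example: the unspecified address (0.0.0.0, ::)
    is rejected because it is not a usable destination.
    """
    try:
        if host.startswith("[") and host.endswith("]"):
            addr = ipaddress.IPv6Address(host[1:-1])
        else:
            addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return not addr.is_unspecified


def disagreements(hosts):
    """Return (host, regex_verdict, parser_verdict) where the two differ."""
    return [(h, regex_says_raw_ip(h), parser_says_raw_ip(h))
            for h in hosts if regex_says_raw_ip(h) != parser_says_raw_ip(h)]


# Constructed sample hosts: two real literals, one FQDN, and malformed
# strings (some of them named in the reply above).
SAMPLE_HOSTS = [
    "192.0.2.10", "[2001:db8::1]", "www.example.com",
    "[:]", "[:::::::]", "0.0.0.0", "299.299.299.299",
]

if __name__ == "__main__":
    for host, rx, strict in disagreements(SAMPLE_HOSTS):
        print(f"{host!r}: regex={rx} parser={strict}")
```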