Search squid archive

Re: block visit 80/443 browsing via IP(no domain name)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 30/07/18 04:59, Walter H. wrote:
> On 29.07.2018 06:11, Gordon Hsiao wrote:
>> is there a way to block any attempt to visit http/https by _any_ IP
>> directly, i.e. 
>>
>> http://my-IP or https://my-IP (yes this will give a warning for SSL
>> most likely). here my-IP could be any IPv4 address, for example.
>>
>> Basically I want to have Squid to enforce all 80/443 access should be
>> done via a FQDN instead of an IP, is this possible? or should this be
>> handled in a redirector instead?
>>
> Hi,
> 
> I use this
> 
> /etc/squid/blockdomains-iphost-acl.squid  contains this
> 
> ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
> ^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$
> 

FWIW, these patterns incorrectly match the following strings as valid
raw-IP:
 [:]
 [:::::::]
 [2]
 0.0.0.0

Walter is using them for a blacklist, so no particular harm done AFAIK.
But do not think they are useful to detect valid raw-IPs.

Also, keep in mind that regex is much slower than dstdomain, and risks
manual mistakes like the above pattern match.


> /etc/squid/squid.conf contains this
> 
> acl allow_domains_iphost dstdom_regex
> "/etc/squid/allowdomains-iphost-acl.squid"
> acl block_domains_iphost dstdom_regex
> "/etc/squid/blockdomains-iphost-acl.squid"
> ...
> deny_info ERR_DOMAIN_IPHOST_BLOCKED block_domains_iphost
> ...
> http_access allow allow_domains_iphost
> http_access deny block_domains_iphost
> 

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux