Re: [squid-users] Can Anyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Vadim Pushkin <wiskbroom@dont-contact.us>
Date: Fri, 19 Oct 2007 09:40:12 -0400

>From: "Amos Jeffries" <squid3@treenet.co.nz>

> >>From: Chris Robertson <crobertson@gci.net>
> >
> >>> > Hello All;
> >>> >
> >>> > I have a rule which blocks the use of CONNECT based on the
> >>> > user calling an IP address vs. FQDN, this works great!
> >>> >
> >>> > I am able to specify allowed IP addresses by adding them into
> >>> > /squid/etc/allow-ip-addresses.
> >>> >
> >>> > I am in need of adding entire subnets, or parts of a network
> >>> > as well, which I am unable to figure out.
> >>> >
> >>> > I have within my squid.conf, the following:
> >>> >
> >>> > acl Safe_ports port 80 # http
> >>> > acl Safe_ports port 21 # ftp
> >>> > acl Safe_ports port 22 # ssh
> >>> >
> >>> > acl SSL_ports port 443
> >>> >
> >>> > acl CONNECT method CONNECT
> >>> >
> >>> > # Should I use dstdomain versus something else here?
> >>> > acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
> >>
> >>I have to ask... Why did you call the file "allow-ip-addresses" when you
> >>are using domain names? Personally, I'd call this file "allowed-domains"
> >>and set up another ACL:
> >
> > The file contains IP addresses, not hostnames and/or domains.
>
>dstdomain matches against the requested hostname. As text.
> So that acl matches only if the client requests with an IP where it
>should have a hostname (ie CONNECT 10.0.0.0:443 HTTP/1.1)

Precisely what I am trying to do, stop CONNECT to requests which use an IP
vs a hostname.

> >>acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"
> >>
> >>In that file you can specify IP addresses, IP addresses with netmask or use
> >>CIDR notation.
> >
> > OK, I haven't tried the CIDR method, but assuming I do, shall I continue to
> > use url_regex?
>
>With CIDR you use "dst" and it matches whenever the IPA resolves to one
>listed.

Sorry for the dumb question, but where do I specify dst? In place of
dstdomain?

> > As I've said, when I use urlpath_regex, I block nothing at all.
>
>You have already been told several times there is no path in "CONNECT
>10.0.0.0:443 HTTP/1.0" etc.

Sorry again, still not clear :-(

> >>> > # When I use urlpath_regex, it allows *everything* through.
> >>> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> >>> >
> >>> > http_access deny !Safe_ports
> >>> > http_access deny CONNECT !SSL_ports
> >>> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
> >>
> >>Of course having two ACLs would require re-working the http_access rules
> >>you have here. Something like:
> >>
> >>http_access deny !Safe_ports
> >>http_access deny CONNECT !SSL_ports
> >>http_access allow CONNECT allowed-CONNECT
> >>http_access allow CONNECT allowed-CONNECT-IP
> >>http_access deny CONNECT
> >
> > Yes, your method does look a lot cleaner, and while at some point I may wish
> > to block CONNECT for hostnames, I can't right now. I've tried and the
> > phones didn't stop ringing :-) Seems everyone, from legit usage to webmail,
> > all needed to be in the allow list. Since I can't inspect traffic for
> > illegal P2P/file-transfers, I just left it open and am settling for blocking
> > CONNECT to outbound sites that use an IP address vs. FQDN.
> >
>
>Sounds more like you turned off CONNECT altogether that time.
> Did you use "url_regex ^([a-z]+\.?)+$" or similar by chance?

Wouldn't this block anything with a hostname as well? I only wish to
prevent IP addresses for now.

>Allowing port 443 in both Safe_ports and SSL_ports should let all those
>webmail etc get through with no problems.
>Unless your entire client base is doing weird non-standard things with
>their webmail. Which you should know about anyway.

No, for instance, unless I've added .hotmail.com, I am unable to gain access
to my webmail as well.

Many thank you's again,

.vp
Received on Fri Oct 19 2007 - 07:40:24 MDT
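The following is an added example, not part of the thread or of Squid itself: a small first-match model of Squid's http_access evaluation over the ACL types discussed above (url_regex, urlpath_regex, dstdomain, dst). It shows why urlpath_regex never matches a CONNECT request (a CONNECT URL is just host:port, with no path), why the leading ^ in the thread's url_regex keeps it from touching scheme-prefixed GET URLs, and how a dst ACL fed a CIDR list allows whole subnets. The request lines, file contents and addresses are constructed for the demonstration; the DNS step a real dst ACL performs for hostnames is deliberately left out.

```python
"""Squid CONNECT requests versus the ACL types from this thread.

Added, constructed example (not Squid's code): a first-match model of
http_access.  Request lines, list files and addresses are made up.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def parse_request(line):
    """Return (method, url, host, port, path) as a proxy sees them.
    A CONNECT URL is only host:port: no scheme and no path at all."""
    method, url, _version = line.split(" ", 2)
    if method == "CONNECT":
        host, port = url.rsplit(":", 1)
        return method, url, host, int(port), ""
    u = urlsplit(url)
    return method, url, u.hostname, u.port or 80, u.path or "/"


# The thread's pattern, tightened with an end anchor so a hostname such as
# "1.2.3.4.example.com" cannot match.  The leading ^ is what stops it from
# matching "http://..." URLs, so in practice it only fires on CONNECT.
NUMERIC_IP = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$")


def build_acls(allowed_domains, allowed_networks):
    """ACL name -> predicate, mirroring the acl lines in the thread."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]

    def dst(req):
        try:
            ip = ipaddress.ip_address(req[2])  # literal IP: no lookup needed
        except ValueError:
            return False  # Squid would resolve the hostname first; skipped here
        return any(ip in n for n in nets)

    return {
        "CONNECT": lambda r: r[0] == "CONNECT",
        "SSL_ports": lambda r: r[3] == 443,
        "numeric_IPs": lambda r: NUMERIC_IP.search(r[1]) is not None,       # url_regex
        "numeric_IPs_path": lambda r: NUMERIC_IP.search(r[4]) is not None,  # urlpath_regex
        "allowed-CONNECT": lambda r: r[2] in allowed_domains,               # dstdomain (text)
        "allowed-CONNECT-IP": dst,                                          # dst (IP / CIDR)
    }


def http_access(rules, acls, req):
    """First matching rule wins; when nothing matches, Squid applies the
    opposite of the last rule's action."""
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


# The three rule sets discussed in the thread, in this model's encoding.
ORIGINAL = [("deny", ["CONNECT", "!SSL_ports"]),
            ("deny", ["CONNECT", "numeric_IPs_path", "!allowed-CONNECT-IP"])]
URL_REGEX_FIX = [("deny", ["CONNECT", "!SSL_ports"]),
                 ("deny", ["CONNECT", "numeric_IPs", "!allowed-CONNECT-IP"])]
WHITELIST = [("deny", ["CONNECT", "!SSL_ports"]),
             ("allow", ["CONNECT", "allowed-CONNECT"]),
             ("allow", ["CONNECT", "allowed-CONNECT-IP"]),
             ("deny", ["CONNECT"])]


def decide(line, rules, allowed_domains=(), allowed_networks=()):
    """Evaluate one request line against a rule set; returns 'allow' or 'deny'."""
    acls = build_acls(set(allowed_domains), allowed_networks)
    return http_access(rules, acls, parse_request(line))


if __name__ == "__main__":
    nets = ["10.0.0.0/24", "192.168.1.7"]  # constructed allow-ip-addresses file
    for line in ("CONNECT 10.0.0.5:443 HTTP/1.1",
                 "CONNECT 203.0.113.9:443 HTTP/1.1",
                 "CONNECT mail.example.com:443 HTTP/1.1",
                 "GET http://203.0.113.9/ HTTP/1.1"):
        print(f"{line:42} urlpath_regex={decide(line, ORIGINAL, (), nets):5} "
              f"url_regex={decide(line, URL_REGEX_FIX, (), nets):5} "
              f"whitelist={decide(line, WHITELIST, ['mail.example.com'], nets)}")
```

Running it shows the behaviour reported in the thread: with the urlpath_regex rule every CONNECT is allowed, because the empty path can never match; switching the same ACL to url_regex denies CONNECT to 203.0.113.9 while 10.0.0.5 passes through the dst ACL's 10.0.0.0/24 entry; and the allow-list ordering suggested in the quoted reply denies any CONNECT whose host is in neither file, which is what an operator sees as "the phones start ringing".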
