Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Vadim Pushkin <wiskbroom@dont-contact.us>
Date: Wed, 31 Oct 2007 10:55:30 -0500

By the way, the longer second example does not work at all. It allows
everything through.

.vp

>From: "Vadim Pushkin" <wiskbroom@hotmail.com>
>To: crobertson@gci.net, squid-users@squid-cache.org
>Subject: Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL
>Question - (urlpath_r
>Date: Wed, 31 Oct 2007 10:14:05 -0500
>
>Thanks Chris;
>
>Based on your excellent example:
>
>>acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
>
>Would I still be required to write IP addresses with a netmask? Or can I
>mix them, which is my preference.
>
>Your other regex example:
>
>>acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
>>
>
>Does seem rather lengthy, and I do not want to impede Squid's ability to
>function, or at least keep the impact to a minimum.
>
>Thanks again,
>
>.vadim
>
>>From: Chris Robertson <crobertson@gci.net>
>>To: squid-users@squid-cache.org
>>Subject: Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL
>>Question - (urlpath_r
>>Date: Fri, 26 Oct 2007 12:32:12 -0800
>>
>>Vadim Pushkin wrote:
>>>>
>>>>
>>>>Let me see if I have this straight... You want to block CONNECT to IP
>>>>address, except those that are explicitly allowed, but allow CONNECT to
>>>>any FQDN. Is this correct?
>>>>
>>>>Chris
>>>Yes, for now, because I see no reason that they should be allowed. The
>>>FQDN ones are a nightmare to maintain; it seems every webmail, banking
>>>site, etc. wants it.
>>>
>>>.vp
>>>
>>
>>Simple enough then...
>>
>>acl AllowIP_CONNECT dst /squid/etc/allow-ip-addresses
>># The next regex is ugly and may cause poor performance, but it will match IP addresses only*
>>acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
>>
>>
>>http_access allow CONNECT AllowIP_CONNECT
>>http_access deny CONNECT DenyIP_CONNECT
>>http_access allow CONNECT all # Just for clarity's sake
>>
>>These lines of course should be below the defaults that deny CONNECT to
>>non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the
>>form:
>>
>>192.168.2.1/32
>>192.168.1.0/24
>>172.16.0.0/16
>>10.0.0.0/8
>>
>>Chris
>>
>>* Since domain names adhering to RFC 1035 MUST start with a letter, a
>>simpler, but less exact, acl would be:
>>
>>acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
>
>
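To see what each ACL regex from Chris's reply actually matches before loading it into squid.conf, here is an added Python harness (not from the thread): it reproduces his strict and simple patterns and adds a scheme-less `host:port` variant, on the assumption (verify for your Squid version) that Squid presents a CONNECT request target to url_regex as `host:port` with no scheme.

```python
import re

# Chris's strict dotted-quad pattern, with the "-i" option expressed as
# re.IGNORECASE (in squid.conf "-i" must be a separate token before the regex).
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
STRICT_IP_URL = re.compile(r"^[a-z]{1,5}://(" + OCTET + r"\.){3}" + OCTET,
                           re.IGNORECASE)
# Chris's simpler RFC 1035 shortcut: scheme followed by any digit.
SIMPLE_IP_URL = re.compile(r"^[a-z]{1,5}://[0-9]")
# Assumption: Squid hands url_regex a CONNECT target as "host:port" (no scheme),
# so a scheme-anchored pattern never fires on CONNECT; this variant covers that.
BARE_IP_HOST = re.compile(r"^(" + OCTET + r"\.){3}" + OCTET + r"(:[0-9]{1,5})?$")

PATTERNS = {"strict": STRICT_IP_URL, "simple": SIMPLE_IP_URL, "bare": BARE_IP_HOST}


def classify(url, patterns=PATTERNS):
    """Return the names of the patterns that match url, i.e. which deny ACLs fire."""
    return [name for name, pat in patterns.items() if pat.search(url)]


def audit(urls, patterns=PATTERNS):
    """Map each sample request URL to the list of ACL patterns it triggers."""
    return {url: classify(url, patterns) for url in urls}


# Constructed sample request URLs (not from the thread).
SAMPLES = [
    "https://192.168.1.10/",   # dotted quad with scheme: strict and simple fire
    "HTTPS://10.0.0.1/",       # strict is case-insensitive, simple is not
    "https://256.1.1.1/",      # not a valid IPv4 octet: only simple fires
    "https://3com.com/",       # RFC 1123 allows a leading digit: simple misfires
    "192.168.1.10:443",        # CONNECT form: only the bare pattern fires
    "mail.example.com:443",    # FQDN CONNECT target: nothing fires
]

if __name__ == "__main__":
    for url, hits in audit(SAMPLES).items():
        print(f"{url:28} -> {hits or 'no deny ACL matches'}")
```

The `3com.com` and `host:port` rows are the two gaps to keep in mind: the shortcut denies some legitimate hostnames, and a scheme-anchored regex may not see CONNECT targets at all.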
Received on Wed Oct 31 2007 - 09:55:38 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT