Milos Prudek wrote:
>
> When users are prevented from accessing certain URLs thru acl regex, can they
> still go there using IP addresses? Can I prevent it?
>
> --
> Milos Prudek

Yes, and yes. You can do this the hard way, or the _really_ hard way.
Neither method is entirely effective.

The hard way is to set up a redirector which does all your
regular-expression matching. For numeric addresses, get it to do a
reverse-lookup on the site and apply the regular expressions to that
name. If the regular expressions match, redirect the user to a rejection
page. Otherwise let them through to the original URL.

Read the FAQ about how redirectors work, and be prepared to write some
software.

Pro: This actually _isn't_ terribly hard, unless you aren't a good
coder.

Cons:
* Not 100% effective.
* Reverse DNS lookup can be a BIG bottleneck.
* Not all names can be resolved (if you block all those that can't you
  will break some sites)
* Not all names resolve to the actual domain/host name.

The _really_ hard way:
Same basic procedure, but do it in the squid code itself.

Pro:
* You get to make use of squid's internal DNS/fqdn cache. This helps a
  lot compared to the above solution.

Cons: The same, but bottlenecking is much reduced, as noted above.

D

PS: There is also an 'easy' way: Carefully explain all of this to your
boss, and give him a real estimate of how much time and money it will
take to achieve a solution that can be (at best) no more than 80%
effective. He'll probably tell you to forget it.
Received on Fri Sep 10 1999 - 01:55:06 MDT
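
The redirector approach described in the reply above, sketched as an added example that is not part of the original post or of Squid itself. It assumes the classic redirector line protocol (one request per line on stdin with the URL as the first field, and a replacement URL or an empty line as the reply); the blocked pattern, the rejection URL and the function names are hypothetical.

```python
import ipaddress
import re
import socket
import sys
from functools import lru_cache
from urllib.parse import urlsplit

# Constructed sample policy; both values are placeholders.
BLOCKED = [re.compile(p, re.I) for p in (r"(^|\.)blocked\.example$",)]
REJECT_URL = "http://proxy.example/denied.html"  # hypothetical rejection page


@lru_cache(maxsize=4096)
def reverse_name(ip):
    """PTR lookup, cached because reverse DNS is the bottleneck."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None  # unresolvable: the caller lets the request through


def decide(line, resolve=reverse_name):
    """Return the rejection URL, or "" to leave the request unchanged."""
    fields = line.split()
    if not fields:
        return ""
    url = fields[0]
    try:
        # CONNECT requests arrive as host:port without a scheme.
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    except ValueError:
        return ""  # unparsable URL: leave the decision to Squid's own ACLs
    try:
        ipaddress.ip_address(host)
    except ValueError:
        name = host            # already a name: match it directly
    else:
        name = resolve(host)   # numeric: match the reverse-lookup name
    if name and any(p.search(name) for p in BLOCKED):
        return REJECT_URL
    return ""


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply per request line


if __name__ == "__main__":
    main()
```

Addresses with no PTR record, or whose PTR name differs from the site's real host name, pass through unchanged, which is the "not 100% effective" limitation listed in the reply.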