Re: [squid-users] Preventing private IP's in URL's

From: Robin Stevens <robin.stevens@dont-contact.us>
Date: Thu, 27 Jun 2002 15:23:50 +0100

On Thu, Jun 06, 2002 at 04:04:42PM +0200, Henrik Nordstrom wrote:
> Frank Neumann wrote:
> > I'd like to configure squid-2.4 to deny requests with private IP
> > addresses in the URL and respond with a customized error message. How
> > could such an acl look like? Any pointers are welcome.
> acl private_ip dst 192.168.0.0/16 ....
> http_access deny private_ip
> deny_info ERR_PRIVATE_IP private_ip
>
> And put your custom error message in errors/ERR_PRIVATE_IP
 
Beware. I tried this once, thinking "no-one should be trying to access
RFC1918 space". Unfortunately, there are some sites out there for which
DNS lookups return multiple addresses, some in RFC1918 space and some in
routable-space.

If squid's DNS lookup gets the RFC1918 address first, the request will be
denied (ordinarily the client will get a destination unreachable and try a
different address). Unfortunately, users generally blame the proxy rather
than the remote site with its misconfigured DNS...

-- 
--------------- Robin Stevens  <robin.stevens@oucs.ox.ac.uk> -----------------
Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
------- (+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326 -------
Received on Thu Jun 27 2002 - 08:23:55 MDT
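
An added example, not part of the original message or of Squid: a Python check that sorts hostnames by whether their A records fall in RFC1918 space, in routable space, or in both (the case the message warns about), so such sites can be found before a dst deny rule goes live. The hostnames and addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# The three RFC 1918 private IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside an RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def classify(addresses):
    """Classify one host's A records: 'private', 'public', 'mixed' or 'empty'."""
    if not addresses:
        return "empty"
    flags = {is_rfc1918(a) for a in addresses}
    if flags == {True}:
        return "private"
    if flags == {False}:
        return "public"
    return "mixed"  # some answers private, some routable


def audit(answers):
    """answers maps hostname -> list of A records; returns hostnames per class."""
    report = {"private": [], "public": [], "mixed": [], "empty": []}
    for host, addrs in sorted(answers.items()):
        report[classify(addrs)].append(host)
    return report


# Constructed sample answers (not real lookups); in practice these would be
# collected by resolving the hostnames seen in the proxy's access log.
SAMPLE_ANSWERS = {
    "intranet.example.com": ["10.1.2.3"],
    "www.example.org": ["198.51.100.7", "192.168.0.10"],
    "cdn.example.net": ["203.0.113.5", "203.0.113.6"],
    "edge.example.net": ["172.32.0.1"],  # just outside 172.16.0.0/12
}

if __name__ == "__main__":
    for cls, hosts in audit(SAMPLE_ANSWERS).items():
        print(f"{cls:8} {', '.join(hosts) or '-'}")
```

Hosts reported as "mixed" are the ones whose users would see the custom error page for a site that otherwise works.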
