Re: [squid-users] ACL and http_access Confusion

From: <squid3@dont-contact.us>
Date: Fri, 6 Jul 2007 11:18:22 +1200 (NZST)

>>From: Emilio Casbas <ecasbas@unav.es>
>
>>Vadim Pushkin wrote:
>>>Hello;
>>>
>>>I have an ACL which contains IP addresses that I want to allow outbound
>>>requests to.
>>>
>>>acl allowed_IPs dstdomain "/net/squid/allowed-IP-Dests"
>>>
>>>I have another ACL which is intended to capture all destinations which use
>>>an IP address versus FQDN, which one of these two is correct for this
>>>purpose?
>>>
>>>acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>>>or
>>>acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>>>
>>>Finally, I want to deny all outbound requests to ACL numeric IP's (IP
>>>addresses only), *unless* the requested IP address is contained in my ACL
>>>"allowed_IPs".
>>>
>>>Would the below work for this?
>>>
>>>http_access deny CONNECT numeric_IPs !allowed_IPs
>>>
>>
>>If you are going to use it on CONNECT you have to use dstdom_regex.
>>CONNECT only has hostname and port.
>>
>>Emilio C.
>
> So, replace
>
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> with
>
> acl numeric_IPs dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> and
>
> will this work?
>
> http_access deny CONNECT numeric_IPs !allowed_IPs
>

Um, I'm starting to get a little confused here myself after that reply.

When you are wanting to test the actual destination IP you can use the
'dst' type ACL (squid will do any DNS lookup needed to find it before
testing).

When you are wanting to test for people sending "CONNECT 1.2.3.4 HTTP/1.1"
etc. then dstdomain (for pre-known IPA), or dstdom_regex (to catch all
IPA) is needed.

Amos
Received on Thu Jul 05 2007 - 17:18:24 MDT
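To make the difference concrete, here is an added Python emulation (not part of the thread and not Squid's own code) of how a urlpath_regex ACL and a dstdom_regex ACL would see a CONNECT request versus a plain GET when the rule `http_access deny CONNECT numeric_IPs !allowed_IPs` is evaluated; the request lines and the allowed-IP list are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample request lines; a CONNECT target is only "host:port",
# a GET target is a full URL with a path component.
REQUESTS = [
    "CONNECT 1.2.3.4:443 HTTP/1.1",
    "CONNECT 10.0.0.8:443 HTTP/1.1",
    "GET http://1.2.3.4/index.html HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]

# Stands in for the contents of /net/squid/allowed-IP-Dests (constructed).
ALLOWED_IPS = {"10.0.0.8"}

# The dotted-quad pattern from the thread (no trailing $, as posted).
NUMERIC_IPS = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")


def parse_request(line):
    """Split a request line into the pieces the ACL types inspect."""
    method, target, _version = line.split()
    if method == "CONNECT":
        host, _, _port = target.rpartition(":")
        # CONNECT carries no path at all, only the authority.
        return {"method": method, "host": host, "path": None}
    parts = urlsplit(target)
    return {"method": method, "host": parts.hostname, "path": parts.path}


def acl_matches(acl_type, pattern, req):
    """Emulate which request component each ACL type tests."""
    if acl_type == "urlpath_regex":
        return req["path"] is not None and bool(pattern.search(req["path"]))
    if acl_type == "dstdom_regex":
        return bool(pattern.search(req["host"]))
    raise ValueError("unsupported ACL type: " + acl_type)


def decide(line, numeric_acl_type):
    """Apply 'http_access deny CONNECT numeric_IPs !allowed_IPs', else allow."""
    req = parse_request(line)
    if (req["method"] == "CONNECT"
            and acl_matches(numeric_acl_type, NUMERIC_IPS, req)
            and req["host"] not in ALLOWED_IPS):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for acl_type in ("urlpath_regex", "dstdom_regex"):
        for line in REQUESTS:
            print(f"{acl_type:14} {line:42} -> {decide(line, acl_type)}")
```

With urlpath_regex the deny never fires for CONNECT because there is no path to match, which is why the thread steers towards dstdom_regex (or dst for the resolved address).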
