Re: [squid-users] Can I block CONNECT to any IP (but allow hostnames)?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 09 Aug 2007 11:46:43 +0200

On tis, 2007-08-07 at 15:03 +0000, Vadim Pushkin wrote:
> OK, so now I have these questions:
>
> 1. Which one of these regexes is the right one to use?
>
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> OR.
>
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

Neither. dstdom_regex is the right acl type.

> 2. The following will first allow all IPs as per acl numeric_IPs, so long
> as they are a member of allowed-CONNECT, then afterwards do a deny for
> acl numeric_IPs, which will be all other IPs?
>
> http_access allow CONNECT numeric_IPs allowed-CONNECT
> http_access deny CONNECT numeric_IPs

I would recommend just denying unwanted stuff here, and letting the allows
go down to where you normally allow stuff.

http_access deny CONNECT !allowed-CONNECT numeric_IPs

Regards
Henrik
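Emulating Henrik's suggested line in Python, as an added example that is neither Squid code nor part of this thread: it walks the http_access rule list the way Squid does (top to bottom, every ACL on a line must match, `!` negates one ACL, first match wins) and contrasts the regex as posted with an end-anchored variant. The allow-list contents and the stricter regex are assumptions made here, not anything posted above.

```python
import re

# Regex as posted in the thread: anchored only at the start, so it also
# matches hostnames that merely begin with four dotted numbers.
NUMERIC_IPS_LOOSE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
# Assumed stricter variant, anchored at both ends: only a bare dotted quad.
NUMERIC_IPS_STRICT = re.compile(r"^[0-9]{1,3}(\.[0-9]{1,3}){3}$")

# Constructed sample allow-list standing in for the allowed-CONNECT acl.
ALLOWED_CONNECT = {"192.0.2.10"}


def http_access(method, host, numeric_re=NUMERIC_IPS_STRICT):
    """Return 'allow' or 'deny' for a request to HOST using METHOD.

    Emulates Squid's evaluation of
        http_access deny CONNECT !allowed-CONNECT numeric_IPs
    followed by a catch-all allow that stands in for the site's normal
    allow rules further down the file.  dstdom_regex is matched against the
    destination host of the URL, which for CONNECT is the tunnel target."""
    acls = {
        "CONNECT": lambda: method == "CONNECT",
        "allowed-CONNECT": lambda: host in ALLOWED_CONNECT,
        "numeric_IPs": lambda: numeric_re.search(host) is not None,
        "all": lambda: True,
    }
    rules = [
        ("deny", ["CONNECT", "!allowed-CONNECT", "numeric_IPs"]),
        ("allow", ["all"]),
    ]

    def matches(term):
        # A leading '!' inverts the ACL result, as in squid.conf.
        negate = term.startswith("!")
        return acls[term.lstrip("!")]() != negate

    for action, terms in rules:
        if all(matches(t) for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Running `http_access("CONNECT", "1.2.3.4.example.com", NUMERIC_IPS_LOOSE)` shows the posted regex denying a hostname that is not an IP at all, which the end-anchored variant lets through to the normal allow rules.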

Received on Thu Aug 09 2007 - 03:46:57 MDT
