Vadim Pushkin wrote:
> > Hello All;
> >
> > I have a rule which blocks the use of CONNECT based on the
> > user calling an
> > IP address vs. FQDN, this works great!
> >
> > I am able to specify allowed IP addresses by adding them into
> > /squid/etc/allow-ip-addresses.
> >
> > I am in need of adding entire subnets, or parts of a network
> > as well, which
> > I am unable to figure out.
> >
> > I have within my squid.conf, the following:
> >
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 22 # ssh
> >
> > acl SSL_ports port 443
> >
> > acl CONNECT method CONNECT
> >
> > # Should I use dstdomain versus something else here?
> > acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
I have to ask... Why did you call the file "allow-ip-addresses" when
you are using domain names? Personally, I'd call this file
"allowed-domains" and set up another ACL:
acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"
In that file you can specify IP addresses, IP addresses with netmask or
use CIDR notation.
> >
> > # When I use urlpath_regex, it allows *everything* through.
> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
Of course having two ACLs would require re-working the http_access rules
you have here. Something like:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT allowed-CONNECT
http_access allow CONNECT allowed-CONNECT-IP
http_access deny CONNECT
> >
> > Please help,
> >
> > .vp
Chris
Received on Thu Oct 18 2007 - 18:59:45 MDT
This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT