Re: [squid-users] Can Anyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 26 Oct 2007 12:32:12 -0800

Vadim Pushkin wrote:
>>
>>
>> Let me see if I have this straight... You want to block CONNECT to
>> IP address, except those that are explicitly allowed, but allow
>> CONNECT to any FQDN. Is this correct?
>>
>> Chris
> yes, for now, because I see no reason that they should be allowed.
> The FQDN ones are a nightmare to maintain, it seems every webmail,
> banking site, etc wants it.
>
> .vp
>

Simple enough then...

acl AllowIP_CONNECT dst /squid/etc/allow-ip-addresses
# The next regex is ugly and may cause poor performance, but it will match IP addresses only*
acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

http_access allow CONNECT AllowIP_CONNECT
http_access deny CONNECT DenyIP_CONNECT
http_access allow CONNECT all # Just for clarity's sake

These lines of course should be below the defaults that deny CONNECT to
non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the form:

192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8

Chris

* Since domain names adhering to RFC1035 MUST start with a letter, a
simpler, but less exact acl would be:

acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
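An offline check of the rule chain in the message above, added here as an example and not code from the post: it walks the three http_access lines in order against constructed CONNECT targets. Squid hands a CONNECT request to url_regex as host:port with no scheme, so the scheme prefix from the posted pattern is made optional, and the footnote's simpler pattern is included to show that it also denies hostnames that legitimately begin with a digit (permitted since RFC 1123). The allow-list entries and all targets are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of /squid/etc/allow-ip-addresses from the post.
ALLOW_IP_CONNECT = [ipaddress.ip_network(n) for n in (
    "192.168.2.1/32", "192.168.1.0/24", "172.16.0.0/16", "10.0.0.0/8")]

# The post's dotted-quad pattern. Squid hands a CONNECT request to url_regex
# as "host:port" with no scheme, so the scheme prefix is optional here, and
# the lookahead keeps "256.1.1.1" or "1.2.3.4567" from matching partially.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
DENY_IP_CONNECT = re.compile(
    r"^([a-z]{1,5}://)?(" + OCTET + r"\.){3}" + OCTET + r"(?=[:/]|$)", re.I)

# The simpler footnote pattern: any target whose host starts with a digit.
DENY_DIGIT_START = re.compile(r"^([a-z]{1,5}://)?[0-9]", re.I)


def connect_host(target):
    """Host part of a CONNECT target such as 'mail.example.com:443'."""
    host, _, _port = target.rpartition(":")
    return host or target


def http_access(target, deny_regex=DENY_IP_CONNECT):
    """Walk the post's three http_access lines in order; first match wins.

    Offline simulation: an FQDN is not resolved, so the dst acl can only
    match a literal address here (Squid itself would resolve the name).
    """
    try:
        dst = ipaddress.ip_address(connect_host(target))
    except ValueError:
        dst = None
    # http_access allow CONNECT AllowIP_CONNECT
    if dst is not None and any(dst in net for net in ALLOW_IP_CONNECT):
        return "allow"
    # http_access deny CONNECT DenyIP_CONNECT
    if deny_regex.search(target):
        return "deny"
    # http_access allow CONNECT all
    return "allow"


if __name__ == "__main__":
    for t in ("10.0.0.5:443", "8.8.8.8:443", "mail.example.com:443",
              "256.1.1.1:443", "3com.example:443"):
        print(f"{t:24} {http_access(t):5} {http_access(t, DENY_DIGIT_START)}")
```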
Received on Fri Oct 26 2007 - 14:32:31 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT