Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Vadim Pushkin <wiskbroom@dont-contact.us>
Date: Wed, 31 Oct 2007 10:14:05 -0500

Thanks Chris;

Based on your excellent example:

>acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]

Would I still be required to write IP addresses with a netmask? Or can I
mix them, which is my preference.

Your other regex example:

>acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
>

Does seem rather lengthy, and I do not want to impede Squid's ability to
function, or at least keep it to a minimum.

Thanks again,

.vadim

>From: Chris Robertson <crobertson@gci.net>
>To: squid-users@squid-cache.org
>Subject: Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL
>Question - (urlpath_r
>Date: Fri, 26 Oct 2007 12:32:12 -0800
>
>Vadim Pushkin wrote:
>>>
>>>
>>>Let me see if I have this straight... You want to block CONNECT to IP
>>>address, except those that are explicitly allowed, but allow CONNECT to
>>>any FQDN. Is this correct?
>>>
>>>Chris
>>yes, for now, because I see no reason that they should be allowed. The
>>FQDN ones are a nightmare to maintain, it seems every webmail, banking
>>site, etc wants it.
>>
>>.vp
>>
>
>Simple enough then...
>
>acl AllowIP_CONNECT dst /squid/etc/allow-ip-addresses
># The next regex is ugly and may cause poor performance, but it will match IP addresses only*
>acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
>
>
>http_access allow CONNECT AllowIP_CONNECT
>http_access deny CONNECT DenyIP_CONNECT
>http_access allow CONNECT all # Just for clarity's sake
>
>These lines of course should be below the defaults that deny CONNECT to
>non-SSL ports. The file /squid/etc/allow-ip-addresses would be of the
>form:
>
>192.168.2.1/32
>192.168.1.0/24
>172.16.0.0/16
>10.0.0.0/8
>
>Chris
>
>* Since domain names adhering to RFC1035 MUST start with a letter, a
>simpler, but less exact acl would be:
>
>acl DenyIP_CONNECT url_regex ^[a-z]{1,5}://[0-9]
Received on Wed Oct 31 2007 - 09:14:13 MDT
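The CONNECT policy Chris describes, modelled as an added Python example (not code from the thread or from Squid): it parses the allow-ip-addresses file, walks the three http_access lines in order, and runs both of his url_regex patterns (with the `{1-5}` typo corrected to `{1,5}`) over constructed URLs. The hostname `3dprint.example`, the address `203.0.113.9` and the file contents are constructed; hostnames have been allowed to begin with a digit since RFC 1123, so the short pattern over-matches such a host, and Squid presents a CONNECT request's URL as `host:port` with no scheme, so the scheme-anchored patterns do not match CONNECT requests at all, which the thread does not mention.

```python
"""Model of the CONNECT policy from the thread: allow listed destination
networks, deny other IP-literal destinations, allow everything else."""
import ipaddress
import re

# Chris's two url_regex patterns; "{1-5}" corrected to "{1,5}".
# The short form carries no -i flag in the thread, so it stays case-sensitive here.
SHORT_DENY = re.compile(r"^[a-z]{1,5}://[0-9]")
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
FULL_DENY = re.compile(r"^[a-z]{1,5}://(%s\.){3}%s" % (OCTET, OCTET), re.IGNORECASE)

# Constructed stand-in for /squid/etc/allow-ip-addresses, using the thread's entries.
ALLOW_FILE = """\
192.168.2.1/32
192.168.1.0/24
172.16.0.0/16
10.0.0.0/8
"""


def load_allow_list(text):
    """One network per line; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def dst_allowed(host, nets):
    """'dst' ACL match. Squid resolves names first; this model only handles
    hosts that are already IP literals (no DNS lookup)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def connect_decision(url, host, nets, deny_re=FULL_DENY):
    """Walk the three http_access lines in order; the first match wins."""
    if dst_allowed(host, nets):
        return "allow"       # http_access allow CONNECT AllowIP_CONNECT
    if deny_re.search(url):
        return "deny"        # http_access deny CONNECT DenyIP_CONNECT
    return "allow"           # http_access allow CONNECT all
```

Pass `SHORT_DENY` as `deny_re` to compare the two patterns on the same input; the `host:port` case shows both patterns falling through to the final allow.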