On Thu, Jun 06, 2002 at 04:04:42PM +0200, Henrik Nordstrom wrote:
> Frank Neumann wrote:
> > I'd like to configure squid-2.4 to deny requests with private IP
> > addresses in the URL and respond with a customized error message. What
> > could such an acl look like? Any pointers are welcome.
> acl private_ip dst 192.168.0.0/16 ....
> http_access deny private_ip
> deny_info ERR_PRIVATE_IP private_ip
>
> And put your custom error message in errors/ERR_PRIVATE_IP

Beware. I tried this once, thinking "no-one should be trying to access
RFC1918 space". Unfortunately, there are some sites out there for which
DNS lookups return multiple addresses, some in RFC1918 space and some in
routable-space.

If squid's DNS lookup gets the RFC1918 address first, the request will be
denied (ordinarily the client will get a destination unreachable and try a
different address). Unfortunately, users generally blame the proxy rather
than the remote site with its misconfigured DNS...

--
--------------- Robin Stevens <robin.stevens@oucs.ox.ac.uk> -----------------
Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
------- (+44)(0)1865: 273212 (work) 273275 (fax) Mobile: 07776 235326 -------

Received on Thu Jun 27 2002 - 08:23:55 MDT
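
An added example, not part of the original thread: a Python check that could be run over hostnames and their DNS answers before enabling the deny, to find sites whose records mix RFC 1918 and routable addresses as described in the reply above. The hostnames and addresses are constructed samples, and `denied_on_first_answer` is an assumption that models the first-address behaviour the message describes.

```python
import ipaddress

# The three RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def classify(addresses):
    """Return 'private', 'public', 'mixed' or 'empty' for one host's answers."""
    if not addresses:
        return "empty"
    flags = {is_rfc1918(a) for a in addresses}
    if flags == {True}:
        return "private"
    if flags == {False}:
        return "public"
    return "mixed"

def denied_on_first_answer(addresses):
    """Assumed model of the case in the message: the deny triggers when the
    first address returned is in RFC 1918 space, whatever follows it."""
    return bool(addresses) and is_rfc1918(addresses[0])

def audit(resolved):
    """Map host -> (classification, denied_on_first_answer) for every host
    that a 'dst' deny on RFC 1918 space could affect."""
    report = {}
    for host, addrs in resolved.items():
        kind = classify(addrs)
        if kind in ("private", "mixed"):
            report[host] = (kind, denied_on_first_answer(addrs))
    return report

# Constructed sample data: made-up hostnames, documentation address ranges.
SAMPLE = {
    "www.example.org": ["192.0.2.10"],
    "intranet.example.net": ["10.1.2.3"],
    "broken-dns.example.com": ["192.168.5.20", "198.51.100.7"],
    "lucky-order.example.com": ["203.0.113.9", "172.16.0.4"],
}

if __name__ == "__main__":
    for host, (kind, denied) in audit(SAMPLE).items():
        print(f"{host}: {kind}, denied on first answer: {denied}")
```

Hosts reported as `mixed` are the ones where the outcome depends on answer order, so the same site can work on one request and be denied on the next.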