On Thu, 10 Mar 2005, squidrunner team wrote:
>> How might I write an ACL to catch all numeric IP
>> destdomain addresses so that I may
>> deny attempts to circumvent URL regex filters?
>
> Try with the acl settings as,
>
> acl ipdomain urlpath_regex [0-9]*.[0-9]*.[0-9]*.[0-9]*

This will match any URL of 4 characters or more after the host name..
probably not what you want.

  urlpath_regex == regex match against the path after the hostname:port.
  [0-9]* == zero or more digits
  . == any character

and the pattern is not bound to beginning (^) or end ($) of the
requested URL

A more appropriate pattern:

  acl ipdomain url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.:]*$

  url_regex       == regex pattern match on whole URL
  ^               beginning of URL
  [^:]*           any text not including :
  ://             ://
  ([^/@]*@)?      optionally a text up to and including @ (login)
  [0-9\.]*        some text consisting of only digits and dots
  (:|/|\?|$)      either : / ? or the end of the URL
  ^[0-9\.:]*$     only digits, dots and :, for CONNECT

This would obviously be a lot easier to do if dstdomain_regex had an
option to not reverse lookup IP addresses, but it does not have any such
option..

Regards
Henrik
Received on Thu Mar 10 2005 - 06:04:24 MST
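
Added example, not part of the original message and not Squid code: a small Python harness that runs both patterns from this thread over constructed sample requests before the ACL goes into squid.conf. It assumes Python's re behaves like Squid's regex library for these simple constructs; url_path() is a hypothetical, simplified stand-in for the path Squid passes to urlpath_regex, and the CONNECT pattern is the one given in the breakdown (^[0-9\.:]*$).

```python
import re

# Earlier suggestion: Squid applies urlpath_regex to the path only, unanchored.
LOOSE = re.compile(r"[0-9]*.[0-9]*.[0-9]*.[0-9]*")
# Reply's patterns: url_regex sees the whole URL, or host:port for CONNECT.
STRICT = [
    re.compile(r"^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?)"),
    re.compile(r"^[0-9\.:]*$"),
]

def url_path(url):
    """Simplified stand-in (assumption) for the path given to urlpath_regex."""
    rest = url.split("://", 1)[-1]
    slash = rest.find("/")
    return rest[slash:] if slash >= 0 else ""

def loose_matches(url):
    return LOOSE.search(url_path(url)) is not None

def strict_matches(url):
    return any(p.search(url) for p in STRICT)

# Constructed samples: (request URL or CONNECT target, is the host a numeric IP?)
SAMPLES = [
    ("http://192.0.2.10/", True),
    ("http://user@192.0.2.10:8080/x", True),
    ("192.0.2.10:443", True),
    ("http://www.example.com/index.html", False),
    ("http://192.0.2.10.example.com/", False),
    ("www.example.com:443", False),
]

def misclassified(matcher):
    """Return the sample URLs where the matcher disagrees with the label."""
    return [url for url, numeric in SAMPLES if matcher(url) != numeric]

if __name__ == "__main__":
    print("loose  pattern wrong on:", misclassified(loose_matches))
    print("strict pattern wrong on:", misclassified(strict_matches))
```

The path-only pattern both flags an ordinary page and misses the numeric hosts, because it never sees the host part; the anchored url_regex patterns classify every sample correctly.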