OK, so now I have these questions:
1. Which ones of these regex'es is the right one to use?
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
OR.
acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
2. The following will first allow all IP's as per acl numeric_IPs so as long
as they are a member of allowed-CONNECT, then afterwards do a deny for acl
numeric_IPs, which will be all other IP's?
http_access allow CONNECT numeric_IPs allowed-CONNECT
http_access deny CONNECT numeric_IPs
Again, since I have not actually done this, I am hoping to get it right the
first time.
Many thanks,
.vp
>From: "Amos Jeffries" <squid3@treenet.co.nz>
> >
> > How about:
> >
> > acl SSL_Port port 443
> > acl CONNECT method CONNECT
> >
> > # /etc/squid/good-connect-ip-addresses is one IP address per line.
> > acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
> >
> > # One or the other, not sure which and I haven't tested it yet.
> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> > acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
> >
> > # One or more of these three, again, I haven't tested yet.
> > http_access deny CONNECT !SSL_Port
> > http_access deny CONNECT numeric_IPs
> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
>The bypass permission needs to be allow and ahead of the global deny.
>Like so:
>
>http_access allow CONNECT numeric_IPs allowed-CONNECT
>http_access deny CONNECT numeric_IPs
>
> >
> >
> > The goal is to:
> >
> > 1. Prevent CONNECT to non-SSL ports.
> > 2. Block to IP addresses which use CONNECT vs. FQDN.
> > 3. Allow a way to place exclusions to the IP blocks just in case there
>is
> > a
> > legit need.
> >
> > Please feel free to correct or comment anything I've stated above.
> >
> > .vp
> >
> >>From: Amos Jeffries <squid3@treenet.co.nz>
> >>To: Squid <squid-users@squid-cache.org>
> >
> >>Tim Bates wrote:
> >>>Can someone tell me if it's possible to block "CONNECT" attempts that
> >>> only
> >>>specify an IP address (rather than a hostname)?
> >>>
> >>>I can see no legitimate reason to CONNECT to an IP, and I've just
>caught
> >>>students using this method to bypass the filters.
> >>>
> >>>TB
> >>
> >>Try the default squid configuration of:
> >>
> >> acl SSL_Port port 443
> >> acl CONNECT method CONNECT
> >> http_access deny CONNECT !SSL_Port
> >>
> >>that will deny any obviously non-https uses.
> >>
> >>Beyond that this is one of the rare cases here domain regex is useful,
> >>having an ACL that tests for numeric-only domains.
> >>
> >>NP: do note that skype uses https CONNECT to raw IP numbers. If you want
> >>skype to work handle CONNECT restrictions carefully.
> >>
> >>Amos
Received on Tue Aug 07 2007 - 09:03:37 MDT
This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT