I based mine on the one from this old message...
http://www.squid-cache.org/mail-archive/squid-users/200503/0373.html
I actually only used the ^[0-9\.:]*$ part because I wasn't interested in
IP address based URLs for plain HTTP.
Just watch out for the typo in the acl line. It's missing the colon (:)
in the last section (check the bit below that explains it, which does
have the colon).
Hope that helps a bit :-)
TB
Vadim Pushkin wrote:
> OK, so now I have these questions:
>
> 1. Which ones of these regex'es is the right one to use?
>
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> OR.
>
> acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> 2. The following will first allow all IP's as per acl numeric_IPs so
> as long as they are a member of allowed-CONNECT, then afterwards do a
> deny for acl numeric_IPs, which will be all other IP's?
>
> http_access allow CONNECT numeric_IPs allowed-CONNECT
> http_access deny CONNECT numeric_IPs
>
> Again, since I have not actually done this, I am hoping to get it
> right the first time.
>
> Many thanks,
>
> .vp
>
>> From: "Amos Jeffries" <squid3@treenet.co.nz>
>
>> >
>> > How about:
>> >
>> > acl SSL_Port port 443
>> > acl CONNECT method CONNECT
>> >
>> > # /etc/squid/good-connect-ip-addresses is one IP address per line.
>> > acl allowed-CONNECT dstdomain "/etc/squid/good-connect-ip-addresses"
>> >
>> > # One or the other, not sure which and I haven't tested it yet.
>> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>> > acl numeric_IPs urlpath_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>> >
>> > # One or more of these three, again, I haven't tested yet.
>> > http_access deny CONNECT !SSL_Port
>> > http_access deny CONNECT numeric_IPs
>> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
>>
>> The bypass permission needs to be allow and ahead of the global deny.
>> Like so:
>>
>> http_access allow CONNECT numeric_IPs allowed-CONNECT
>> http_access deny CONNECT numeric_IPs
>>
>> >
>> >
>> > The goal is to:
>> >
>> > 1. Prevent CONNECT to non-SSL ports.
>> > 2. Block to IP addresses which use CONNECT vs. FQDN.
>> > 3. Allow a way to place exclusions to the IP blocks just in case
>> there is
>> > a
>> > legit need.
>> >
>> > Please feel free to correct or comment anything I've stated above.
>> >
>> > .vp
>> >
>> >>From: Amos Jeffries <squid3@treenet.co.nz>
>> >>To: Squid <squid-users@squid-cache.org>
>> >
>> >>Tim Bates wrote:
>> >>>Can someone tell me if it's possible to block "CONNECT" attempts that
>> >>> only
>> >>>specify an IP address (rather than a hostname)?
>> >>>
>> >>>I can see no legitimate reason to CONNECT to an IP, and I've just
>> caught
>> >>>students using this method to bypass the filters.
>> >>>
>> >>>TB
>> >>
>> >>Try the default squid configuration of:
>> >>
>> >> acl SSL_Port port 443
>> >> acl CONNECT method CONNECT
>> >> http_access deny CONNECT !SSL_Port
>> >>
>> >>that will deny any obviously non-https uses.
>> >>
>> >>Beyond that this is one of the rare cases here domain regex is useful,
>> >>having an ACL that tests for numeric-only domains.
>> >>
>> >>NP: do note that skype uses https CONNECT to raw IP numbers. If you
>> want
>> >>skype to work handle CONNECT restrictions carefully.
>> >>
>> >>Amos
>
>
>
**********************************************************************
This message is intended for the addressee named and may contain
privileged information or confidential information or both. If you
are not the intended recipient please delete it and notify the sender.
**********************************************************************
Received on Tue Aug 07 2007 - 17:14:51 MDT
This archive was generated by hypermail pre-2.1.9 : Sat Sep 01 2007 - 12:00:03 MDT