Re: [squid-users] ACL for numeric IP addresses

From: Henrik Nordstrom <[email protected]>
Date: Thu, 10 Mar 2005 14:04:22 +0100 (CET)

On Thu, 10 Mar 2005, squidrunner team wrote:

>> How might I write an ACL to catch all numeric IP
>> destdomain addresses so that I may
>> deny attempts to circumvent URL regex filters?
>
> Try with the acl settings as,
>
> acl ipdomain urlpath_regex [0-9]*.[0-9]*.[0-9]*.[0-9]*

This will match any URL of 4 characters or more after the host name..
probably not what you want.

  urlpath_regex == regex match against the path after the hostname:port.

  [0-9]* == zero or more digits

  . == any character

  and the pattern is not bound to beginning (^) or or end ($) of the
requested URL

A more appropriate pattern:

acl ipdomain url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$

   url_regex == regex pattern match on whole URL

   ^ beginning of URL
   [^:]* any text not including :
   :// ://
   ([^/@]*@)? optionally a text up to and including @ (login)
   [0-9\.]* some text consisting of only digits and dots
   (:|/|\?|$) either : / ? or the end of the URL

   ^[0-9\.:]*$ only digits, dots and :, for CONNECT

This would obviously be a lot easier to do this if dstdomain_regex had an
option to not reverse lookup IP addresses, but it does not have any such
option..

Regards
Henrik
Received on Thu Mar 10 2005 - 06:04:24 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST