Re: [squid-users] ACL Question - (urlpath_regex OR url_regex)

From: Sven Frommholz - Konexxo GmbH <[email protected]>
Date: Tue, 16 Oct 2007 21:47:40 +0200

 

Vadim Pushkin wrote
> Hello All;
>
> I have a rule which blocks the use of CONNECT based on the
> user calling an
> IP address vs. FQDN, this works great!
>
> I am able to specify allowed IP addresses by adding them into
> /squid/etc/allow-ip-addresses.
>
> I am in need of adding entire subnets, or parts of a network
> as well, which
> I am unable to figure out.
>
> I have within my squid.conf, the following:
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ssh
>
> acl SSL_ports port 443
>
> acl CONNECT method CONNECT
>
> # Should I use dstdomain versus something else here?
> acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
>
> # When I use urlpath_regex, it allows *everything* through.
> acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
> Please help,
>
> .vp

squid will not see URLs at all during SSL traffic, so url_regex will not
work.
Try "acl allowed-CONNECT dst 192.168.0.0/24" for subnets.

Sven
Received on Tue Oct 16 2007 - 13:47:39 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT