Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Vadim Pushkin <[email protected]>
Date: Fri, 19 Oct 2007 01:53:54 +0000

>From: Chris Robertson <crobertson@gci.net>

>> > Hello All;
>> >
>> > I have a rule which blocks the use of CONNECT based on the
>> > user calling an IP address vs. FQDN, this works great!
>> >
>> > I am able to specify allowed IP addresses by adding them into
>> > /squid/etc/allow-ip-addresses.
>> >
>> > I am in need of adding entire subnets, or parts of a network
>> > as well, which I am unable to figure out.
>> >
>> > I have within my squid.conf, the following:
>> >
>> > acl Safe_ports port 80 # http
>> > acl Safe_ports port 21 # ftp
>> > acl Safe_ports port 22 # ssh
>> >
>> > acl SSL_ports port 443
>> >
>> > acl CONNECT method CONNECT
>> >
>> > # Should I use dstdomain versus something else here?
>> > acl allowed-CONNECT dstdomain "/squid/etc/allow-ip-addresses"
>
>I have to ask... Why did you call the file "allow-ip-addresses" when you
>are using domain names? Personally, I'd call this file "allowed-domains"
>and set up another ACL:

The file contains IP addresses, not hostnames and/or domains.

>acl allowed-CONNECT-IP dst "/squid/etc/allow-ip-addresses"
>
>In that file you can specify IP addresses, IP addresses with netmask or use
>CIDR notation.

OK, I haven't tried the CIDR method, but assuming I do, shall I continue to
use url_regex?
As I've said, when I use urlpath_regex, I block nothing at all.

>> > # When I use urlpath_regex, it allows *everything* through.
>> > acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>> >
>> > http_access deny !Safe_ports
>> > http_access deny CONNECT !SSL_ports
>> > http_access deny CONNECT numeric_IPs !allowed-CONNECT
>
>Of course having two ACLs would require re-working the http_access rules
>you have here. Something like:
>
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>http_access allow CONNECT allowed-CONNECT
>http_access allow CONNECT allowed-CONNECT-IP
>http_access deny CONNECT

Yes, your method does look alot cleaner, and while at some point I may wish
to block CONNECT for hostnames, I can't right now. I've tried and the
phones didn't stop ringing :-) Seems everyone, from legit usage to webmail,
all needed to be in the allow list. Since I can't inspect traffic for
illegal P2P/file-transfers, I just left it open and am settling for blocking
CONNECT to outbound sites that use an IP address vs. FQDN.

Thanks again,

.vp
Received on Thu Oct 18 2007 - 19:54:57 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT