Re: [squid-users] Can ANyone Help Me Re: [squid-users] ACL Question - (urlpath_r

From: Chris Robertson <[email protected]>
Date: Thu, 01 Nov 2007 14:01:23 -0800

Vadim Pushkin wrote:
> Thanks Chris;
>
> Based on your excellent example:
>
>> acl DenyIP_CONNECT url_regex ^[a-z]{1-5}://[0-9]
>
> Would I still be required to write IP addresses with a netmask? Or
> can I mix them, which is my preference.

If I remember correctly, the dst acl prefers a netmask these days. It
used to assume that any IP address ending with dot zero octets meant it
should mask the dot zeros (i.e. 127.1.0.0 was equivalent to
127.1.0.0/16), but I think that masking is required or assumed to be /32.

>
> Your other regex example:
>
>> acl DenyIP_CONNECT url_regex
>> -i^[a-z]{1,5}://((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
>>
>>
>
> Does seem rather lengthy and I do not want to impede the squid ability
> to function, or at least keep it to a minimum.

And apparently doesn't work. Huh. Well, there should be a space
between the -i and the caret (^)... And apparently url_regex doesn't
include the protocol type (http://, https://, etc.) on connect
requests. But that would preclude the short form from working either.
Testing with Squid-2.6-Stable16 indicates this to be the case:

Given...

acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]
http_access deny CONNECT DenyIP_CONNECT

...and...

debug_options ALL,1 33,2 28,9

...accessing https://www.wellsfargo.com/...

2007/11/01 13:56:41| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:56:41| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchRegex: checking 'www.wellsfargo.com:443'
2007/11/01 13:56:41| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:56:41| aclMatchAclList: no match, returning 0

...works. But so does accessing https://151.151.13.133/...

2007/11/01 13:53:44| aclMatchAclList: checking DenyIP_CONNECT
2007/11/01 13:53:44| aclMatchAcl: checking 'acl DenyIP_CONNECT url_regex -i ^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchRegex: checking '151.151.13.133:443'
2007/11/01 13:53:44| aclMatchRegex: looking for '^[a-z]{1,5}://[0-9]'
2007/11/01 13:53:44| aclMatchAclList: no match, returning 0

So, in closing (finally!)...

acl DenyIP_CONNECT url_regex ^[0-9]
or
acl DenyIP_CONNECT url_regex ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

should work with...

http_access deny CONNECT DenyIP_CONNECT

...to deny CONNECT to numeric IP addresses. The former would of course
be less processor intensive, the latter more specific.

>
> Thanks again,
>
> .vadim

Chris
Received on Thu Nov 01 2007 - 16:01:34 MDT
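The point of Chris's debug output is that for a CONNECT request Squid hands url_regex the bare `host:port` from the request line, with no scheme in front of it, so any pattern that starts with `^[a-z]{1,5}://` can never match a CONNECT. The script below is an added example, not code from the thread or from Squid: it emulates that matching in Python over a few constructed request lines, using Python's `re` module in place of the POSIX `regcomp()`/`regexec()` Squid uses (the two agree for these patterns), and treats the `-i` flag as `re.IGNORECASE`. The sample hosts `3m.com` and `1.2.3.4.example.net`, and the `dotted_quad_anchored` pattern, are my additions to show where the two closing patterns are too broad; the `host:port` subject for CONNECT is assumed from the `aclMatchRegex: checking '151.151.13.133:443'` line above.

```python
import re

# Building block shared by the dotted-quad patterns: one decimal octet 0-255.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# url_regex patterns from the thread.  Squid compiles these with POSIX
# regcomp(); for these patterns Python's re module behaves the same way.
ACLS = {
    "scheme_form": r"^[a-z]{1,5}://[0-9]",                  # used with -i in the thread
    "short_form":  r"^[0-9]",
    "dotted_quad": r"^(" + OCTET + r"\.){3}" + OCTET,
    # Added variant (not from the thread): anchor the dotted quad to the whole
    # host, allowing only an optional :port after it.
    "dotted_quad_anchored": r"^(" + OCTET + r"\.){3}" + OCTET + r"(:[0-9]+)?$",
}

# Constructed sample request lines, as a client would send them to the proxy.
REQUESTS = [
    "CONNECT www.wellsfargo.com:443 HTTP/1.0",
    "CONNECT 151.151.13.133:443 HTTP/1.0",
    "CONNECT 3m.com:443 HTTP/1.0",               # real host name that starts with a digit
    "CONNECT 1.2.3.4.example.net:443 HTTP/1.0",  # host whose leading labels look like an IP
    "GET http://151.151.13.133/ HTTP/1.0",       # plain request, not a CONNECT
]


def url_regex_subject(request_line):
    """Return (method, subject): the string Squid 2.6 hands to url_regex.

    For CONNECT that is the bare host:port from the request line, exactly as
    the aclMatchRegex debug lines in the thread show ('151.151.13.133:443');
    for other methods it is the absolute URL.  In both cases it is the
    request target verbatim, with no scheme prepended (assumed from the log).
    """
    method, target, _version = request_line.split(" ", 2)
    return method, target


def acl_matches(pattern, request_line, case_insensitive=False):
    """Does `acl X url_regex [-i] <pattern>` match this request?

    Squid uses regexec(), which finds the pattern anywhere in the subject
    unless the pattern anchors itself, so re.search() is the right analogue.
    """
    flags = re.IGNORECASE if case_insensitive else 0   # the "-i" flag
    _method, subject = url_regex_subject(request_line)
    return re.search(pattern, subject, flags) is not None


def connect_denied(pattern, request_line, case_insensitive=False):
    """Does `http_access deny CONNECT DenyIP_CONNECT` fire for this request?

    An http_access line needs every ACL on it to match, so a non-CONNECT
    request is never denied by this rule regardless of the regex.
    """
    method, _subject = url_regex_subject(request_line)
    return method == "CONNECT" and acl_matches(pattern, request_line, case_insensitive)


def evaluate_all():
    """Table of {acl name: {request line: denied?}} over the samples above."""
    return {
        name: {req: connect_denied(pat, req, case_insensitive=(name == "scheme_form"))
               for req in REQUESTS}
        for name, pat in ACLS.items()
    }


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(f"{name}:")
        for req, denied in results.items():
            print(f"  {'DENY ' if denied else 'allow'}  {req}")
```

Running it shows the three behaviours worth knowing before deploying either closing ACL: `scheme_form` denies nothing on CONNECT (it would match `http://151.151.13.133/` on a GET, where the deny line does not apply); `short_form` also denies legitimate hosts whose name starts with a digit, such as `3m.com`; and the thread's dotted-quad pattern, having no anchor after the last octet, also catches `1.2.3.4.example.net`, which the `(:[0-9]+)?$` tail in the added variant excludes. Whatever pattern you settle on, the check Chris used, `debug_options 28,9` and reading the `aclMatchRegex: checking '...'` line, is the way to confirm what your own Squid version actually hands to url_regex, since the CONNECT subject string is version-dependent behaviour rather than a documented contract.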
