[squid-users] http request header must use hostname
xxiao8
xxiao8 at fosiao.com
Mon Dec 7 00:13:28 UTC 2015
On 7/12/2015 7:38 a.m., Walter H. wrote:
> On 06.12.2015 11:07, Yuri Voinov wrote:
>> # Numeric IP's acl
>> acl numeric_IPs dstdom_regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>>
>> # Deny access to numeric IP's
>> http_access deny CONNECT numeric_IPs
>> deny_info TCP_RESET numeric_IPs
>>
> and not to forget IPv6 ...
>
> acl numeric_IPs_ipv4 dstdom_regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> acl numeric_IPs_ipv6 dstdom_regex ([0-9A-Fa-f]+|\:)+[0-9A-Fa-f]+
>
> http_access deny CONNECT numeric_IPs_ipv4
> deny_info TCP_RESET numeric_IPs_ipv4
>
> http_access deny CONNECT numeric_IPs_ipv6
> deny_info TCP_RESET numeric_IPs_ipv6
OR IPv4-mapped address format,
OR that port can be included,
OR the fact that raw-IP can be used on any request..
acl ips
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\]))(:[0-9])?$
http_access deny CONNECT ips
deny_info TCP_RESET ips
Getting complicated...
So xxiao8, why does one want to censor these requests anyway?
Amos
---
Thanks for all the replies. The reason is to enforce dns-based filtering
so you can't type in IP to bypass it easily.
xxiao
More information about the squid-users
mailing list