[squid-users] Regular expressions with dstdom_regex ACL

Amos Jeffries squid3 at treenet.co.nz
Fri May 13 11:46:53 UTC 2016


On 13/05/2016 8:22 p.m., Walter H. wrote:
> On Fri, May 13, 2016 07:32, Amos Jeffries wrote:
>> On 13/05/2016 3:44 p.m., Walter H. wrote:
>>> p.s.
>>> the sample here
>>> http://wiki.squid-cache.org/ConfigExamples/Chat/Skype
>>> doesn't work, too
>>>
>>
>> The skype pattern is matching the port Skype uses. You need to drop that
>> off the pattern. But it should match if you use just the raw-IP part.
> 
> it is somewhat weird, because
> wget http://[2a00:1a68:3:1::c5a5:8590]/
> isn't blocked and the following are
> all blocked as they should:
> wget http://[2a00:1a68:3::c5a5:8590]/
> wget http://[2a00:1a68:3:1::c5a:8590]/
> wget http://[2a00:1a68:3:1::c5a5:859]/
> wget http://[2a00:1a68:2:1::c5a5:8590]/
> 
> here this part in access.log
> 
> parentproxy.local - - [13/May/2016:09:44:10 +0200] "GET
> http://[2a00:1a68:2:1::c5a5:8590]/ HTTP/1.0" 403 1578
> "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
> parentproxy.local - - [13/May/2016:09:46:53 +0200] "GET
> http://[2a00:1a68:3:1::c5a5:8590]/ HTTP/1.0" 301 590 "
> -" "Wget/1.12 (linux-gnu)" TCP_MISS:HIER_DIRECT
> parentproxy.local - - [13/May/2016:09:46:54 +0200] "GET
> http://mathemainzel.info/ HTTP/1.0" 200 2662 "-" "Wget
> /1.12 (linux-gnu)" TCP_MISS:HIER_DIRECT
> parentproxy.local - - [13/May/2016:09:47:03 +0200] "GET
> http://[2a00:1a68:2:1::c5a5:8590]/ HTTP/1.0" 403 1578
> "-" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
> parentproxy.local - - [13/May/2016:09:47:14 +0200] "GET
> http://[2a00:1a68:3::c5a5:8590]/ HTTP/1.0" 403 1574 "-
> " "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
> parentproxy.local - - [13/May/2016:09:47:37 +0200] "GET
> http://[2a00:1a68:3:1::c5a:8590]/ HTTP/1.0" 403 1576 "
> -" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
> parentproxy.local - - [13/May/2016:09:47:45 +0200] "GET
> http://[2a00:1a68:3:1::c5a5:859]/ HTTP/1.0" 403 1576 "
> -" "Wget/1.12 (linux-gnu)" TCP_DENIED:HIER_NONE
> 
> here the ACL
> 
> acl block_domains_iphost dstdom_regex "/etc/squid/iphost-acl.squid"
> deny_info ERR_DOMAIN_IPHOST_BLOCKED block_domains_iphost
> http_access deny block_domains_iphost
> 
> and iphost-acl.squid has the following content:
> 
> ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
> ^\[([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}\]$
> ^\[::1\]$
> ^\[.*\]$
> ^([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}$
> ^::1$
> ^.*$

This last pattern overlaps with all the previous ones and any possible
following as well. Squid takes short patterns and merges them into one
pattern if it can to pass to that optimizer. They might all just be
optimized away by the regex compile step.

Your block_domains_iphost should thus be an alias for "all".

> 
> some part above I have this in squid.conf
> 
> acl allow_domains dstdom_regex "/etc/squid/domain_regex-acl.squid"
> http_access allow allow_domains
> 
> and domain_regex-acl.squid has the following content:
> 
> ...
> \.mathemainzel\.info$
> ...
> 
> what is this mystic, that
> wget http://[2a00:1a68:3:1::c5a5:8590]/
> isn't blocked, even though it should ...
> 
> by the way wget http://81.19.145.52/ is blocked as you see in the log
> 
> parentproxy.local - - [13/May/2016:10:12:53 +0200] "GET
> http://81.19.145.52/ HTTP/1.0" 403 1550 "-" "Wget/1.12 (li
> nux-gnu)" TCP_DENIED:HIER_NONE
> 
> just as an experiment, if I remove this one entry of domain_regex-acl.squid
> then
> wget http://[2a00:1a68:3:1::c5a5:8590]/
> is blocked, why not with this entry?

Nobody can answer that question without actually seeing your whole
squid.conf http_access set and all ACLs used there.

You are correct in that those regex patterns should match the domains and
URLs passed to the proxy. But we have no way to know if those particular
lines are even relevant / reachable when processing those requests.
Since these ACL types are very old and well-tested logic, I suggest
that they are probably not.

Amos
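As an added illustration of the point about `^.*$` (this is example code, not part of the thread or of Squid): a small Python model of Squid's first-match `http_access` evaluation over the two `dstdom_regex` files quoted above. It uses Python's `re` module in place of Squid's POSIX regex, compiles case-sensitively because neither ACL is declared with `-i`, and tests the host both with and without brackets because the page does not say which form Squid hands to the ACL for an IPv6 literal. The host names are taken from the quoted log; `acls_without_catch_all()` is a constructed variant with the last line of `iphost-acl.squid` removed.

```python
import re

# Contents of /etc/squid/iphost-acl.squid as quoted in the thread.
IPHOST_ACL = r"""
^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
^\[([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}\]$
^\[::1\]$
^\[.*\]$
^([0-9a-f]{0,4})(:|[0-9a-f]{0,4}){1,7}$
^::1$
^.*$
"""

# The one entry of domain_regex-acl.squid the thread shows; the rest is elided there.
DOMAIN_ACL = r"""
\.mathemainzel\.info$
"""


def load_patterns(text):
    """Parse a dstdom_regex file: one regex per line, blank lines and '#' comments skipped.
    Compiled case-sensitively, matching Squid's default when -i is not given."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def matching_patterns(patterns, host):
    """Return the source of every pattern that matches host.
    Regex ACLs use search semantics, so unanchored patterns match anywhere."""
    return [p.pattern for p in patterns if p.search(host)]


def evaluate(http_access, acls, host):
    """First-match evaluation of http_access lines, as Squid does it.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, acl_name in http_access:
        if matching_patterns(acls[acl_name], host):
            return action
    return "deny" if http_access[-1][0] == "allow" else "allow"


# The ACL names and http_access order exactly as quoted in the thread.
ACLS = {
    "allow_domains": load_patterns(DOMAIN_ACL),
    "block_domains_iphost": load_patterns(IPHOST_ACL),
}
HTTP_ACCESS = [("allow", "allow_domains"), ("deny", "block_domains_iphost")]


def acls_without_catch_all():
    """Constructed variant: the same ACLs with the trailing ^.*$ line removed."""
    return {
        "allow_domains": ACLS["allow_domains"],
        "block_domains_iphost": [
            p for p in ACLS["block_domains_iphost"] if p.pattern != "^.*$"
        ],
    }


if __name__ == "__main__":
    for host in ("[2a00:1a68:3:1::c5a5:8590]", "2a00:1a68:3:1::c5a5:8590",
                 "81.19.145.52", "www.mathemainzel.info", "example.com"):
        print(host, "->", evaluate(HTTP_ACCESS, ACLS, host),
              "via", matching_patterns(ACLS["block_domains_iphost"], host))
```

Two things the run makes visible. First, `^.*$` matches every host, so with the file as quoted `block_domains_iphost` denies anything `allow_domains` did not already allow, which is Amos's "alias for all" point; drop that line and `example.com` falls through to the default (opposite of the last rule). Second, the two IPv6-specific patterns never match the address in question: `(:|[0-9a-f]{0,4}){1,7}` allows at most seven tokens after the first hex group, and `2a00:1a68:3:1::c5a5:8590` needs eleven (six colons and five further hex groups), so the bracketed form is only caught by `^\[.*\]$` and the unbracketed form only by `^.*$`. The model deliberately leaves out one Squid behaviour: for an IP-based URL, `dstdomain` and `dstdom_regex` try a reverse DNS lookup when no pattern matches the address directly (disabled with the `-n` flag), so a raw-IP request can end up matching a hostname pattern in a way this script will not show.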


