[squid-users] block visit 80/443 browsing via IP(no domain name)

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 30 05:00:46 UTC 2018


On 30/07/18 04:59, Walter H. wrote:
> On 29.07.2018 06:11, Gordon Hsiao wrote:
>> Is there a way to block any attempt to visit http/https by _any_ IP
>> directly, i.e.
>>
>> http://my-IP or https://my-IP (yes, this will most likely give a warning
>> for SSL). Here my-IP could be any IPv4 address, for example.
>>
>> Basically I want to have Squid enforce that all 80/443 access should be
>> done via a FQDN instead of an IP. Is this possible, or should this be
>> handled in a redirector instead?
>>
> Hi,
> 
> I use this
> 
> /etc/squid/blockdomains-iphost-acl.squid  contains this
> 
> ^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$
> ^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$
> 

FWIW, these patterns incorrectly match the following strings as valid
raw-IP:
 [:]
 [:::::::]
 [2]
 0.0.0.0

Walter is using them for a blacklist, so no particular harm done AFAIK.
But do not think they are useful to detect valid raw-IPs.

Also, keep in mind that regex is much slower than dstdomain, and risks
manual mistakes like the above pattern match.


> /etc/squid/squid.conf contains this
> 
> acl allow_domains_iphost dstdom_regex "/etc/squid/allowdomains-iphost-acl.squid"
> acl block_domains_iphost dstdom_regex "/etc/squid/blockdomains-iphost-acl.squid"
> ...
> deny_info ERR_DOMAIN_IPHOST_BLOCKED block_domains_iphost
> ...
> http_access allow allow_domains_iphost
> http_access deny block_domains_iphost
> 

Amos
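As an added example (not code from Walter, Amos or the Squid project): the two posted dstdom_regex patterns checked against some of the strings Amos lists, next to a strict literal-IP check built on Python's ipaddress module, wrapped as a Squid external ACL helper. The helper definition in the comments (external_acl_type with %DST, one destination host per line in, OK/ERR per line out) is an assumption about how it would be wired up, not something from the thread.

```python
import ipaddress
import re
import sys

# The two dstdom_regex patterns quoted from the thread, exactly as posted.
WALTER_V4 = re.compile(r"^[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}\.[12]?[0-9]{1,2}$")
WALTER_V6 = re.compile(r"^\[([0-9a-f]{0,4})(:|:[0-9a-f]{0,4}){1,7}\]$")


def posted_regex_match(host: str) -> bool:
    """True if either posted pattern accepts the host string as written."""
    return bool(WALTER_V4.match(host) or WALTER_V6.match(host))


def is_raw_ip(host: str) -> bool:
    """Strict check: the destination host is a literal IPv4 or IPv6 address.

    A bracketed IPv6 literal (URL host form) is unwrapped first. Anything
    ipaddress rejects, e.g. "[:]" or "[2]", is treated as a domain name.
    Syntactically valid but unroutable literals such as 0.0.0.0 are still
    reported as raw IPs, which is what a blocklist wants.
    """
    candidate = host.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def helper_reply(line: str) -> str:
    """One helper exchange: %DST in, OK (raw IP, ACL matches) or ERR (FQDN) out."""
    return "OK" if is_raw_ip(line) else "ERR"


def main():
    # Assumed squid.conf wiring for this helper (no concurrency= channel IDs):
    #   external_acl_type rawip ttl=3600 %DST /usr/local/bin/rawip-helper.py
    #   acl raw_ip_dst external rawip
    #   http_access deny raw_ip_dst
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```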