kevin band wrote:
> I've managed to get this working, but I'm not happy because in doing
> so I've created a different issue.
>
> My problems all started a few weeks ago when I was trying to tighten
> up the rules.
> Basically we have two squid proxy servers which are supposed to
> contain the same configuration.
> I noticed that on one of the servers, there was an extra rule that
> wasn't there on the other :-
>
> http_access allow CONNECT SSL_ports
>
> The net effect of this rule was that anyone requesting any URL via
> https would be allowed through the squid proxy server regardless of
> the settings in my whitelist files.
>
> I've now put this rule back in place and I now can get to the
> 63.130.82.113 address using https.
> The problem is that I can now get to any URL via https, even though I
> have rules in place which are supposed to only allow access to the
> websites that I have put into my whitelist files.
>
> Is this a bug in the way squid is handling the CONNECT method?
>
> Any suggestions as to how I can tighten things up again but still
> allow through the 63.130.82.113 request via https? As I've said
> before the rules work OK for http.
The IP pattern you had was off:

.*.63.130.82.113

Redux:

** regex assumes all patterns not beginning with ^ have an implicit .* prefix.
   Therefore: .*.63.130.82.113 == .63.130.82.113
** regex '.' means any character.
   Therefore: .63.130.82.113 == [a-zA-Z0-9\.]63[a-zA-Z0-9\.]130[a-zA-Z0-9\.]82[a-zA-Z0-9\.]113
** you have that pattern seeking IP addresses.
   Therefore: .63.130.82.113 == [0-9\.]63\.130\.82\.113

IMO you need to write the regex as: ^63\.130\.82\.113
I'm not sure why the raw-IP got through in regular requests. Possibly
some other pattern or ACL matched and permitted it.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15

Received on Tue Dec 08 2009 - 11:07:34 MST
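As an added illustration of the regex point in the reply (not code from the thread or from Squid), the script below runs the whitelist pattern as posted, the anchored form suggested above, and a fully anchored variant (added here, going one step beyond the reply) against constructed hostnames the way a dstdom_regex ACL would search them. It shows that the loose pattern never matches the raw IP itself, because the stray '.' before 63 demands a leading character, while it happily matches unrelated hosts.

```python
import re

# Patterns: the one from the whitelist file as posted in the thread, the
# anchored form suggested in the reply, and a fully anchored variant
# (added here) that also rejects longer addresses sharing the prefix.
LOOSE = r".*.63.130.82.113"
ANCHORED = r"^63\.130\.82\.113"
EXACT = r"^63\.130\.82\.113$"

# Constructed hostnames, as a dstdom_regex ACL would see them.
SAMPLE_HOSTS = [
    "63.130.82.113",            # the host the whitelist is meant to allow
    "163.130.82.113",           # different IP; the stray '.' absorbs the '1'
    "x63a130b82c113.example",   # unrelated host; unescaped dots match anything
    "63.130.82.1130",           # longer address; only the $-anchored form rejects it
]


def acl_matches(pattern, host):
    """Mimic a Squid regex ACL: an unanchored search unless the pattern has ^ or $."""
    return re.search(pattern, host) is not None


def evaluate(hosts=SAMPLE_HOSTS):
    """Map each host to which of the three patterns would allow it."""
    return {
        host: {
            "loose": acl_matches(LOOSE, host),
            "anchored": acl_matches(ANCHORED, host),
            "exact": acl_matches(EXACT, host),
        }
        for host in hosts
    }


if __name__ == "__main__":
    for host, result in evaluate().items():
        print(f"{host:26} {result}")
```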