Comments (10)

mholt commented on August 9, 2024 1

Yep, it's possible. But first I think we want to focus on ensuring the implementation of what we've already got is correct. But I don't think @sergeyfrolov would be opposed to pull requests!

from forwardproxy.

mholt commented on August 9, 2024 1

Just a nit, I'd prefer whitelist file instead of whitelist fromfile. Otherwise, looks good enough to me.

sergeyfrolov commented on August 9, 2024 1

Yes, IP-based whitelist and blacklist is going to be available.
As I mentioned, domain blacklist doesn't seem to be able to do its job. Not sure how safe domain whitelist is either: say you whitelisted somewebsite.com, and then all of a sudden it resolves to 127.0.0.1 or 192.168.x.x or another IP prohibited by you, overriding IP blacklist, which is something we don't want to happen. (If domain whitelist doesn't override IP white/blacklist, then it's not useful, as you still have to whitelist/not prohibit the IPs).
I'll start with IP-based policies, which we can reliably enforce, and then consider domain whitelisting (with a warning in README about how much trust is being put into domains): I see how it's useful, but there are potential security issues.

sergeyfrolov commented on August 9, 2024

In accordance with our policy of not overloading forwardproxy with features, I do not intend to implement an access control list that is half as powerful as squid. You can always use the newly implemented upstream feature to upstream your requests to a local squid.

EDIT: Initial design replaced with #11 (comment)

bemasc commented on August 9, 2024

whitelist inline github.com:443 example.org:80 medium.com // port not specified => not restricted by port. Existing mechanism to whitelist ports proxy-wide remains.

I think your approach is good, but it would also be reasonable to make this list be only hostnames, no ports. I don't think ports are necessary here, and the interaction with port whitelisting could get confusing.

I also think we do need to allow the user to specify an IP address in this list. The only complexity I see there is that IPv6 addresses can be represented in multiple ways, so we can't just use string equality to check against the list.

from forwardproxy.
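
The two concerns raised in this thread (an allowed hostname that resolves to a prohibited IP, and IPv6 addresses having several textual forms), shown as an added Go example that is not part of the thread or of forwardproxy's code. The `Policy` type and the `prefixes`, `in` and `Permit` functions are hypothetical names, and all hostnames and addresses are constructed sample data.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Policy is a hypothetical ACL for illustration, not forwardproxy's own type.
type Policy struct {
	AllowHosts        map[string]bool // trusted hostnames, lower case
	AllowIPs, DenyIPs []netip.Prefix  // IP literals clients may request; ranges never reachable
}

// prefixes parses CIDR rules and panics on a malformed one.
func prefixes(rules ...string) (out []netip.Prefix) {
	for _, r := range rules {
		out = append(out, netip.MustParsePrefix(r))
	}
	return out
}

// in matches on the parsed address, so every textual form of an IP is equal.
func in(set []netip.Prefix, a netip.Addr) (hit bool) {
	a = a.Unmap().WithZone("") // ::ffff:127.0.0.1 -> 127.0.0.1, fe80::1%eth0 -> fe80::1
	for _, p := range set {
		hit = hit || p.Contains(a)
	}
	return hit
}

// Permit takes the requested host (port already split off) and the addresses
// it resolved to; the caller must then connect to exactly those addresses.
func (p Policy) Permit(host string, resolved []netip.Addr) bool {
	if lit, err := netip.ParseAddr(strings.Trim(host, "[]")); err == nil {
		return in(p.AllowIPs, lit) && !in(p.DenyIPs, lit)
	}
	ok := p.AllowHosts[strings.ToLower(host)] && len(resolved) > 0
	for _, a := range resolved { // an allowed name never overrides DenyIPs
		ok = ok && !in(p.DenyIPs, a)
	}
	return ok
}

func main() { // constructed sample data
	p := Policy{map[string]bool{"somewebsite.com": true},
		prefixes("2001:db8::1/128"), prefixes("127.0.0.0/8", "192.168.0.0/16", "::1/128")}
	fmt.Println(p.Permit("somewebsite.com", []netip.Addr{netip.MustParseAddr("::ffff:127.0.0.1")}))
	fmt.Println(p.Permit("2001:DB8:0:0:0:0:0:1", nil))
}
```

Strings that `netip.ParseAddr` does not accept as an IP literal fall through to the hostname branch and are refused unless the name is explicitly allowed.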

pwFoo commented on August 9, 2024

I think whitelist and blacklist is needed based on the default policy you try to set up. Port whitelist / restriction would be fine too. For example to just allow default web ports (80,443,8080) and some more custom ports?

sergeyfrolov commented on August 9, 2024

EDIT: redesign again!! 😬
Just look at the README

pwFoo commented on August 9, 2024

Is IP and domain based whitelist possible?

pwFoo commented on August 9, 2024

Sometimes I would whitelist / blacklist domain based because I don't know all the IP addresses behind a domain :)

sergeyfrolov commented on August 9, 2024

Implemented (see documentation in README).
