From: Fabian K. <fk...@fa...> - 2015-11-12 13:07:10
Black Rider <sof...@us...> wrote:

> Following a recent discussion about certain web service providers with
> bad practices, I have been looking at the possibility of blocking those
> providers.
>
> This leads to the need of blocking content by IP address. Ideally, I
> would do such a thing using privoxy for redirecting the users to a page
> that displays a message such as "This website is blocked because the
> website operator is untrusted".
>
> A practical example: CloudFlare offers the following list of IPs at their
> site:
> [...]
> The problem is that Privoxy does not offer a clean way of working with
> IPs instead of domain names. I don't know how I could accomplish the goal
> stated without turning to firewall trickery.
>
> Any suggestions for accomplishing the objective with Privoxy only?

ACLs work with IP addresses:
http://www.privoxy.org/user-manual/config.html#ACLS

The main disadvantage for your use case is that denied connections
get dropped without providing a reason to the client and that Privoxy
only looks at the IP address of the next hop (which may be another proxy).

This could also be done with external filters (which can do DNS lookups
etc.) but the "block" would only occur after CloudFlare's response arrived.
Once such a "block" is triggered, the external filter could add the domain
to a block section in one of the action files though.

While dynamic filters currently have no $next-hop-address variable,
implementing it shouldn't be too much work and would allow using tags
for this.

Fabian
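
The ACL approach mentioned in the reply above, as an added example that is not part of the original message or of Privoxy itself: a small Python helper that turns a provider's published CIDR list into `permit-access` / `deny-access` lines for the Privoxy config file. The client network `192.168.1.0/24`, the function name `build_acl_lines` and the sample ranges (documentation address blocks) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: stands in for a provider's published range list.
SAMPLE_RANGES = [
    "203.0.113.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the line above, merges into one /24
    "203.0.113.64/26",     # already covered by 203.0.113.0/24
    "2001:db8::/32",       # IPv6, skipped by this IPv4-only sketch
    "not-a-range",         # malformed entry, reported instead of emitted
    "# comment line",
]

def build_acl_lines(client_net, provider_ranges):
    """Return (config_lines, skipped_entries) for a Privoxy config file.

    client_net is the network whose clients use the proxy (assumed value);
    provider_ranges is an iterable of CIDR strings, one per entry.
    """
    src = ipaddress.ip_network(client_net, strict=True)
    nets, skipped = [], []
    for raw in provider_ranges:
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            skipped.append(raw)
            continue
        if net.version != 4:
            skipped.append(raw)
            continue
        nets.append(net)
    # Merge adjacent and overlapping ranges so the ACL list stays short.
    merged = ipaddress.collapse_addresses(nets)
    # Same ordering as the user manual's example: permit first, then denies.
    lines = [f"permit-access {src}"]
    lines += [f"deny-access {src} {dst}" for dst in merged]
    return lines, skipped

if __name__ == "__main__":
    config, rejected = build_acl_lines("192.168.1.0/24", SAMPLE_RANGES)
    print("\n".join(config))
    for entry in rejected:
        print(f"# skipped: {entry}")
```
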