MikroTik RouterOS v2.9 Reference Manual page 570

Home menu level: /ip web-proxy access
Description
The access list is configured in the same way as MikroTik RouterOS firewall rules. Rules are processed
from the top to the bottom; the first matching rule decides what is done with the connection.
There is a total of 6 classifiers that specify matching constraints. If none of these classifiers is
specified, the rule matches every connection.
If a connection is matched by a rule, the action property of that rule specifies whether the connection is
allowed or not. If a connection does not match any rule, it is allowed.
By default, there is one rule, which prevents connect requests to ports other than 443 and 563.
Property Description
action ( allow | deny ; default: allow ) - specifies whether to pass or deny matched packets
dst-address ( IP address | netmask ) - destination address of the IP packet
dst-port ( port ) - a list or range of ports the packet is destined to
local-port ( port ) - specifies the port of the web proxy via which the packet was received. This
value should match one of the ports web proxy is listening on.
method ( any | connect | delete | get | head | options | post | put | trace ) - HTTP method used in the
request (see HTTP Methods section at the end of this document)
src-address ( IP address | netmask ) - source address of the IP packet
url ( wildcard ) - the URL of the HTTP request
Notes
There is one rule by default that disallows connect method connections to ports other than 443
(https) and 563 (snews). The connect method is a security hole that allows connections (transparent
tunneling) to any computer using any protocol. It is used mostly by spammers, who find it very
convenient to use others' mail (SMTP) servers as an anonymous mail relay to send spam over the
Internet.
It is strongly recommended to deny all IP addresses except those behind the router, as the proxy may
still be used to access your internal-use-only (intranet) web servers. Also, consult the examples in the
Firewall Manual on how to protect your router.
The wildcard property url matches a complete string (i.e., it will not match "example.com" if it
is set to "example"). Available wildcards are '*' (match any number of any characters) and '?'
(match any one character). Regular expressions are also accepted here, but if the property should be
treated as a regular expression, it must start with a colon (':').
Small hints on using regular expressions:
    the \\ symbol sequence is used to enter a single \ character in the console
    the \. pattern means a literal . only (in regular expressions a single dot in the pattern means any symbol)
    to show that no symbols are allowed before the given pattern, use the ^ symbol at the
    beginning of the pattern
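The matching semantics described above (top-to-bottom, first match decides, unset classifiers match everything, no match means allow, whole-string wildcards versus colon-prefixed regular expressions) as an added Python model, not RouterOS code. The rule set, the 192.168.0.0/24 LAN and the request fields are constructed; the default connect rule is modelled as an allow followed by a deny, which is not how RouterOS itself expresses it.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

def port_match(spec: str, port: int) -> bool:
    """spec: comma-separated ports or ranges, e.g. "443,563" or "8080-8090"."""
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def url_match(pattern: str, url: str) -> bool:
    """':' prefix = regex, searched (so '^' anchors it); else a wildcard matching the whole URL."""
    if pattern.startswith(":"):
        return re.search(pattern[1:], url) is not None
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, url) is not None

@dataclass
class Rule:                             # an unset classifier matches everything
    action: str = "allow"               # allow | deny
    src_address: Optional[str] = None   # IP address or network, e.g. "192.168.0.0/24"
    dst_address: Optional[str] = None
    dst_port: Optional[str] = None      # list or range of destination ports
    local_port: Optional[str] = None    # proxy port the request arrived on
    method: Optional[str] = None        # None or "any" matches every HTTP method
    url: Optional[str] = None           # wildcard, or ":regex"

    def matches(self, req: dict) -> bool:
        return all([
            not self.src_address or ip_address(req["src"]) in ip_network(self.src_address, strict=False),
            not self.dst_address or ip_address(req["dst"]) in ip_network(self.dst_address, strict=False),
            not self.dst_port or port_match(self.dst_port, req["dst_port"]),
            not self.local_port or port_match(self.local_port, req["local_port"]),
            self.method in (None, "any") or self.method == req["method"].lower(),
            not self.url or url_match(self.url, req["url"]),
        ])

def decide(rules: list, req: dict) -> str:
    """Top to bottom, first match decides; a request matching no rule is allowed."""
    return next((r.action for r in rules if r.matches(req)), "allow")
# Constructed rule set: default CONNECT restriction as allow-then-deny (LAN only), then deny all other sources.
RULES = [
    Rule("allow", src_address="192.168.0.0/24", method="connect", dst_port="443,563"),
    Rule("deny", method="connect"),
    Rule("allow", src_address="192.168.0.0/24"),
    Rule("deny"),
]
```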
Page 556 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.