Squid 2.4 Stable1
Configuration Manual
 

 
ACCESS CONTROLS


Tag Name

acl

Usage

acl aclname acltype string1 ... | “file”

Description


This tag defines an Access List.
When using "file", the file should contain one item per line. By default, regular expressions are CASE-SENSITIVE; to make them case-insensitive, use the -i option.

Acl types:


src

Matches on the client (source) IP address.

Usage

acl aclname src ip-address/netmask
Example
  1. The whole network 172.16.1.0/24: acl aclname src 172.16.1.0/24
  2. A single host: acl aclname src 172.16.1.25/32
  3. A range of addresses from 172.16.1.25 to 172.16.1.35: acl aclname src 172.16.1.25/255.255.255.255-172.16.1.35/255.255.255.255
Note: take care with the value given as the netmask. A /32 (255.255.255.255) mask matches exactly one host; only the 0.0.0.0/0.0.0.0 form used for "all" in the Default section below matches every address.

dst

Same as src, except that it matches on the server (destination) IP address. Squid first resolves the domain name from the request to an IP address and only then evaluates this ACL, so it costs a DNS lookup per request.

srcdomain

Squid must reverse-resolve the client IP address to a domain name before this ACL can be evaluated, which adds lookup delay to every request that reaches it.

Usage

acl aclname srcdomain domain-name
Example acl aclname srcdomain .kovaiteam.com
Note: the leading "." is significant; it makes the entry match the domain and all of its subdomains.

dstdomain

This is the efficient way to control access to a specific destination domain: the name is taken from the URL, so no DNS lookup is needed.

Usage

acl aclname dstdomain domain-name
Example acl aclname dstdomain .kovaiteam.com
This matches kovaiteam.com and every host under it (*.kovaiteam.com) in the requested URL.
Note: the leading "." is significant; without it only the exact name given is matched.

srcdom_regex

Squid must reverse-resolve the client IP address to a domain name before this ACL can be evaluated, which adds lookup delay to every request that reaches it.

Usage

acl aclname srcdom_regex pattern
Example acl aclname srcdom_regex kovai
This matches client domain names containing the word "kovai".
Note: avoid this ACL type where the reverse-lookup latency matters.

dstdom_regex

Like dstdomain, this needs no DNS lookup, since the name comes from the URL.

Usage

acl aclname dstdom_regex pattern
Example acl aclname dstdom_regex kovai
This matches destination (server) domain names containing the word "kovai".

time

Time of day, and day of week

Usage

acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2. Several days can be listed, either run together (MTWHF) or as separate letters (M T W H F).
Example acl ACLTIME time M 9:00-17:00
ACLTIME matches on Mondays from 9:00 to 17:00.
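As an added illustration (not code from the Squid project or from this manual), the following Python re-implements the matching rules that the src, dstdomain and time sections above describe, so they can be tried offline on constructed inputs. It assumes that a bare address without a netmask is treated as a single host, that a dstdomain entry with a leading dot also matches the bare domain itself, and that the time range is inclusive at both ends; Squid itself takes the client address, the URL host and the clock from the live request.

```python
# Added example, not code from Squid or this manual: a small re-implementation
# of the src, dstdomain and time ACL element matching described above.
import ipaddress
from datetime import datetime

# Day letters indexed by datetime.weekday(): Mon=M Tue=T Wed=W Thu=H Fri=F Sat=A Sun=S
WEEKDAY_LETTER = "MTWHFAS"


def _bounds(spec):
    """(low, high) integer bounds of 'a.b.c.d', 'a.b.c.d/prefix' or 'a.b.c.d/netmask'.
    A bare address gets the /32 (255.255.255.255) single-host mask (assumption)."""
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_src(value):
    """One src value, including the low-high range form shown in the src section."""
    if "-" in value:
        low, high = value.split("-", 1)
        return _bounds(low)[0], _bounds(high)[1]
    return _bounds(value)


def src_matches(client_ip, values):
    """True if the client address falls inside any of the src values."""
    ip = int(ipaddress.ip_address(client_ip))
    return any(low <= ip <= high for low, high in map(parse_src, values))


def dstdomain_matches(host, values):
    """A value with a leading '.' matches the domain and all its subdomains
    (assumed here to include the bare domain); without the dot only the
    exact host name matches. Host names compare case-insensitively."""
    host = host.lower().rstrip(".")
    for value in values:
        value = value.lower()
        if value.startswith("."):
            if host == value[1:] or host.endswith(value):
                return True
        elif host == value:
            return True
    return False


def parse_time(value):
    """'[day-abbrevs] [h1:m1-h2:m2]' -> (set of day letters, start minute, end minute).
    Day letters may be run together (MTWHF) or given separately (M T W H F)."""
    days, start, end = set(), 0, 24 * 60 - 1
    for token in value.split():
        if ":" in token:
            first, last = token.split("-", 1)
            h1, m1 = map(int, first.split(":"))
            h2, m2 = map(int, last.split(":"))
            start, end = h1 * 60 + m1, h2 * 60 + m2
            if start >= end:
                raise ValueError("h1:m1 must be less than h2:m2: " + token)
        else:
            letters = set(token.upper())
            if not letters <= set(WEEKDAY_LETTER):
                raise ValueError("unknown day abbreviation in " + token)
            days |= letters
    return days or set(WEEKDAY_LETTER), start, end


def time_matches(when, value):
    """True if `when` (a datetime or ISO 8601 string) falls on one of the days
    and inside the range; both ends inclusive (assumption of this example)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    days, start, end = parse_time(value)
    minute = when.hour * 60 + when.minute
    return WEEKDAY_LETTER[when.weekday()] in days and start <= minute <= end


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the sections above.
    print(src_matches("172.16.1.30", ["172.16.1.25/255.255.255.255-172.16.1.35/255.255.255.255"]))
    print(dstdomain_matches("www.kovaiteam.com", [".kovaiteam.com"]))
    print(time_matches("2024-01-01T09:30", "M 9:00-17:00"))  # 2024-01-01 is a Monday
```

Try the "all" ACL both ways: written as 0.0.0.0/0.0.0.0 it matches every client, while a bare 0.0.0.0 matches only the single host 0.0.0.0, which is why the netmask note under src matters for a final deny all rule.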

url_regex

The url_regex type searches the entire URL for the regular expression you specify. These regular expressions are case-sensitive unless -i is given.

Usage

acl aclname url_regex pattern
Example acl ACLREG url_regex cooking
ACLREG matches URLs containing "cooking" but not "Cooking".

urlpath_regex

The urlpath_regex type does regular-expression matching on the URL with the protocol and hostname removed. These regular expressions are case-sensitive unless -i is given.

Usage

acl aclname urlpath_regex pattern
Example acl ACLPATHREG urlpath_regex cooking
ACLPATHREG matches only URL paths containing "cooking" (not "Cooking"), and never looks at the protocol or hostname.
For the URL http://www.visolve.com/folder/subdir/cooking/first.html this ACL type only examines the part after http://www.visolve.com/ .

port

Access can be controlled by the destination (server) port number.

Usage

acl aclname port port-no
Example This allows http_access only to the destination 172.16.1.115:80, and only from the network 172.16.1.0/24:
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

proto

This specifies the transfer protocol

Usage

acl aclname proto protocol
Example acl aclname proto HTTP FTP
This matches the HTTP and FTP protocols.

method

This matches on the request method.

Usage

acl aclname method method-type
Example acl aclname method GET POST
This matches GET and POST requests only.

browser

Regular expression pattern matching on the request's user-agent header

Usage

acl aclname browser pattern
Example acl aclname browser MOZILLA
This matches requests whose User-Agent header contains the string "MOZILLA" (case-sensitive unless -i is used).

ident

String matching on the user name returned by an ident lookup. Use REQUIRED instead of a user name to accept any non-empty ident reply.

Usage

acl aclname ident username ...
Example You can use ident to allow specific users access to your cache. This requires that an ident server process runs on the user's machine(s), and that ident lookups are enabled for those clients with ident_lookup_access (documented below; it replaces the "ident_lookup on" directive of earlier releases). In your squid.conf configuration file you would write something like this:
ident_lookup_access allow all
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

ident_regex

Regular expression pattern matching on the user name returned by an ident lookup.

Usage

acl aclname ident_regex [-i] pattern
Example As with ident, this requires an ident server process on the user's machine(s) and ident lookups enabled with ident_lookup_access. In your squid.conf configuration file you would write something like this:
ident_lookup_access allow all
acl friends ident_regex joe
This matches any user name containing the pattern "joe".

src_as

source (client) Autonomous System number

dst_as

destination (server) Autonomous System number

proxy_auth

User authentication via external processes. proxy_auth requires an EXTERNAL authentication program to check username/password combinations (see authenticate_program ).

Usage

acl aclname proxy_auth username...
use REQUIRED instead of username to accept any valid username
Example acl ACLAUTH proxy_auth venkatesh balu deepa
This ACL matches the users venkatesh, balu and deepa once the external program has validated their credentials.
Warning proxy_auth cannot be used in a transparent proxy: it collides with any authentication done by origin servers. It may seem to work at first, but it doesn't. When a Proxy-Authorization header is sent but is not needed during ACL checking, the username is NOT logged in access.log.

proxy_auth_regex

This is the same as proxy_auth, except that it matches a regular expression against the user names validated by authenticate_program.

Usage

acl aclname proxy_auth_regex [-i] pattern...

snmp_community

SNMP community string matching

maxconn

A limit on the maximum number of connections from a single client IP address.

Usage

acl aclname maxconn number

req_mime_type

Regular expression pattern matching on the request content-type header

Usage

acl aclname req_mime_type pattern
Example acl aclname req_mime_type text
This ACL matches the pattern "text" in the request's Content-Type header.

arp

Ethernet (MAC) address matching
This acl is supported on Linux, Solaris, and probably BSD variants.

NOTE: Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

To use ARP (MAC) access controls, you first need to compile in the optional code. Do this with the --enable-arp-acl configure option:

% ./configure --enable-arp-acl ...
% make clean
% make

If everything compiles, then you can add some ARP ACL lines to your squid.conf

Usage

acl aclname arp ARP-ADDRESS
Example acl ACLARP arp 11:12:13:14:15:16
ACLARP matches the Ethernet (MAC) address 11:12:13:14:15:16.

Default


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

Example

See the examples given in access list


Tag Name


http_access


Usage

http_access allow|deny [!]aclname ...

Description


Allowing or denying http access based on defined access lists

If none of the "access" lines cause a match, the default is the opposite of the last line in the list. If the last line was deny, then the default is allow. Conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have a "deny all" or "allow all" entry at the end of your access lists to avoid potential confusion

Default

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
If there are no "access" lines present, the default is to allow the request


Example

    1. Allow http_access for only one machine, with MAC address 00:08:c7:9f:34:41
    2. Restrict access to work hours (9am - 5pm, Monday to Friday) from the network 192.168.2.0/24
    3. Using several time ACLs for different users and different hours
    4. Rules are read from top to bottom
These are worked out in the Examples section at the end of this page.


Caution

The deny all line is very important. If no http_access rule matches a request, Squid applies the opposite of the last rule's action: after a final deny of anything narrower than all, every unmatched request is ALLOWED, and after a final allow every unmatched request is denied. So a long list of allow rules that ends in a specific deny, with no deny all after it, leaves the proxy open to everything the allow rules never mentioned. Don't rely on the implicit default: put an explicit deny all rule AFTER all the other rules.

And, finally, don't forget that rules are read from top to bottom. The first rule that matches will be used; later rules won't be applied. See the Examples section at the end of this page.



Tag Name

icp_access

Usage

icp_access allow|deny [!]aclname ...

Description

Allowing or denying access to the ICP port based on defined access lists

Default

icp_access deny all

Example

icp_access allow all - Allow ICP queries from everyone

Caution

-


Tag Name

miss_access

Usage

miss_access allow|deny [!]aclname…

Description

Use this to force your neighbours to use you as a sibling instead of a parent. For example:

acl localclients src 172.16.0.0/16
miss_access allow localclients
miss_access deny !localclients
This means that only your local clients are allowed to fetch MISSES; all other clients can only fetch HITS.

Default

By default, allow all clients who passed the http_access rules to fetch MISSES from us.
miss_access allow all

Example

-

Caution

-


Tag Name

cache_peer_access

Usage

cache_peer_access cache-host allow|deny [!]aclname ...

Description

Similar to 'cache_peer_domain' but more flexible, since it uses ACL elements.

The syntax is identical to 'http_access' and the other lists of ACL elements. See the comments for 'http_access' above, or the Squid FAQ ( http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).

Default

none

Example

-

Caution

-


Tag Name

proxy_auth_realm

Usage

proxy_auth_realm string

Description

Specifies the realm name, which is to be reported to the client for proxy authentication (part of the text the user will see when prompted for the username and password).

Default

proxy_auth_realm Squid proxy-caching web server

Example

proxy_auth_realm My Caching Server

Caution

-


Tag Name

ident_lookup_access

Usage

ident_lookup_access allow|deny aclname…

Description

A list of ACL elements, which, if matched, cause an ident (RFC 931) lookup to be performed for this request. For example, you might choose to always perform ident lookups for your main multi-user Unix boxes, but not for your Macs and PCs

Default

By default, ident lookups are not performed for any requests

Example

To enable ident lookups for specific client addresses, you can follow this example:
acl ident_aware_hosts src 198.168.1.0/255.255.255.0
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all

Caution

This option may be disabled by using --disable-ident with the configure script


Examples

(1) To allow http_access for only one machine with MAC Address 00:08:c7:9f:34:41

To use MAC addresses in ACL rules, build Squid with the --enable-arp-acl configure option (see the arp ACL type above). The all ACL is written with its netmask, as in the Default section, so that it matches every address; remember that if the final deny all failed to match, the unmatched requests would be allowed (the default after a last line that denies).

acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all

(2) To restrict access to work hours (9am - 5pm, Monday to Friday) from the network 192.168.2.0/24

acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all

(3) Can I use several time access control lists for different users and different hours? Like this:

ACL definitions

acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59

Access controls

http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch

This is wrong; see the explanation below.
The access line "http_access allow xyz morning lunch" will not work, because the ACLs on one http_access line are combined with AND, and separate lines are combined with OR:

http_access ACTION statement1 AND statement2 AND statement3
   OR
http_access ACTION statement1 AND statement2 AND statement3
   OR
........

So the rule "http_access allow xyz morning lunch" will never work, as I pointed out, because at any given time morning AND lunch will ALWAYS be false: morning and lunch are NEVER true at the same time, and as one of them is false and the line uses AND, 0/1 AND 0 is always 0 (false).

The fix is to split that line in two. It now reads:

http_access allow xyz morning
http_access allow xyz lunch

(that is, xyz AND morning, OR xyz AND lunch.) If a request comes from xyz and we're in one of the allowed times, one of the rules will match TRUE and the other will obviously match FALSE. TRUE OR FALSE is TRUE, and access will be permitted.

The access controls finally look like this:

http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all

(4) Rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied.

Example:

http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch

If xyz tries to access something in the morning, access will be granted. But if xyz tries to access something at lunchtime, access will be denied: the deny xyz rule matches BEFORE the 'xyz lunch' rule is ever reached.