| ACL TYPE |
proxy_auth_regex |
| Description |
As with proxy_auth, this ACL calls the external authenticator process, but matches the authenticated username against a regular expression (case-insensitive with -i) |
| Build Option |
Default |
| Usage |
acl aclname proxy_auth_regex [-i] pattern |
Synopsis Matching based on regular expressions using external authentication process.
Arguments
| aclname |
Access list name |
| pattern |
Pattern to be matched |
Example(s) acl ACLAUTH proxy_auth_regex -i mesh
| ACL TYPE |
snmp_community string ... |
| Description |
Provides matching against community string to limit access to your SNMP Agent |
| Build Option |
Default |
| Usage |
acl aclname snmp_community string ... |
Synopsis Matching done on SNMP community strings. The community string travels in cleartext in SNMPv1/v2c and is not a secret by itself, so combine this ACL with a src ACL in your snmp_access rules rather than relying on the string alone.
Arguments
| aclname |
Access list name |
| string |
String to be matched |
Example(s) acl snmppublic snmp_community public
| ACL TYPE |
maxconn |
| Description |
Matches when the client's IP address has more than the specified number of HTTP connections established |
| Build Option |
Default |
| Usage |
acl aclname maxconn number |
Synopsis Matches when the client's IP address already has more than the defined number of HTTP connections established to Squid.
Arguments
| aclname |
Access list name |
| number |
Maximum number of HTTP connections |
Example(s)
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn
The above configuration limits every client to 5 concurrent HTTP connections. For someuser the sixth connection is refused by the explicit deny; for every other client it is refused by the implicit default, because the last rule is an allow and nothing matches once twoconn is true.
| ACL TYPE |
max_user_ip |
| Description |
Matches when the same authenticated user is seen from more than the specified number of distinct IP addresses |
| Build Option |
Default |
| Usage |
acl aclname max_user_ip [-s] number |
Synopsis
If -s is specified then the limit is strict, denying browsing from any further IP addresses until the TTL has expired. Without -s Squid will just annoy the user by "randomly" denying requests (the counter is reset each time the limit is reached and a request is denied). The authenticate_ip_ttl parameter controls the timeout on the IP entries.
Note
1. An authentication helper must be configured for this ACL to work; the NCSA basic helper is a simple option. 2. In acceleration mode or where there is a mesh of child proxies, clients may appear to come from multiple addresses if they are going through proxy farms, so a limit of 1 may cause user problems.
Arguments
| aclname |
Access list name |
| number |
Maximum number of distinct IP addresses per user |
Example(s)
authenticate_ip_ttl 2 hours
acl maxuser max_user_ip -s 2
http_access deny maxuser
The same user may be active from at most 2 IP addresses at once. A request from a third machine while the first two entries are still within the 2 hour TTL is denied by the strict (-s) limit.
| ACL TYPE |
req_mime_type |
| Description |
Match against the mime type of the request generated by the client |
| Build Option |
Default
| Usage |
acl aclname req_mime_type mime_type ... |
Synopsis Using this you can detect file uploads or some types of HTTP tunneling requests.
Arguments
| aclname |
Access list name |
| mime_type |
Mime type at the requesting side |
Example(s)
acl mymime req_mime_type text
This acl looks for the pattern "text" in the request's Content-Type header.
Note
This does NOT match the reply. You cannot use this to match the returned file type.
| ACL TYPE |
req_header |
| Description |
Match against any of the known request headers. |
| Build Option |
Default |
| Usage |
acl aclname req_header header-name [-i] regular expression |
Synopsis
Regular Expression match against any of the known request headers.
May be thought of as a superset of "browser", "referer" and "mime-type" ACLs.
Arguments
| aclname |
Access list name |
| header-name |
Request header name to inspect |
Example(s)
acl myheader req_header Content-Type -i text
This acl looks for the pattern "text" (case-insensitive) in the request's Content-Type header. The header name is mandatory; the pattern alone is not a valid req_header ACL.
| ACL TYPE |
rep_mime_type |
| Description |
Match against the mime type of the reply received by Squid |
| Build Option |
Default
| Usage |
acl aclname rep_mime_type mime_type ... |
Synopsis Using this you can detect file downloads or some types of HTTP tunneling requests.
This has no effect in http_access rules. It only has effect in rules that affect the reply data stream such as http_reply_access.
Arguments
| aclname |
Access list name |
| mime_type |
Mime type at the receiving side |
Example(s)
acl m2 rep_mime_type ^application/pdf$
http_reply_access deny m2
This blocks access to application/pdf mime types.
| ACL TYPE |
rep_header |
| Description |
Match against any of the known response headers. |
| Build Option |
Default |
| Usage |
acl aclname rep_header header-name [-i] regular expression... |
Synopsis Regular Expression match against any of the known response headers.
Arguments
| aclname |
Access list name |
| header-name |
Header name at the receiving side |
Example(s) acl many_spaces rep_header Content-Disposition -i [[:space:]]
| ACL TYPE |
external |
| Description |
Provides match against external ACL lookup via a helper class defined by the external_acl_type tag |
| Build Option |
Default |
| Usage |
acl aclname external class_name [arguments...] |
Synopsis
Provides match against external ACL lookup via a helper class defined by the external_acl_type tag
Arguments
| aclname |
Access list name |
| class_name |
Name of a class defined with external_acl_type |
| arguments |
Optional arguments appended to each lookup sent to the helper |
Example(s)
auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1800 seconds
external_acl_type checkip children=20 %LOGIN %SRC /usr/local/Squid/bin/checkip.pl
acl password external checkip
acl it src 172.16.20.1-172.16.20.199/255.255.255.255
http_access allow it password
The request is allowed only when the client is in the it address range and the checkip helper, which receives the authenticated login name (%LOGIN) and the source address (%SRC), answers OK for that pair. The helper itself decides, for example, whether the user's group is permitted at the current time and from that address.
| ACL TYPE |
urlgroup |
| Description |
This will match against the urlgroup as indicated by redirectors. |
| Build Option |
Default |
| Usage |
acl aclname urlgroup group1... |
Synopsis match against the urlgroup as indicated by redirectors
Arguments
| aclname |
Access list name |
| group |
URL group tag assigned to the URL by the redirector |
Example(s)
acl jobs urlgroup job
http_access deny jobs
| ACL TYPE |
user_cert |
| Description |
This will match against the attributes in a user SSL certificate |
| Build Option |
Default
| Usage |
acl aclname user_cert attribute values... |
Synopsis
Match against attributes in a user SSL certificate
Arguments
| aclname |
Access list name |
| attribute |
Any one of DN/C/O/CN/L/ST |
| ACL TYPE |
ca_cert |
| Description |
This will match against attributes of the CA certificate that issued the user's SSL certificate |
| Build Option |
Default |
| Usage |
acl aclname ca_cert attribute values... |
Synopsis Match against attributes in the certificate of the CA that issued the user's SSL certificate
Arguments
| aclname |
Access list name |
| attribute |
Any one of DN/C/O/CN/L/ST |
| ACL TYPE |
ext_user, ext_user_regex |
| Description |
String match on username returned by external acl |
| Build Option |
Default |
| Usage |
acl aclname ext_user username ...
acl aclname ext_user_regex [-i] pattern ... |
Synopsis String match on username returned by external acl Use REQUIRED to accept any user name.
Arguments
| aclname |
Access list name |
| username |
Username to match against the name returned by the external ACL helper |
| pattern |
Regular expression pattern to match against the external user name |
Recommended minimum acl configuration
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
| TAG NAME |
follow_x_forwarded_for |
| Description |
Allowing or Denying the X-Forwarded-For header to be followed to find the original source of a request. |
| Build Option |
Default |
| Usage |
follow_x_forwarded_for allow|deny [!] aclname ... |
| Default |
follow_x_forwarded_for deny all |
Synopsis Requests may pass through a chain of several other proxies before reaching this proxy. The X-Forwarded-For header will contain a comma-separated list of the IP addresses in the chain, with the rightmost address being the most recent.
If a request reaches us from a source that is allowed by this configuration item, then we consult the X-Forwarded-For header to see where that host received the request from.
If the X-Forwarded-For header contains multiple addresses, and if acl_uses_indirect_client is on, then we continue backtracking until we reach an address for which we are not allowed to follow the X-Forwarded-For header, or until we reach the first address in the list.
The end result of this process is an IP address that we will refer to as the indirect client address. This address may be treated as the client address for access control, delay pools and logging, depending on the acl_uses_indirect_client, delay_pool_uses_indirect_client and log_uses_indirect_client options.
Note SECURITY CONSIDERATIONS: Any host for which we follow the X-Forwarded-For header can place incorrect information in the header, and Squid will use the incorrect information as if it were the source address of the request. This may enable remote hosts to bypass any access control restrictions that are based on the client's source addresses.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
acl localhost src 127.0.0.1
acl my_other_proxy srcdomain .proxy.example.com
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow my_other_proxy
The header is followed only for requests arriving from localhost or from hosts in .proxy.example.com; an X-Forwarded-For header sent by any other client is ignored and the direct source address is used.
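The backtracking rule described in the synopsis, and the bypass the security note warns about, are easier to see when walked through in code. The following is an added example written for this page, not Squid's own implementation: the trusted_nets list stands in for the follow_x_forwarded_for allow ACLs, the addresses are constructed (192.0.2.0/24 plays the trusted upstream proxy farm, 203.0.113.9 a remote attacker), and stopping at a header entry that is not a valid IP address, keeping the previous hop, is a simplification chosen here since the page does not describe how Squid treats malformed entries.

```python
"""Model of Squid's follow_x_forwarded_for backtracking.

Added example, not Squid's own code. Start from the direct (TCP) client; while
that address is one for which following the header is allowed, step to the
rightmost remaining X-Forwarded-For entry; stop at the first hop that is not
allowed or when the list is exhausted. 'trusted_nets' stands in for the
follow_x_forwarded_for allow ACLs. Malformed entries end the walk (assumption).
"""
import ipaddress


def parse_xff(header):
    """Split an X-Forwarded-For value; the leftmost entry is the original client."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _as_ip(text):
    """Return an ip_address object, or None if text is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def indirect_client(direct_client, xff_header, trusted_nets):
    """Return the indirect client address derived from the header.

    direct_client: address the TCP connection actually came from.
    xff_header:    raw X-Forwarded-For value ("" when absent).
    trusted_nets:  CIDR strings for which following the header is allowed.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]

    def may_follow(addr):
        ip = _as_ip(addr)
        return ip is not None and any(ip in net for net in nets)

    chain = parse_xff(xff_header)
    client = direct_client
    while chain and may_follow(client):
        previous_hop = chain.pop()      # rightmost entry = most recent proxy's client
        if _as_ip(previous_hop) is None:
            break                       # malformed entry: keep the current hop
        client = previous_hop
    return client


def acl_client(direct_client, xff_header, trusted_nets, acl_uses_indirect_client=True):
    """Address that src ACLs are matched against, per acl_uses_indirect_client."""
    if not acl_uses_indirect_client:
        return direct_client
    return indirect_client(direct_client, xff_header, trusted_nets)


# Constructed scenario: 192.0.2.0/24 is the trusted proxy farm, 203.0.113.9 an
# attacker on the Internet, 127.0.0.1 the address the attacker wants to claim.
TRUSTED = ["127.0.0.1/32", "192.0.2.0/24"]

if __name__ == "__main__":
    # Untrusted client forges the header: ignored, the client stays 203.0.113.9.
    print(indirect_client("203.0.113.9", "127.0.0.1", TRUSTED))
    # Trusted proxy appends the real client after the forged entry: the walk
    # stops at 203.0.113.9 because that hop is not trusted.
    print(indirect_client("192.0.2.10", "127.0.0.1, 203.0.113.9", TRUSTED))
    # "follow_x_forwarded_for allow all": every hop is trusted, so the forged
    # 127.0.0.1 becomes the client and defeats src-based http_access rules.
    print(indirect_client("192.0.2.10", "127.0.0.1, 203.0.113.9", ["0.0.0.0/0"]))
```

The third scenario is the one the security note describes: once the header is followed for every source, a remote client only has to put 127.0.0.1 first in the list to be treated as localhost. The second scenario also shows why the trusted hop must itself append the real client address; a trusted proxy that forwards an attacker's header verbatim hands the forged address straight to Squid.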
| TAG NAME |
acl_uses_indirect_client |
| Description |
Controls whether the indirect client address is used instead of the direct client address in acl matching. |
| Build Option |
Default |
| Usage |
acl_uses_indirect_client on|off |
| Default |
acl_uses_indirect_client on |
Synopsis Controls whether the indirect client address (refer follow_x_forwarded_for) is used instead of the direct client address in acl matching.
Arguments
| on/off |
Enable/Disable the acl indirect client feature |
Example(s) acl_uses_indirect_client off
| TAG NAME |
delay_pool_uses_indirect_client |
| Description |
Controls whether the indirect client address is used instead of the direct client address in delay pools. |
| Build Option |
Default |
| Usage |
delay_pool_uses_indirect_client on|off |
| Default |
delay_pool_uses_indirect_client on |
Synopsis Controls whether the indirect client address (Refer follow_x_forwarded_for) is used instead of the direct client address in delay pools.
Arguments
| on/off |
Enable/Disable the delay pools indirect client feature |
Example(s) delay_pool_uses_indirect_client off
| TAG NAME |
log_uses_indirect_client |
| Description |
Controls whether the indirect client address is used instead of the direct client address in the access log. |
| Build Option |
Default |
| Usage |
log_uses_indirect_client on|off |
| Default |
log_uses_indirect_client on |
Synopsis Controls whether the indirect client address (refer follow_x_forwarded_for) is used instead of the direct client address in the access log.
Arguments
| on/off |
Enable/Disable the access log indirect client feature |
Example(s) log_uses_indirect_client off
| TAG NAME |
http_access |
| Description |
Using this, you can allow or deny the access lists defined by acl |
| Build Option |
Default |
| Usage |
http_access allow|deny [!] aclname ... |
| Default |
http_access deny all |
Synopsis
This is used for filtering based on the acl matchings. If none of the "access" lines cause a match, the default is the opposite of the last line in the list: if the last line was deny, the default is allow; if the last line was allow, the default is deny. For this reason it is a good idea to end your access lists with an explicit "deny all" (or "allow all") entry so that the implicit default never applies.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
Typical uses of http_access rules:
1. Allowing access for only one machine, identified by its MAC address 00:08:c7:9f:34:41 (an arp ACL).
2. Restricting access to work hours (9am - 5pm, Monday to Friday) for clients in 192.168.2.0/24 (a time ACL combined with a src ACL).
3. Using several time ACLs to give different users different access windows.
Rules are read from top to bottom.
Note
The final "deny all" line is very important. Squid applies the first rule that matches, and if no rule matches the default is the opposite of the last rule. A list that ends with a deny rule such as "deny CONNECT !SSL_ports" therefore implicitly ALLOWS every request that matched nothing, and a list that ends with an allow rule implicitly denies everything else. Do not rely on that implicit default: finish the list with an explicit "http_access deny all" so that every request is decided by a rule you wrote.
And, finally, don't forget rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied.
Recommended minimum http_access configuration
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
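First match wins and the implicit default is the opposite of the last line; the minimum configuration above is safe only because its final "deny all" matches everything that got that far. The following is an added example written for this page, not Squid's code: it evaluates http_access lists with exactly those two rules, over a constructed ACL table that mirrors the recommended minimum acl configuration, and contrasts the recommended list with the same list minus "deny all" to show which requests the implicit default lets through.

```python
"""Model of how Squid evaluates an http_access list.

Added example, not Squid's own code. A rule matches when every ACL named on it
matches (a leading '!' negates), the first matching rule decides, and when no
rule matches the result is the opposite of the LAST rule's action. The ACL
table is constructed for the example and mirrors the page's recommended
minimum acl configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str                 # client source address
    port: int                # destination port of the URL or CONNECT target
    method: str = "GET"
    proto: str = "http"      # "cache_object" for cache manager requests


SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}

# Constructed ACL table: acl name -> predicate over a Request.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r.proto == "cache_object",
    "localhost": lambda r: r.src == "127.0.0.1",
    "SSL_ports": lambda r: r.port in {443, 563},
    "Safe_ports": lambda r: r.port in SAFE_PORTS or 1025 <= r.port <= 65535,
    "CONNECT": lambda r: r.method == "CONNECT",
}


def parse_rules(config):
    """Parse 'http_access allow|deny [!]acl ...' lines into (action, terms) pairs."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0] != "http_access":
            continue
        action, terms = parts[1], parts[2:]
        if action not in ("allow", "deny") or not terms:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((action, terms))
    return rules


def term_matches(term, req):
    """Evaluate one [!]aclname term against the request."""
    negate = term.startswith("!")
    matched = ACLS[term.lstrip("!")](req)
    return not matched if negate else matched


def evaluate(rules, req):
    """Return 'allow' or 'deny', applying the implicit default when nothing matches."""
    if not rules:
        return "deny"
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action                    # first fully matching line wins
    last_action = rules[-1][0]
    return "allow" if last_action == "deny" else "deny"   # opposite of the last line


# The page's recommended minimum list, closed by an explicit "deny all".
MINIMUM = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
""")

# The same list with "deny all" forgotten: the last line is a deny, so any
# request that matches nothing is implicitly ALLOWED.
NO_DENY_ALL = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
""")

if __name__ == "__main__":
    remote_get = Request("10.0.0.5", 80)
    print(evaluate(MINIMUM, remote_get))       # deny
    print(evaluate(NO_DENY_ALL, remote_get))   # allow
```

With "deny all" missing, a plain GET to port 80 or a CONNECT to port 443 from any address on the Internet is allowed, while a GET to port 25 is still denied by "deny !Safe_ports"; the proxy looks partly locked down but is open. The single-line list "http_access allow localhost" shows the other direction: its implicit default is deny, so it is safe by accident, which is exactly why the page recommends never leaving the outcome to the default.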
| TAG NAME |
http_access2 |
| Description |
Allowing or Denying access based on defined access lists |
| Build Option |
Default
| Usage |
http_access2 allow|deny [!] aclname ... |
| Default |
none |
Synopsis Identical to http_access, but runs after redirectors. If not set then only http_access is used.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
acl off_time time SMT 09:30-17:30
http_access2 deny off_time
http_access2 allow all
Requests that have passed http_access and the redirector are denied on Sunday, Monday and Tuesday between 09:30 and 17:30 and allowed at all other times. The deny line must come before "allow all", because the first matching rule wins and "allow all" matches everything.
| TAG NAME |
http_reply_access |
| Description |
This is complementary to http_access which allows or denies clients replies |
| Build Option |
Default |
| Usage |
http_reply_access allow|deny [!] aclname ... |
| Default |
http_reply_access allow all |
Synopsis
This is used for filtering based on the acl matchings, but applied to the replies to client requests rather than the requests themselves. If none of the access lines cause a match, then the opposite of the last line will apply. Thus it is good practice to end the rules with an "allow all" or "deny all" entry.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
acl reject urlpath_regex -i home
http_reply_access deny reject
| TAG NAME |
icp_access |
| Description |
Allowing or Denying access to the ICP port based on defined access lists |
| Build Option |
Default |
| Usage |
icp_access allow|deny [!] aclname ... |
| Default |
icp_access deny all |
Synopsis
This tag controls icp access on defined access lists.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
icp_access allow all
Allows ICP queries from everyone. ICP lets any peer probe which objects are in your cache, so in practice restrict this to the addresses of your known peers and end the list with "icp_access deny all".
| TAG NAME |
htcp_access |
| Description |
Allowing or Denying access to the HTCP port based on defined access lists |
| Build Option |
--enable-htcp |
| Usage |
htcp_access allow|deny [!] aclname ... |
| Default |
htcp_access allow localnet
htcp_access deny all |
Synopsis Allowing or Denying access to the HTCP port based on defined access lists See http_access for details
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
To allow HTCP queries from everyone:
htcp_access allow all
| TAG NAME |
htcp_clr_access |
| Description |
Allowing or Denying access to purge content using HTCP based on defined access lists |
| Build Option |
--enable-htcp |
| Usage |
htcp_clr_access allow|deny [!] aclname ... |
| Default |
htcp_clr_access deny all |
Synopsis
Allowing or Denying access to purge content using HTCP based on defined access lists See http_access for details
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
Allow HTCP CLR requests from trusted peers:
acl htcp_clr_peer src 172.16.1.2
htcp_clr_access allow htcp_clr_peer
| TAG NAME |
miss_access |
| Description |
Used to force your neighbours to use you as sibling instead of parent |
| Build Option |
Default |
| Usage |
miss_access allow|deny [!] aclname ... |
| Default |
miss_access allow all |
Synopsis
This tag forces the neighbouring peers to treat you as sibling instead of parent.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
acl localclients src 172.16.0.0/16
miss_access allow localclients
miss_access deny !localclients
This means that only your local clients are allowed to fetch MISSES and all other clients can only fetch HITS.
| TAG NAME |
cache_peer_access |
| Description |
Similar to cache_peer_domain but provides more flexibility by using ACL elements |
| Build Option |
Default |
| Usage |
cache_peer_access cache-host allow|deny [!]aclname ... |
| Default |
none |
Synopsis
The syntax is identical to http_access and the other lists of ACL elements. See http_access for further reference.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
The following example could be used if we want all requests from a specific IP address range to go to a specific cache server (for accounting purposes, for example). Here, all the requests from the 10.0.1.* range are passed to proxy.visolve.com, but all other requests are handled directly.
Using acls to select peers:
acl myNet src 10.0.0.0/255.255.255.0
acl custNet src 10.0.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
cache_peer proxy.visolve.com parent 3128 3130
cache_peer_access proxy.visolve.com allow custNet
cache_peer_access proxy.visolve.com deny all
| TAG NAME |
ident_lookup_access |
| Description |
A list of ACL elements which, if matched, cause an ident (RFC 931) lookup to be performed for this request |
| Build Option |
Default |
| Usage |
ident_lookup_access allow|deny aclname |
| Default |
ident_lookup_access deny all |
Synopsis
This tag allows or denies ident lookups on matching the access lists. Ident responses come from software on the client host and are not authenticated, so treat the result as informational (useful in logs) rather than as a basis for access control.
Note: Only src type ACL checks are fully supported. A src_domain ACL might work at times, but it will not always provide the correct result. This option may be disabled by using --disable-ident-lookups with the configure script.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |
Example(s)
To enable ident lookups for specific client addresses, you can follow this example:
acl ident_aware_hosts src 198.168.1.0/255.255.255.0
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
| TAG NAME |
tcp_outgoing_tos |
| Description |
Allows you to select a TOS/Diffserv value to mark outgoing connections with, based on the username or source address making the request |
| Build Option |
Default |
| Usage |
tcp_outgoing_tos ds-field [!]aclname ... |
| Default |
none |
Synopsis
The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or "default" to use whatever default your host has. Processing proceeds in the order specified, and stops at first fully matching line.
Arguments
| ds-field |
Outgoing TOS value |
| aclname |
Identifier that contains the list to match on |
Example(s)
acl good_service_net src 10.0.1.0/255.255.255.0
tcp_outgoing_tos 0x20 good_service_net
Here, outgoing connections made on behalf of good_service_net are marked with the TOS value 0x20.
| TAG NAME |
tcp_outgoing_address |
| Description |
Allows you to map requests to different outgoing IP addresses based on the username or source address of the user making the request |
| Build Option |
Default |
| Usage |
tcp_outgoing_address ipaddr [[!]aclname] ... |
| Default |
none |
Synopsis
Processing proceeds in the order specified, and stops at first fully matching line.
Arguments
| ipaddr |
Outgoing ip address |
| aclname |
Access lists |
Example(s)
acl normal_net src 172.16.1.0/24
tcp_outgoing_address 172.16.1.53 normal_net
Here, requests from machines in the 172.16.1.0/24 network are forwarded to the origin server from the source address 172.16.1.53.
| TAG NAME |
reply_body_max_size |
| Description |
This option specifies the maximum size of a reply body |
| Build Option |
Default
| Usage |
reply_body_max_size size [acl acl...] |
| Default |
none |
Synopsis
Using this you can prevent users from downloading very large files, such as MP3's and movies.
Note: 1. Downstream caches probably can not detect a partial reply if there is no Content-Length header, so they will cache partial responses and give them out as hits. You should NOT use this option if you have downstream caches. 2. A maximum size smaller than the size of Squid's error messages will cause an infinite loop and crash Squid. Ensure that the smallest non-zero value you use is greater than the maximum header size plus the size of your largest error page.
Arguments
| size |
Maximum reply body size |
| acl |
Access lists on which this functions during match |
Example(s)
acl site url_regex -i ^http://www.visolve.com
reply_body_max_size 5 KB site
Here the reply's Content-Length is compared with the configured limit. If it exceeds 5 KB an error page is returned, but only for URLs matching site; replies from other sites are not affected.
| TAG NAME |
log_access |
| Description |
This options allows you to control which requests gets logged to access.log |
| Build Option |
Default |
| Usage |
log_access allow|deny acl acl... |
| Default |
none |
Synopsis
Sometimes you will not be interested in certain accesses being logged in the access.log file. This can be implemented using this tag.
Arguments
| allow/deny |
Allow or deny on matching the acl |
| aclname |
Access list to be allowed/denied on match |