
Disclaimer: This manual is NOT a Squid tutorial. It is only a reference that provides a detailed explanation of all configuration parameters available in Squid 2.6. The reader is expected to have prior knowledge of basic Squid installation and configuration. For a complete Squid tutorial, please visit http://www.squid-cache.org

Squid 2.6 Configuration Manual - Access Control Parameters
ACCESS CONTROLS

Access control settings are among the most important features of Squid. You can configure Squid to set filters for various entities and at different granularities (e.g. filters for specific protocols, filters for certain types of commands, filters for specific routers, filters for specified domains, etc).

acl
src
dst
myip
arp
srcdomain
dstdomain
srcdom_regex
dstdom_regex
time
url_regex
urlpath_regex
urllogin
port
myport
proto
method
browser
referer_regex
ident
ident_regex
src_as
dst_as
proxy_auth
proxy_auth_regex
snmp_community
maxconn
max_user_ip
req_mime_type
req_header
rep_mime_type
rep_header
external
urlgroup
user_cert
ca_cert
ext_user
ext_user_regex
follow_x_forwarded_for
acl_uses_indirect_client
delay_pool_uses_indirect_client
log_uses_indirect_client
http_access
http_access2
http_reply_access
icp_access
htcp_access
htcp_clr_access
miss_access
cache_peer_access
ident_lookup_access
tcp_outgoing_tos
tcp_outgoing_address
reply_header_max_size
reply_body_max_size
log_access
Example(s)
Recommended minimum acl configuration
Recommended minimum http_access configuration
TAG NAME      acl

Description   Used to define an Access List
Build Option  Default
Usage         acl aclname acltype string1 ...
              acl aclname acltype "file"
Default       Required minimum configuration for normal functioning

Synopsis
The first field is the name of the ACL; this is simply a label and can be almost anything the user chooses. The second field is the ACL type, one of a fixed set of choices, which tells Squid which part of a request should be matched against this ACL. The possible types include the requesting client's address, the web server's address or host name, a regular expression matching the URL, and many more. The final field is the actual string to match; depending on the ACL type this may be an IP address, a series of IP addresses, a URL, a host name, etc.

When using "file", the file should contain one item per line.

Arguments
aclname
 Name of the acl
acltype
 Type of acl
string
 String to match
file
 File containing the strings to match, one per line

ACL TYPE      src

Description   The IP address of the requesting client
Build Option  Default
Usage         acl aclname src ip-address/netmask ...        (client's IP address)
              acl aclname src addr1-addr2/netmask ...       (range of addresses)

Synopsis
Matching is done on the client's IP address.

Arguments
aclname
 Access list name
ip-address
 Client's IP address
netmask
 Network mask
addr1-addr2
 Range of IP addresses

Example(s)
acl network1 src 172.16.1.0/24 - refers to the whole network 172.16.1.0/24
acl source1 src 172.16.1.25/32 - refers to the single source address 172.16.1.25
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers to the range of IP addresses from 172.16.1.25 to 172.16.1.35

ACL TYPE      dst

Description   Same as src, but matches the destination IP address (the IP address of the URL's host)
Build Option  Default
Usage         acl aclname dst ip-address/netmask ...        (URL host's IP address)

Synopsis
Squid first resolves the host name given in the request URL to an IP address via a DNS lookup, and then evaluates this ACL against the result.

Arguments
aclname
 Access list name
ip-address
 IP address of the origin server/machine
netmask
 Network mask

Example(s)
acl dest dst 63.194.81.67/32

ACL TYPE      myip

Description   The local IP address on which the client connection exists
Build Option  Default
Usage         acl aclname myip ip-address/netmask ...       (local socket IP address)
Synopsis
Using this acl type, you can specify the local IP address on which the client's connection exists. This allows ACLs to be constructed that only match one physical network when the proxy has multiple interfaces, among other things.

Arguments
aclname
 Access list name
ip-address
 IP address of the local machine
netmask
 Network mask

Example(s)
acl myip1 myip 172.16.1.53/32

ACL TYPE      arp

Description   Ethernet (MAC) address matching
Build Option  --enable-arp-acl
Usage         acl aclname arp mac-address

Synopsis
This option only works for clients on the same local subnet, and only for certain platforms. Linux, Solaris, and some BSD variants are the supported operating systems for this type of ACL. This ACL can provide a somewhat secure method of access control, because MAC addresses are usually harder to spoof than IP addresses, and you can guarantee that your clients are on the local network (otherwise no ARP resolution can take place).

Arguments
aclname
 Access list name
mac-address
 Physical address to be matched

Example(s)
acl ACLARP arp 11:12:13:14:15:16
ACLARP matches the Ethernet (MAC) address 11:12:13:14:15:16.

Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

ACL TYPE      srcdomain

Description   Matches against the client's domain name
Build Option  Default
Usage         acl aclname srcdomain .domain-name ...

Synopsis
The value can be a single domain name, a list of domain names, or the path to a file that contains a list of domain names; a file path must be enclosed in double quotes, as shown in the acl usage above. This ACL type can increase latency and significantly decrease throughput on a loaded cache, because Squid must perform an address-to-name (reverse DNS) lookup for each request, so it is usually preferable to use the client IP address (src) type instead.

Note:
The leading "." is significant: .domain-name matches the domain itself and every host beneath it.

Arguments
aclname
 Access list name
domain-name
 Client's domain name

Example(s)
acl mydomain srcdomain .kovaiteam.com

ACL TYPE      dstdomain

Description   Matches the destination domain, i.e. the domain of the origin server
Build Option  Default
Usage         acl aclname dstdomain .domain-name ...

Synopsis
Use this acl type when matching is to be done on the destination server's domain name.

Note:
The leading "." is significant: .domain-name matches the domain itself and every host beneath it.

Arguments
aclname
 Access list name
domain-name
 Destination domain

Example(s)
acl domain1 dstdomain .kovaiteam.com
This matches kovaiteam.com and any host below it (*.kovaiteam.com) in the request URL.
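The leading-dot rule for srcdomain and dstdomain values, as an added illustration that is not part of the manual or of Squid itself. The function reproduces the matching described above (".kovaiteam.com" matches the domain and every host beneath it; "kovaiteam.com" alone matches only that exact host); the host names are constructed sample data.

```python
# Added example, not from the Squid manual: how a dstdomain value with and
# without a leading "." is matched against the host name of a request URL.
# The host names below are constructed sample data.

def dstdomain_matches(acl_value: str, host: str) -> bool:
    """Return True if `host` matches one dstdomain ACL value.

    ".kovaiteam.com" matches kovaiteam.com and every host beneath it;
    "kovaiteam.com" (no leading dot) matches that exact host only.
    Comparison is case-insensitive and ignores a trailing root dot.
    """
    acl_value = acl_value.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if acl_value.startswith("."):
        domain = acl_value[1:]
        # the domain itself, or any label(s) followed by ".domain"
        return host == domain or host.endswith("." + domain)
    return host == acl_value


def matching_hosts(acl_value: str, hosts):
    """Filter a list of host names down to those the ACL value matches."""
    return [h for h in hosts if dstdomain_matches(acl_value, h)]


SAMPLE_HOSTS = [                      # constructed sample data
    "kovaiteam.com",
    "www.kovaiteam.com",
    "mail.eu.kovaiteam.com",
    "notkovaiteam.com",               # shares a suffix but is another domain
    "kovaiteam.com.example.test",     # the domain appears in the middle only
]

if __name__ == "__main__":
    for value in (".kovaiteam.com", "kovaiteam.com"):
        print(f"acl domain1 dstdomain {value}: {matching_hosts(value, SAMPLE_HOSTS)}")
```

The "notkovaiteam.com" entry is the case to watch: a naive suffix test on "kovaiteam.com" would match it, which is why the comparison requires either an exact match or a "." immediately before the domain.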

ACL TYPE      srcdom_regex

Description   Regular expression match against the client's domain name
Build Option  Default
Usage         acl aclname srcdom_regex [-i] pattern ...

Synopsis
The pattern is a regular expression matched against the client's (reverse-resolved) domain name. You can give a single pattern, a list of patterns, or the path to a file containing one pattern per line; a file path must be enclosed in double quotes. The -i flag makes the match case-insensitive.

Arguments
aclname
 Access list name
pattern
 Pattern to match

Example(s)
acl aclname srcdom_regex kovai - matches any client domain name containing the string kovai.

ACL TYPE      dstdom_regex

Description   Regular expression match against the destination domain
Build Option  Default
Usage         acl aclname dstdom_regex [-i] pattern ...

Synopsis
Matching is done on the destination domain (the host name in the request URL) using a regular expression; the -i flag makes the match case-insensitive.

Arguments
aclname
 Access list name
pattern
 Pattern to match

Example(s)
acl domain1 dstdom_regex redhat - matches any request whose destination domain contains the string redhat.

ACL TYPE      time

Description   This type is just what it sounds like: a means to create ACLs that are active during certain times of the day or certain days of the week
Build Option  Default
Usage         acl aclname time [day-abbrevs] [h1:m1-h2:m2]

Synopsis
Provides timed filter settings. This feature is often used to block some types of content or some sections of the internet during business or class hours. Many companies block pornography, entertainment, sports, and other clearly non-work related sites during business hours, but then unblock them after hours. This might improve workplace efficiency in some situations (or it might just offend the employees). This ACL type allows you to enter days of the week and a time range, or select all hours of the selected days.

Day-abbrevs:
S
 Sunday
M
 Monday
T
 Tuesday
W
 Wednesday
H
 Thursday
F
 Friday
A
 Saturday
Time:
h1:m1 must be less than h2:m2

Arguments
aclname
 Access list name
day-abbrevs
 Days list (as shown above)
h1:m1-h2:m2
 from and to time

Example(s)
acl acltime time M 9:00-17:00 - acltime matches on Mondays between 9:00 and 17:00.
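The day-abbreviation and time-range syntax above, as an added example that is not from the manual or from Squid's own code: a parser for the argument part of a time acl and a check of whether the acl is active at a given instant. It treats both ends of the h1:m1-h2:m2 window as inclusive, which is an assumption of this example rather than something the manual states; the sample dates are constructed.

```python
# Added example, not from the Squid manual: parsing and evaluating the
# argument part of "acl aclname time [day-abbrevs] [h1:m1-h2:m2]".
# Both ends of the time window are treated as inclusive (an assumption here).
import re
from datetime import datetime

# Squid day letters -> Python datetime.weekday() values (Monday = 0 ... Sunday = 6)
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}
TIME_RANGE = re.compile(r"(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})")


def parse_time_acl(spec: str):
    """Return (set of weekday numbers, (start_minute, end_minute) or None)."""
    days, window = set(), None
    for token in spec.split():
        m = TIME_RANGE.fullmatch(token)
        if m:
            h1, m1, h2, m2 = (int(x) for x in m.groups())
            start, end = h1 * 60 + m1, h2 * 60 + m2
            if start >= end:                # the manual's rule: h1:m1 must be less than h2:m2
                raise ValueError("h1:m1 must be less than h2:m2")
            window = (start, end)
            continue
        for letter in token:                # "MTWHF" is a run of single-letter day codes
            if letter not in DAY_CODES:
                raise ValueError(f"unknown day abbreviation {letter!r}")
            days.add(DAY_CODES[letter])
    if not days:                            # no day list given: every day of the week
        days = set(DAY_CODES.values())
    return days, window


def time_acl_matches(spec: str, when: datetime) -> bool:
    """True if the acl described by `spec` is active at the instant `when`."""
    days, window = parse_time_acl(spec)
    if when.weekday() not in days:
        return False
    if window is None:                      # days only: all hours of those days
        return True
    minute_of_day = when.hour * 60 + when.minute
    return window[0] <= minute_of_day <= window[1]


def active_at(spec: str, year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> bool:
    """Convenience wrapper: evaluate the acl at a calendar date and clock time."""
    return time_acl_matches(spec, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    # constructed sample instants: 3 June 2024 is a Monday, 8 June 2024 a Saturday
    for spec, when in [("M 9:00-17:00", (2024, 6, 3, 10, 30)),
                       ("M 9:00-17:00", (2024, 6, 3, 18, 0)),
                       ("MTWHF 9:00-17:00", (2024, 6, 7, 12, 0)),
                       ("A", (2024, 6, 8, 23, 59))]:
        print(f"acl acltime time {spec!r} at {when}: {active_at(spec, *when)}")
```

Because day letters and the time range are independent tokens, the same function covers the three forms the usage line allows: days only, a time range only (every day), and both together.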

ACL TYPE      url_regex

Description   Matches using a regular expression on the complete URL
Build Option  Default
Usage         acl aclname url_regex [-i] pattern

Synopsis
This ACL can be used to provide access control based on parts of the URL or a case insensitive match of the URL, and much more. The regular expressions used in Squid are provided by the GNU Regex library which is documented in the section 7 and 3 regex manpages. Regular expressions are also discussed briefly in a nice article by Guido Socher at LinuxFocus.

Arguments
aclname
 Access list name
pattern
 Pattern to match against the complete URL

Example(s)
acl reject url_regex -i ^http://www.google.co.in/index.html
reject matches the URL http://www.google.co.in/index.html (the -i flag makes the match case-insensitive). If you then write http_access deny reject, only http://www.google.co.in/index.html is denied, while http://www.google.co.in itself is still allowed.

ACL TYPE      urlpath_regex

Description   This ACL matches on the URL path, minus any protocol, port and host name information
Build Option  Default
Usage         acl aclname urlpath_regex [-i] pattern

Synopsis
The pattern is matched only against the URL path, i.e. the part of the URL after the host name (and port); the protocol and host do not take part in the match.

Arguments
aclname
 Access list name
pattern
 Pattern which is expected for match

Example(s)

acl reject url_regex -i index.html
reject contains the pattern index.html. If in the http_access if you deny reject, then for any url containing the pattern index.html will be denied.
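The difference between the two regex types, as an added example that is not from the manual or from Squid: url_regex searches the complete URL, while urlpath_regex searches only what follows the host name. Whether the query string counts as part of the path is an assumption made by this example, and the sample URLs are constructed.

```python
# Added example, not from the Squid manual: url_regex (pattern applied to the
# complete URL) versus urlpath_regex (pattern applied to the part after the
# host name only).  Keeping the query string as part of the path is an
# assumption of this example.
import re
from urllib.parse import urlsplit


def url_regex_matches(pattern: str, url: str, ignore_case: bool = False) -> bool:
    """url_regex: search the pattern anywhere in the complete URL."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, url, flags) is not None


def url_path(url: str) -> str:
    """Strip protocol, host and port; keep the path (and query, by assumption)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return path


def urlpath_regex_matches(pattern: str, url: str, ignore_case: bool = False) -> bool:
    """urlpath_regex: search the pattern in the URL path only."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, url_path(url), flags) is not None


SAMPLE_URLS = [                                   # constructed sample URLs
    "http://www.google.co.in/index.html",
    "http://www.google.co.in/",
    "http://www.google.co.in/index.html?lang=en",
    "http://INDEX.HTML.example.test/about",       # "index.html" occurs in the host only
]


def compare(pattern: str, urls=SAMPLE_URLS):
    """For each URL return (url, url_regex result, urlpath_regex result), both with -i."""
    return [(u, url_regex_matches(pattern, u, True), urlpath_regex_matches(pattern, u, True))
            for u in urls]


if __name__ == "__main__":
    for pattern in (r"^http://www.google.co.in/index.html", r"index.html"):
        print(f"pattern {pattern!r}")
        for url, whole, path_only in compare(pattern):
            print(f"  {url:45} url_regex={whole!s:5} urlpath_regex={path_only}")
```

Two things the output makes visible: the page's url_regex pattern is anchored only at the start, so it also matches http://www.google.co.in/index.html?lang=en, and an unescaped "." in a regex matches any character. Adding "$" and escaping the dots (^http://www\.google\.co\.in/index\.html$) restricts the acl to exactly that URL. The last sample URL shows why the urlpath_regex variant is the better choice for matching a file name: with url_regex the pattern index.html also fires on a host name that happens to contain it.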


ACL TYPE      urllogin

Description   Regular expression matching on the URL login field
Build Option  Default
Usage         acl aclname urllogin [-i] [^a-zA-Z0-9] ...

Synopsis
Regular expression matching on the URL login field, i.e. the user name part of a URL of the form http://user:password@host/.

Arguments
aclname
 Access list name
pattern
 Pattern to match

Example(s)
acl adminlogin urllogin -i administrator - matches requests whose URL login field contains the string administrator, ignoring case.

ACL TYPE      port

Description   This ACL matches on the destination port of the request
Build Option  Default
Usage         acl aclname port port-number ...
              acl aclname port range
Synopsis
Matching done on the destination port.

Arguments
aclname
 Access list name
port-number
 Destination port number
range
 Range of port numbers

Example(s)
The following allows access only to the destination 172.16.1.115 on port 80 from the network 172.16.1.0/24 and denies everything else:
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all
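The five-line configuration above, evaluated by a small reader for the acl types src, dst and port and for http_access. This is an added example, not code from the manual or from Squid. It makes two assumptions: the DNS step Squid performs for dst is left out, so each sample request carries an already-resolved destination IP, and the acl "all" is defined explicitly (as the recommended minimum acl configuration does) because the page's example uses it without defining it. It also covers the addr1-addr2/netmask range form from the src section; the sample requests are constructed.

```python
# Added example, not from the Squid manual: a small evaluator for the acl
# types src, dst and port together with http_access, run over the port example
# above.  Assumptions: dst takes an already-resolved destination IP (no DNS
# step), and the acl "all" is defined explicitly as Squid 2.6 requires.
import ipaddress
from dataclasses import dataclass

SQUID_CONF = """\
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all
"""


@dataclass
class Request:
    src_ip: str      # client address
    dst_ip: str      # origin server address (already resolved, by assumption)
    dst_port: int    # destination port of the URL


def parse_ip_spec(spec: str):
    """'addr', 'addr/mask' or 'addr1-addr2/mask' -> (first, last) as integers.

    The mask may be a prefix length (/24) or a dotted mask (/255.255.255.0).
    """
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        mask = ""
        if "/" in hi:
            hi, mask = hi.split("/", 1)
            mask = "/" + mask
        first = ipaddress.ip_network(lo + mask, strict=False)
        last = ipaddress.ip_network(hi + mask, strict=False)
        return int(first.network_address), int(last.broadcast_address)
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_port_spec(spec: str):
    """'80' or '1024-65535' -> (first, last)."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def parse_conf(text: str):
    """Collect acl definitions and http_access lines; comments and blanks are skipped."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            if acltype in ("src", "dst"):
                ranges = [parse_ip_spec(v) for v in values]
            elif acltype == "port":
                ranges = [parse_port_spec(v) for v in values]
            else:
                raise ValueError(f"acl type {acltype!r} not handled in this example")
            # several acl lines with the same name extend the same list
            acls.setdefault(name, (acltype, []))[1].extend(ranges)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))   # ("allow" | "deny", [aclname, ...])
    return acls, rules


def acl_matches(acls, name: str, req: Request) -> bool:
    """True if the named acl matches the request."""
    acltype, ranges = acls[name]
    if acltype == "src":
        value = int(ipaddress.ip_address(req.src_ip))
    elif acltype == "dst":
        value = int(ipaddress.ip_address(req.dst_ip))
    else:
        value = req.dst_port
    return any(lo <= value <= hi for lo, hi in ranges)


def http_access(conf_text: str, req: Request) -> str:
    """Walk the http_access lines in order; the first line whose acls all match decides."""
    acls, rules = parse_conf(conf_text)
    for action, names in rules:
        # every acl on one line must match; "!name" means the acl must not match
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # no line matched: Squid's default is the opposite of the last line
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for req in (Request("172.16.1.40", "172.16.1.115", 80),   # constructed sample requests
                Request("172.16.1.40", "172.16.1.115", 443),
                Request("10.0.0.5", "172.16.1.115", 80)):
        print(req, "->", http_access(SQUID_CONF, req))
```

The point the sample requests make is that the three acl names on one http_access line are ANDed: a request from mynet to the accelerated host is allowed only when the port also matches, and any request that fails one of the three falls through to the deny all line. Keeping the final deny all line is what makes the policy default-deny rather than relying on the fall-through rule.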


ACL TYPE      myport

Description   Matches against the local socket TCP port
Build Option  Default
Usage         acl aclname myport port-numbers ...

Synopsis
Matching is done on the local port on which the request was received.

Arguments
aclname
 Access list name
port-numbers
 Local interface port numbers

Example(s)
acl mp myport 3128
http_access deny mp
http_access allow all
These lines deny all requests arriving on local port 3128 and allow requests arriving on any other port.

ACL TYPE      proto

Description   This ACL matches on the protocol of the request
Build Option  Default
Usage         acl aclname proto protocol

Synopsis
Matching is done on the protocol used in the request, such as FTP, HTTP, ICP, etc.

Arguments
aclname
 Access list name
protocol
 Protocol to be matched

Example(s)
acl myproto proto HTTP FTP - matches requests using either the HTTP or the FTP protocol.

ACL TYPE      method

Description   This ACL type matches the HTTP method in the request headers, e.g. GET, PUT, etc.
Build Option  Default
Usage         acl aclname method method-type
Synopsis
Matching done based on the HTTP request method like GET, PUT, etc.

Arguments
aclname
 Access list name
method-type
 HTTP request method

Example(s)
acl getmethod method GET POST - matches the GET and POST methods only.

ACL TYPE      browser

Description   A regular expression that matches the client's browser type, based on the User-Agent request header