accesscontrols

ACCESS CONTROLS

Access control settings are among the most important features of Squid. You can configure Squid to set filters for various entities and at different granularities (e.g. filters for specific protocols, filters for certain types of commands, filters for specific routers, filters for specified domains, etc).

acl

src

dst

myip

arp

srcdomain

dstdomain

srcdom_regex

dstdom_regex

time

url_regex

urlpath_regex

urllogin

port

myport

proto

method

browser

referer_regex

ident

ident_regex

src_as

dst_as

proxy_auth

proxy_auth_regex

snmp_community

maxconn

max_user_ip

req_mime_type

req_header

rep_mime_type

rep_header

external

urlgroup

user_cert

ca_cert

ext_user

ext_user_regex

   

follow_x_forwarded_for

acl_uses_indirect_client

delay_pool_uses_indirect_client

log_uses_indirect_client

http_access

http_access2

http_reply_access

icp_access

htcp_access

htcp_clr_access

miss_access

cache_peer_access

ident_lookup_access

tcp_outgoing_tos

tcp_outgoing_address

reply_header_max_size

reply_body_max_size

log_access



Example

Recommended minimum acl configuration

Recommended minimum http_access configuration

TAG NAME

acl

Description

Used to define an Access List

Build Option

Default

Usage

acl aclname acltype string1 ...
acl aclname acltype "file"

Default

Required minimum configuration for normal functioning

Synopsis

The first field represents the name of the ACL, which is simply an assigned name, that can be just about anything the user chooses. The second field is the type of the ACL, which can be one of a number of choices, that indicates to Squid what part of a request should be matched against for this ACL. The possible types include the requesting clients address, the Web server address or host name, a regular expression matching the URL, and many more. The final field is the actual string to match. Depending on what the ACL type is, this may be an IP address, a series of IP addresses, a URL, a host name, etc.

When using "file", the file should contain one item per line.

Arguments

aclname

Name of the acl

acltype

Type of acl

string

String to match

file

File that containing strings

ACL TYPE

src

Description

The IP address of the requesting client, or the clients IP Address

Build Option

Default

Usage

acl aclname src ip-address/netmask ... (clients IP address)
acl aclname src addr1-addr2/netmask ... (range of addresses)

Synopsis
Matching done based on clients ip address

Arguments

aclname

Access list name

ip-address

Clients ip address

netmask

Network mask

add1-addr2

Range of ip address

Examples
acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 - refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35

ACL TYPE

dst

Description

Same as src but looks for destination IP Address

Build Option

Default

Usage

acl aclname dst ip-address/netmask ... (URL host's IP address)

Synopsis
First Squid will dns-lookup for IPAddress from the domain-name, which is in request header. Then this acl is interpreted.

Arguments

aclname

Access list name

ip-address

ip-address of the oirgin server/machine

netmask

Network mask

Examples
acl dest dst 63.194.81.67/32

ACL TYPE

myip

Description

The local IP address on which the client connection exists.

Build Option

Default

Usage

acl aclname myip ip-address/netmask ... (local socket IP address)

Synopsis

Using this acl type, we can specify the local IP address on which the clients connections exists. This allows ACLs to be constructed that only match one physical network, if multiple interfaces are present on the proxy, among other things.

Arguments

aclname

Access list name

ip-address

ip address of the local machine

netmask

Network mask

Examples
acl myip1 myip 172.16.1.53/32

ACL TYPE

arp

Description

Ethernet (MAC) address matching

Build Option

--enable-arp-acl

Usage

acl aclname arp mac-address

Synopsis

This option only works for clients on the same local subnet, and only for certain platforms. Linux, Solaris, and some BSD variants are the supported operating systems for this type of ACL. This ACL can provide a somewhat secure method of access control, because MAC addresses are usually harder to spoof than IP addresses, and you can guarantee that your clients are on the local network (otherwise no ARP resolution can take place).

Arguments

aclname

Access list name

mac-address

Physical address to be matched

Example(s)
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers MACADDRESS of the ethernet 11:12:13:14:15:16

Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

ACL TYPE

srcdomain

Description

This acl type provides matches against the client domain name

Build Option

Default

Usage

acl aclname srcdomain .domain-name ...

Synopsis

Matching can be either a single domain name, or a list or domain names, or the path to a file that contains a list of domain names. If a path to a file, it must be surrounded by parentheses. This ACL type can increase the latency, and decrease throughput significantly on a loaded cache, as it must perform an address-to-name lookup for each request, so it is usually preferable to use the Client IP Address type.

Note: Here "." is more important.

Arguments

aclname

Access list name

domain-name

Clients domain name

Example(s)
acl mydomain srcdomain .kovaiteam.com

ACL TYPE

dstdomain

Description

This refers to destination domain i.e. the source domain where the origin server is located

Build Option

Default

Usage

acl aclname dstdomain .domain-name ...

Synopsis
When matching to be done based on the destination servers domain, you can use this acl type.

Note: Here "." is more important.

Arguments

aclname

Access list name

domain-name

Destination domain

Example(s)
acl domain1 dstdomain .kovaiteam.com
This looks for *.kovaiteam.com from URL

ACL TYPE

srcdom_regex

Description

Matches against the client domain name

Build Option

Default

Usage

acl aclname srcdom_regex [-i] pattern ...

Synopsis

Matching can be either a single domain name, or a list of domain names, or a path to a file that contains a list of domain names. If a path to a file ia specified, it must be surrounded parentheses.

Arguments

aclname

Access list name

pattern

Pattern to match

Example(s)
acl aclname srcdom_regex kovai - This looks for the word kovai from the client domain name

ACL TYPE

dstdom_regex

Description

Provides match against destination domain

Build Option

Default

Usage

acl aclname dstdom_regex [-i] pattern ...

Synopsis
Matching done on destination domain based on regular expression.

Arguments

aclname

Access list name

pattern

Patern to match

Example(s)
acl domain1 dstdom_regex redhat - This looks for the word redhat from the client's reqest.

ACL TYPE

time

Description

This type is just what it sounds like, providing a means to create ACLs that are active during certain times of the
day or certain days of the week

Build Option

Default

Usage

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

Synopsis

Provides timed filter settings. This feature is often used to block some types of content or some sections of the internet during business or class hours. Many companies block pornography, entertainment, sports, and other clearly non-work related sites during business hours, but then unblock them after hours. This might improve workplace efficiency in some situations (or it might just offend the employees). This ACL type allows you to enter days of the week and a time range, or select all hours of the selected days.

Day-abbrevs:

S

Sunday

M

Monday

T

Tuesday

W

Wednesday

H

Thursday

F

Friday

A

Saturday

Time:

h1:m1 must be less than h2:m2

Arguments

aclname

Access list name

day-abbrevs

Days list (as shown above)

h1:m1-h2:m2

from and to time

Example(s)
acl acltime time M 9:00-17:00 - acltime refers day of Monday and time from 9:00 to 17:00.

ACL TYPE

url_regex

Description

Matches using a regular expression on the complete URL

Build Option

Default

Usage

acl aclname url_regex [-i] pattern

Synopsis

This ACL can be used to provide access control based on parts of the URL or a case insensitive match of the URL, and much more. The regular expressions used in Squid are provided by the GNU Regex library which is documented in the section 7 and 3 regex manpages. Regular expressions are also discussed briefly in a nice article by Guido Socher at LinuxFocus.

Arguments

aclname

Access list name

pattern

Matching to be done for

Example(s)
acl reject url_regex -i ^http://www.google.co.in/index.html

reject contains the entire url http://www.google.co.in/index.html. If in the http_access if you deny reject, it will deny only the url http://www.google.co.in/index.html but allows the url http://www.google.co.in

ACL TYPE

urlpath_regex

Description

This ACL matches on the URL path minus any protocol, port, and host name information

Build Option

Default

Usage

acl aclname urlpath_regex [-i] pattern

Synopsis
This acl type expects for the particular pattern alone from the given URLs. If found the words, it will match it.

Arguments

aclname

Access list name

pattern

Pattern which is expected for match

Example(s)

acl reject url_regex -i index.html
reject contains the pattern index.html. If in the http_access if you deny reject, then for any url containing the pattern index.html will be denied.

ACL TYPE

urllogin

Description

The ACL regular expression matching on URL login field

Build Option

Default

Usage

acl aclname urllogin [-i] [^a-zA-Z0-9] ...

Synopsis
Regular Expression matching on URL login field

Arguments

aclname

Access list name

pattern

Pattern which ia expected for match

Example(s)
acl urllogin -i adminstrator

ACL TYPE

port

Description

This ACL matches on the destination port for the request

Build Option

Default

Usage

acl aclname port port-number
acl aclname port range

Synopsis
Matching done on the destination port.

Arguments

aclname

Access list name

port-number

Destination port number

range

Range of port numbers

Example(s)
The following allows access only to the destination 172.16.1.115:80 from network 172.16.1.0
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

ACL TYPE

myport

Description

This provides match against local socket TCP port

Build Option

Default

Usage

acl aclname myport port-numbers ...

Synopsis
Matching done on local interface port.

Arguments

aclname

Access list name

port-numbers

Local interface port numbers

Example(s)
acl mp myport 3128
http_access deny 3128
http_access allow all
These will deny all requests coming to the port 3128. Allows requests coming at all other ports.

ACL TYPE

proto

Description

This ACL matches on the protocol of the request

Build Option

Default

Usage

acl aclname proto protocol

Synopsis
Matching done based on protocol used in the request such as FTP, HTTP, ICP, etc.

Arguments

aclname

Access list name

protocol

Protocol to be matched

Example(s)
acl myproto proto HTTP FTP - This refer protocols HTTP and FTP

ACL TYPE

method

Description

This ACL type matches the HTTP method in the request headers. This includes the methods GET, PUT, etc

Build Option

Default

Usage

acl aclname method method-type

Synopsis
Matching done based on the HTTP request method like GET, PUT, etc.

Arguments

aclname

Access list name

method-type

HTTP request method

Example(s)
acl getmethod method GET POST - This refers get and post methods only.

ACL TYPE

browser

Description

A regular expression that matches the clients browser type based on the user agent header

Build Option

Default

Usage

acl aclname browser [-i] regexp

Synopsis

This allows for ACL's to operate based on the browser type in use, for example, using this ACL type, one could create an ACL for Netscape users and another for Internet Explorer users.

Arguments

aclname

Access list name

regexp

Browser name

Example(s)
acl aclname browser MOZILLA
This refers to the requests, which are coming from the browsers who have "MOZILLA" keyword in the user-agent header.

ACL TYPE

referer_regex

Description

Pattern match on Referer header

Build Option

Default

Usage

acl aclname referer_regex [-i] pattern

Synopsis
Pattern match on Referer header

Note: Referer is highly unreliable, so use with care

Arguments

aclname

Access list name

pattern

Pattern to be matched

Example(s)
In your Squid.conf configuration file you would write something like this,
acl expression referer_regex -i user1
This looks for the pattern "user1" in username

ACL TYPE

ident

Description

Provides string matching on user name

Build Option

Default

Usage

acl aclname ident username ...

Synopsis
Matching based on iden lookups.

Note: Need an external ident server server running on the client machines.

Arguments

aclname

Access list name

username

Username to be matched

Example(s)
You can use ident to allow specific users access to your cache. In your Squid.conf configuration file you would write something like this,
ident_lookup_access allow all
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

ACL TYPE

ident_regex

Description

Provides string match on ident output

Build Option

Default

Usage

acl aclname ident_regex [-i] pattern

Synopsis
Same as ident but matching is done on ident output.

Note: Need an external ident server server running on the client machines.
Arguments

aclname

Access list name

pattern

Pattern to be matched

Example(s)
In your Squid.conf configuration file you would write something like this,
ident_lookup-access allow all
acl friends ident_regex joe
This looks for the pattern "joe" in username

ACL TYPE

src_as, dst_as

Description

Source Autonomous System Number is another AS related ACL type, and matches on the AS number of thesource of
the request
Destination Autonomous System Number is the AS number of the server being queried

Build Option

Default

Usage

acl aclname src_as number
acl aclname dst_as number

Synopsis

The autonomous system number ACL types are generally only used in Cache Peer, or ICP, access restrictions. Autonomous system numbers are used in organizations that have multiple internet links and routers operating under a single administrative authority using the same gateway protocol. Routing decisions are then based on knowledge of the AS in addition to other possible data.

Arguments

aclname

Access list name

number

AS numbers to be matched

Example(s)
An example for routing all requests for AS#1241 and only those to mycache.mydomain.net
acl asexample dst_as 1241
cache_peer_access mycache.mydomain.net allow asexample
cache_peer_access mycache_mydomain.net deny all

ACL TYPE

proxy_auth

Description

This ACL type calls an external authenticator process to decide whether the request will be allowed

Build Option

Default

Usage

acl aclname proxy_auth [-i] username ...

Synopsis

Some of the authenticator helper programs available for Squid are PAM, NCSA, UNIX passwd, SMB, NTLM, etc. Note that authentication cannot work on a transparent proxy or HTTP accelerator. The HTTP protocol does not provide for two authentication stages (one local and one on remote Web sites). So in order to use an authenticator, your proxy must operate as a traditional proxy, where a client will respond appropriately to a proxy authentication request as well as external Web server authentication requests.

Note: proxy_auth can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn't. When a Proxy-Authentication header is sent but it is not needed during ACL checking the username is NOT logged in access.log.

Arguments

aclname

Access list name

username

User name to be authenticated


Example(s)
acl ACLAUTH proxy_auth ramesh senthil muthu
http_access allow ACLAUTH
http_access deny all
The above configuration will allow only ramesh, senthil and muthu if they give valid username and password.

ACL TYPE proxy_auth_regex
Description As above, this ACL calls an external authenticator process, but allows regex pattern or case insensitive matches
Build Option Default
Usage acl aclname proxy_auth_regex [-i] pattern

Synopsis
Matching based on regular expressions using external authentication process.

Arguments

aclname Access list name
pattern Pattern to be matched

Example(s)
acl ACLAUTH proxy_auth_regex -i mesh

 

ACL TYPE snmp_community string ...
Description Provides matching against community string to limit access to your SNMP Agent
Build Option Default
Usage acl aclname snmp_community string ...

Synopsis
Matching done on snmp community strings.

Arguments

aclname Access list name
string String to be matched

Example(s)
acl snmppublic snmp_community public

 

ACL TYPE maxconn
Description Matches when the client's IP address has more than the specified number of HTTP connections established
Build Option Default
Usage acl aclname maxconn number

Synopsis
Matching is true when the defined number of HTTP connections has been established for a client.

Arguments

aclname Access list name
number Maximum number of HTTP connections

Example(s)
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn
The above configuration will allow a maximum of 5 http connection to access.

 

ACL TYPE max_user_ip
Description This will be matched when the same user attempts to log in for more than the specified number of times from
different ip addresses
Build Option Default
Usage acl aclname max_user_ip [-s] number

Synopsis

If -s is specified then the limit is strict, denying browsing from any further IP addresses until the ttl has expired. Without -s Squid will just annoy the user by "randomly" denying requests. (the counter is then reset each time the limit is reached and a request is denied). The authenticate_ip_ttl parameter controls the timeout on the ip entries.

Note

1. Any authentication program must be running for this. NCSA will a simple configuration.
2. In acceleration mode or where there is mesh of child proxies, clients may appear to come from multiple addresses if they are going through proxy farms, so a limit of 1 may cause user problems.

Arguments

aclname Access list name
number Number of times to login

Example(s)
authenticate_ip_ttl 2 hours
acl maxuser max_user_ip -s 2
http_access deny maxuser
The same user can log to a maximum of 2 times from two different machines and when he tries to login for the third time from a third system, he will not be allowed to browse.

 

ACL TYPE req_mime_type
Description Match against the mime type of the request generated by the client
Build Option Default
Usage acl aclname req_mime_type mime_type ...

Synopsis
Using this you can detect file upload or some types HTTP tunneling requests.

Arguments

aclname Access list name
mime_type Mime type at the requesting side

Example(s)

acl mymime req_mime_type text
This acl looks for the pattern "text" in request mime header.

Note
This does NOT match the reply. You cannot use this to match the returned file type.

 

ACL TYPE req_header
Description Match against any of the known request headers.
Build Option Default
Usage acl aclname req_header header-name [-i] regular Expression

Synopsis

Regular Expression match against any of the known request headers.

May be thought of as a superset of "browser", "referer" and "mime-type" ACLs.

Arguments

aclname Access list name
header-name Name at the requesting side

Example(s)
acl myheader req_header text
This acl looks for the pattern "text" in request header.

 

ACL TYPE rep_mime_type
Description Match against the mime type of the reply received by Squid
Build Option Default
Usage acl aclname rep_mime_type mime_type ...

Synopsis
Also, using this, you can detect file download or some types HTTP tunneling requests.

This has no effect in http_access rules. It only has effect in rules that affect the reply data stream such as http_reply_access.

Arguments

aclname Access list name
mime_type Mime type at the receiving side

Example(s)

acl m2 rep_mime_type ^application/pdf$
http_reply_access deny m2
This blocks access to application/pdf mime types.

 

ACL TYPE rep_header
Description Match against any of the known response headers.
Build Option Default
Usage acl aclname rep_header header-name [-i] regular expression...

Synopsis
Regular Expression match against any of the known response headers.

Arguments

aclname Access list name
header-name Header name at the receiving side

Example(s)
acl many_spaces rep_header Content-Disposition -i [[:space:]]3,

 

ACL TYPE external
Description Provides match against external ACL lookup via a helper class defined by the external_acl_type tag
Build Option Default
Usage acl aclname external class_name [arguments...]

Synopsis

Provides match against external ACL lookup via a helper class defined by the external_acl_type tag

Arguments

aclname Access list name
class_name Defined by external_acl_type tag

Example(s)

auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web s