Disclaimer: This manual is NOT a Squid tutorial. It is only reference material that provides a detailed explanation of all configuration parameters available in Squid 3.0. The reader is expected to have prior knowledge of basic Squid installation and configuration. For a complete tutorial on Squid, please visit http://www.squid-cache.org

Squid 3.0 Configuration Manual - Access Control Parameters

ACCESS CONTROLS

Access control settings are among the most important features of Squid. You can configure Squid to set filters for various entities and at different granularities (e.g. filters for specific protocols, filters for certain types of commands, filters for specific routers, filters for specified domains, etc).

Contents

acl (ACL types: src, dst, myip, srcdomain, dstdomain, srcdom_regex, dstdom_regex, time, url_regex, urlpath_regex, port, myport, proto, method, browser, ident, ident_regex, src_as, dst_as, proxy_auth, proxy_auth_regex, snmp_community, maxconn, max_user_ip, req_mime_type, rep_mime_type, external, arp)
http_access, http_reply_access, icp_access, miss_access, cache_peer_access, ident_lookup_access, tcp_outgoing_tos, tcp_outgoing_address, reply_body_max_size, log_access
Example(s): Recommended minimum acl configuration, Recommended minimum http_access configuration

TAG NAME    acl

Description  Used to define an Access List
Build Option
 Default
Usage
 acl aclname acltype string1 ...
 acl aclname acltype "file"
Default
 Required minimum configuration for normal functioning

Synopsis
The first field is the name of the ACL, which is simply an assigned name and can be almost anything the user chooses. The second field is the type of the ACL, one of a number of choices that tells Squid which part of a request should be matched for this ACL. The possible types include the requesting client's address, the web server address or host name, a regular expression matching the URL, and many more. The final field is the actual string to match. Depending on the ACL type, this may be an IP address, a series of IP addresses, a URL, a host name, etc.

When using "file", the file should contain one item per line.

Arguments
aclname
 Name of the acl
acltype
 Type of acl
string
 String to match
file
 File containing the strings to match, one per line

ACL TYPE    src

Description  The IP address of the requesting client
Build Option
 Default
Usage
 acl aclname src ip-address/netmask ... (client's IP address)
 acl aclname src addr1-addr2/netmask ... (range of addresses)

Synopsis
Matching is done on the client's IP address.

Arguments
aclname
 Access list name
ip-address
 Client's IP address
netmask
 Network mask
addr1-addr2
 Range of IP addresses

Example(s)
acl network1 src 172.16.1.0/24 - refers to the whole network 172.16.1.0/24
acl source1 src 172.16.1.25/32 - refers to a single source address
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers to the range of IP addresses from 172.16.1.25 to 172.16.1.35

ACL TYPE    dst

Description  Same as src but looks for destination IP Address
Build Option
 Default
Usage
 acl aclname dst ip-address/netmask ... (URL host's IP address)

Synopsis
Squid first resolves the host name in the request to an IP address via DNS, then matches that address against this ACL.

Arguments
aclname
 Access list name
ip-address
 IP address of the origin server
netmask
 Network mask

Example(s)
acl dest dst 63.194.81.67/32

ACL TYPE    myip

Description  The local IP address on which the client connection exists
Build Option
 Default
Usage
 acl aclname myip ip-address/netmask ... (local socket IP address)

Synopsis
With this ACL type you can match on the local IP address on which the client's connection was accepted. This allows ACLs that only match one physical network when multiple interfaces are present on the proxy, among other things.

Arguments
aclname
 Access list name
ip-address
 IP address of the local machine
netmask
 Network mask

Example(s)
acl myip1 myip 172.16.1.53/32

ACL TYPE    srcdomain

Description  This acl type provides matches against the client domain name
Build Option
 Default
Usage
 acl aclname srcdomain .domain-name ...

Synopsis
The match can be a single domain name, a list of domain names, or the path to a file that contains a list of domain names. If a path to a file is given, it must be surrounded by parentheses. This ACL type can increase latency and decrease throughput significantly on a loaded cache, as it must perform an address-to-name lookup for each request, so it is usually preferable to use the src (client IP address) type.

Note:
The leading "." is significant: ".kovaiteam.com" matches the domain and all its subdomains.

Arguments
aclname
 Access list name
domain-name
 Clients domain name

Example(s)
acl mydomain srcdomain .kovaiteam.com

ACL TYPE    dstdomain

Description  This refers to the destination domain, i.e. the domain where the origin server is located
Build Option
 Default
Usage
 acl aclname dstdomain .domain-name ...

Synopsis
Use this ACL type when matching should be done on the destination server's domain.

Note:
The leading "." is significant: ".kovaiteam.com" matches the domain and all its subdomains.

Arguments
aclname
 Access list name
domain-name
 Destination domain

Example(s)
acl domain1 dstdomain .kovaiteam.com
This matches kovaiteam.com and any host under it (*.kovaiteam.com) in the URL.

ACL TYPE    srcdom_regex

Description  Matches against the client domain name
Build Option
 Default
Usage
 acl aclname srcdom_regex [-i] pattern ...

Synopsis
The match can be a single domain name, a list of domain names, or a path to a file that contains a list of domain names. If a path to a file is specified, it must be surrounded by parentheses.

Arguments
aclname
 Access list name
pattern
 Pattern to match

Example(s)
acl aclname srcdom_regex kovai - This looks for the string kovai in the client domain name.

ACL TYPE    dstdom_regex

Description  Provides match against destination domain
Build Option
 Default
Usage
 acl aclname dstdom_regex [-i] pattern ...

Synopsis
Matching is done on the destination domain using a regular expression.

Arguments
aclname
 Access list name
pattern
 Pattern to match

Example(s)
acl domain1 dstdom_regex redhat - This looks for the string redhat in the destination domain of the client's request.

ACL TYPE    time

Description  This type is just what it sounds like, providing a means to create ACLs that are active during certain times of the day or certain days of the week
Build Option
 Default
Usage
 acl aclname time [day-abbrevs] [h1:m1-h2:m2]

Synopsis
Provides timed filter settings. This feature is often used to block some types of content or some sections of the internet during business or class hours. Many companies block pornography, entertainment, sports, and other clearly non-work related sites during business hours, but then unblock them after hours. This might improve workplace efficiency in some situations (or it might just offend the employees). This ACL type allows you to enter days of the week and a time range, or select all hours of the selected days.

Day-abbrevs:
S
 Sunday
M
 Monday
T
 Tuesday
W
 Wednesday
H
 Thursday
F
 Friday
A
 Saturday
Time:
h1:m1 must be less than h2:m2

Arguments
aclname
 Access list name
day-abbrevs
 Days list (as shown above)
h1:m1-h2:m2
 from and to time

Example(s)
acl acltime time M 9:00-17:00 - acltime matches on Mondays from 9:00 to 17:00.

ACL TYPE    url_regex

Description  Matches using a regular expression on the complete URL
Build Option
 Default
Usage
 acl aclname url_regex [-i] pattern

Synopsis
This ACL can be used to provide access control based on parts of the URL or a case insensitive match of the URL, and much more. The regular expressions used in Squid are provided by the GNU Regex library which is documented in the section 7 and 3 regex manpages. Regular expressions are also discussed briefly in a nice article by Guido Socher at LinuxFocus.

Arguments
aclname
 Access list name
pattern
 Pattern to match against the complete URL

Example(s)
acl reject url_regex -i ^http://www.google.co.in/index.html
reject matches the entire URL http://www.google.co.in/index.html. If you deny reject in http_access, only the URL http://www.google.co.in/index.html is denied, while http://www.google.co.in is still allowed.


ACL TYPE    urlpath_regex

Description  This ACL matches on the URL path minus any protocol, port, and host name information
Build Option
 Default
Usage
 acl aclname urlpath_regex [-i] pattern

Synopsis
This ACL type matches the pattern against the path part of the URL only; if the pattern is found in the path, the ACL matches.

Arguments
aclname
 Access list name
pattern
 Pattern which is expected for match

Example(s)

acl reject urlpath_regex -i index.html
reject matches the pattern index.html in the URL path. If you deny reject in http_access, any URL whose path contains index.html will be denied.


ACL TYPE    port

Description  This ACL matches on the destination port for the request
Build Option
 Default
Usage
 acl aclname port port-number
 acl aclname port range

Synopsis
Matching done on the destination port.

Arguments
aclname
 Access list name
port-number
 Destination port number
range
 Range of port numbers

Example(s)
The following allows access only to the destination 172.16.1.115:80 from the network 172.16.1.0/24:
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all


ACL TYPE    myport

Description  This provides match against local socket TCP port
Build Option
 Default
Usage
 acl aclname myport port-numbers ...

Synopsis
Matching done on local interface port.

Arguments
aclname
 Access list name
port-numbers
 Local interface port numbers

Example(s)
acl mp myport 3128
http_access deny mp
http_access allow all
This denies all requests arriving on port 3128 and allows requests arriving on all other ports.

ACL TYPE    proto

Description  This ACL matches on the protocol of the request
Build Option
 Default
Usage
 acl aclname proto protocol

Synopsis
Matching is done on the protocol used in the request, such as FTP, HTTP, ICP, etc.

Arguments
aclname
 Access list name
protocol
 Protocol to be matched

Example(s)
acl myproto proto HTTP FTP - This matches the HTTP and FTP protocols.

ACL TYPE    method

Description  This ACL type matches the HTTP method in the request headers. This includes the methods GET, PUT, etc
Build Option
 Default
Usage
 acl aclname method method-type
 
Synopsis
Matching done based on the HTTP request method like GET, PUT, etc.

Arguments
aclname
 Access list name
method-type
 HTTP request method

Example(s)
acl getmethod method GET POST - This matches only the GET and POST methods.

ACL TYPE    browser

Description  A regular expression that matches the clients browser type based on the user agent header
Build Option
 Default
Usage
 acl aclname browser [-i] regexp
   
Synopsis
This allows ACLs to operate based on the browser type in use; for example, using this ACL type one could create an ACL for Netscape users and another for Internet Explorer users.

Arguments
aclname
 Access list name
regexp
 Regular expression matched against the User-Agent header

Example(s)
acl aclname browser MOZILLA
This matches requests from browsers whose User-Agent header contains the keyword MOZILLA (without -i the match is case sensitive, so a header beginning "Mozilla" would not match).

ACL TYPE    ident

Description  Provides string matching on user name
Build Option
 Default
Usage
 acl aclname ident username ...

Synopsis
Matching is based on ident lookups.

Note:
An external ident server must be running on the client machines.

Arguments
aclname
 Access list name
username
 Username to be matched

Example(s)
You can use ident to allow specific users access to your cache. In your squid.conf configuration file you would write something like this:
ident_lookup_access allow all
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

ACL TYPE    ident_regex

Description  Provides string match on ident output
Build Option
 Default
Usage
 acl aclname ident_regex [-i] pattern

Synopsis
Same as ident, but the match is a regular expression on the ident output.

Note:
An external ident server must be running on the client machines.

Arguments
aclname
 Access list name
pattern
 Pattern to be matched

Example(s)
In your squid.conf configuration file you would write something like this:
ident_lookup_access allow all
acl friends ident_regex joe
This looks for the pattern "joe" in the username.

ACL TYPE    src_as, dst_as

Description  Source Autonomous System Number (src_as) matches on the AS number of the source of the request; Destination Autonomous System Number (dst_as) matches on the AS number of the server being queried
Build Option
 Default
Usage
 acl aclname src_as number
 acl aclname dst_as number

Synopsis
The autonomous system number ACL types are generally only used in Cache Peer, or ICP, access restrictions. Autonomous system numbers are used in organizations that have multiple internet links and routers operating under a single administrative authority using the same gateway protocol. Routing decisions are then based on knowledge of the AS in addition to other possible data.

Arguments
aclname
 Access list name
number
 AS numbers to be matched

Example(s)
An example for routing all requests for AS#1241, and only those, to mycache.mydomain.net:
acl asexample dst_as 1241
cache_peer_access mycache.mydomain.net allow asexample
cache_peer_access mycache.mydomain.net deny all

ACL TYPE    proxy_auth

Description  This ACL type calls an external authenticator process to decide whether the request will be allowed
Build Option
 Default
Usage
 acl aclname proxy_auth [-i] username ...

Synopsis
Some of the authenticator helper programs available for Squid are PAM, NCSA, UNIX passwd, SMB, NTLM, etc. Note that authentication cannot work on a transparent proxy or HTTP accelerator. The HTTP protocol does not provide for two authentication stages (one local and one on remote Web sites). So in order to use an authenticator, your proxy must operate as a traditional proxy, where a client will respond appropriately to a proxy authentication request as well as external Web server authentication requests.

Note:
proxy_auth can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn't. When a Proxy-Authentication header is sent but it is not needed during ACL checking the username is NOT logged in access.log.

Arguments
aclname
 Access list name
username
 User name to be authenticated

Example(s)
acl ACLAUTH proxy_auth ramesh senthil muthu
http_access allow ACLAUTH
http_access deny all
The above configuration allows only ramesh, senthil and muthu, provided they give a valid username and password.

ACL TYPE    proxy_auth_regex

Description  As above, this ACL calls an external authenticator process, but allows regex pattern or case insensitive matches
Build Option
 Default
Usage
 acl aclname proxy_auth_regex [-i] pattern

Synopsis
Matching is based on a regular expression, evaluated through the external authentication process.

Arguments
aclname
 Access list name
pattern
 Pattern to be matched

Example(s)
acl ACLAUTH proxy_auth_regex -i mesh

ACL TYPE    snmp_community

Description  Provides matching against community string to limit access to your SNMP Agent
Build Option
 Default
Usage
 acl aclname snmp_community string ...

Synopsis
Matching is done on SNMP community strings.

Arguments
aclname
 Access list name
string
 String to be matched

Example(s)
acl snmppublic snmp_community public

ACL TYPE    maxconn

Description  Matches when the client's IP address has more than the specified number of HTTP connections established
Build Option
 Default
Usage
 acl aclname maxconn number

Synopsis
Matching is true when the defined number of HTTP connections has been established for a client.

Arguments
aclname
 Access list name
number
 Maximum number of HTTP connections

Example(s)
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn
The above configuration allows each client at most 5 concurrent HTTP connections; a client with more than 5 connections open is denied.

ACL TYPE    max_user_ip

Description  This is matched when the same user attempts to log in from more than the specified number of different IP addresses
Build Option
 Default
Usage
 acl aclname max_user_ip [-s] number

Synopsis
If -s is specified then the limit is strict, denying browsing from any further IP addresses until the ttl has expired. Without -s Squid will just annoy the user by "randomly" denying requests. (the counter is then reset each time the limit is reached and a request is denied). The authenticate_ip_ttl parameter controls the timeout on the ip entries.

Note:
1. An authentication program must be running for this; NCSA will do with a simple configuration.
2. In acceleration mode, or where there is a mesh of child proxies, clients may appear to come from multiple addresses if they go through proxy farms, so a limit of 1 may cause user problems.

Arguments
aclname
 Access list name
number
 Number of times to login

Example(s)
authenticate_ip_ttl 2 hours
acl maxuser max_user_ip -s 2
http_access deny maxuser
The same user can log in from at most 2 different machines; when he tries to log in a third time from a third system, he will not be allowed to browse.

ACL TYPE    req_mime_type

Description  Match against the mime type of the request generated by the client
Build Option
 Default
Usage
 acl aclname req_mime_type mime_type ...

Synopsis
Using this you can detect file uploads or some types of HTTP tunneling requests.

Arguments
aclname
 Access list name
mime_type
 Mime type at the requesting side

Example(s)
acl mymime req_mime_type text
This ACL looks for the string "text" in the MIME type of the request.

Note
This does NOT match the reply. You cannot use this to match the returned file type.

ACL TYPE    rep_mime_type

Description  Match against the mime type of the reply received by Squid
Build Option
 Default
Usage
 acl aclname rep_mime_type mime_type ...

Synopsis
Also, using this you can detect file downloads or some types of HTTP tunneling requests.

This has no effect in http_access rules. It only has effect in rules that affect the reply data stream such as http_reply_access.

Arguments
aclname
 Access list name
mime_type
 Mime type at the receiving side

Example(s)
acl m2 rep_mime_type ^application/pdf$
http_reply_access deny m2
This blocks access to application/pdf mime types.

ACL TYPE    arp

Description  Ethernet (MAC) address matching
Build Option
 --enable-arp-acl
Usage
 acl aclname arp mac-address

Synopsis
This option only works for clients on the same local subnet, and only for certain platforms. Linux, Solaris, and some BSD variants are the supported operating systems for this type of ACL. This ACL can provide a somewhat secure method of access control, because MAC addresses are usually harder to spoof than IP addresses, and you can guarantee that your clients are on the local network (otherwise no ARP resolution can take place).

Arguments
aclname
 Access list name
mac-address
 Physical address to be matched

Example(s)
acl ACLARP arp 11:12:13:14:15:16
ACLARP matches the Ethernet MAC address 11:12:13:14:15:16

Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

ACL TYPE    external

Description  Provides match against external ACL lookup via a helper class defined by the external_acl_type tag
Build Option
 Default
Usage
 acl aclname external class_name [arguments...]

Synopsis
Provides match against external ACL lookup via a helper class defined by the external_acl_type tag

Arguments
aclname
 Access list name
class_name
 Defined by external_acl_type tag

Example(s)
auth_param basic program < put your authenticator here >
auth_param basic children 20 
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1800 seconds
external_acl_type checkip children=20 %LOGIN %SRC /usr/local/Squid/bin/checkip.pl
acl password external checkip
acl it src 172.16.20.1-172.16.20.199/255.255.255.255
http_access allow it password
Allows the request when the client is in the it address range and the external helper checkip (given %LOGIN and %SRC) accepts the user, for example because the user belongs to a group permitted at that time and from that IP.

Recommended minimum acl configuration

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

TAG NAME    http_access

Description  Using this, you can allow or deny the access lists defined by acl
Build Option
 Default
Usage
 http_access allow|deny [!] aclname ...
Default
 http_access deny all

Synopsis
This is used to filter requests based on ACL matches. If none of the "access" lines match, the default is the opposite of the last line in the list: if the last line was deny, the default is allow, and if the last line was allow, the default is deny. For this reason it is a good idea to have a "deny all" or "allow all" entry at the end of your access lists to avoid potential confusion.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
See the worked examples at the end of this section:
(1) To allow http_access for only one machine with MAC address 00:08:c7:9f:34:41
(2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24
(3) Can I use multiple time access control lists for different users and different timings?
(4) Rules are read from top to bottom

Note
The deny all line is very important. After all the http_access rules, if access isn't denied, it's ALLOWED! So specifying a LOT of http_access allow rules and forgetting the deny all after them is the same as having nothing: if access isn't allowed by one of your rules, the default action (ALLOW) will be triggered. So don't forget the deny all rule AFTER all the rules.
And, finally, don't forget that rules are read from top to bottom. The first rule matched will be used; other rules won't be applied.

Recommended minimum http_access configuration

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

TAG NAME    http_reply_access

Description  This is complementary to http_access; it allows or denies the replies sent to clients
Build Option
 Default
Usage
 http_reply_access allow|deny [!] aclname ...
Default
 http_reply_access allow all

Synopsis
This is used for filtering based on ACL matches, but applied to the reply to the client's request. If none of the access lines match, the opposite of the last line applies, so it is good practice to end the rules with an "allow all" or "deny all" entry.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
acl reject urlpath_regex -i home
http_reply_access deny reject


TAG NAME    icp_access

Description  Allowing or Denying access to the ICP port based on defined access lists
Build Option
 Default
Usage
 icp_access  allow|deny [!] aclname ...
Default
 icp_access deny all

Synopsis
This tag controls ICP access based on the defined access lists.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
icp_access allow all
Allows ICP queries from everyone.


TAG NAME    miss_access

Description  Used to force your neighbours to use you as sibling instead of parent
Build Option
 Default
Usage
 miss_access allow|deny [!] aclname ...
Default
 miss_access allow all

Synopsis
This tag forces the neighbouring peers to treat you as sibling instead of parent.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
acl localclients src 172.16.0.0/16
miss_access allow localclients
miss_access deny !localclients
This means that only your local clients are allowed to fetch MISSES and all other clients can only fetch HITS.


TAG NAME    cache_peer_access

Description  Similar to cache_peer_domain but provides more flexibility by using ACL elements
Build Option
 Default
Usage
 cache_peer_access cache-host allow|deny [!]aclname ...
Default
 none

Synopsis
The syntax is identical to http_access and the other lists of ACL elements. See http_access for further reference.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
The following example could be used, if we want all requests from a specific IP address range to go to a specific cache server (for accounting purposes, for example). Here, all the requests from the 10.0.1.* range are passed to proxy.visolve.com, but all other requests are handled directly.

Using acls to select peers,

acl myNet src 10.0.0.0/255.255.255.0
acl custNet src 10.0.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
cache_peer proxy.visolve.com parent 3128 3130
cache_peer_access proxy.visolve.com allow custNet
cache_peer_access proxy.visolve.com deny all

TAG NAME    ident_lookup_access

Description  A list of ACL elements which, if matched, cause an ident (RFC 931) lookup to be performed for this request
Build Option
 Default
Usage
 ident_lookup_access allow|deny aclname
Default
 ident_lookup_access deny all

Synopsis
This tag allows or denies ident lookups on matching the access lists.

Note:
Only src type ACL checks are fully supported. A srcdomain ACL might work at times, but it will not always provide the correct result. This option may be disabled by using --disable-ident-lookups with the configure script.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
To enable ident lookups for specific client addresses, you can follow this example,
acl ident_aware_hosts src 198.168.1.0/255.255.255.0
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all

TAG NAME    tcp_outgoing_tos

Description  Allows you to select a TOS/Diffserv value to mark outgoing connections with, based on the username or source address making the request
Build Option
 Default
Usage
 tcp_outgoing_tos ds-field [!]aclname ...
Default
 none

Synopsis
The TOS/DSCP byte must be exactly that - a byte, value  0 - 255, or "default" to use whatever default your host has. Processing proceeds in the order specified, and stops at first fully matching line.

Arguments
ds-field
 Outgoing TOS value
aclname
 Identifier that contains the list to match on

Example(s)
acl good_service_net src 10.0.1.0/255.255.255.0
tcp_outgoing_tos 0x20 good_service_net
Here, good_service_net uses the TOS value 0x20

TAG NAME    tcp_outgoing_address

Description  Allows you to map requests to different outgoing IP addresses based on the username or source address of the user making the request
Build Option
 Default
Usage
 tcp_outgoing_address ipaddr [[!]aclname] ...
Default
 none

Synopsis
Processing proceeds in the order specified, and stops at first fully matching line.

Arguments
ipaddr
 Outgoing ip address
aclname
 Access lists

Example(s)
acl normal_net src 172.16.1.0/24
tcp_outgoing_address 172.16.1.53 normal_net
Here, requests from machines in the network 172.16.1.0/24 are sent to the origin server with 172.16.1.53 as their source address.

TAG NAME    reply_body_max_size

Description  This option specifies the maximum size of a reply body
Build Option
 Default
Usage
 reply_body_max_size size [acl acl...]
Default
 none

Synopsis
Using this you can prevent users from downloading very large files, such as MP3's and movies.

Note:
1. Downstream caches probably cannot detect a partial reply if there is no Content-Length header, so they will cache partial responses and give them out as hits. You should NOT use this option if you have downstream caches.
2. A maximum size smaller than the size of Squid's error messages will cause an infinite loop and crash Squid. Ensure that the smallest non-zero value you use is greater than the maximum header size plus the size of your largest error page.

Arguments
size
 Maximum reply body size
acl
 Access lists on which this functions during match

Example(s)
acl site url_regex -i ^http://www.visolve.com
reply_body_max_size 5 KB site
Here, the reply carries a Content-Length header, and its size is checked against the specified value. If it is greater than the limit, an error page is displayed for this site only, while access to other sites is allowed.

TAG NAME    log_access

Description  This option allows you to control which requests get logged to access.log
Build Option
 Default
Usage
 log_access allow|deny acl acl...
Default
 none

Synopsis
Sometimes you will not be interested in certain access to be logged in the access.log file. This can be implemented using this tag as follows.

Arguments
allow/deny
 Allow or deny on matching the acl
aclname
 Access list to be allowed/denied on match

Example(s)
acl google url_regex ^http://www.google.co.in
log_access deny google
access_log /usr/local/Squid3.0pre3/var/logs/access.log common
This will not log accesses to http://www.google.co.in in the access.log file.

Example(s)

(1) To allow http_access for only one machine with MAC Address 00:08:c7:9f:34:41

      To use MAC addresses in ACL rules, configure Squid with the option --enable-arp-acl.

acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all

(2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24

acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all

(3) Can I use multiple time access control lists for different users and different timings?

      ACL definitions,
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59

     Access controls,
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch

This is wrong, for the following reason:
Here the access line "http_access allow xyz morning lunch" will not work, because ACLs are interpreted like this ...

http_access RULE statement1 AND statement2 AND statement3 OR
http_access ACTION statement1 AND statement2 AND statement3 OR
........

So the ACL line "http_access allow xyz morning lunch" will never work, as pointed out, because at any given time morning AND lunch will ALWAYS be false: morning and lunch will NEVER be true at the same time. As one of them is false, and an http_access line combines its ACLs with AND, 0/1 AND 0 will always be 0 (false).

The fix is to split that line in two, so that it reads

http_access allow xyz AND morning OR
http_access allow xyz lunch

If the request comes from xyz and we are in one of the allowed times, one of the rules will match TRUE; the other will obviously match FALSE. TRUE OR FALSE is TRUE, and access will be permitted.

Finally Access Control looks...
http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all

(4) Rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied.

http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch

If xyz tries to access something in the morning, access will be granted. But if he tries to access something at lunchtime, access will be denied: it is denied by the "deny xyz" rule, which is matched before the "allow xyz lunch" rule.
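The AND-within-a-line, OR-across-lines and first-match rules that the http_access synopsis, examples (3) and (4) and the recommended minimum http_access configuration all rely on, as an added Python simulation that is not part of this manual or of Squid itself: it parses constructed acl/http_access lines (src, port, method and time types only) and reports which line decided each request. Treating the time range as inclusive at both ends, and the extra "allow localnet" line in the minimum configuration, are assumptions of this example.

```python
"""Simulate Squid's http_access decision for the ACL types this page explains.
Rules modelled (http_access synopsis, examples (3) and (4)): every ACL on one
line must match (AND); lines are tried top to bottom and the first full match
wins (OR); "!" negates one ACL; with no match, the default is the opposite of
the last line's action. Only src, port, method and time ACLs are handled, and
treating the time range as inclusive at both ends is an assumption made here.
"""
import ipaddress
from datetime import datetime

DAY_ABBREVS = "MTWHFAS"  # Squid's day letters in datetime.weekday() order (Mon=0)


def parse_config(text):
    """Return ({aclname: (acltype, values)}, [(action, [(negated, aclname)])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:1] == ["acl"]:
            name, acltype, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, (acltype, []))
            if entry[0] != acltype:
                raise ValueError(f"acl {name} redefined with type {acltype}")
            entry[1].extend(values)  # repeated lines accumulate, as with Safe_ports
        elif parts[:2] in (["http_access", "allow"], ["http_access", "deny"]):
            rules.append((parts[1], [(v[0] == "!", v.lstrip("!")) for v in parts[2:]]))
    return acls, rules


def port_match(spec, port):  # spec is "80" or a range such as "1025-65535"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def time_match(values, when):  # values e.g. ["M", "T", "9:00-17:00"] or ["14:00-14:30"]
    days = "".join(v for v in values if ":" not in v)
    spans = [v for v in values if ":" in v]
    if days and DAY_ABBREVS[when.weekday()] not in days:
        return False
    if not spans:
        return True
    (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in spans[0].split("-"))
    return h1 * 60 + m1 <= when.hour * 60 + when.minute <= h2 * 60 + m2


def acl_matches(acltype, values, req):
    if acltype == "src":
        client = ipaddress.ip_address(req["src"])
        return any(client in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":
        return any(port_match(v, req["port"]) for v in values)
    if acltype == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if acltype == "time":
        return time_match(values, req["when"])
    raise ValueError(f"acl type {acltype} is not modelled in this example")


def http_access(config, req):
    """Decide one request: returns ('allow' | 'deny', explanation)."""
    acls, rules = parse_config(config)
    for action, terms in rules:
        hit = True
        for negated, name in terms:
            acltype, values = acls[name]  # KeyError for an acl that was never defined
            if acl_matches(acltype, values, req) == negated:  # "!" flips the result
                hit = False
                break
        if hit:
            shown = " ".join(("!" if n else "") + a for n, a in terms)
            return action, f"first matching line: http_access {action} {shown}"
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, "no line matched; default is the opposite of the last line"


# Constructed configs: the page's example (3) as first written and as corrected,
# its ordering example (4), and the recommended minimum http_access lines with
# one constructed "allow localnet" line where a site's own allow rules would go.
ACLS = ("acl xyz src 172.161.163.86\nacl morning time 06:00-11:00\n"
        "acl lunch time 14:00-14:30\nacl all src 0.0.0.0/0.0.0.0\n")
WRONG = ACLS + "http_access allow xyz morning lunch\n"
FIXED = ACLS + "http_access allow xyz morning\nhttp_access allow xyz lunch\nhttp_access deny all\n"
ORDERING = ACLS + "http_access allow xyz morning\nhttp_access deny xyz\nhttp_access allow xyz lunch\n"
MINIMUM = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
LUNCH = datetime(2006, 7, 31, 14, 10)  # constructed: 14:10 on a Monday, inside "lunch"
XYZ = {"src": "172.161.163.86", "method": "GET", "port": 80, "when": LUNCH}

if __name__ == "__main__":
    for label, cfg in (("wrong", WRONG), ("fixed", FIXED), ("ordering", ORDERING)):
        print(f"{label:9}", *http_access(cfg, XYZ))
    for method, port in (("GET", 22), ("CONNECT", 80), ("CONNECT", 443)):
        req = {"src": "10.0.0.5", "method": method, "port": port, "when": LUNCH}
        print(f"{method} :{port}", *http_access(MINIMUM, req))
```

Running it shows the lunchtime request from xyz falling through to the default deny under the original line, matching "allow xyz lunch" after the split, and hitting "deny xyz" first in the ordering example.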




All rights reserved.
All trademarks used in this document are owned by their respective companies. This document makes no ownership claim of any trademark(s). If you wish to have your trademark removed from this document, please contact the copyright holder. No disrespect is meant by any use of other companies' trademarks in this document.
Note: The pages on this website cannot be duplicated on to another site. Copying and usage of the contents for personal and corporate purposes is acceptable. In near future, it will be released under the GNU Free Documentation License.

Revision No: 1.0  
Last Modified By: ViSolve Date: July 30 2006