ACCESS CONTROLS Access control settings are among the most important features of Squid. You can configure Squid to set filters for various entities and at different granularities (e.g. filters for specific protocols, filters for certain types of commands, filters for specific routers, filters for specified domains, etc).
|
|
TAG NAME
|
acl
|
Description
|
Used to define an Access List
|
Build Option
|
Default
|
Usage
|
acl aclname acltype string1 ... acl aclname acltype "file"
|
Default
|
Required minimum configuration for normal functioning
|
Synopsis
The first field represents the name of the ACL, which is simply an assigned name, that can be just about anything the user chooses. The second field is the type of the ACL, which can be one of a number of choices, that indicates to Squid what part of a request should be matched against for this ACL. The possible types include the requesting clients address, the Web server address or host name, a regular expression matching the URL, and many more. The final field is the actual string to match. Depending on what the ACL type is, this may be an IP address, a series of IP addresses, a URL, a host name, etc.
When using "file", the file should contain one item per line. Arguments
aclname
|
Name of the acl
|
acltype
|
Type of acl
|
string
|
String to match
|
file
|
File that containing strings
|
|
|
ACL TYPE
|
src
|
Description
|
The IP address of the requesting client, or the clients IP Address
|
Build Option
|
Default
|
Usage
|
acl aclname src ip-address/netmask ... (clients IP address) acl aclname src addr1-addr2/netmask ... (range of addresses)
|
Synopsis Matching done based on clients ip address
Arguments
aclname
|
Access list name
|
ip-address
|
Clients ip address
|
netmask
|
Network mask
|
add1-addr2
|
Range of ip address
|
Examples acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0 acl source1 src 172.16.1.25/32 - refers to a single source acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35
|
|
ACL TYPE
|
dst
|
Description
|
Same as src but looks for destination IP Address
|
Build Option
|
Default
|
Usage
|
acl aclname dst ip-address/netmask ... (URL host's IP address)
|
Synopsis First Squid will dns-lookup for IPAddress from the domain-name, which is in request header. Then this acl is interpreted.
Arguments
aclname
|
Access list name
|
ip-address
|
ip-address of the oirgin server/machine
|
netmask
|
Network mask
|
Examples acl dest dst 63.194.81.67/32
|
|
ACL TYPE
|
myip
|
Description
|
The local IP address on which the client connection exists.
|
Build Option
|
Default
|
Usage
|
acl aclname myip ip-address/netmask ... (local socket IP address)
|
Synopsis
Using this acl type, we can specify the local IP address on which the clients connections exists. This allows ACLs to be constructed that only match one physical network, if multiple interfaces are present on the proxy, among other things.
Arguments
aclname
|
Access list name
|
ip-address
|
ip address of the local machine
|
netmask
|
Network mask
|
Examples acl myip1 myip 172.16.1.53/32
|
|
ACL TYPE
|
arp
|
Description
|
Ethernet (MAC) address matching
|
Build Option
|
--enable-arp-acl
|
Usage
|
acl aclname arp mac-address
|
Synopsis
This option only works for clients on the same local subnet, and only for certain platforms. Linux, Solaris, and some BSD variants are the supported operating systems for this type of ACL. This ACL can provide a somewhat secure method of access control, because MAC addresses are usually harder to spoof than IP addresses, and you can guarantee that your clients are on the local network (otherwise no ARP resolution can take place).
Arguments
aclname
|
Access list name
|
mac-address
|
Physical address to be matched
|
Example(s) acl ACLARP arp 11:12:13:14:15:16 ACLARP refers MACADDRESS of the ethernet 11:12:13:14:15:16 Note Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.
|
|
ACL TYPE
|
srcdomain
|
Description
|
This acl type provides matches against the client domain name
|
Build Option
|
Default
|
Usage
|
acl aclname srcdomain .domain-name ...
|
Synopsis
Matching can be either a single domain name, or a list or domain names, or the path to a file that contains a list of domain names. If a path to a file, it must be surrounded by parentheses. This ACL type can increase the latency, and decrease throughput significantly on a loaded cache, as it must perform an address-to-name lookup for each request, so it is usually preferable to use the Client IP Address type.
Note: Here "." is more important.
Arguments
aclname
|
Access list name
|
domain-name
|
Clients domain name
|
Example(s) acl mydomain srcdomain .kovaiteam.com
|
|
ACL TYPE
|
dstdomain
|
Description
|
This refers to destination domain i.e. the source domain where the origin server is located
|
Build Option
|
Default
|
Usage
|
acl aclname dstdomain .domain-name ...
|
Synopsis When matching to be done based on the destination servers domain, you can use this acl type. Note: Here "." is more important.
Arguments
aclname
|
Access list name
|
domain-name
|
Destination domain
|
Example(s) acl domain1 dstdomain .kovaiteam.com This looks for *.kovaiteam.com from URL
|
|
ACL TYPE
|
srcdom_regex
|
Description
|
Matches against the client domain name
|
Build Option
|
Default
|
Usage
|
acl aclname srcdom_regex [-i] pattern ...
|
Synopsis
Matching can be either a single domain name, or a list of domain names, or a path to a file that contains a list of domain names. If a path to a file ia specified, it must be surrounded parentheses.
Arguments
aclname
|
Access list name
|
pattern
|
Pattern to match
|
Example(s) acl aclname srcdom_regex kovai - This looks for the word kovai from the client domain name
|
|
ACL TYPE
|
dstdom_regex
|
Description
|
Provides match against destination domain
|
Build Option
|
Default
|
Usage
|
acl aclname dstdom_regex [-i] pattern ...
|
Synopsis Matching done on destination domain based on regular expression.
Arguments
aclname
|
Access list name
|
pattern
|
Patern to match
|
Example(s) acl domain1 dstdom_regex redhat - This looks for the word redhat from the client's reqest.
|
|
ACL TYPE
|
time
|
Description
|
This type is just what it sounds like, providing a means to create ACLs that are active during certain times of the day or certain days of the week
|
Build Option
|
Default
|
Usage
|
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
|
Synopsis
Provides timed filter settings. This feature is often used to block some types of content or some sections of the internet during business or class hours. Many companies block pornography, entertainment, sports, and other clearly non-work related sites during business hours, but then unblock them after hours. This might improve workplace efficiency in some situations (or it might just offend the employees). This ACL type allows you to enter days of the week and a time range, or select all hours of the selected days.
Day-abbrevs:
|
S
|
Sunday
|
M
|
Monday
|
T
|
Tuesday
|
W
|
Wednesday
|
H
|
Thursday
|
F
|
Friday
|
A
|
Saturday
|
Time:
|
h1:m1 must be less than h2:m2
|
Arguments
aclname
|
Access list name
|
day-abbrevs
|
Days list (as shown above)
|
h1:m1-h2:m2
|
from and to time
|
Example(s) acl acltime time M 9:00-17:00 - acltime refers day of Monday and time from 9:00 to 17:00.
|
|
ACL TYPE
|
url_regex
|
Description
|
Matches using a regular expression on the complete URL
|
Build Option
|
Default
|
Usage
|
acl aclname url_regex [-i] pattern
|
Synopsis
This ACL can be used to provide access control based on parts of the URL or a case insensitive match of the URL, and much more. The regular expressions used in Squid are provided by the GNU Regex library which is documented in the section 7 and 3 regex manpages. Regular expressions are also discussed briefly in a nice article by Guido Socher at LinuxFocus.
Arguments
aclname
|
Access list name
|
pattern
|
Matching to be done for
|
Example(s) acl reject url_regex -i ^https://www.google.co.in/index.html
reject contains the entire url https://www.google.co.in/index.html. If in the http_access if you deny reject, it will deny only the url https://www.google.co.in/index.html but allows the url https://www.google.co.in
|
|
ACL TYPE
|
urlpath_regex
|
Description
|
This ACL matches on the URL path minus any protocol, port, and host name information
|
Build Option
|
Default
|
Usage
|
acl aclname urlpath_regex [-i] pattern
|
Synopsis This acl type expects for the particular pattern alone from the given URLs. If found the words, it will match it.
Arguments
aclname
|
Access list name
|
pattern
|
Pattern which is expected for match
|
Example(s)
acl reject url_regex -i index.html reject contains the pattern index.html. If in the http_access if you deny reject, then for any url containing the pattern index.html will be denied.
|
|
ACL TYPE
|
urllogin
|
Description
|
The ACL regular expression matching on URL login field
|
Build Option
|
Default
|
Usage
|
acl aclname urllogin [-i] [^a-zA-Z0-9] ...
|
Synopsis Regular Expression matching on URL login field
Arguments
aclname
|
Access list name
|
pattern
|
Pattern which ia expected for match
|
Example(s) acl urllogin -i adminstrator
|
|
ACL TYPE
|
port
|
Description
|
This ACL matches on the destination port for the request
|
Build Option
|
Default
|
Usage
|
acl aclname port port-number acl aclname port range
|
Synopsis Matching done on the destination port.
Arguments
aclname
|
Access list name
|
port-number
|
Destination port number
|
range
|
Range of port numbers
|
Example(s) The following allows access only to the destination 172.16.1.115:80 from network 172.16.1.0 acl acceleratedhost dst 172.16.1.115/255.255.255.255 acl acceleratedport port 80 acl mynet src 172.16.1.0/255.255.255.0 http_access allow acceleratedhost acceleratedport mynet http_access deny all
|
|
ACL TYPE
|
myport
|
Description
|
This provides match against local socket TCP port
|
Build Option
|
Default
|
Usage
|
acl aclname myport port-numbers ...
|
Synopsis Matching done on local interface port.
Arguments
aclname
|
Access list name
|
port-numbers
|
Local interface port numbers
|
Example(s) acl mp myport 3128 http_access deny 3128 http_access allow all These will deny all requests coming to the port 3128. Allows requests coming at all other ports.
|
|
ACL TYPE
|
proto
|
Description
|
This ACL matches on the protocol of the request
|
Build Option
|
Default
|
Usage
|
acl aclname proto protocol
|
Synopsis Matching done based on protocol used in the request such as FTP, HTTP, ICP, etc.
Arguments
aclname
|
Access list name
|
protocol
|
Protocol to be matched
|
Example(s) acl myproto proto HTTP FTP - This refer protocols HTTP and FTP
|
|
ACL TYPE
|
method
|
Description
|
This ACL type matches the HTTP method in the request headers. This includes the methods GET, PUT, etc
|
Build Option
|
Default
|
Usage
|
acl aclname method method-type
|
Synopsis Matching done based on the HTTP request method like GET, PUT, etc.
Arguments
aclname
|
Access list name
|
method-type
|
HTTP request method
|
Example(s) acl getmethod method GET POST - This refers get and post methods only.
|
|
ACL TYPE
|
browser
|
Description
|
A regular expression that matches the clients browser type based on the user agent header
|
Build Option
|
Default
|
Usage
|
acl aclname browser [-i] regexp
|
Synopsis
This allows for ACL's to operate based on the browser type in use, for example, using this ACL type, one could create an ACL for Netscape users and another for Internet Explorer users.
Arguments
aclname
|
Access list name
|
regexp
|
Browser name
|
Example(s) acl aclname browser MOZILLA This refers to the requests, which are coming from the browsers who have "MOZILLA" keyword in the user-agent header.
|
|
ACL TYPE
|
referer_regex
|
Description
|
Pattern match on Referer header
|
Build Option
|
Default
|
Usage
|
acl aclname referer_regex [-i] pattern
|
Synopsis Pattern match on Referer header Note: Referer is highly unreliable, so use with care
Arguments
aclname
|
Access list name
|
pattern
|
Pattern to be matched
|
Example(s) In your Squid.conf configuration file you would write something like this, acl expression referer_regex -i user1 This looks for the pattern "user1" in username
|
|
ACL TYPE
|
ident
|
Description
|
Provides string matching on user name
|
Build Option
|
Default
|
Usage
|
acl aclname ident username ...
|
Synopsis Matching based on iden lookups. Note: Need an external ident server server running on the client machines.
Arguments
aclname
|
Access list name
|
username
|
Username to be matched
|
Example(s) You can use ident to allow specific users access to your cache. In your Squid.conf configuration file you would write something like this, ident_lookup_access allow all acl friends ident kim lisa frank joe http_access allow friends http_access deny all
|
|
ACL TYPE
|
ident_regex
|
Description
|
Provides string match on ident output
|
Build Option
|
Default
|
Usage
|
acl aclname ident_regex [-i] pattern
|
Synopsis Same as ident but matching is done on ident output. Note: Need an external ident server server running on the client machines. Arguments
aclname
|
Access list name
|
pattern
|
Pattern to be matched
|
Example(s) In your Squid.conf configuration file you would write something like this, ident_lookup-access allow all acl friends ident_regex joe This looks for the pattern "joe" in username
|
|
ACL TYPE
|
src_as, dst_as
|
Description
|
Source Autonomous System Number is another AS related ACL type, and matches on the AS number of thesource of the request Destination Autonomous System Number is the AS number of the server being queried
|
Build Option
|
Default
|
Usage
|
acl aclname src_as number acl aclname dst_as number
|
Synopsis
The autonomous system number ACL types are generally only used in Cache Peer, or ICP, access restrictions. Autonomous system numbers are used in organizations that have multiple internet links and routers operating under a single administrative authority using the same gateway protocol. Routing decisions are then based on knowledge of the AS in addition to other possible data.
Arguments
aclname
|
Access list name
|
number
|
AS numbers to be matched
|
Example(s) An example for routing all requests for AS#1241 and only those to mycache.mydomain.net acl asexample dst_as 1241 cache_peer_access mycache.mydomain.net allow asexample cache_peer_access mycache_mydomain.net deny all
|
|
ACL TYPE
|
proxy_auth
|
Description
|
This ACL type calls an external authenticator process to decide whether the request will be allowed
|
Build Option
|
Default
|
Usage
|
acl aclname proxy_auth [-i] username ...
|
Synopsis
Some of the authenticator helper programs available for Squid are PAM, NCSA, UNIX passwd, SMB, NTLM, etc. Note that authentication cannot work on a transparent proxy or HTTP accelerator. The HTTP protocol does not provide for two authentication stages (one local and one on remote Web sites). So in order to use an authenticator, your proxy must operate as a traditional proxy, where a client will respond appropriately to a proxy authentication request as well as external Web server authentication requests.
Note: proxy_auth can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn't. When a Proxy-Authentication header is sent but it is not needed during ACL checking the username is NOT logged in access.log.
Arguments
aclname
|
Access list name
|
username
|
User name to be authenticated
|
Example(s) acl ACLAUTH proxy_auth ramesh senthil muthu http_access allow ACLAUTH http_access deny all The above configuration will allow only ramesh, senthil and muthu if they give valid username and password.
|
|
ACL TYPE |
proxy_auth_regex |
Description |
As above, this ACL calls an external authenticator process, but allows regex pattern or case insensitive matches |
Build Option |
Default |
Usage |
acl aclname proxy_auth_regex [-i] pattern |
Synopsis
Matching based on regular expressions using external authentication process.
Arguments
aclname |
Access list name |
pattern |
Pattern to be matched |
Example(s)
acl ACLAUTH proxy_auth_regex -i mesh
ACL TYPE |
snmp_community string ... |
Description |
Provides matching against community string to limit access to your SNMP Agent |
Build Option |
Default |
Usage |
acl aclname snmp_community string ... |
Synopsis
Matching done on snmp community strings.
Arguments
aclname |
Access list name |
string |
String to be matched |
Example(s)
acl snmppublic snmp_community public
ACL TYPE |
maxconn |
Description |
Matches when the client's IP address has more than the specified number of HTTP connections established |
Build Option |
Default |
Usage |
acl aclname maxconn number |
Synopsis
Matching is true when the defined number of HTTP connections has been established for a client.
Arguments
aclname |
Access list name |
number |
Maximum number of HTTP connections |
Example(s)
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn
The above configuration will allow a maximum of 5 http connection to access.
ACL TYPE |
max_user_ip |
Description |
This will be matched when the same user attempts to log in for more than the specified number of times from different ip addresses |
Build Option |
Default |
Usage |
acl aclname max_user_ip [-s] number |
Synopsis
If -s is specified then the limit is strict, denying browsing from any further IP addresses until the ttl has expired. Without -s Squid will just annoy the user by "randomly" denying requests. (the counter is then reset each time the limit is reached and a request is denied). The authenticate_ip_ttl parameter controls the timeout on the ip entries.
Note
1. Any authentication program must be running for this. NCSA will a simple configuration.
2. In acceleration mode or where there is mesh of child proxies, clients may appear to come from multiple addresses if they are going through proxy farms, so a limit of 1 may cause user problems.
Arguments
aclname |
Access list name |
number |
Number of times to login |
Example(s)
authenticate_ip_ttl 2 hours
acl maxuser max_user_ip -s 2
http_access deny maxuser
The same user can log to a maximum of 2 times from two different machines and when he tries to login for the third time from a third system, he will not be allowed to browse.
ACL TYPE |
req_mime_type |
Description |
Match against the mime type of the request generated by the client |
Build Option |
Default |
Usage |
acl aclname req_mime_type mime_type ... |
Synopsis
Using this you can detect file upload or some types HTTP tunneling requests.
Arguments
aclname |
Access list name |
mime_type |
Mime type at the requesting side |
Example(s)
acl mymime req_mime_type text
This acl looks for the pattern "text" in request mime header.
Note This does NOT match the reply. You cannot use this to match the returned file type.
ACL TYPE |
req_header |
Description |
Match against any of the known request headers. |
Build Option |
Default |
Usage |
acl aclname req_header header-name [-i] regular Expression |
Synopsis
Regular Expression match against any of the known request headers.
May be thought of as a superset of "browser", "referer" and "mime-type" ACLs.
Arguments
aclname |
Access list name |
header-name |
Name at the requesting side |
Example(s)
acl myheader req_header text
This acl looks for the pattern "text" in request header.
ACL TYPE |
rep_mime_type |
Description |
Match against the mime type of the reply received by Squid |
Build Option |
Default |
Usage |
acl aclname rep_mime_type mime_type ... |
Synopsis
Also, using this, you can detect file download or some types HTTP tunneling requests.
This has no effect in http_access rules. It only has effect in rules that affect the reply data stream such as http_reply_access.
Arguments
aclname |
Access list name |
mime_type |
Mime type at the receiving side |
Example(s)
acl m2 rep_mime_type ^application/pdf$
http_reply_access deny m2
This blocks access to application/pdf mime types.
ACL TYPE |
rep_header |
Description |
Match against any of the known response headers. |
Build Option |
Default |
Usage |
acl aclname rep_header header-name [-i] regular expression... |
Synopsis
Regular Expression match against any of the known response headers.
Arguments
aclname |
Access list name |
header-name |
Header name at the receiving side |
Example(s)
acl many_spaces rep_header Content-Disposition -i [[:space:]]3,
ACL TYPE |
external |
Description |
Provides match against external ACL lookup via a helper class defined by the external_acl_type tag |
Build Option |
Default |
Usage |
acl aclname external class_name [arguments...] |
Synopsis
Provides match against external ACL lookup via a helper class defined by the external_acl_type tag
Arguments
Example(s)
auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web s