Differences

This shows you the differences between two versions of the page.

--- squid:acls [2020/04/06 14:50] – [ACL Syntax] peter
+++ squid:acls [2020/07/15 09:30] (current) – external edit 127.0.0.1
@@ Line 16: / Line 16: @@
 acl name type definition1 definition2 definition3 ...
 </code>
+  * **name**:  Can be chosen arbitrarily.
+  * **type**:  See  [[Squid:ACLs:ACL Types|ACL Types]] for the different options.  This can be also found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
+  * **definitions...**:  Depends on the individual ACL type and can also be read from a file.  For example, “via” host names, IP addresses, or URLs.
 Examples:
@@ Line 25: / Line 31: @@
 acl need_to_authenticate proxy_auth
 </code>
+<WRAP info>
+**NOTE:**  Defining the ACLs alone does not actually block anything – it’s just a definition.
+You must also define the access they need - see further below.
+</WRAP>
@@ Line 48: / Line 60: @@
-Defining the ACLs alone does not actually block anything – it’s just a definition.
 ----
@@ Line 59: / Line 71: @@
 The most useful feature is the **http_access** statement.  It works similar to the way a firewall would handle rules.
-For each request that Squid receives it will look through all the **http_access** statements in order until it finds a line that matches.
+**http_access** defines who is allowed to use the proxy and who can access what on the Internet.
-It then either accepts or denys depending on your setting.
+  * For each request that Squid receives it will look through all the **http_access** statements in order, from top to bottom. until it finds a line that matches.
+  * It then either accepts or denys depending on your setting.
+  * The remaining rules are ignored.
+  * The last entry should always be **http_access deny all**.
-The remaining rules are ignored.
 The general syntax of an http_access line is:
@@ Line 74: / Line 88: @@
 <code>
-http_access allow accesses_from_admins
+http_access allow access_from_admins
-http_access deny accesses_to_porn_urls
+http_access deny access_to_porn_urls
-http_access allow accesses_during_lunchtime
+http_access allow access_during_lunchtime
 http_access deny all
 </code>
-This would allow accessing from the admins (whatever that ACL looks like – probably a src ACL pointing to the subnet where the admin workstations are in).
+  * This would allow accessing from the admins (whatever that ACL looks like – probably a src ACL pointing to the subnet where the admin workstations are in).
+  * For everyone else it will deny accesses to porn URLs.
+  * Then it would allow accesses from everyone to every web site during lunch time.
+  * And finally all other accesses would be denied.
-For everyone else it will deny accesses to porn URLs.
+Example 2:
-Then it would allow accesses from everyone to every web site during lunch time.
+<code>
+acl localhost src 127.0.0.1/32 ::1
+acl all src 0.0.0.0/0.0.0.0
+http_access allow localhost
+http_access deny all
+</code>
-And finally all other accesses would be denied.
+  * localhost has free access to everything while all other hosts are denied access completely.
+Example 3:
+<code>
+acl localhost src 127.0.0.1/32 ::1
+acl all src 0.0.0.0/0.0.0.0
+acl teachers src 192.168.10.0/255.255.255.0
+acl students src 192.168.20.0-192.168.30.0/255.255.255.0
+acl lunch time MTWHF 12:00-13:00
+http_access deny localhost
+http_access allow teachers
+http_access allow students lunch time
+http_access deny all
+</code>
+  * The group teachers always has access to the Internet.
+  * The group students only has access between Monday and Friday during lunch time.
+<WRAP tip>
+**TIP**:  For readability, within the configuration file /etc/squid/squid.conf, specify all **http_access** options as a block.
+</WRAP>
 ----
@@ Line 116: / Line 164: @@
 ===== Custom error pages (deny_info) =====
-By default when you deny access the user gets the error page that is stored in the ERR_ACCESS_DENIED file.
+By default when you deny access the user gets the error page that is stored in the **ERR_ACCESS_DENIED** file.
-But luckily you can define your own custom error pages and display them when you deny certain accesses. A simple example:
+But you can define your own custom error pages and display them when you deny certain access.  A simple example:
 <code>
@@ Line 137: / Line 185: @@
 </code>
-This will deny access only for the user from the IP address 10.0.5.16 when www.google.com is accessed.
+  * This will deny access only for the user from the IP address 10.0.5.16 when www.google.com is accessed.
+    * As you can see the ACLs admin and google are combined.  In such a combination the last ACL in the line is taken into account for lookups of **deny_info**.
-As you can see the ACLs admin and google are combined.  In such a combination the last ACL in the line is taken into account for lookups of **deny_info**.
+    * So it’s important that you define a **deny_info** for the google ACL.
-So it’s important that you define a **deny_info** for the google ACL.
 ----