Table of Contents

Squid - ACLs - ACL Types

Access control settings are among the most important features of Squid. You can configure Squid to set filters for various entities and at different granularities (e.g. filters for specific protocols, filters for certain types of commands, filters for specific routers, filters for specified domains, etc).

aclsrcdstmyiparp
srcdomaindstdomainsrcdom_regexdstdom_regextime
url_regexurlpath_regexurlloginportmyport
protomethodbrowserreferer_regexident
ident_regexsrc_asdst_asproxy_authproxy_auth_regex
snmp_communitymaxconnmax_user_ipreq_mime_typereq_header
rep_mime_typerep_headerexternalurlgroupuser_cert
ca_certext_userext_user_regex
follow_x_forwarded_foracl_uses_indirect_clientdelay_pool_uses_indirect_clientlog_uses_indirect_clienthttp_access
http_access2http_reply_accessicp_accesshtcp_accesshtcp_clr_access
miss_accesscache_peer_accessident_lookup_accesstcp_outgoing_tostcp_outgoing_address
reply_header_max_sizereply_body_max_sizelog_access
ExampleRecommended minimum acl configurationRecommended minimum http_access configuration

acl

Used to define an Access List.

acl aclname acltype string1 ...
acl aclname acltype "file"

where


src

Matching done based on clients IP address.

The IP address of the requesting client, or the clients IP Address.

acl aclname src ip-address/netmask ... (clients IP address)
acl aclname src addr1-addr2/netmask ... (range of addresses)

where:

Examples:

acl network1 src 172.16.1.0/24 - refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 - refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 - refers range of IP Addresses from 172.16.1.25-172.16.1.35

dst

Same as src but looks for destination IP Address.

First Squid will dns-lookup for IPAddress from the domain-name, which is in request header. Then this acl is interpreted.

acl aclname dst ip-address/netmask ... (URL host's IP address)

where:

Examples

acl dest dst 63.194.81.67/32

myip

The local IP address on which the client connection exists.

This allows ACLs to be constructed that only match one physical network, if multiple interfaces are present on the proxy, among other things.

acl aclname myip ip-address/netmask ... (local socket IP address)

where:

Example:

acl myip1 myip 172.16.1.53/32

arp

Ethernet (MAC) address matching.

Build Option:

-enable-arp-acl

This option only works for clients on the same local subnet, and only for certain platforms:

This ACL can provide a somewhat secure method of access control, because MAC addresses are usually harder to spoof than IP addresses, and you can guarantee that your clients are on the local network (otherwise no ARP resolution can take place).

acl aclname arp mac-address

where:

Example(s)

acl ACLARP arp 11:12:13:14:15:16

ACLARP refers to the MACADDRESS of the ethernet 11:12:13:14:15:16.

NOTE: Squid can only determine the MAC address for clients that are on the same subnet.

If the client is on a different subnet, then Squid cannot find out its MAC address.


srcdomain

Matches against the client domain name.

Matching can be either a single domain name, or a list or domain names, or the path to a file that contains a list of domain names.

NOTE: If a path to a file, it must be surrounded by parentheses.

This ACL type can increase the latency, and decrease throughput significantly on a loaded cache, as it must perform an address-to-name lookup for each request, so it is usually preferable to use the Client IP Address type.

aclname srcdomain .domain-name ...
 

NOTE: Here “.” is more important.

where

Example:

acl mydomain srcdomain .sharewiz.net

dstdomain

This refers to destination domain.

acl aclname dstdomain .domain-name ...

NOTE: Here “.” is more important.

where:

Example(s)

acl domain1 dstdomain .sharewiz.net

This looks for *.sharewiz.net from URL


srcdom_regex

Matches against the client domain name.

Matching can be either a single domain name, or a list of domain names, or a path to a file that contains a list of domain names.

NOTE: If a path to a file is specified, it must be surrounded by parentheses.

acl aclname srcdom_regex [-i] pattern ...

where:

Example:

acl aclname srcdom_regex sharewiz

This looks for the word sharewiz from the client domain name


dstdom_regex

Matching done on destination domain based on regular expression.

acl aclname dstdom_regex [-i] pattern ...

where:

Example(s)

acl domain1 dstdom_regex redhat

This looks for the word redhat from the client's request.


time

Provides time filter settings; hat are active during certain times of the day or certain days of the week.

This feature is often used to block some types of content or some sections of the internet during business or class hours.

Many companies block pornography, entertainment, sports, and other clearly non-work related sites during business hours, but then unblock them after hours.

This might improve workplace efficiency in some situations (or it might just offend the employees).

This ACL type allows you to enter days of the week and a time range, or select all hours of the selected days.

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

where:

Day-abbrevs:

SSunday
MMonday
TTuesday
WWednesday
HThursday
FFriday
ASaturday

Time:

h1:m1 must be less than h2:m2

Example:

acl acltime time M 9:00-17:00

url_regex

Matches using a regular expression on the complete URL.

Can be used to provide access control based on parts of the URL or a case insensitive match of the URL, and much more.

The regular expressions used in Squid are provided by the GNU Regex library which is documented in the section 7 and 3 regex manpages.

acl aclname url_regex [-i] pattern

where:

Example:

acl reject url_regex -i ^https://www.google.co.uk/index.html

urlpath_regex

Matches on the URL path minus any protocol, port, and host name information.

If the words are found it will match.

acl aclname urlpath_regex [-i] pattern

where:

Example:

acl reject url_regex -i index.html

urllogin

Regular Expression matching on URL login field.

acl aclname urllogin [-i] [^a-zA-Z0-9] ...

where:

Example:

acl urllogin -i adminstrator

port

Matching done on the destination port.

acl aclname port port-number
acl aclname port range

where:

Example:

acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

The following allows access only to the destination 172.16.1.115:80 from network 172.16.1.0


myport

This provides match against local socket TCP interface port.

	
acl aclname myport port-numbers ...

where:

Example(s)

acl mp myport 3128
http_access deny 3128
http_access allow all

These will deny all requests coming to the port 3128.

Allows requests coming at all other ports.


proto

Matching done based on protocol used in the request such as FTP, HTTP, ICP, etc.

acl aclname proto protocol

where:

Example:

acl myproto proto HTTP FTP

This refers to HTTP and FTP protocols.


method

Matching done based on the HTTP request method like GET, PUT, etc.

acl aclname method method-type

where:

Example(s)

acl getmethod method GET POST

This refers to the GET and POST methods only.


browser

A regular expression that matches the clients browser type based on the user agent header

For example, using this ACL type, one could create an ACL for Netscape users and another for Internet Explorer users.

acl aclname browser [-i] regexp

where:

Example:

acl aclname browser MOZILLA

This refers to the requests, which are coming from the browsers who have “MOZILLA” keyword in the user-agent header.


referer_regex

Pattern match on Referer header.

WARNING: Referer is highly unreliable, so use with care.

acl aclname referer_regex [-i] pattern

where:

Example:

In your Squid.conf configuration file you would write something like this,

acl expression referer_regex -i user1

This looks for the pattern “user1” in username


ident

Provides string matching on user name.

Matching based on iden lookups.

NOTE: Need an external ident server server running on the client machines.

acl aclname ident username ...

where:

Example:

You can use ident to allow specific users access to your cache.

In your Squid.conf configuration file you would write something like this,

ident_lookup_access allow all
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

ident_regex

Provides string match on ident output.

Same as ident but matching is done on ident output.

NOTE: Need an external ident server server running on the client machines.

acl aclname ident_regex [-i] pattern

where:

Example:

In your Squid.conf configuration file you would write something like this,

ident_lookup-access allow all
acl friends ident_regex joe

This looks for the pattern “joe” in username


src_as, dst_as

Source Autonomous System Number is another AS related ACL type, and matches on the AS number of thesource of the request,

Destination Autonomous System Number is the AS number of the server being queried.

~The autonomous system number ACL types are generally only used in Cache Peer, or ICP, access restrictions.

Autonomous system numbers are used in organizations that have multiple internet links and routers operating under a single administrative authority using the same gateway protocol.

Routing decisions are then based on knowledge of the AS in addition to other possible data.

acl aclname src_as number
acl aclname dst_as number

where:

Example:

An example for routing all requests for AS#1241 and only those to mycache.mydomain.net

acl asexample dst_as 1241
cache_peer_access mycache.mydomain.net allow asexample
cache_peer_access mycache_mydomain.net deny all

proxy_auth

This ACL type calls an external authenticator process to decide whether the request will be allowed.

Some of the authenticator helper programs available for Squid are PAM, NCSA, UNIX passwd, SMB, NTLM, etc.

Note that authentication cannot work on a transparent proxy or HTTP accelerator. The HTTP protocol does not provide for two authentication stages (one local and one on remote Web sites).

So in order to use an authenticator, your proxy must operate as a traditional proxy, where a client will respond appropriately to a proxy authentication request as well as external Web server authentication requests.

NOTE: proxy_auth can't be used in a transparent proxy.

It collides with any authentication done by origin servers.

It may seem like it works at first, but it doesn't.

When a Proxy-Authentication header is sent but it is not needed during ACL checking the username is NOT logged in access.log.

acl aclname proxy_auth [-i] username ...

where:

Example:

<CODE> acl ACLAUTH proxy_auth peter john james http_access allow ACLAUTH http_access deny all </CODE>

The above configuration will allow only peter, john and james if they give valid username and password.


proxy_auth_regex

As above, this ACL calls an external authenticator process, but allows regex pattern or case insensitive matches.

Matching based on regular expressions using external authentication process.

acl aclname proxy_auth_regex [-i] pattern

where:

Example:

acl ACLAUTH proxy_auth_regex -i mesh

snmp_community string ...

matching against SNMP community stringS to limit access to your SNMP Agent.

acl aclname snmp_community string ...

where:

Example:

acl snmppublic snmp_community public

maxconn

Matches when the client's IP address has more than the specified number of HTTP connections established.

acl aclname maxconn number

where:

Example:

acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn

The above configuration will allow a maximum of 5 http connection to access.


max_user_ip

This will be matched when the same user attempts to log in for more than the specified number of times from different addresses,

If -s is specified then the limit is strict, denying browsing from any further IP addresses until the ttl has expired.

Without -s Squid will just annoy the user by “randomly” denying requests. (the counter is then reset each time the limit is reached and a request is denied).

The authenticate_ip_ttl parameter controls the timeout on the IP entries.

NOTE:

1. Any authentication program must be running for this. NCSA will a simple configuration.

2. In acceleration mode or where there is mesh of child proxies, clients may appear to come from multiple addresses if they are going through proxy farms, so a limit of 1 may cause user problems.

acl aclname max_user_ip [-s] number

where:

Example:

authenticate_ip_ttl 2 hours
acl maxuser max_user_ip -s 2
http_access deny maxuser

The same user can log to a maximum of 2 times from two different machines and when he tries to login for the third time from a third system, he will not be allowed to browse.


req_mime_type

Match against the mime type of the request generated by the client.

Using this you can detect file upload or some types HTTP tunneling requests.

acl aclname req_mime_type mime_type ...

where:

Example:

acl mymime req_mime_type text

This acl looks for the pattern “text” in request mime header.

NOTE: This does NOT match the reply.

You cannot use this to match the returned file type.


req_header

Regular Expression match against any of the known request headers.

May be thought of as a superset of “browser”, “referer” and “mime-type” ACLs.

acl aclname req_header header-name [-i] regular Expression

where:

Example:

acl myheader req_header text

This acl looks for the pattern “text” in request header.


rep_mime_type

Match against the mime type of the reply received by Squid.

Using this, you can detect file download or some types HTTP tunneling requests.

This has no effect in http_access rules. It only has effect in rules that affect the reply data stream such as http_reply_access.

acl aclname rep_mime_type mime_type ...

where:

Example:

acl m2 rep_mime_type ^application/pdf$
http_reply_access deny m2

This blocks access to application/pdf mime types.


rep_header

Regular Expression match against any of the known response headers.

acl aclname rep_header header-name [-i] regular expression...

where:

Example:

acl many_spaces rep_header Content-Disposition -i [[:space:]]3,

external

Provides match against external ACL lookup via a helper class defined by the external_acl_type tag.

acl aclname external class_name [arguments...]

where:

Example:

auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web s