ACLs (Access Control Lists) Define who can and who cannot access the proxy.

Access Control Lists (ACL) are lists with rules that are processed sequentially.

ACLs must be defined before they can be used.

Some default ACLs, such as all and localhost, already exist.

However, the mere definition of an ACL does not mean that it is actually applied.

This only happens when there is a corresponding http_access rule.

The syntax for ACL is:

acl ACL_NAME TYPE DATA

• ACL_NAME: Can be chosen arbitrarily.
• TYPE: Select from a variety of different options which can be found in the ACCESS CONTROLS section in the /etc/squid/squid.conf file.
• DATA: Depends on the individual ACL type and can also be read from a file. For example, “via” host names, IP addresses, or URLs.

• http_access defines who is allowed to use the proxy and who can access what on the Internet.
  • This ACL must be defined.
  • localhost and all have already been defined above for which you can deny or allow access via deny or allow.
  • A list containing any number of http_access entries can be created, processed from top to bottom. Depending on which occurs first, access is allowed or denied to the respective URL. The last entry should always be http_access deny all. In the following example, localhost has free access to everything while all other hosts are denied access completely:

    http_access allow localhost
    http_access deny all

• In another example using these rules, the group teachers always has access to the Internet. The group students only has access between Monday and Friday during lunch time:

    http_access deny localhost
    http_access allow teachers
    http_access allow students lunch time
    http_access deny all

• For readability, within the configuration file /etc/squid/squid.conf, specify all http_access options as a block.

• With this option, specify a URL rewriter.

• If users must be authenticated on the proxy, set a corresponding program, such as /usr/sbin/pam_auth. When accessing pam_auth for the first time, the user sees a login window in which they need to specify a user name and a password. In addition, you need an ACL, so only clients with a valid login can use the Internet:

    acl password proxy_auth REQUIRED

    http_access allow password
    http_access deny all

• In the acl proxy_auth option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.

• With this option, have an ident request run to find each user's identity for all clients defined by an ACL of the type src. Alternatively, use this for all clients, apply the predefined ACL all as the ACL_NAME.
• All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd ) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:

    acl identhosts ident REQUIRED

    http_access allow identhosts
    http_access deny all

• In the acl identhosts ident option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
• Using ident can slow down access time, because ident lookups are repeated for each request.

Add default 192.168.1.0/24, and any other LAN subnets, such as my IOT subnet of 192.168.70.0/24 and Guest subnet of 172.16.0.0/24.

Add any other IP that is allowed to use the proxy, for example, 100.1.2.3.

The teachers group always have access to the Internet. The students group only has access between Monday and Friday during lunch time:

acl AllowedHosts src 192.168.1.0/24
acl AllowedHosts src 192.168.70/0/24
acl AllowedHosts src 172.16.0.0/24

acl AllowedHosts src 100.1.2.3

acl teachers src 192.168.10.0/255.255.255.0 
acl students src 192.168.20.0-192.168.30.0/255.255.255.0 
acl lunch time MTWHF 12:00-13:00

#[ black-list and white-list rules will go in here in the next step ]

http_access deny localhost
http_access allow teachers
http_access allow students lunch time

http_access allow AllowedHosts
http_access deny all

The AllowedHosts is just a name given to these, but you can call this anything. This name will be referenced later.

Add additional ACL entries:

Decide which approach you want to follow:

• A black-listing proxy blocks offensive web sites. See black-list examples.

• A white-listing proxy only allows approved sites. A white-list has the benefit of blocking virtually everything that is not known to be “good”, but may take longer to configure. See white-list examples.

Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.

#______[ Black List ]_____________________________________________________

acl advdom      dstdomain       "/etc/squid/ad.domains"
acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
acl adv1exp     url_regex -i    "/etc/squid/ad1.exp"

acl baddom      dstdomain       "/etc/squid/bad.domains"
acl baddom      dstdomain       "/etc/squid/proxy.domains"
acl badexp      url_regex -i    "/etc/squid/bad.exp"

acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
acl offendexp   url_regex -i    "/etc/ffilter/offensive.exp"
acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
acl illegal     dstdomain       "/etc/ffilter/illegal.domains"

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:

acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight:
#
acl curfew time SMTWH   22:00-23:59
acl curfew time SMTWHF  00:00-7:00

#______[ White List ]_____________________________________________________

acl safedom     dstdomain       "/etc/ffilter/safe.domains"
acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
acl christdom   dstdomain       "/etc/ffilter/christian.domains"
acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
acl schooldom   dstdomain       "/etc/ffilter/school.domains"
acl employdom   dstdomain       "/etc/ffilter/employ.domains"


#______[ Rules ]__________________________________________________________

# 0. 'hardblock' regex and IP matches
#
http_access deny hardblock

# 1. Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
#http_access deny children gamedom

# Now block the stage zero regex blocks that are to come before safe regex
# holes; this is to allow certain parts of a regex to be blocked while the
# safe.exp match (for example) lets through the rest.  For example, we might
# have a "safe site" that has ads we want to block.
#
http_access deny adv0exp
http_access deny bad0exp
http_access deny offendexp

# Let through safe domains, but not regex
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom

# 3. Block bad domains, but not regex
#       Thus, the domain files should only contain domains which are TOTALLY bad.
#   If a domain is only mostly bad, it should go in the regex file instead so
#   that white-list rules can be applied.
#       Put another way, any domain in a domain blacklist NEVER gets through, even if
#   a white-list contains a regex pattern match.
#
http_access deny baddom
http_access deny violentIPs
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
http_access deny p2p

# Ads and spam are last because I'd first want to tell people if the domain
#   were bad for some other reason, and only as a last resort block it merely
#   because it was spam.
#
http_access deny advdom
http_access deny spamdom

# 4. Let through safe regex
#
http_access allow christexp
http_access allow safeexp

# 5. Block bad regex
#
http_access deny badexp
http_access deny violentexp
http_access deny drugexp
http_access deny gambleexp
http_access deny deceptexp

# Ads and spam expressions are the last to be blocked.
#
http_access deny adv1exp

# 6. Everything else is permitted for those hosts that are allowed.
#  
http_access allow AllowedHosts
http_access deny all

Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.

#______[ Black List ]_____________________________________________________

acl advIPs      dst             "/etc/squid/ad.IPs"
acl advdom      dstdomain       "/etc/squid/ad.domains"
acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"

acl baddom      dstdomain       "/etc/squid/bad.domains"
acl baddom      dstdomain       "/etc/squid/proxy.domains"
acl bad0exp     url_regex -i    "/etc/squid/bad.exp"

acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
acl illegal     dstdomain       "/etc/ffilter/illegal.domains"

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:

acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight:
#
acl curfew time SMTWH   22:00-23:59
acl curfew time SMTWHF  00:00-7:00

#______[ White List ]_____________________________________________________

acl safedom     dstdomain       "/etc/ffilter/safe.domains"
acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
acl christdom   dstdomain       "/etc/ffilter/christian.domains"
acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
acl schooldom   dstdomain       "/etc/ffilter/school.domains"
acl employdom   dstdomain       "/etc/ffilter/employ.domains"


#______[ Rules ]__________________________________________________________

# 0. 'hardblock' regex and IP matches
#
http_access deny hardblock

# 1. Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
#http_access deny children gamedom

# Now block the stage zero regex blocks that are to come before safe regex
# holes; this is to allow certain parts of a regex to be blocked while the
# safe.exp match (for example) lets through the rest.  For example, we might
# have a "safe site" that has ads we want to block.
#
http_access deny adv0exp
http_access deny bad0exp

# Let through safe domains, but not expressions yet
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom

# 3. Block bad domains (domains which have no desirable content).
#
http_access deny baddom
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
http_access deny p2p

# Ads and spam are last because I'd first want to tell people if the domain
#   were bad for some other reason, and only as a last resort block it merely
#   because it was spam.
#
http_access deny advdom
http_access deny spamdom

# 4. Let through safe expressions
#
http_access allow christexp
http_access allow safeexp

# 5. Everything else is denied.  Do NOT put the AllowedHosts ACL in here
#    or you will defeat the white-list.
#  
http_access deny all

Include the following into the same Allowed Subnets box. Place the RULES section at the bottom, but remember that RULES are processed top to bottom order until the first one that matches the criteria is met.

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:
#
acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight:
#
acl curfew time SMTWH   22:00-23:59
acl curfew time SMTWHF  00:00-7:00


# RULES:
#
# Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
#http_access deny children gamedom

http://www.squid-cache.org/Versions/v3/3.5/cfgman/acl.html

https://ispltd.org/server_guides:proxy

https://doc.opensuse.org/documentation/leap/archive/15.0/reference/html/book.opensuse.reference/cha.squid.html