Squid 2.4 Stable1 Configuration Manual
Tag Name
acl

Usage
acl aclname acltype string1 ... | "file"

Description
This tag is used for defining an Access List. When using "file", the file should contain one item per line. By default, regular expressions are CASE-SENSITIVE. To make them case-insensitive, use the -i option.

Acl types:

src
This matches on the client IP address.

Usage
acl aclname src ip-address/netmask

Example
-

Note
While giving the netmask, caution must be exercised in what value is given.

dst
This is the same as src, the only difference being that it refers to the server IP address. Squid first does a DNS lookup for the IP address of the domain name in the request header; then this acl is interpreted.

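As an added example (Python, not part of this manual), the following models how a src or dst element of the form ip-address/netmask is matched against an address, and adds the review check a squid.conf auditor wants: a netmask that constrains too few bits turns a "my network" acl into "everyone". The acl names and values are constructed for the example.

```python
# Added example, not from the Squid manual: how an "acl NAME src ip/netmask"
# (or dst) element is matched, and why a careless netmask widens the rule.
import ipaddress

# Constructed acl values in the dotted-netmask form Squid 2.4 uses.
SRC_ACLS = {
    "mynet": "172.16.1.0/255.255.255.0",        # intended: one /24 network
    "onehost": "172.16.1.115/255.255.255.255",  # a single host
    "all": "0.0.0.0/0.0.0.0",                   # Squid's default "acl all src"
    "typo": "172.16.1.0/0.0.0.0",               # mistyped netmask: matches everyone
}


def parse_network(spec):
    """'ip/netmask' (dotted or prefix length) -> IPv4Network.
    strict=False accepts host bits being set, e.g. 172.16.1.115/255.255.255.255."""
    return ipaddress.IPv4Network(spec, strict=False)


def src_matches(spec, client_ip):
    """True when the client address lies inside the acl's network."""
    return ipaddress.IPv4Address(client_ip) in parse_network(spec)


def constrained_bits(spec):
    """How many address bits the acl actually constrains; 0 means 'any address'."""
    return parse_network(spec).prefixlen


def overly_broad(acls, min_bits=8):
    """Names of src/dst acls whose netmask constrains fewer than min_bits bits.
    A review check for squid.conf: 'all' is expected in this list, 'typo' is not."""
    return sorted(name for name, spec in acls.items() if constrained_bits(spec) < min_bits)


if __name__ == "__main__":
    for name, spec in SRC_ACLS.items():
        print(f"{name:8} {spec:28} matches 10.0.0.1? {src_matches(spec, '10.0.0.1')}")
    print("over-broad:", overly_broad(SRC_ACLS))
```

The only acl that should ever match every address is the one you intend to (Squid's own "all"); anything else that overly_broad reports is worth a second look before the config goes live.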
srcdomain
Since Squid needs to do a reverse DNS lookup (from client IP address to client domain name) before this acl is interpreted, this lookup adds some delay to the request.

Usage
acl aclname srcdomain domain-name

Example
acl aclname srcdomain .kovaiteam.com

Note
Here the leading "." is important.

dstdomain
This is the effective method to control access to a specific domain.

Usage
acl aclname dstdomain domain-name

Example
acl aclname dstdomain .kovaiteam.com
Hence this looks for *.kovaiteam.com in the URL.

Note
Here the leading "." is important.

srcdom_regex
Since Squid needs to do a reverse DNS lookup (from client IP address to client domain name) before this acl is interpreted, this lookup adds some delay to the request.

Usage
acl aclname srcdom_regex pattern

Example
acl aclname srcdom_regex kovai
Hence this looks for the word "kovai" in the client domain name.

Note
Better to avoid using this acltype, to stay away from the latency.

dstdom_regex
This is also an effective method, like dstdomain.

Usage
acl aclname dstdom_regex pattern

Example
acl aclname dstdom_regex kovai
Hence this looks for the word "kovai" in the destination (server) domain name.

time
Time of day, and day of week

Usage
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2

Example
acl ACLTIME time M 9:00-17:00
ACLTIME refers to Monday from 9:00 to 17:00.

url_regex
url_regex searches the entire URL for the regular expression you specify. Note that these regular expressions are case-sensitive.

Usage
acl aclname url_regex pattern

Example
acl ACLREG url_regex cooking
ACLREG refers to URLs containing "cooking", not "Cooking".

urlpath_regex
urlpath_regex does regular expression pattern matching on the URL, but without the protocol and hostname. Note that these regular expressions are case-sensitive.

Usage
acl aclname urlpath_regex pattern

Example
acl ACLPATHREG urlpath_regex cooking
ACLPATHREG refers only to URLs containing "cooking", not "Cooking", and without reference to the protocol and hostname. If the URL is http://www.visolve.com/folder/subdir/cooking/first.html then this acltype only looks at the part after http://www.visolve.com/ .

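As an added example (Python, not from this manual or from Squid's own source), the following shows what url_regex and urlpath_regex each match against, and how the -i option from the acl description changes case handling. The URL with the "cooking" hostname is constructed; the visolve.com URL is the manual's own example.

```python
# Added example, not from the Squid manual: what url_regex and urlpath_regex
# each see, and what the -i option changes. Patterns are unanchored searches,
# as with Squid's regex acls, unless you anchor them with ^ or $ yourself.
import re
from urllib.parse import urlsplit


def url_path(url):
    """The part urlpath_regex matches: the URL without protocol and hostname,
    i.e. the path plus any query string."""
    parts = urlsplit(url)
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")


def compile_acl_regex(pattern, case_insensitive=False):
    """Squid regexes are case-sensitive by default; -i turns that off."""
    return re.compile(pattern, re.IGNORECASE if case_insensitive else 0)


def url_regex_matches(pattern, url, case_insensitive=False):
    """acl NAME url_regex [-i] pattern: searched against the entire URL."""
    return compile_acl_regex(pattern, case_insensitive).search(url) is not None


def urlpath_regex_matches(pattern, url, case_insensitive=False):
    """acl NAME urlpath_regex [-i] pattern: searched against path and query only."""
    return compile_acl_regex(pattern, case_insensitive).search(url_path(url)) is not None


if __name__ == "__main__":
    # Constructed URLs; the first is the manual's own example URL.
    for u in ("http://www.visolve.com/folder/subdir/cooking/first.html",
              "http://cooking.example.net/index.html"):
        print(u, "url_regex cooking:", url_regex_matches("cooking", u),
              "urlpath_regex cooking:", urlpath_regex_matches("cooking", u))
```

The second URL is the case that surprises people: a word that appears only in the hostname is found by url_regex but never by urlpath_regex, so a path-only rule cannot be used to block or allow a site by name.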
port
Access can be controlled by destination (server) port address.

Usage
acl aclname port port-no

Example
This example allows http_access only to the destination 172.16.1.115:80 from network 172.16.1.0:
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

proto
This specifies the transfer protocol.

Usage
acl aclname proto protocol

Example
acl aclname proto HTTP FTP
This refers to the protocols HTTP and FTP.

method
This specifies the type of the request method.

Usage
acl aclname method method-type

Example
acl aclname method GET POST
This refers to the GET and POST methods only.

browser
Regular expression pattern matching on the request's User-Agent header

Usage
acl aclname browser pattern

Example
acl aclname browser MOZILLA
This refers to requests coming from browsers that have the "MOZILLA" keyword in the User-Agent header.

ident
String matching on the user's name

Usage
acl aclname ident username ...

Example
You can use ident to allow specific users access to your cache. This requires that an ident server process runs on the user's machine(s). In your squid.conf configuration file you would write something like this:
ident_lookup on
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

ident_regex
Regular expression pattern matching on the user's name (string match on ident output). Use REQUIRED to accept any non-null ident.

Usage
acl aclname ident_regex pattern

Example
You can use ident to allow specific users access to your cache. This requires that an ident server process run on the user's machine(s). In your squid.conf configuration file you would write something like this:
ident_lookup on
acl friends ident_regex joe
This looks for the pattern "joe" in the username.

src_as
Source (client) Autonomous System number

dst_as
Destination (server) Autonomous System number

proxy_auth
User authentication via external processes. proxy_auth requires an EXTERNAL authentication program to check username/password combinations (see authenticate_program).

Usage
acl aclname proxy_auth username ...
Use REQUIRED instead of a username to accept any valid username.

Example
acl ACLAUTH proxy_auth venkatesh balu deepa
This acl is for authenticating the users venkatesh, balu and deepa by external programs.

Warning
proxy_auth can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn't. When a Proxy-Authentication header is sent but is not needed during ACL checking, the username is NOT logged in access.log.

proxy_auth_regex
This is the same as proxy_auth with one difference: it matches the pattern against the usernames, which are given by authenticate_program.

Usage
acl aclname proxy_auth_regex [-i] pattern ...

snmp_community
SNMP community string matching

max_conn
A limit on the maximum number of connections from a single client IP address

req_mime_type
Regular expression pattern matching on the request Content-Type header

Usage
acl aclname req_mime_type pattern

Example
acl aclname req_mime_type text
This acl looks for the pattern "text" in the request MIME header.

arp
Ethernet (MAC) address matching. This acl is supported on Linux, Solaris, and probably BSD variants. NOTE: Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address. To use ARP (MAC) access controls, you first need to compile in the optional code. Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
If everything compiles, then you can add some ARP ACL lines to your squid.conf.

Usage
acl aclname arp ARP-ADDRESS

Example
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers to the MAC address of the Ethernet interface 11:12:13:14:15:16.

Default
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

Example
See the examples given in the access list types above.

Tag Name
http_access

Usage
http_access allow|deny [!]aclname ...

Description
Allowing or denying http access based on defined access lists. If none of the "access" lines cause a match, the default is the opposite of the last line in the list. If the last line was deny, then the default is allow. Conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have a "deny all" or "allow all" entry at the end of your access lists to avoid potential confusion.

Default
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
If there are no "access" lines present, the default is to allow the request.

Tag Name
icp_access

Usage
icp_access allow|deny [!]aclname ...

Description
Allowing or denying access to the ICP port based on defined access lists

Default
icp_access deny all

Example
icp_access allow all - Allow ICP queries from everyone

Caution
-

Tag Name
miss_access

Usage
miss_access allow|deny [!]aclname ...

Description
Use this to force your neighbors to use you as a sibling instead of a parent. For example:
acl localclients src 172.16.0.0/16
miss_access allow localclients
miss_access deny !localclients
This means that only your local clients are allowed to fetch MISSES and all other clients can only fetch HITS.

Default
By default, allow all clients who passed the http_access rules to fetch MISSES from us.
miss_access allow all

Example
-

Caution
-

Tag Name
cache_peer_access

Usage
cache_peer_access cache-host allow|deny [!]aclname ...

Description
Similar to 'cache_peer_domain' but provides more flexibility by using ACL elements. The syntax is identical to 'http_access' and the other lists of ACL elements. See the comments for 'http_access' below, or the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).

Default
none

Example
-

Caution
-

Tag Name
proxy_auth_realm

Usage
proxy_auth_realm string

Description
Specifies the realm name which is to be reported to the client for proxy authentication (part of the text the user will see when prompted for the username and password).

Default
proxy_auth_realm Squid proxy-caching web server

Example
proxy_auth_realm My Caching Server

Caution
-

Tag Name
ident_lookup_access

Usage
ident_lookup_access allow|deny aclname ...

Description
A list of ACL elements which, if matched, cause an ident (RFC 931) lookup to be performed for this request. For example, you might choose to always perform ident lookups for your main multi-user Unix boxes, but not for your Macs and PCs.

Default
By default, ident lookups are not performed for any requests.

Example
To enable ident lookups for specific client addresses, you can follow this example:
acl ident_aware_hosts src 198.168.1.0/255.255.255.0
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all

Caution
This option may be disabled by using --disable-ident with the configure script.

(2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2/24
(3) Can I use multiple time access control lists for different users for different timings? Like AclDefinitions
Access Controls
This is wrong. See the Description below.
So, the ACL "http_access allow xyz morning lunch" will never work, as pointed out by me, because at any given time, morning AND lunch will ALWAYS be false, because both morning and lunch will NEVER be true at the same time. As one of them is false, and acl uses an AND logical statement, 0/1 AND 0 will always be 0 (false). That's why this line is split in two. It now reads:
If the request comes from xyz, and we're in one of the allowed times, one of the rules will match TRUE. The other will obviously match FALSE. TRUE OR FALSE will be TRUE, and access will be permitted. Finally Access Control looks…
(4) Rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied. Example:
If xyz tries to access something in the morning, access will be granted. But if he tries to access something at lunchtime, access will be denied. It will be denied by the deny xyz rule, that was matched BEFORE the 'xyz lunch' rule.
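As an added example (Python, not part of this manual and not Squid's own code), the following small evaluator models the http_access semantics described under the http_access tag (AND within a line, first matching line wins, no match gives the opposite of the last line) together with the time acl syntax, and replays the morning/lunch discussion above against it. The acl block reproduces Squid 2.4's default list (with three Safe_ports lines omitted); the xyz network and the morning/lunch windows are constructed, as are the request records. Acl types other than src, dst, port, method, proto and time are not modelled.

```python
# Added example, not part of the Squid manual: a small model of how Squid evaluates
# acl elements and http_access lines, so a rule set can be checked offline. It models
# the acl types src, dst, port, method, proto and time; other types are out of scope.
import ipaddress
from datetime import datetime

# Squid's day abbreviations mapped to datetime.weekday() numbers (Monday = 0).
DAY_ABBREVS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def minutes(hm):
    """'h:m' -> minutes since midnight."""
    h, m = hm.split(":")
    return int(h) * 60 + int(m)


def parse_time_acl(args):
    """'[day-abbrevs] [h1:m1-h2:m2]' -> (weekdays, start minute, end minute)."""
    days, start, end = set(range(7)), 0, 24 * 60
    for arg in args:
        if ":" in arg:
            start, end = (minutes(p) for p in arg.split("-"))
            if start >= end:
                raise ValueError("h1:m1 must be less than h2:m2")
        else:
            days = {DAY_ABBREVS[c] for c in arg}
    return days, start, end


def acl_matches(acltype, args, req):
    """Does one acl element match the request? The values of one acl are ORed."""
    if acltype in ("src", "dst"):
        addr = ipaddress.IPv4Address(req[acltype])
        return any(addr in ipaddress.IPv4Network(a, strict=False) for a in args)
    if acltype == "port":
        ranges = ((a.split("-") if "-" in a else (a, a)) for a in args)
        return any(int(lo) <= req["port"] <= int(hi) for lo, hi in ranges)
    if acltype in ("method", "proto"):
        return req[acltype].upper() in {a.upper() for a in args}
    if acltype == "time":
        days, start, end = parse_time_acl(args)
        when = req["when"]
        return when.weekday() in days and start <= when.hour * 60 + when.minute < end
    raise ValueError("acl type not modelled here: " + acltype)


def parse_config(text):
    """Collect acl definitions (a repeated name accumulates values) and http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def http_access(conf_text, req):
    """Squid semantics: names on one line are ANDed ('!' negates), the first matching
    line wins, no match gives the opposite of the last line, no lines at all allows."""
    acls, rules = parse_config(conf_text)
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed configs: the acl block follows Squid 2.4's default list; the
# xyz/morning/lunch windows are invented to reproduce the AND-versus-OR mistake.
ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl CONNECT method CONNECT
acl xyz src 192.168.2.0/255.255.255.0
acl morning time MTWHF 9:00-12:00
acl lunch time MTWHF 12:30-17:00
"""
DEFAULT = ACLS + """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""
# The site's own allow line belongs after the safety denies and before "deny all".
SITE = DEFAULT.replace("http_access deny all", "http_access allow xyz\nhttp_access deny all")
BROKEN = ACLS + "http_access allow xyz morning lunch\nhttp_access deny all\n"
FIXED = ACLS + "http_access allow xyz morning\nhttp_access allow xyz lunch\nhttp_access deny all\n"
ORDERED = ACLS + ("http_access allow xyz morning\nhttp_access deny xyz\n"
                  "http_access allow xyz lunch\nhttp_access deny all\n")


def at(hour, minute, day=8):
    """Constructed timestamp in January 2024: day 8 is a Monday, day 13 a Saturday."""
    return datetime(2024, 1, day, hour, minute)


def request(src="192.168.2.7", port=80, method="GET", when=None):
    """Constructed request record in the shape the evaluator expects."""
    return {"src": src, "dst": "203.0.113.10", "port": port, "method": method,
            "proto": "HTTP", "when": when or at(10, 30)}
```

Three things fall out of running it. The stock default denies every ordinary request until you add your own allow line, and that line has to sit after the Safe_ports and CONNECT denies or it silently bypasses them. The single-line "allow xyz morning lunch" never allows anything, because the two time windows cannot both be true. And in ORDERED the "deny xyz" line, read top to bottom, wins over the later "allow xyz lunch".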