TAG NAME acl

Description Used to define an Access List
Build Option
Default
Usage
acl aclname acltype string1 …
acl aclname acltype "file"
Default
Required minimum configuration for normal functioning


Synopsis

The first field is the name of the ACL, an arbitrary name the user chooses. The second field is the type of the ACL, one of a number of choices that tells Squid which part of a request to match against for this ACL. The possible types include the requesting client's address, the web server's address or host name, a regular expression matching the URL, and many more. The final field is the actual string to match. Depending on the ACL type, this may be an IP address, a series of IP addresses, a URL, a host name, etc.


When using “file”, the file should contain one item per line.

Arguments

aclname
Name of the acl
acltype
Type of acl
string
String to match
file
File containing the strings to match
ACL TYPE
src

Description The IP address of the requesting client (the client's IP address)
Build Option
Default
Usage
acl aclname src ip-address/netmask … (clients IP address)
acl aclname src addr1-addr2/netmask … (range of addresses)
Synopsis
Matching is done on the client's IP address.

Arguments

aclname
Access list name
ip-address
Client's IP address
netmask
Network mask
addr1-addr2
Range of IP addresses

Example(s)
acl network1 src 172.16.1.0/24 – refers to the whole Network with address 172.16.1.0
acl source1 src 172.16.1.25/32 – refers to a single source
acl srcrange src 172.16.1.25-172.16.1.35/32 – refers to the range of IP addresses from 172.16.1.25 to 172.16.1.35
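The three example lines above combine a prefix or dotted netmask with either a single address or an addr1-addr2 range. The following Python model (an added example, not Squid's own code; IPv4 only) evaluates such values against a client address the way the page describes, assuming the netmask is applied to both the ACL addresses and the client address before comparison:

```python
import ipaddress

# Model of Squid's src/dst/myip address matching (added example, not Squid's own
# code; IPv4 only). A value is "ip-address[/netmask]" or "addr1-addr2[/netmask]",
# where netmask is a prefix length ("24") or a dotted mask ("255.255.255.0").
# Assumption: the mask is applied to the client address and to the ACL
# address(es) alike, and a range matches when the masked client address lies
# between the masked endpoints.

def mask_bits(netmask):
    """32-bit mask for a prefix length or dotted mask; no mask means a single host."""
    if not netmask:
        return 0xFFFFFFFF
    if netmask.isdigit():
        prefix = int(netmask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length: {netmask}")
        return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(netmask))

def ip_acl_value_matches(value, client_ip):
    """True if one ACL value (e.g. '172.16.1.0/24', '172.16.1.25-172.16.1.35/32') covers client_ip."""
    hosts, _, netmask = value.partition("/")
    first, _, last = hosts.partition("-")
    m = mask_bits(netmask)
    lo = int(ipaddress.IPv4Address(first)) & m
    hi = int(ipaddress.IPv4Address(last or first)) & m
    ip = int(ipaddress.IPv4Address(client_ip)) & m
    return lo <= ip <= hi

def ip_acl_matches(values, client_ip):
    """An acl line with several values matches if any one value matches (OR)."""
    return any(ip_acl_value_matches(v, client_ip) for v in values)

if __name__ == "__main__":
    # The page's own example values, checked against constructed client addresses
    for acl, ip in [("172.16.1.0/24", "172.16.1.77"),
                    ("172.16.1.25/32", "172.16.1.26"),
                    ("172.16.1.25-172.16.1.35/32", "172.16.1.30")]:
        print(f"{acl:30} {ip:14} -> {ip_acl_value_matches(acl, ip)}")
```

Note that a netmask wider than /32 on a range blurs its edges: `172.16.1.25-172.16.1.35/24` matches every host in 172.16.1.0/24, which is rarely what the author intended.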

ACL TYPE
dst

Description Same as src but looks for destination IP Address
Build Option
Default
Usage
acl aclname dst ip-address/netmask … (URL host’s IP address)
Synopsis
Squid first resolves the domain name in the request header to an IP address with a DNS lookup; the ACL is then evaluated against that address.

Arguments

aclname
Access list name
ip-address
IP address of the origin server/machine
netmask
Network mask


Example(s)
acl dest dst 63.194.81.67/32

ACL TYPE
myip

Description The local IP address on which the client connection exists.
Build Option
Default
Usage
acl aclname myip ip-address/netmask … (local socket IP address)
Synopsis

Using this ACL type, we can specify the local IP address on which the client's connection exists. This allows ACLs to be constructed that only match one physical network if multiple interfaces are present on the proxy, among other things.


Arguments

aclname
Access list name
ip-address
IP address of the local machine
netmask
Network mask

Example(s)
acl myip1 myip 172.16.1.53/32

ACL TYPE
arp

Description Ethernet (MAC) address matching
Build Option
--enable-arp-acl
Usage
acl aclname arp mac-address
Synopsis

This option only works for clients on the same local subnet, and only for certain platforms. Linux, Solaris, and some BSD variants are the supported operating systems for this type of ACL. This ACL can provide a somewhat secure method of access control, because MAC addresses are usually harder to spoof than IP addresses, and you can guarantee that your clients are on the local network (otherwise no ARP resolution can take place).


Arguments

aclname
Access list name
mac-address
Physical address to be matched

Example(s)
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers to the Ethernet MAC address 11:12:13:14:15:16.

Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

ACL TYPE
srcdomain

Description This acl type provides matches against the client domain name
Build Option
Default
Usage
acl aclname srcdomain .domain-name …
Synopsis

Matching can be either a single domain name, or a list of domain names, or the path to a file that contains a list of domain names. If a path to a file is given, it must be surrounded by parentheses. This ACL type can increase latency and decrease throughput significantly on a loaded cache, as it must perform an address-to-name lookup for each request, so it is usually preferable to use the client IP address type.


Note:
The leading “.” matters here.

Arguments

aclname
Access list name
domain-name
Client's domain name

Example(s)
acl mydomain srcdomain .kovaiteam.com

ACL TYPE
dstdomain

Description This refers to the destination domain, i.e. the domain where the origin server is located
Build Option
Default
Usage
acl aclname dstdomain .domain-name …
Synopsis
Use this ACL type when matching is to be done on the destination server's domain.

Note: The leading “.” matters here.

Arguments

aclname
Access list name
domain-name
Destination domain

Example(s)
acl domain1 dstdomain .kovaiteam.com
This matches *.kovaiteam.com in the URL.
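Both srcdomain and dstdomain hinge on the leading dot the notes above point at. The following Python model (an added example, not Squid's own code) assumes the documented rule: a value that starts with “.” matches that domain and every host under it, while a value without the dot matches only that exact host name; comparison is case-insensitive.

```python
# Model of srcdomain/dstdomain matching (added example, not Squid's own code).
# Assumption: a value with a leading "." matches that domain and every host
# under it; a value without the dot matches only that exact host name.
# Comparison is case-insensitive and ignores a trailing root dot.

def normalise(name):
    return name.strip().lower().rstrip(".")

def domain_value_matches(value, host):
    """True if one ACL domain value matches the given host name."""
    value, host = normalise(value), normalise(host)
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value

def domain_acl_matches(values, host):
    """An acl line with several domain values matches if any value matches (OR)."""
    return any(domain_value_matches(v, host) for v in values)

if __name__ == "__main__":
    # Constructed host names checked against the page's example value, with and without the dot
    for host in ("www.kovaiteam.com", "kovaiteam.com", "notkovaiteam.com"):
        print(f"{host:20} .kovaiteam.com -> {domain_value_matches('.kovaiteam.com', host)!s:5}"
              f" kovaiteam.com -> {domain_value_matches('kovaiteam.com', host)}")
```

The `notkovaiteam.com` case is the one to keep in mind: the dot is what stops a look-alike domain from matching an allow rule written for `.kovaiteam.com`.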

ACL TYPE
srcdom_regex

Description Matches against the client domain name
Build Option
Default
Usage
acl aclname srcdom_regex [-i] pattern …
Synopsis

Matching can be either a single domain name, or a list of domain names, or a path to a file that contains a list of domain names. If a path to a file is specified, it must be surrounded by parentheses.


Arguments

aclname
Access list name
pattern
Pattern to match

Example(s)
acl aclname srcdom_regex kovai – This looks for the word kovai in the client domain name

ACL TYPE
dstdom_regex

Description Provides match against destination domain
Build Option
Default
Usage
acl aclname dstdom_regex [-i] pattern …
Synopsis
Matching done on destination domain based on regular expression.

Arguments

aclname
Access list name
pattern
Pattern to match

Example(s)
acl domain1 dstdom_regex redhat – This looks for the word redhat in the client's request.

ACL TYPE
time

Description This type is just what it sounds like: it provides a means to create ACLs that are active during certain times of the day or on certain days of the week
Build Option
Default
Usage
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
Synopsis

Provides timed filter settings. This feature is often used to block some types of content or some sections of the internet during business or class hours. Many companies block pornography, entertainment, sports, and other clearly non-work related sites during business hours, but then unblock them after hours. This might improve workplace efficiency in some situations (or it might just offend the employees). This ACL type allows you to enter days of the week and a time range, or select all hours of the selected days.


Day-abbrevs:
S Sunday
M Monday
T Tuesday
W Wednesday
H Thursday
F Friday
A Saturday
Time:
h1:m1 must be less than h2:m2

Arguments

aclname
Access list name
day-abbrevs
Days list (as shown above)
h1:m1-h2:m2
from and to time

Example(s)
acl acltime time M 9:00-17:00 – acltime refers to Monday from 9:00 to 17:00.
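The day-abbrevs table and the h1:m1 < h2:m2 rule above are enough to evaluate a time ACL against a clock reading. The following Python model (an added example, not Squid's own code) parses `[day-abbrevs] [h1:m1-h2:m2]` using the page's letters, treats missing days as every day and a missing range as the whole day, rejects a reversed range, and assumes both ends of the range are inclusive:

```python
import datetime

# Model of the Squid "time" ACL (added example, not Squid's own code).
# Value: "[day-abbrevs] [h1:m1-h2:m2]". Day letters follow the page's table
# (S M T W H F A = Sunday..Saturday); no days means every day and no range means
# the whole day. Assumption: both ends of the range are inclusive.

DAY_ABBREVS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # datetime.weekday() numbers

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"bad time of day: {hhmm}")
    return hours * 60 + minutes

def parse_time_acl(value):
    """Return (set of weekday numbers, start minute, stop minute); ValueError on bad input."""
    days, start, stop = set(DAY_ABBREVS.values()), 0, 23 * 60 + 59
    for token in value.split():
        if ":" in token:
            lo, _, hi = token.partition("-")
            start, stop = _minutes(lo), _minutes(hi)
            if not start < stop:
                raise ValueError(f"h1:m1 must be less than h2:m2: {token}")
        else:
            unknown = set(token) - set(DAY_ABBREVS)
            if unknown:
                raise ValueError(f"unknown day abbreviation(s): {''.join(sorted(unknown))}")
            days = {DAY_ABBREVS[ch] for ch in token}
    return days, start, stop

def time_acl_is_valid(value):
    """True if Squid would accept the value under the rules modelled here."""
    try:
        parse_time_acl(value)
        return True
    except ValueError:
        return False

def time_acl_matches(value, when):
    """True if 'when' (datetime or ISO 8601 string) falls inside the ACL's days and range."""
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    days, start, stop = parse_time_acl(value)
    return when.weekday() in days and start <= when.hour * 60 + when.minute <= stop

if __name__ == "__main__":
    # Constructed timestamps: 2024-01-08 is a Monday
    for stamp in ("2024-01-08T10:30", "2024-01-08T18:00", "2024-01-09T10:30"):
        print(stamp, "M 9:00-17:00 ->", time_acl_matches("M 9:00-17:00", stamp))
```

Because the range cannot wrap past midnight, an "after hours" window such as 17:00 to 9:00 has to be written as two ACL lines with the same name (17:00-23:59 and 0:00-8:59), which Squid ORs together.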

ACL TYPE
url_regex

Description Matches using a regular expression on the complete URL
Build Option
Default
Usage
acl aclname url_regex [-i] pattern
Synopsis

This ACL can be used to provide access control based on parts of the URL or a case insensitive match of the URL, and much more. The regular expressions used in Squid are provided by the GNU Regex library which is documented in the section 7 and 3 regex manpages. Regular expressions are also discussed briefly in a nice article by Guido Socher at LinuxFocus.


Arguments

aclname
Access list name
pattern
Pattern to match

Example(s)
acl reject url_regex -i ^http://www.google.co.in/index.html

reject contains the entire URL http://www.google.co.in/index.html. If you deny reject in http_access, it denies only the URL http://www.google.co.in/index.html but allows the URL http://www.google.co.in

ACL TYPE
urlpath_regex

Description This ACL matches on the URL path minus any protocol, port, and host name information
Build Option
Default
Usage
acl aclname urlpath_regex [-i] pattern
Synopsis
This ACL type looks for the given pattern in the path part of the URL only; if the pattern is found there, the ACL matches.

Arguments

aclname
Access list name
pattern
Pattern which is expected for match

Example(s)
acl reject urlpath_regex -i index.html
reject contains the pattern index.html. If you deny reject in http_access, any URL whose path contains the pattern index.html will be denied.
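The difference between the url_regex and urlpath_regex examples above is the string the regular expression is applied to: the complete URL versus the path after the host and port. The following Python model (an added example, not Squid's own code) uses Python's `re` in place of Squid's GNU regex and assumes the path seen by urlpath_regex includes the query string; it also shows why the page's unescaped, unanchored pattern matches more than the one URL it names.

```python
import re
from urllib.parse import urlsplit

# Model of url_regex vs urlpath_regex (added example, not Squid's own code).
# url_regex is applied to the complete URL, urlpath_regex to the part after
# host and port (assumption: path plus query string). -i maps to re.IGNORECASE.

def url_regex_matches(pattern, url, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, url, flags) is not None

def url_path(url):
    """The path (plus query) portion that urlpath_regex sees; '/' for a bare host."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")

def urlpath_regex_matches(pattern, url, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, url_path(url), flags) is not None

# The page's url_regex pattern as written, and an escaped, fully anchored variant
PAGE_PATTERN = r"^http://www.google.co.in/index.html"
STRICT_PATTERN = r"^http://www\.google\.co\.in/index\.html$"

if __name__ == "__main__":
    # Constructed URLs: the page's own, a look-alike host, and a host that contains the path pattern
    for url in ("http://www.google.co.in/index.html", "http://www-google.co.in/index.htmlx",
                "http://index.html.example.com/"):
        print(f"{url:40} url_regex(page)={url_regex_matches(PAGE_PATTERN, url, True)!s:5} "
              f"url_regex(strict)={url_regex_matches(STRICT_PATTERN, url, True)!s:5} "
              f"urlpath_regex(index.html)={urlpath_regex_matches('index.html', url, True)}")
```

In a regular expression an unescaped `.` matches any character, so `www.google.co.in` also matches `www-google.co.in`; for a deny rule meant to cover one exact URL, escape the dots and anchor both ends as in STRICT_PATTERN.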

ACL TYPE
urllogin

Description The ACL regular expression matching on URL login field
Build Option
Default
Usage acl aclname urllogin [-i] [^a-zA-Z0-9] …
Synopsis
Regular Expression matching on URL login field

Arguments

aclname
Access list name
pattern
Pattern which is expected to match

Example(s)
acl aclname urllogin -i administrator

ACL TYPE
port

Description This ACL matches on the destination port for the request
Build Option
Default
Usage
acl aclname port port-number
acl aclname port range
Synopsis
Matching done on the destination port.

Arguments

aclname
Access list name
port-number
Destination port number
range
Range of port numbers

Example(s)
The following allows access only to the destination 172.16.1.115:80 from network 172.16.1.0
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

ACL TYPE
myport

Description This matches against the local socket TCP port
Build Option
Default
Usage
acl aclname myport port-numbers …
Synopsis
Matching done on local interface port.

Arguments

aclname
Access list name
port-numbers
Local interface port numbers

Example(s)
acl mp myport 3128
http_access deny mp
http_access allow all
This denies all requests arriving on port 3128 and allows requests arriving on all other ports.

ACL TYPE
myportname

Description This matches against the http(s)_port name
Build Option
Default
Usage
acl aclname myportname port-numbers …
Synopsis
Matching is done on the http_port or https_port where the request was accepted.

Arguments

aclname
Access list name
port-numbers
http_port or https_port

Example(s)
acl mp myportname 3128
http_access deny mp
http_access allow all
This denies all requests arriving on port 3128 and allows requests arriving on all other ports.

ACL TYPE
proto

Description This ACL matches on the protocol of the request
Build Option
Default
Usage
acl aclname proto protocol
Synopsis
Matching is done on the protocol used in the request, such as FTP, HTTP, ICP, etc.

Arguments

aclname
Access list name
protocol
Protocol to be matched

Example(s)
acl myproto proto HTTP FTP – This refers to the protocols HTTP and FTP

ACL TYPE
method

Description This ACL type matches the HTTP method in the request headers. This includes the methods GET, PUT, etc
Build Option
Default
Usage
acl aclname method method-type
Synopsis
Matching done based on the HTTP request method like GET, PUT, etc.

Arguments

aclname
Access list name
method-type
HTTP request method

Example(s)
acl getmethod method GET POST – This refers to the GET and POST methods only.

ACL TYPE
browser

Description A regular expression that matches the client's browser type based on the User-Agent header
Build Option
Default
Usage
acl aclname browser [-i] regexp
Synopsis

This allows ACLs to operate based on the browser type in use; for example, using this ACL type, one could create an ACL for Netscape users and another for Internet Explorer users.


Arguments

aclname
Access list name
regexp
Browser name

Example(s)
acl aclname browser MOZILLA
This refers to requests coming from browsers whose User-Agent header contains the keyword “MOZILLA”.

ACL TYPE
referer_regex

Description Pattern match on Referer header
Build Option
Default
Usage
acl aclname referer_regex [-i] pattern
Synopsis
Pattern match on Referer header

Note: Referer is highly unreliable, so use with care.
Arguments

aclname
Access list name
pattern
Pattern to be matched

Example(s)
In your Squid.conf configuration file you would write something like this,
acl expression referer_regex -i user1
This looks for the pattern “user1” in username

ACL TYPE
ident

Description Provides string matching on user name
Build Option
Default
Usage
acl aclname ident username …
Synopsis
Matching is based on ident lookups.

Note: Needs an external ident server running on the client machines.

Arguments

aclname
Access list name
username
Username to be matched

Example(s)
You can use ident to allow specific users access to your cache. In your Squid.conf configuration file you would write something like this,
ident_lookup_access allow all
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

ACL TYPE
ident_regex

Description Provides string match on ident output
Build Option
Default
Usage
acl aclname ident_regex [-i] pattern
Synopsis
Same as ident but matching is done on ident output.

Note: Needs an external ident server running on the client machines.
Arguments

aclname
Access list name
pattern
Pattern to be matched

Example(s)
In your Squid.conf configuration file you would write something like this,
ident_lookup_access allow all
acl friends ident_regex joe
This looks for the pattern “joe” in username

ACL TYPE
src_as, dst_as

Description Source Autonomous System Number is another AS-related ACL type, and matches on the AS number of the source of the request
Destination Autonomous System Number is the AS number of the server being queried
Build Option
Default
Usage
acl aclname src_as number
acl aclname dst_as number
Synopsis

The autonomous system number ACL types are generally only used in Cache Peer, or ICP, access restrictions. Autonomous system numbers are used in organizations that have multiple internet links and routers operating under a single administrative authority using the same gateway protocol. Routing decisions are then based on knowledge of the AS in addition to other possible data.


Arguments

aclname
Access list name
number
AS numbers to be matched

Example(s)
An example that routes all requests for AS 1241, and only those, to mycache.mydomain.net:
acl asexample dst_as 1241
cache_peer_access mycache.mydomain.net allow asexample
cache_peer_access mycache.mydomain.net deny all

ACL TYPE
proxy_auth

Description This ACL type calls an external authenticator process to decide whether the request will be allowed
Build Option
Default
Usage
acl aclname proxy_auth [-i] username …
Synopsis

Some of the authenticator helper programs available for Squid are PAM, NCSA, UNIX passwd, SMB, NTLM, etc. Note that authentication cannot work on a transparent proxy or HTTP accelerator. The HTTP protocol does not provide for two authentication stages (one local and one on remote Web sites). So in order to use an authenticator, your proxy must operate as a traditional proxy, where a client will respond appropriately to a proxy authentication request as well as external Web server authentication requests.


Note: proxy_auth can’t be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn’t. When a Proxy-Authentication header is sent but it is not needed during ACL checking the username is NOT logged in access.log.


Arguments

aclname
Access list name
username
User name to be authenticated

Example(s)
acl ACLAUTH proxy_auth ramesh senthil muthu
http_access allow ACLAUTH
http_access deny all
The above configuration will allow only ramesh, senthil and muthu, provided they supply a valid username and password.

ACL TYPE
proxy_auth_regex

Description As above, this ACL calls an external authenticator process, but allows regex pattern or case insensitive matches
Build Option
Default
Usage
acl aclname proxy_auth_regex [-i] pattern
Synopsis
Matching based on regular expressions using external authentication process.

Arguments

aclname
Access list name
pattern
Pattern to be matched

Example(s)
acl ACLAUTH proxy_auth_regex -i mesh

ACL TYPE
snmp_community

Description Provides matching against community string to limit access to your SNMP Agent
Build Option
Default
Usage
acl aclname snmp_community string …
Synopsis
Matching done on snmp community strings.

Arguments

aclname
Access list name
string
String to be matched

Example(s)
acl snmppublic snmp_community public

ACL TYPE
maxconn

Description Matches when the client’s IP address has more than the specified number of HTTP connections established
Build Option
Default
Usage
acl aclname maxconn number
Synopsis
Matching is true when the defined number of HTTP connections has been established for a client.

Arguments

aclname
Access list name
number
Maximum number of HTTP connections

Example(s)
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn
The above configuration allows at most 5 HTTP connections per client.

ACL TYPE
max_user_ip

Description This is matched when the same user attempts to log in more than the specified number of times from different IP addresses
Build Option
Default
Usage
acl aclname max_user_ip [-s] number
Synopsis

If -s is specified then the limit is strict, denying browsing from any further IP addresses until the ttl has expired. Without -s Squid will just annoy the user by “randomly” denying requests. (the counter is then reset each time the limit is reached and a request is denied). The authenticate_ip_ttl parameter controls the timeout on the ip entries.

Note
1. An authentication program must be running for this; NCSA will do for a simple configuration.
2. In acceleration mode or where there is mesh of child proxies, clients may appear to come from multiple addresses if they are going through proxy farms, so a limit of 1 may cause user problems.

Arguments

aclname
Access list name
number
Number of logins (from different IP addresses) allowed

Example(s)
authenticate_ip_ttl 2 hours
acl maxuser max_user_ip -s 2
http_access deny maxuser
The same user can log in from a maximum of 2 different machines; when he tries to log in a third time from a third system, he will not be allowed to browse.

ACL TYPE
req_mime_type

Description Match against the mime type of the request generated by the client
Build Option
Default
Usage
acl aclname req_mime_type mime_type …
Synopsis
Using this you can detect file uploads or some types of HTTP tunneling requests.

Arguments

aclname
Access list name
mime_type
Mime type at the requesting side

Example(s)
acl mymime req_mime_type text
This acl looks for the pattern “text” in request mime header.

Note
This does NOT match the reply. You cannot use this to match the returned file type.

ACL TYPE
req_header

Description Match against any of the known request headers.
Build Option
Default
Usage
acl aclname req_header header-name [-i] regular-expression
Synopsis
Regular Expression match against any of the known request headers.

May be thought of as a superset of “browser”, “referer” and “mime-type” ACLs.

Arguments

aclname
Access list name
header-name
Request header name

Example(s)
acl myheader req_header text
This acl looks for the pattern “text” in request header.

ACL TYPE
rep_mime_type

Description Match against the mime type of the reply received by Squid
Build Option
Default
Usage
acl aclname rep_mime_type mime_type …
Synopsis
Also, using this, you can detect file downloads or some types of HTTP tunneling requests.

This has no effect in http_access rules. It only has effect in rules that affect the reply data stream such as http_reply_access.

Arguments

aclname
Access list name
mime_type
Mime type at the receiving side

Example(s)
acl m2 rep_mime_type ^application/pdf$
http_reply_access deny m2
This blocks access to application/pdf mime types.

ACL TYPE
rep_header

Description Match against any of the known response headers.
Build Option
Default
Usage
acl aclname rep_header header-name [-i] regular expression…
Synopsis
Regular Expression match against any of the known response headers.


Arguments

aclname
Access list name
header-name
Header name at the receiving side

Example(s)
acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}

ACL TYPE
external

Description Provides match against external ACL lookup via a helper class defined by the external_acl_type tag
Build Option
Default
Usage
acl aclname external class_name [arguments...]
Synopsis
Provides match against external ACL lookup via a helper class defined by the external_acl_type tag

Arguments

aclname
Access list name
class_name
Defined by external_acl_type tag

Example(s)

auth_param basic program < put your authenticator here >
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1800 seconds
external_acl_type checkip children=20 %LOGIN %SRC /usr/local/Squid/bin/checkip.pl
acl password external checkip
acl it src 172.16.20.1-172.16.20.199/255.255.255.255
http_access allow it password

Allows the user if the user belongs to a group that is permitted at the given time and from the given IP address.

ACL TYPE
urlgroup

Description This will match against the urlgroup as indicated by redirectors.
Build Option
Default
Usage
acl aclname urlgroup group1…
Synopsis

Match against the urlgroup as indicated by redirectors.

Arguments

aclname
Access list name
group
Set of URLs indicated by redirectors

Example(s)
acl jobs urlgroup job
http_access deny jobs

ACL TYPE
user_cert

Description This will match against the attributes in a user SSL certificate
Build Option
Default
Usage
acl aclname user_cert attribute values…
Synopsis

Match against attributes in a user SSL certificate

Arguments

aclname
Access list name
attribute
Any one of DN/C/O/CN/L/ST

ACL TYPE
ca_cert

Description This will match against attributes in a user's issuing CA SSL certificate
Build Option
Default
Usage
acl aclname ca_cert attribute values…
Synopsis

Match against attributes in the user's issuing CA SSL certificate

Arguments

aclname
Access list name
attribute
Any one of DN/C/O/CN/L/ST

ACL TYPE
ext_user, ext_user_regex

Description String match on username returned by external acl
Build Option
Default
Usage
acl aclname ext_user username …
acl aclname ext_user_regex [-i] pattern …
Synopsis

String match on username returned by external acl
Use REQUIRED to accept any user name.

Arguments

aclname
Access list name
username
Username to match against the user name returned by the external ACL
pattern
Regular-expression pattern to match against the user name returned by the external ACL

Recommended minimum acl configuration
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
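The minimum configuration above defines ACLs but does not show how they combine: values on one acl line are ORed, lines sharing a name accumulate, terms on one http_access line are ANDed, a leading "!" negates a term, and the first http_access line whose terms all match decides. The following Python model (an added example, not Squid's own code) implements those rules for the src, dst, port, method and proto types and evaluates constructed requests against the page's ACL set paired with the http_access lines from Squid's stock squid.conf (the pairing, and the "opposite of the last line" default when nothing matches, are assumptions stated in the comments; address ranges are not modelled here).

```python
import ipaddress

# Model of how Squid combines acl lines and http_access rules (added example,
# not Squid's own code). Modelled: values on one acl line are OR-ed, acl lines
# with the same name accumulate, terms on one http_access line are AND-ed, "!"
# negates a term, the first matching http_access line decides, and with no match
# the result is the opposite of the last line's action (assumption).

def _port(values, req):
    for v in values:                       # "80" or "1025-65535"
        lo, _, hi = v.partition("-")
        if int(lo) <= req["port"] <= int(hi or lo):
            return True
    return False

def _addr(field):                          # src/dst: ip/netmask only, no ranges
    def match(values, req):
        ip = ipaddress.ip_address(req[field])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    return match

ACL_TYPES = {
    "src": _addr("src"), "dst": _addr("dst"), "port": _port,
    "method": lambda values, req: req["method"].upper() in {v.upper() for v in values},
    "proto": lambda values, req: req["proto"].lower() in {v.lower() for v in values},
}

def parse_config(text):
    """Collect acl definitions (name -> (type, values)) and http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            if acltype not in ACL_TYPES:
                raise ValueError(f"acl type not modelled: {acltype}")
            entry = acls.setdefault(name, (acltype, []))
            if entry[0] != acltype:
                raise ValueError(f"acl {name} already defined with type {entry[0]}")
            entry[1].extend(values)
        elif words[0] == "http_access":
            if words[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {words[1]}")
            rules.append((words[1], words[2:]))
    return acls, rules

def http_access(acls, rules, req):
    """Return 'allow' or 'deny' for a request dict with src, dst, port, method, proto."""
    def term_matches(term):
        acltype, values = acls[term.lstrip("!")]
        return ACL_TYPES[acltype](values, req) != term.startswith("!")
    for action, terms in rules:
        if all(term_matches(t) for t in terms):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed configuration: the page's minimum acl set plus the http_access
# lines from Squid's stock squid.conf (assumption, not taken from the page).
MINIMUM_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

def decide(method, port, src="10.0.0.5", dst="203.0.113.10", proto="HTTP"):
    """Evaluate one constructed request against MINIMUM_CONFIG."""
    acls, rules = parse_config(MINIMUM_CONFIG)
    return http_access(acls, rules, {"method": method, "port": port, "src": src, "dst": dst, "proto": proto})

if __name__ == "__main__":
    for args in (("GET", 80, "127.0.0.1"), ("GET", 80), ("GET", 22, "127.0.0.1"),
                 ("CONNECT", 443, "127.0.0.1"), ("CONNECT", 8443, "127.0.0.1")):
        print(args, "->", decide(*args))
```

The CONNECT case is the one worth tracing by hand: port 8443 passes the Safe_ports check because of the 1025-65535 line, and it is only the `deny CONNECT !SSL_ports` rule that stops a tunnel to it. Whatever rules are added, keeping `http_access deny all` as the last line is what makes an unmatched request fail closed.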