Squid ACLs
Server Training - Proxy Server

Access Control Lists

The importance of access controls cannot be overstated.  It is important to have a good understanding of how to control who uses squid.  When access controls are created you will use two components.  The first is the acl which defines, clients, IP Addresses, hostnames, origin port numbers and request methods.  Once these are created they are combined with rules for the acls.


The acls are created using a basic structure.

acl name type value

Here is an example which shows the name as “net”, the type is “src” which is the source and the vlaue is the network address.

acl net src 192.168.7.0/24


ACL Types

There are about 25 acl types which can be used.


src, dst, myip

Several types use ip addresses as a value.  The following three examples are all acceptable to squid.  Squid will try to calculate the subnet if it is not included, however, it is a good practice to add the correct subnet when the acl is written.
acl net src 192.168.7.0/24

acl net src 192.168.7.0/255.255.255.0

acl net src 192.168.7.0

Hostnames may be used in the acls but this is not a god idea and squid will convert hostnames on startup but will not make DNS lookups after that so if the address of the host changes it will be incorrect.

src

The src is the source or where the request is coming from.

acl myworkstation src 192.168.7.56

Here the source is the specific ip address of 192.168.7.56.


dst

dst is where the request is directed at.  One of the problems of using dst is that it must make a host lookup before it can process the request and this may take too long.  Better to use dstdomain.

myip

This type is useful only when squid will use several ip addresses.  It is used to indicate which ip address for squid to use.  This may be very useful for setting up squid so that it will listen on two separate networks with different ip addresses.

srcdomian, dstdomain, cache_host_domain

These types use domain names.  Be careful with domain names because of the difference between domain names and subdomains.  If the acl begins with a “.” then it is used as a wildcard and it will

match all domains and subdomians.  If it is without the “.”, then it will be considered an exact match.

acl example1 srcdomain example.com

acl example2 srcdomain .example.com

In the examples above the acl example1 will not match mail.example.com nor www.example.com because it must be an exact match.  However,

mail.example.com, www.example.com and example.com all will match the second acl.

The differences between dst and dstdomain.

The dst type only checks the domain one time, so that if it changes you will not have the correct information.  However, when using dstdomain, squid will check it every time it is accessed, which is a safer situation.

srcdomain

The srcdomain will force squid to do a reverse DNS lookup to verify the IP Address. If a domain is not configured correctly, then it will not be able to complete the reverse lookup and fail.  This is the biggest drawback to using srcdomain.

ident, proxy_auth

These two types use usernames.

srcdom_regex, dstdom_regex, url_regex, urlpath_regex,

browser, referer_regex, ident_regex, proxy_auth_regex,

req_mime_type, rep_mime_type


^http://

The regular expression matches any URL that begins with http://.


\.jpg$

The regular expression matches any file extension that ends in .jpg.

the \ is added because “.” is also a wildcard.

acl net url_regex ^http://www

Squid is case sensitive by default. In order to make it

case insensitive use the -i option.

acl net url_regex -i ^http://www

port, myport

The port number is a number that is used by a service on a server or workstation to communicate with another service.

acl net port 22

acl net port 20-21


port

Ports are an area to be careful with.  The best configuration will deny all ports and only allow those determined to be safe.  The configuration below allows only ports 21,80.443,1209 and unregistered ports.  Port 21 is used

for ftp, port 80 for web services, port 443 for encrypted sites and port 1209 is a special port used for a web

based learning site.  Unregistered ports are ports that  are used to connect to services on the Internet and are generally accepted as safe when they are outgoing ports.


acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 1209        # plato

acl Safe_ports port 1025-65535  # unregistered ports


http_access deny !Safe_ports


myport

Myport is used when a squid server may receive different types of requests for specific services.  For example if the squid server was accepting connections as a proxy for  users and also accepting connections as a HTTP accelerator.


acl accelerator myport 80

acl proxy myport 3128

acl net src 192.168.7.0/24


http_access allow accerator

http_access allow proxy net

http_access deny proxy


method

Methods relates to the HTTP request method.   Squid is configured to respond to these methods: GET,POST,PUT,HEAD, CONNECT,TRACE,OPTIONS and DELETE.


CONNECT

The CONNECT method is important as it is used to tunnel requests through HTTP proxies.  By default Squid only allows CONNECT using the SSL_ports 443 and 563.


time

The time acl is used to control access based on time.


acl name_of_acl [days] [h1:m1-h2:m2]


Days of the Week

S       Sunday

M       Monday

T       Tuesday

W       Wednesday

H       Thursday

F       Friday

A       Saturday

D       All weekdays


Specify working Hours

acl school_hours MTWHF 08:00-16:00

or all days

acl school_hours D 08:00-16:00

ident

When a user connects to squid, squid will connect to the ident port 113 on the client and establish the username and access control based on the settings as well as log everything in the access.log.  This acl is not very secure so use it sparingly.

maxconn
This acl refers to the maximum number of simultaneous connections from one IP Address.

acl OverConnLimit maxconn 3
http_access deny OverConnLimit

This will allow 3 connections from the same IP Address.  This acl can be sued to reduce usage by users on the squid system.

arp
The arp acl is used to check the MAC address of network cards.

acl myworkstation arp 00:04:76:73:34:F0

url-regex
This acl may be used to match a part of a URL.  The example shows how to select all flash videos in urls.

acl swf url_regex -i .*\.swf$


urlpath_regex
The urlpath_regex will not use  hostname or transfer protocol.  This will disallow those sites with music in the url but allow those that have music in the hostname.

acl music urlpath_regex music

acl cgi urlpath_regex ^/cgi-bin

browser
The browser acl allows you to deny browsers that you do not want users to use on the Internet.  You may need to verify the User-agent strings that each particular browser uses to check if it will work correctly.

acl firefox browser firefox
http_access deny !firefox

req_mime_type
This acl interacts with the Content-Type head of the server's HTTP response.  In order for it to work effectively, it should be used with a http_reply_access rule.

acl flash rep_mime_type application/x-swf
http_reply_access deny flash

ident_regex
This acl permits the use of regular expressions with usernames.  In this example all usernames that start with student.

acl student ident_regex ^student

proxy_auth_regex
When you use proxy_auth_regex you will be able to target users for special needs.

acl writers proxy_auth_regex ^writer


Extended ACL Lists
Squid allows for an external list of names or information that can be imported into the acl.  The file needs to have one item per line in the list and have the external list location in quotes in the acl.

acl bad badsites “/usr/share/squid/badsites”

badsites file
# List Bad Sites
192.168.5.23
192.168.7.25
192.168.6.45

Place each IP Address on a separate line.  Use a # to introduce a comment.