- Linux Training
- Desktop Tutorials
- Server Tutorials
|Server Training - Proxy Server|
Access Control Lists
The importance of access controls cannot be overstated. It is important to have a good understanding of how to control who uses squid. When access controls are created you will use two components. The first is the acl which defines, clients, IP Addresses, hostnames, origin port numbers and request methods. Once these are created they are combined with rules for the acls.
acl name type value
Here is an example which shows the name as “net”, the type is “src” which is the source and the vlaue is the network address.
There are about 25 acl types which can be used.
Several types use ip addresses as a value. The following three examples are all acceptable to squid. Squid will try to calculate the subnet if it is not included, however, it is a good practice to add the correct subnet when the acl is written.
acl net src 192.168.7.0/255.255.255.0
acl net src 192.168.7.0
The src is the source or where the request is coming from.
acl myworkstation src 192.168.7.56
dst is where the request is directed at. One of the problems of using dst is that it must make a host lookup before it can process the request and this may take too long. Better to use dstdomain.
This type is useful only when squid will use several ip addresses. It is used to indicate which ip address for squid to use. This may be very useful for setting up squid so that it will listen on two separate networks with different ip addresses.
These types use domain names. Be careful with domain names because of the difference between domain names and subdomains. If the acl begins with a “.” then it is used as a wildcard and it will
match all domains and subdomians. If it is without the “.”, then it will be considered an exact match.
acl example1 srcdomain example.com
acl example2 srcdomain .example.com
mail.example.com, www.example.com and example.com all will match the second acl.
The differences between dst and dstdomain.
The dst type only checks the domain one time, so that if it changes you will not have the correct information. However, when using dstdomain, squid will check it every time it is accessed, which is a safer situation.
The srcdomain will force squid to do a reverse DNS lookup to verify the IP Address. If a domain is not configured correctly, then it will not be able to complete the reverse lookup and fail. This is the biggest drawback to using srcdomain.
These two types use usernames.
srcdom_regex, dstdom_regex, url_regex, urlpath_regex,
browser, referer_regex, ident_regex, proxy_auth_regex,
The regular expression matches any URL that begins with http://.
The regular expression matches any file extension that ends in .jpg.
the \ is added because “.” is also a wildcard.
Squid is case sensitive by default. In order to make it
case insensitive use the -i option.
The port number is a number that is used by a service on a server or workstation to communicate with another service.
acl net port 20-21
Ports are an area to be careful with. The best configuration will deny all ports and only allow those determined to be safe. The configuration below allows only ports 21,80.443,1209 and unregistered ports. Port 21 is used
for ftp, port 80 for web services, port 443 for encrypted sites and port 1209 is a special port used for a web
based learning site. Unregistered ports are ports that are used to connect to services on the Internet and are generally accepted as safe when they are outgoing ports.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 1209 # plato
acl Safe_ports port 1025-65535 # unregistered ports
Myport is used when a squid server may receive different types of requests for specific services. For example if the squid server was accepting connections as a proxy for users and also accepting connections as a HTTP accelerator.
acl proxy myport 3128
acl net src 192.168.7.0/24
http_access allow proxy net
http_access deny proxy
Methods relates to the HTTP request method. Squid is configured to respond to these methods: GET,POST,PUT,HEAD, CONNECT,TRACE,OPTIONS and DELETE.
The CONNECT method is important as it is used to tunnel requests through HTTP proxies. By default Squid only allows CONNECT using the SSL_ports 443 and 563.
The time acl is used to control access based on time.
D All weekdays
acl school_hours MTWHF 08:00-16:00
or all days
acl school_hours D 08:00-16:00
When a user connects to squid, squid will connect to the ident port 113 on the client and establish the username and access control based on the settings as well as log everything in the access.log. This acl is not very secure so use it sparingly.