Squid ACLs

Access Control Lists

The importance of access controls cannot be overstated.  It is important to have a good understanding of how to control who uses squid.  When access controls are created you will use two components.  The first is the acl which defines, clients, IP Addresses, hostnames, origin port numbers and request methods.  Once these are created they are combined with rules for the acls.

Squid Proxy
Live Virtual Class That Covers Squid Proxy
Squid Introduction
Squid Basic Configuration
Squid Authentication
Squid Access Control Lists
Squid on OpenVZ


The acls are created using a basic structure.

acl name type value

Here is an example which shows the name as “net”, the type is “src” which is the source and the vlaue is the network address.

acl net src 192.168.7.0/24

ACL Types

There are about 25 acl types which can be used. 

src, dst, myip

Several types use ip addresses as a value.  The following three examples are all acceptable to squid.  Squid will try to calculate the subnet if it is not included, however, it is a good practice to add the correct subnet when the acl is written.
acl net src 192.168.7.0/24

acl net src 192.168.7.0/255.255.255.0

acl net src 192.168.7.0

Hostnames may be used in the acls but this is not a god idea and squid will convert hostnames on startup but will not make DNS lookups after that so if the address of the host changes it will be incorrect.

src

The src is the source or where the request is coming from.

acl myworkstation src 192.168.7.56

Here the source is the specific ip address of 192.168.7.56.

dst

dst is where the request is directed at.  One of the problems of using dst is that it must make a host lookup before it can process the request and this may take too long.  Better to use dstdomain.

myip

This type is useful only when squid will use several ip addresses.  It is used to indicate which ip address for squid to use.  This may be very useful for setting up squid so that it will listen on two separate networks with different ip addresses.

srcdomian, dstdomain, cache_host_domain

These types use domain names.  Be careful with domain names because of the difference between domain names and subdomains.  If the acl begins with a “.” then it is used as a wildcard and it will

match all domains and subdomians.  If it is without the “.”, then it will be considered an exact match.

acl example1 srcdomain example.com

acl example2 srcdomain .example.com

In the examples above the acl example1 will not match mail.example.com nor www.example.com because it must be an exact match.  However,

mail.example.com, www.example.com and example.com all will match the second acl.

The differences between dst and dstdomain.

The dst type only checks the domain one time, so that if it changes you will not have the correct information.  However, when using dstdomain, squid will check it every time it is accessed, which is a safer situation.

srcdomain

The srcdomain will force squid to do a reverse DNS lookup to verify the IP Address. If a domain is not configured correctly, then it will not be able to complete the reverse lookup and fail.  This is the biggest drawback to using srcdomain.

ident, proxy_auth

These two types use usernames.

srcdom_regex, dstdom_regex, url_regex, urlpath_regex,

browser, referer_regex, ident_regex, proxy_auth_regex,

req_mime_type, rep_mime_type

^http://

The regular expression matches any URL that begins with http://.

\.jpg$

The regular expression matches any file extension that ends in .jpg.

the \ is added because “.” is also a wildcard.

acl net url_regex ^http://www

Squid is case sensitive by default. In order to make it

case insensitive use the -i option.

acl net url_regex -i ^http://www

port, myport

The port number is a number that is used by a service on a server or workstation to communicate with another service.

acl net port 22

acl net port 20-21

port

Ports are an area to be careful with.  The best configuration will deny all ports and only allow those determined to be safe.  The configuration below allows only ports 21,80.443,1209 and unregistered ports.  Port 21 is used

for ftp, port 80 for web services, port 443 for encrypted sites and port 1209 is a special port used for a web

based learning site.  Unregistered ports are ports that  are used to connect to services on the Internet and are generally accepted as safe when they are outgoing ports.

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 1209        # plato

acl Safe_ports port 1025-65535  # unregistered ports

http_access deny !Safe_ports

myport

Myport is used when a squid server may receive different types of requests for specific services.  For example if the squid server was accepting connections as a proxy for  users and also accepting connections as a HTTP accelerator.

acl accelerator myport 80

acl proxy myport 3128

acl net src 192.168.7.0/24

http_access allow accerator

http_access allow proxy net

http_access deny proxy

method

Methods relates to the HTTP request method.   Squid is configured to respond to these methods: GET,POST,PUT,HEAD, CONNECT,TRACE,OPTIONS and DELETE.

CONNECT

The CONNECT method is important as it is used to tunnel requests through HTTP proxies.  By default Squid only allows CONNECT using the SSL_ports 443 and 563.

time

The time acl is used to control access based on time.

acl name_of_acl [days] [h1:m1-h2:m2]

Days of the Week

S       Sunday

M       Monday

T       Tuesday

W       Wednesday

H       Thursday

F       Friday

A       Saturday

D       All weekdays

Specify working Hours

acl school_hours MTWHF 08:00-16:00

or all days

acl school_hours D 08:00-16:00

ident

When a user connects to squid, squid will connect to the ident port 113 on the client and establish the username and access control based on the settings as well as log everything in the access.log.  This acl is not very secure so use it sparingly.