Tuesday, April 26, 2011

Why Wireless Interference is an important consideration in Wi-Fi networks

Unlike a wired network, where adding more network switches improves performance, a wireless network cannot be optimized for performance simply by adding more access points (a denser deployment of access points), mainly because of wireless interference. In this article, we'll try to understand frequency bands, interference, interference from 802.11 Wi-Fi enabled devices, interference from non-Wi-Fi devices, and how to identify and mitigate wireless interference.

Understanding Wireless Frequency Bands:

You might be familiar with the concept of frequency tuning in radio. When you tune your receiver to a certain frequency, you are able to hear the programs from a particular channel. So, when you use an analog rotary tuner to switch channels, you might have noticed that as you rotate the tuner, first a faint sound appears, then you get a strong signal, and then the signal weakens. So, the signals are received (with varying range of amplitudes) over a range of frequencies. When you consider many channels, the used range of frequencies becomes wider.
Similarly, Wi-Fi networks operate mainly in two frequency bands (ranges): 2.4 GHz and 5 GHz. Both are unlicensed ISM band frequencies (Industrial, Scientific and Medical RF bands), which means any device or technology can use that band for communications.
2.4 GHz and 5 GHz are frequency bands (ranges of frequencies). The actual communication happens in sub-frequencies called channels within each spectrum (frequency band). For example, in the 2.4 GHz spectrum, the channel center frequencies are: Channel 1 – 2.412 GHz; Channel 2 – 2.417 GHz; ... Channel 13 – 2.472 GHz. A wireless radio (on a wireless access point) and a client radio (the wireless client on a laptop) operate in one of these channels to transmit information between them.
Every channel (sub-frequency) overlaps with its adjacent channels. So Channel 6, for example, overlaps strongly with channels 5 and 4 but weakly with channels 3 and 2. In the 2.4 GHz spectrum, channels 1, 6 and 11 are non-overlapping channels. That brings us to the next topic: interference.

Wireless Interference:

Consider three operational access points situated 1 meter from each other (for example). If they operate in channels 1, 2 and 3 (respectively) or channels 1, 1 and 1 (respectively), there would be a lot of interference affecting all the clients connecting to these three access points. That's because access points and clients generally receive all the transmissions around them and reject those that are not in their own frequency (channel) of operation. But if different access points operate in the same channel (or adjacent channels), they cannot tell whether a received transmission was meant for them or not!
But if the three access points operate in channels 1, 6 and 11 (respectively), even if they are placed very close to each other there would not be much interference, because the sub-frequencies used by each channel are far apart. In other words, these three channels are non-overlapping channels.
Interference might prevent you from connecting to a wireless access point/network, disconnect you from an existing connection (requiring you to re-connect to the network), or slow down/choke the wireless connectivity. Wireless interference causes noticeable problems with real-time applications like voice/video transmitted over the wireless network. Interference is both a performance issue and a security concern (rogue access points, wireless DoS attacks, etc.).
There are two types of wireless interference: interference from Wi-Fi (802.11) sources and interference from non-Wi-Fi sources.

Interference from Wi-Fi (802.11) Sources:

Wi-Fi devices that interfere with the wireless network are: access points that are in range of each other (and operating in overlapping channels); neighboring access points that might be operating in overlapping channels; and wireless jammers that intentionally operate in overlapping channels.
So, when two access points operate in the same channel or adjacent channels and are in range of each other, there is interference. With 802.11 Wi-Fi based networks and devices, people might still be able to access and work on the wireless network even with considerable interference, but with reduced throughput. 802.11 networks are resilient enough to retransmit lost packets, but those retransmissions reduce the total available bandwidth.
Similarly, the access points across the street or in a neighboring office may be operating in the same channel, causing some interference. There are also wireless jammers that cause interference in the network with the intention of disrupting wireless services.
Since the latest 802.11n networks and devices use multiple antennas, they might be in a slightly better position to reduce interference by comparing the signals received on the multiple antennas and averaging out the interfering signals.

Interference from Non-Wi-Fi Sources:

Since 2.4 GHz and 5 GHz are unlicensed frequency bands (spectrum), a lot of other technologies like Bluetooth and Zigbee, and a lot of devices like microwave ovens, wireless cameras, cordless phones, wireless headsets, wireless device controllers, etc., operate in these frequency bands as well, thereby causing interference to Wi-Fi network communications.
Microwave ovens operate across multiple frequencies (wideband) and consistently interfere with Wi-Fi devices. Wireless cameras operate in a narrow band and hence interfere on particular Wi-Fi frequencies. Bluetooth headsets keep hopping across the frequency band but still cause interference temporarily.
Even if a complete site survey is done prior to implementing the Wi-Fi network, it is still difficult to find the non-Wi-Fi sources of interference, because newer/smaller wireless devices keep appearing in the market and could be brought in by employees at any time, thereby causing (unintentional) disturbance to the corporate Wi-Fi network.

Detecting and Mitigating Wireless Interference:

5 GHz is a relatively clean spectrum without much interference from non-Wi-Fi sources, but most of the commercially available Wi-Fi network devices operate in the more popular 2.4 GHz spectrum. It might be better to implement Wi-Fi networks in the 5 GHz frequency band (for this, both the client adapter on the laptops and the access point should support 5 GHz operation), especially with 802.11n high performance networks.
Some vendors fit sensors on access points that detect interference in their channel of operation (if any) and switch to other channels. But this may not be a solution for interference from non-Wi-Fi sources. It's possible to reduce the chances of interference by controlling (reducing) the transmission power levels of access points. Using multiple/multi-sector antennas might also improve the SNR.
Wi-Fi sources: Interference from other Wi-Fi sources is relatively easier to detect, and in some cases even to mitigate. The basic principle with Wi-Fi sources is to avoid any neighboring access points operating in the same channel (or adjacent channels). As far as possible, neighboring access points need to operate in non-overlapping channels (like 1, 6, 11).
It's quite difficult to monitor each access point manually and change the frequency of operation manually for all access points (though it's possible). Even if they are set manually, if an access point reboots (due to power loss, etc.) it will choose an arbitrary frequency (channel) which may not be the manually set one, so the process (assigning channels manually) needs to be repeated.
To automate this process, a wireless controller that provides centralized management can be used in a network to continuously gauge the channel of operation of all the neighboring access points and adjust their channel settings dynamically. Most wireless controllers can manage only their own make of access points, but there is wireless management software available to manage multi-vendor access points/controllers.
Non-Wi-Fi sources: Normal wireless management software/controllers may not detect interference from non-Wi-Fi sources (some of them do), but there are specialized spectrum analyzers that can be employed for this purpose. Unlike Wi-Fi sources of interference, simply changing the channel of operation of the access points may not be a solution for non-Wi-Fi based interference, and hence the best way to tackle them might be to physically remove the sources, or shield them so that their emissions are restricted to a certain area.
There are certain open source based spectrum analyzers which can be used for detecting interference, like Netstumbler, Kismet, inSSIDer, etc. Commercial spectrum analyzers are also available for the same purpose.
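The channel-overlap reasoning above (why 1, 2, 3 interfere but 1, 6, 11 do not) and the channel planning a wireless controller automates can be worked through in a few lines of code. The following is an added example, not code from the original article. It assumes the 2.4 GHz centre frequencies 2407 + 5*n MHz (channel 14 at 2484 MHz) and a 22 MHz occupied bandwidth per channel, the 802.11b figure behind the classic 1/6/11 plan; the access point topology is constructed.

```python
"""Added example (not from the original article): check which 2.4 GHz channels
overlap and plan non-overlapping channels for neighbouring access points.
Assumptions: channel centre frequencies are 2407 + 5*n MHz for channels 1-13
(2484 MHz for channel 14) and each channel occupies 22 MHz, the 802.11b DSSS
width behind the classic 1/6/11 plan; the AP topology below is constructed."""

CHANNEL_WIDTH_MHZ = 22  # assumed occupied bandwidth per channel

# Constructed topology: AP-A, AP-B and AP-C all hear each other (the
# three-APs-one-metre-apart case in the text); AP-D only hears AP-C.
SAMPLE_TOPOLOGY = {"AP-A": {"AP-B", "AP-C"}, "AP-B": {"AP-A", "AP-C"},
                   "AP-C": {"AP-A", "AP-B", "AP-D"}, "AP-D": {"AP-C"}}


def center_frequency_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (1-14)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("2.4 GHz channels are 1..14, got %r" % channel)


def overlaps(ch_a, ch_b, width_mhz=CHANNEL_WIDTH_MHZ):
    """True if the occupied bands of the two channels overlap."""
    spacing = abs(center_frequency_mhz(ch_a) - center_frequency_mhz(ch_b))
    return spacing < width_mhz


def non_overlapping_set(channels=range(1, 14)):
    """Greedily pick mutually non-overlapping channels, lowest first."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def interfering_pairs(neighbours, assignment):
    """AP pairs that hear each other and sit on overlapping channels."""
    pairs = set()
    for ap, near in neighbours.items():
        for other in near:
            if overlaps(assignment[ap], assignment[other]):
                pairs.add(tuple(sorted((ap, other))))
    return sorted(pairs)


def assign_channels(neighbours, candidates=(1, 6, 11)):
    """Give each AP a channel that does not overlap with any AP it can hear.
    neighbours: {ap: set of APs within range}. Most-constrained APs are
    coloured first; a RuntimeError means no clean channel is left, which is
    where lowering transmit power or moving APs becomes the only fix."""
    assignment = {}
    for ap in sorted(neighbours, key=lambda a: -len(neighbours[a])):
        used = {assignment[n] for n in neighbours[ap] if n in assignment}
        free = [c for c in candidates if not any(overlaps(c, u) for u in used)]
        if not free:
            raise RuntimeError("no non-overlapping channel left for %s" % ap)
        assignment[ap] = free[0]
    return assignment


if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_set())
    bad = {"AP-A": 1, "AP-B": 2, "AP-C": 3, "AP-D": 1}
    print("channels 1/2/3 interfering pairs:", interfering_pairs(SAMPLE_TOPOLOGY, bad))
    plan = assign_channels(SAMPLE_TOPOLOGY)
    print("planned:", plan, "interfering pairs:", interfering_pairs(SAMPLE_TOPOLOGY, plan))
```

Run as a script, it reports that 1, 6 and 11 are the only mutually non-overlapping channels under the 22 MHz assumption, that the 1/2/3 assignment leaves every neighbouring pair interfering, and that the greedy plan leaves none. The RuntimeError path is the case the article describes: when more APs hear each other than there are clean channels, channel changes alone cannot remove the interference.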

Monday, April 18, 2011

Tips for Planning a Wireless Network

Know Your Building’s Bones

Do you know what your building is made of?  Before you install your wireless network, you should.  Dense building materials like filled cinder blocks, brick, rock walls, adobe or stucco construction can significantly reduce the strength of your wireless signal, and increase the number of access points needed to ensure a fast, reliable connection. Also anything that holds water, like pipes, bathrooms and elevator shafts tend to limit the range of wireless signals. 

Count Heads and Balance the Load

Typically, small and medium-sized businesses (SMBs) require fewer than 24 access points, but businesses must consider bandwidth in the overall plan.  Without adequate bandwidth to handle traffic, you may not realize expected productivity gains. IT staff should also be able to manage multiple access points and balance the load accordingly; centrally-managed wireless controller appliances can do this dynamically to boost performance and save time.

Power Up

After deciding the number of necessary WLAN access points you need, determine the power requirements necessary to support these points, typically 15 watts or less.  While power requirements differ for each business, power injectors are still a great option for powering the access points.  The injectors can be placed anywhere along the line within 100 meters and provide greater flexibility by eliminating the need for external AC Adapter power supply.

Safe and Secure Networking

Who among us hasn’t searched for an unsecured wireless network to jump on when we are away from home or work?  Keeping the wireless network safe is a top priority, so avoid using obsolete protocols for wireless security, like WEP (Wired Equivalent Privacy). Better alternatives include WPA (Wi-Fi Protected Access) and WPA2, which will help safeguard against hackers.  For increased protection, IT departments should configure access points to use the strongest available AES 256 bit encryption.

Common Wireless Networking Missteps

Are you ready to jump online?  Avoid some of the more common wireless network pitfalls:

This Access Point Worked at Home

Depending on the size of the business, wireless devices designed for home use may not be a fit for the business environment.  Although home access points are less expensive, they are not designed to achieve the results necessary beyond a small home office.  Businesses with multiple access points require devices designed to achieve a seamless connection.  Home access points are designed for single deployments and will interfere with other access points in multiple access point scenarios.

Just Add Access Points

The easiest locations for access points are not necessarily the best locations.  While a comprehensive wireless site survey is ideal, it may be cost prohibitive for most small businesses, ranging from $2,000 - $3,000, so consider these approaches to the access point challenge:
  • Install multiple access points and err on the side of over-coverage.  The initial investment in multiple access points will save money in the long run, compared to commissioning a site survey
  • Perform a rudimentary site survey independently by setting up one access point, charting its coverage using one laptop and using its coverage range as a guideline for access points throughout the facility
  • Consider a wireless LAN controller.  The controller recognizes all of the connected access points and sets the appropriate channel and power setting.  Some controllers even let you load a diagram of the floor plan, providing a heat map that shows the signal strength of each access point

Do What You’ve Always Done

It’s easy to become complacent with wireless routines.  Network equipment is constantly improving, with networked devices becoming smarter and more complex -- just like the technologies that hackers use to attack networks.  Don’t put your small business at risk -- understand exactly where the wireless marketplace stands and where the technology is headed to avoid exposing the business to security risks that waste time and money.

Don’t Plan to Grow

When implementing a WLAN, think about current and future networking needs, and be prepared to grow with the technology. One benefit of a wireless infrastructure is that it is fairly simple to reconfigure an office space during times of growth or change.  The equipment and the configuration should be driven by business goals -- be mindful of what potential needs will be six months to a year into the future.
A wireless network can be a great asset to your business, but be careful to consider the objectives, limitations and the potential future benefits.  Also, be aware of the possible pitfalls to avoid disappointment and lost productivity time.  When done right, a wireless implementation can translate into a successful business plan.

Friday, April 15, 2011

Protecting website using basic authentication

Apache uses mod_auth to protect the whole or part of a site.
Here we will see how to provide access to your website to authenticated users only. I will demonstrate and explain the use of basic authentication.
In Apache's main configuration file, located at /etc/httpd/conf/httpd.conf, or inside <VirtualHost></VirtualHost> directives, put in the following:
<Directory />
AuthName "Authentication Needed"
AuthType Basic
AuthUserFile /etc/httpd/conf/security_users
require valid-user
</Directory>
Let me explain the above directives one by one:
<Directory /> means that the directives apply to /, that is, to the DocumentRoot of the site.
AuthName creates a label that is displayed by web browsers to users.
AuthUserFile sets the file that Apache will consult to check user names and passwords when authenticating users.
AuthType specifies what type of authentication scheme to use.
The require directive states that only valid users are allowed access to the site.
Now we create the file that will hold the users and their passwords with the following command:
htpasswd -c /etc/httpd/conf/security_users testuser
New password:
Re-type new password:
Adding password for user testuser
-c is meant to create the password file (/etc/httpd/conf/security_users) and testuser is the user to be created. The flag -c is not needed when adding further users to the same file.
Now restart Apache.
/etc/init.d/apache2 restart
Access the site e.g. http://localhost or http://IP_of_apache
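To see what the configuration above actually makes the browser and server do, here is an added example, not code from the original post, that builds the Authorization header a browser sends in response to the 401 challenge, decodes it the way Apache does, and checks the password against an htpasswd-style entry. It assumes the password file uses htpasswd's "{SHA}" format (htpasswd -s); the sample file in the code is constructed, not the page's /etc/httpd/conf/security_users.

```python
"""Added example, not code from the original post: what HTTP Basic
authentication puts on the wire and how a server checks it against an
htpasswd-style file. Assumptions: entries use htpasswd's "{SHA}" format
(htpasswd -s); the sample file below is constructed, not the page's
/etc/httpd/conf/security_users."""
import base64
import hashlib
import hmac

# Constructed password file: user:{SHA}base64(sha1(password))
SAMPLE_HTPASSWD = "testuser:{SHA}" + base64.b64encode(
    hashlib.sha1(b"correct horse").digest()).decode() + "\n"


def basic_header(username, password):
    """The Authorization header a browser sends after the 401 challenge.
    The credentials are only base64-encoded, not encrypted."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(header):
    """Return (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def load_htpasswd(text):
    """Parse htpasswd lines into {user: stored_hash}; blanks and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, sep, stored = line.partition(":")
            if sep:
                users[user] = stored
    return users


def verify(users, username, password):
    """Check a password against a {SHA} entry with a constant-time comparison."""
    stored = users.get(username, "")
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def authorize(users, header):
    """Server-side decision for "require valid-user": 200, or 401 to re-challenge."""
    creds = parse_basic_header(header or "")
    return 200 if creds and verify(users, *creds) else 401


if __name__ == "__main__":
    users = load_htpasswd(SAMPLE_HTPASSWD)
    hdr = basic_header("testuser", "correct horse")
    print("on the wire:", hdr, "-> decodes to", parse_basic_header(hdr))
    print("status:", authorize(users, hdr), authorize(users, basic_header("testuser", "wrong")))
```

The first print line is the practical point: the header decodes straight back to the username and password, so a site protected this way should be served over HTTPS. The "{SHA}" format is used here only because it is easy to reproduce in a few lines; it is unsalted, and htpasswd's bcrypt (-B) or its default MD5-based format are better choices for a real password file.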

Monday, April 11, 2011

What is Server Virtualization?

Servers rarely run at full capacity. Server virtualization enables multiple applications running on multiple operating systems to run on the same server, utilizing that unused additional capacity. Let's find out more about server virtualization in this article.

What is Server Virtualization?

[Diagram: Server Virtualization Architecture] In the diagram, the three servers on the left hand side represent stand-alone servers: there is an operating system and an application on each of them. That's the conventional setup. Well, almost. There are some drawbacks with this setup: some operating systems/applications do not use all the resources of an entire server, so the additional capacity goes under-used. Also, unless more physical servers are introduced, there is no backup for these stand-alone servers/applications should they fail.
The three servers on the right hand side represent virtualized servers. In each server (for the sake of simplicity) let's consider that multiple applications are running on multiple operating systems. Each OS/application is isolated from the others. Further, server resources like processor capacity, RAM, hard-disk capacity, etc. are reserved (or allocated) separately for each OS/application.
The OS/application pairs run over a software module called the hypervisor. The hypervisor resides between the bare metal hardware and the virtual systems. It basically de-couples the operating system/applications from the underlying physical hardware and provides a common management/operating platform for multiple operating systems/applications.
So, in a nutshell, server virtualization can be defined as multiple instances of different operating systems/applications running on one physical server. This approach has a lot of advantages, as discussed below.

Advantages of Server Virtualization:

  • Since the resources (RAM, Processor, etc) of the virtualized servers are utilized more (than stand-alone OS/App) as multiple operating systems and applications share the same server resources, Server Virtualization improves the resource utilization ratio.
  • Server Virtualization enables server consolidation – resulting in fewer servers for the same OS/application(s).
  • If a server is down (due to either hardware or application failure) (or) due to maintenance activities, application downtime can be avoided by migrating the virtual systems (OS/application pairs) to other servers. This ensures high availability of the applications.
  • The applications can also be transferred from a primary data center to a secondary data center (by certain virtualization software, if up-to-date copies are kept at the secondary data center), enabling an effective disaster recovery strategy.
  • Server Virtualization avoids over-purchasing/ over-allocation of servers for certain applications.
  • On-demand resource allocation is possible along with the ability to scale up / scale down resources.
  • The time required for getting an application up and running is greatly reduced, especially for smaller applications that can be provisioned in one of the existing virtual servers.
  • Server Virtualization is an Operating System neutral technology – multiple operating systems can reside alongside in the same server.
  • Even though various operating systems/applications reside in the same server, they are logically isolated from each other, thereby enhancing security.
  • The operating systems/ applications (virtual systems) are hardware independent. They just need to communicate with the hypervisor and the hypervisor communicates with the hardware components.
  • Server Virtualization is useful for testing applications / using them in the production environment temporarily as there is no need to buy additional servers for doing that.

Limitations of Server Virtualization:

  • The resource allocation for each virtual system needs to be planned carefully. If too few resources are allocated, application performance might suffer, and if too many resources are allocated, it results in under-utilization. The servers that are to be virtualized should have sufficient resources in the first place.
  • 32-bit processors/ operating systems/ applications can make use of only limited memory resources in the server (4 GB) and hence 64-bit computing is preferred for server virtualization. But not all the applications have been migrated to 64-bit computing yet.
  • Only a few processors (that support virtualization) can be used to virtualize servers. And for migrating the virtual systems from one server to another, some vendors require similar model/make of processors.
  • The hypervisor itself utilizes some processing power. This is in addition to the processing power required for the applications.
  • The cost of virtualization software, management applications, management expertise required etc, might limit the usage of server virtualization in smaller environments with very few servers.
  • Sometimes, a separate SAN/NAS network might be required for storage as there may not be sufficient storage capacity inside the server for multiple OS/ Applications.
  • The software switch running inside the hypervisor to connect the various virtual systems (operating system/application) may not be able to integrate with the existing network settings like VLAN/QoS settings, etc. At the least, it cannot implement all the features of a specialized network switch connecting to individual servers in a full-fledged way.

Monday, April 4, 2011

Squid Access Controls

Tag Name acl
Usage acl aclname acltype string1 ... | "file"
Description
This tag is used for defining an access list. When using "file", the file should contain one item per line. By default, regular expressions are CASE-SENSITIVE. To make them case-insensitive, use the -i option.

Acl Type: src
Description
This matches on the client IP address.
Usage acl aclname src ip-address/netmask
Example
1. This refers to the whole network with address 172.16.1.0: acl aclname src 172.16.1.0/24
2. This refers to a specific single IP address: acl aclname src 172.16.1.25/32
3. This refers to the range of IP addresses from 172.16.1.25 to 172.16.1.35: acl aclname src 172.16.1.25-172.16.1.35/32

Note
While giving the netmask, caution must be exercised in what value is given.

Acl Type: dst
Description
This is the same as src, with the only difference that it refers to the server IP address. First Squid does a DNS lookup of the IP address from the domain name in the request header; then this acl is interpreted.

Usage acl aclname dst ip-address/netmask

Acl Type: srcdomain
Description
Since Squid needs to do a reverse DNS lookup (from the client IP address to the client domain name) before this acl is interpreted, it can cause processing delays; this lookup adds some delay to each request.

Usage acl aclname srcdomain domain-name
Example
acl aclname srcdomain .kovaiteam.com

Note
Here the leading "." is important.

Acl Type: dstdomain
Description
This is the effective method to control access to specific domains.

Usage acl aclname dstdomain domain-name
Example
acl aclname dstdomain .kovaiteam.com
Hence this looks for *.kovaiteam.com in the URL.
Note
Here the leading "." is important.

Acl Type: srcdom_regex
Description
Since Squid needs to do a reverse DNS lookup (from the client IP address to the client domain name) before this acl is interpreted, it can cause processing delays; this lookup adds some delay to each request.

Usage acl aclname srcdom_regex pattern
Example
acl aclname srcdom_regex kovai
Hence this looks for the word kovai in the client domain name.
Note
Better to avoid using this acl type, to stay away from the lookup latency.

Acl Type: dstdom_regex
Description
This is also an effective method, like dstdomain.

Usage acl aclname dstdom_regex pattern
Example
acl aclname dstdom_regex kovai
Hence this looks for the word kovai in the destination (server) domain name.

Acl Type: time
Description
Time of day, and day of week

Usage acl aclname time [day-abbreviations] [h1:m1-h2:m2]
day-abbreviations:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2
Example
acl ACLTIME time M 9:00-17:00
ACLTIME refers to Monday from 9:00 to 17:00.

Acl Type: url_regex
Description
The url_regex means to search the entire URL for the regular expression you specify. Note that these regular expressions are case-sensitive. To make them case-insensitive, use the -i option.

Usage acl aclname url_regex pattern
Example
acl ACLREG url_regex cooking
ACLREG refers to URLs containing "cooking", not "Cooking".

Acl Type: urlpath_regex
Description
urlpath_regex does regular expression pattern matching on the URL path, that is, the URL without the protocol and hostname. Note that these regular expressions are case-sensitive.

Usage acl aclname urlpath_regex pattern
Example
acl ACLPATHREG urlpath_regex cooking
ACLPATHREG refers only to URLs containing "cooking", not "Cooking", and without considering the protocol and hostname.
If the URL is http://www.visolve.com/folder/subdir/cooking/first.html then this acl type only looks at the part after http://www.visolve.com.
In other words, if the URL is http://www.visolve.com/folder/subdir/cooking/first.html then this acl type's regex must match /folder/subdir/cooking/first.html.

Acl Type: port
Description
Access can be controlled by destination (server) port number.

Usage acl aclname port port-no
Example
This example allows http_access only to the destination 172.16.1.115:80 from the network 172.16.1.0/24:

acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all

Acl Type: proto
Description
This specifies the transfer protocol

Usage acl aclname proto protocol
Example
acl aclname proto HTTP FTP
This refers to the protocols HTTP and FTP.

Acl Type: method
Description
This specifies the type of the method of the request

Usage acl aclname method method-type
Example
acl aclname method GET POST
This refers to the GET and POST methods only.

Acl Type: browser
Description
Regular expression pattern matching on the request's user-agent header

Usage acl aclname browser pattern
Example
acl aclname browser MOZILLA
This refers to requests coming from browsers that have the "MOZILLA" keyword in the User-Agent header.

Acl Type: ident
Description
String matching on the user's name

Usage acl aclname ident username ...
Example
You can use ident to allow specific users access to your cache. This requires that an ident server process runs on the user's machine(s). In your squid.conf configuration file you would write something like this:

ident_lookup on
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all

Acl Type: ident_regex
Description
Regular expression pattern matching on the user's name. String match on ident output. Use REQUIRED to accept any non-null ident

Usage acl aclname ident_regex pattern
Example
You can use ident to allow specific users access to your cache. This requires that an ident server process run on the user's machine(s). In your squid.conf configuration file you would write something like this:

ident_lookup on
acl friends ident_regex joe
This looks for the pattern "joe" in the username.


Acl Type: src_as
Description
Source (client) Autonomous System number

Acl Type: dst_as
Description
Destination (server) Autonomous System number

Acl Type: proxy_auth
Description
User authentication via external processes. proxy_auth requires an EXTERNAL authentication program to check username/password combinations (see authenticate_program ).

Usage acl aclname proxy_auth username...
Use REQUIRED instead of a username to accept any valid username.
Example
acl ACLAUTH proxy_auth usha venkatesh balu deepa

This acl is for authenticating users usha, venkatesh, balu and deepa by external programs.
Warning
proxy_auth can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn't. When a Proxy-Authentication header is sent but it is not needed during ACL checking the username is NOT logged in access.log.


Acl Type: proxy_auth_regex
Description
This is the same as proxy_auth, with one difference: it matches the pattern against the usernames that are given by authenticate_program.

Usage acl aclname proxy_auth_regex [-i] pattern...

Acl Type: snmp_community
Description
SNMP community string matching

Example
acl aclname snmp_community public
snmp_access aclname


Acl Type: maxconn
Description
A limit on the maximum number of connections from a single client IP address. It is an ACL that is true if the client has more than maxconn connections open. It is used in http_access to allow/deny the request just like all the other acl types.

Example
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn

Note
maxconn acl requires client_db feature, so if you disabled that (client_db off) maxconn won't work.


Acl Type: req_mime_type
Usage acl aclname req_mime_type pattern
Description
Regular expression pattern matching on the request content-type header

Example
acl aclname req_mime_type text

This acl looks for the pattern "text" in the request Content-Type header.

Acl Type: arp
Usage acl aclname arp ARP-ADDRESS
Description
Ethernet (MAC) address matching. This acl is supported on Linux, Solaris, and probably BSD variants.

To use ARP (MAC) access controls, you first need to compile in the optional code.
Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make

If everything compiles, then you can add some ARP ACL lines to your squid.conf.
Default
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
Example
acl ACLARP arp 11:12:13:14:15:16
ACLARP refers to the Ethernet MAC address 11:12:13:14:15:16.
Note
Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

Tag Name http_access
Usage http_access allow|deny [!]aclname ...
Description
Allowing or denying http access based on defined access lists

If none of the "access" lines cause a match, the default is the opposite of the last line in the list. If the last line was deny, then the default is allow. Conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have a "deny all" or "allow all" entry at the end of your access lists to avoid potential confusion.
Default
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
If there are no "access" lines present, the default is to allow the request


Caution
The deny all line is very important. After all the http_access rules, if access isn't denied, it's ALLOWED!! So specifying a LOT of http_access allow rules and forgetting the deny all after them is the same as NOTHING. If access isn't allowed by one of your rules, the default action (ALLOW) will be triggered. So, don't forget the deny all rule AFTER all the rules.

And finally, don't forget that rules are read from top to bottom. The first rule matched will be used; other rules won't be applied.
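The acl types above and the http_access evaluation order can be checked offline with a small evaluator. This is an added example, not part of the Squid documentation: it implements the rule stated under http_access (first match wins; with no match, the result is the opposite of the last line), so an access list that ends with a deny rule defaults to allow for everything else, which is exactly the case the caution warns about. It assumes only the src (CIDR or netmask form), dstdomain (a leading dot also matches subdomains), port (single or lo-hi), method and time (minute bounds taken as inclusive) acl types; the squid.conf fragment and the requests are constructed.

```python
"""Added example, not part of the Squid documentation above: a small evaluator
for squid.conf-style acl and http_access lines. Assumptions: only src,
dstdomain, port, method and time are implemented (time bounds are treated as
inclusive); the config and requests below are constructed samples."""
import ipaddress
from datetime import datetime

DAY_CODES = "MTWHFAS"  # Squid day letters indexed by datetime.weekday(), Mon=0

# Constructed squid.conf fragment ending with the recommended "deny all"
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl mynet src 192.168.2.0/24
acl workhours time MTWHF 9:00-17:00
acl Safe_ports port 80 21 443
acl Safe_ports port 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked dstdomain .example.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow mynet workhours
http_access deny all
"""


def parse_config(text):
    """Return ({aclname: (type, values)}, [(action, [(negated, aclname), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":  # repeated lines for one acl accumulate values
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))
    return acls, rules


def _domain_match(host, patterns):
    host = host.lower()
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in (p.lower() for p in patterns))


def _port_match(port, specs):
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (s.partition("-") for s in specs))


def _time_match(when, spec):
    days = "".join(s for s in spec if ":" not in s)
    if days and DAY_CODES[when.weekday()] not in days:
        return False
    ranges = [s for s in spec if ":" in s]
    now = (when.hour, when.minute)
    return not ranges or any(  # assumed inclusive at both ends
        tuple(map(int, a.split(":"))) <= now <= tuple(map(int, b.split(":")))
        for a, b in (r.split("-") for r in ranges))


def acl_matches(acl, req):
    """req: dict with src, host, port, method and time (a datetime)."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        return _domain_match(req["host"], values)
    if kind == "port":
        return _port_match(req["port"], values)
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "time":
        return _time_match(req["time"], values)
    raise ValueError("acl type %r is not implemented in this example" % kind)


def http_access(acls, rules, req):
    """First rule whose every term matches decides; when nothing matches the
    result is the opposite of the last rule's action (allow if no rules)."""
    for action, terms in rules:
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(conf_text, req):
    acls, rules = parse_config(conf_text)
    return http_access(acls, rules, req)


def make_request(src="192.168.2.10", host="www.example.net", port=80,
                 method="GET", when=(2011, 4, 4, 10, 0)):
    """Constructed request; the default time is Monday 2011-04-04 10:00."""
    return {"src": src, "host": host, "port": port, "method": method,
            "time": datetime(*when)}


if __name__ == "__main__":
    print(decide(SAMPLE_CONF, make_request()))                        # allow
    print(decide(SAMPLE_CONF, make_request(when=(2011, 4, 9, 10, 0))))  # deny
    # Only a deny rule and no "deny all": an unmatched request is allowed.
    print(decide("acl blocked dstdomain .example.com\nhttp_access deny blocked\n",
                 make_request(src="10.0.0.5")))                      # allow
```

The last print is the point of the caution above: with "http_access deny blocked" as the only line, a request from an address the list never mentions is allowed. Running the same request against SAMPLE_CONF, whose list ends in "deny all", denies it.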

Tag Name icp_access
Usage icp_access allow|deny [!]aclname ...
Description
Allowing or denying ICP queries from neighbor caches based on defined access lists.

Default icp_access deny all
Example
icp_access allow all - Allow ICP queries from everyone

Tag Name miss_access
Usage miss_access allow|deny [!]aclname...
Description
Used to force your neighbors to use you as a sibling instead of a parent. For example:

acl localclients src 172.16.0.0/16
miss_access allow localclients
miss_access deny !localclients
This means that only your local clients are allowed to fetch MISSES and all other clients can only fetch HITS.
Default
By default, allow all clients who passed the http_access rules to fetch MISSES from us.
miss_access allow all


Tag Name cache_peer_access
Usage cache_peer_access cache-host allow|deny [!]aclname ...
Description
Similar to 'cache_peer_domain' but provides more flexibility by using ACL elements.

The syntax is identical to 'http_access' and the other lists of ACL elements. See 'http_access ' for further reference.
Default none
Example
The following example could be used if we want all requests from a specific IP address range to go to a specific cache server (for accounting purposes, for example). Here, all the requests from the 10.0.1.* range are passed to proxy.visolve.com, but all other requests are handled directly.

Using ACLs to select peers (note that the ACL name used in cache_peer_access must match the one defined with acl):
acl myNet src 10.0.0.0/255.255.255.0
acl custNet src 10.0.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
cache_peer proxy.visolve.com parent 3128 3130
cache_peer_access proxy.visolve.com allow custNet
cache_peer_access proxy.visolve.com deny all

Tag Name proxy_auth_realm
Usage proxy_auth_realm string
Description
Specifies the realm name, which is to be reported to the client for proxy authentication (part of the text the user will see when prompted for the username and password).

Default proxy_auth_realm Squid proxy-caching web server
Example
proxy_auth_realm My Caching Server

Tag Name ident_lookup_access
Usage ident_lookup_access allow|deny aclname...
Description
A list of ACL elements which, if matched, cause an ident (RFC 931) lookup to be performed for this request. For example, you might choose to always perform ident lookups for your main multi-user Unix boxes, but not for your Macs and PCs.

Default
By default, ident lookups are not performed for any requests
ident_lookup_access deny all
Example
To enable ident lookups for specific client addresses, you can follow this example:

acl ident_aware_hosts src 198.168.1.0/255.255.255.0
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
Caution
This option may be disabled by using --disable-ident with the configure script.


Examples:
(1) To allow http_access for only one machine, with MAC address 00:08:c7:9f:34:41.
To use MAC addresses in ACL rules, Squid must be built with the configure option --enable-arp-acl.
acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
(2) To restrict access to work hours (9am - 5pm, Monday to Friday) from the 192.168.2.0/24 network.
acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all
(3) Can I use multiple time-based access control lists to give different users access at different times?
ACL Definitions
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59

Access Controls
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch

This is wrong. The explanation follows:
Here the access line "http_access allow xyz morning lunch" will not work, because the ACLs on one http_access line are interpreted like this:

http_access ACTION acl1 AND acl2 AND acl3   OR
http_access ACTION acl1 AND acl2 AND acl3   OR
........
That is, the ACLs on a single line are ANDed together, and successive lines are ORed.
So, the line "http_access allow xyz morning lunch" will never match, because at any given time morning AND lunch will ALWAYS be false: morning and lunch are NEVER true at the same time, and since the ACLs on a line are ANDed, 0/1 AND 0 is always 0 (false).
That's why this line has to be split in two. If it now reads:
http_access allow xyz morning     (xyz AND morning)   OR
http_access allow xyz lunch       (xyz AND lunch)
then, if the request comes from xyz during one of the allowed times, one of the rules will match TRUE and the other will match FALSE. TRUE OR FALSE is TRUE, so access will be permitted.
Finally, the access controls look like this:
http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all
(4) Rules are read from top to bottom. The first rule matched will be used; the rules after it won't be applied.
Example:
http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch

If xyz tries to access something in the morning, access will be granted. But if xyz tries to access something at lunchtime, access will be denied: it is denied by the 'deny xyz' rule, which is matched before the 'allow xyz lunch' rule is reached.
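The evaluation rules spelled out above (first match wins, ACLs on one line are ANDed, successive lines are ORed, and the default is the opposite of the last line, or allow when there are no lines at all) are easy to get wrong when writing a long http_access list. The following toy evaluator is an added example, not Squid's own code: it models only the 'src' and 'time' ACL types, reads squid.conf-style text, and applies the semantics described for the "deny all" caution and for examples (3) and (4). The configurations embedded in it are constructed to mirror those examples; the timestamps (a Tuesday in April 2011) are made up.

```python
# Added example: a toy evaluator of Squid http_access semantics as described in
# the text above. This is NOT Squid's own code; only 'src' and 'time' ACLs are
# modelled, which is enough for the examples on this page.
import ipaddress
from datetime import datetime

# Squid's day letters for 'time' ACLs mapped to datetime.weekday() values
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def parse_acl(kind, args):
    """Turn one 'acl NAME kind args...' definition into a matchable tuple."""
    if kind == "src":
        # ip_network accepts CIDR (10.0.0.0/24), dotted masks (10.0.0.0/255.255.255.0)
        # and bare addresses (172.161.163.85 becomes a /32)
        return ("src", [ipaddress.ip_network(a, strict=False) for a in args])
    if kind == "time":
        days, span = set(), None
        for a in args:
            if ":" in a:                        # h1:m1-h2:m2
                start, end = a.split("-")
                h1, m1 = map(int, start.split(":"))
                h2, m2 = map(int, end.split(":"))
                span = (h1 * 60 + m1, h2 * 60 + m2)
            else:                               # day letters, e.g. M T W H F or MTWHF
                days.update(DAY_LETTERS[c] for c in a)
        return ("time", days, span)
    raise ValueError(f"ACL type {kind!r} is not modelled in this example")


def parse_config(text):
    """Return ({acl_name: [definitions]}, [(action, [terms])]) from squid.conf-style text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], []).append(parse_acl(words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, ip, when):
    """Several 'acl NAME ...' lines with the same name are ORed together."""
    for entry in acls[name]:
        if entry[0] == "src":
            if any(ip in net for net in entry[1]):
                return True
        else:
            _, days, span = entry
            minute_of_day = when.hour * 60 + when.minute
            if days and when.weekday() not in days:
                continue
            if span and not (span[0] <= minute_of_day <= span[1]):
                continue
            return True
    return False


def http_access(acls, rules, client_ip, when):
    """Top to bottom, first match wins; all terms on a line must hold (AND);
    '!' negates a term; with no match the default is the opposite of the last
    line, and allow when there are no lines at all."""
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), ip, when) != t.startswith("!") for t in terms):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, client_ip, when_text):
    """Convenience wrapper: when_text is 'YYYY-MM-DD HH:MM'."""
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, client_ip, datetime.strptime(when_text, "%Y-%m-%d %H:%M"))


# Constructed configs mirroring examples (3) and (4) above (sample data, not from a real site).
ACL_DEFS = """
acl all src 0.0.0.0/0.0.0.0
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59
"""
WRONG = ACL_DEFS + "http_access allow xyz morning lunch\n"     # morning AND lunch: never true
FIXED = ACL_DEFS + "http_access allow xyz morning\nhttp_access allow xyz lunch\nhttp_access deny all\n"
ORDER = ACL_DEFS + "http_access allow xyz morning\nhttp_access deny xyz\nhttp_access allow xyz lunch\n"
# Only one line, and it is a deny: a client it does not match falls through to the
# default, which is the opposite of the last line, i.e. allow.
LAST_LINE_DENY = "acl localnet src 192.168.1.0/24\nhttp_access deny !localnet\n"

if __name__ == "__main__":
    xyz, morning, lunch = "172.161.163.86", "2011-04-26 10:00", "2011-04-26 14:15"
    print("wrong config, xyz in the morning :", decide(WRONG, xyz, morning))          # deny
    print("fixed config, xyz at lunch       :", decide(FIXED, xyz, lunch))            # allow
    print("deny before allow, xyz at lunch  :", decide(ORDER, xyz, lunch))            # deny
    print("no match, last line is a deny    :", decide(LAST_LINE_DENY, "192.168.1.5", morning))  # allow
```

Running the script shows the four pitfalls side by side: the single-line "morning lunch" rule never allows anyone, the split rules do, a deny placed before a later allow wins, and a list whose last line is a deny silently allows whatever it did not match, which is why the text recommends ending every list with an explicit deny all or allow all.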