Tag Name | acl |
Usage | acl aclname acltype string1 ... | "file" |
Description
This tag is used for defining an access list. When using "file", the file should contain one item per line. By default, regular expressions are CASE-SENSITIVE; to make them case-insensitive, use the -i option.
dst: this is the same as src, the only difference being that it refers to the server (destination) IP address. Squid first does a DNS lookup of the domain name taken from the request header to obtain the IP address; only then is this acl interpreted.
|
Since Squid needs a reverse DNS lookup (from client IP address to client domain name) before this acl is interpreted, it can cause processing delays. This lookup adds some delay to the request.
acl aclname srcdomain .kovaiteam.com  Note: here the leading "." is important. |
This is the effective method to control access to a specific domain.
acl aclname dstdomain .kovaiteam.com  Hence this looks for *.kovaiteam.com in the URL. Note: here the leading "." is important. |
Since Squid needs a reverse DNS lookup (from client IP address to client domain name) before this acl is interpreted, it can cause processing delays. This lookup adds some delay to the request.
acl aclname srcdom_regex kovai  Hence this looks for the word kovai in the client domain name. Note: better avoid this acl type to stay away from that latency. |
This is as effective a method as dstdomain.
acl aclname dstdom_regex kovai  Hence this looks for the word kovai in the destination (server) domain name taken from the URL. |
Time of day, and day of week
acl ACLTIME time M 9:00-17:00  ACLTIME refers to Monday from 9:00 to 17:00. |
The url_regex type searches the entire URL for the regular expression you specify. Note that these regular expressions are case-sensitive; to make them case-insensitive, use the -i option.
acl ACLREG url_regex cooking  ACLREG refers to a URL containing "cooking", not "Cooking". |
The urlpath_regex type does regular expression pattern matching on the URL without the protocol and hostname. Note that these regular expressions are case-sensitive.
Example: acl ACLPATHREG urlpath_regex cooking  ACLPATHREG matches only a path containing "cooking", not "Cooking", and takes no account of the protocol and hostname. If the URL is http://www.visolve.com/folder/subdir/cooking/first.html, this acl type only looks at what follows http://www.visolve.com; in other words, the regex must match /folder/subdir/cooking/first.html. |
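The domain and URL acl types described above (the leading "." on srcdomain/dstdomain, url_regex searching the whole URL, urlpath_regex searching only what follows the hostname, and the -i option) can be exercised with a small matcher. This is an added example written for this page, not Squid's own code. It assumes that dstdomain comparison is case-insensitive and that the query string belongs to the path searched by urlpath_regex; the URLs it uses are constructed samples, one of them taken from the urlpath_regex description.

```python
import re
from urllib.parse import urlsplit


def dstdomain_matches(pattern, hostname):
    """dstdomain/srcdomain: a leading '.' matches the domain itself and every
    subdomain; without the dot only the exact hostname matches.
    Assumption: the comparison is case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("."):
        return hostname == pattern[1:] or hostname.endswith(pattern)
    return hostname == pattern


def url_regex_matches(pattern, url, ignore_case=False):
    """url_regex: search the entire URL (scheme, host, path and query)."""
    flags = re.IGNORECASE if ignore_case else 0  # the -i option
    return re.search(pattern, url, flags) is not None


def urlpath_regex_matches(pattern, url, ignore_case=False):
    """urlpath_regex: search only what follows the scheme and hostname.
    Assumption: the query string is part of the searched path."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, path, flags) is not None


def acl_matches(acl_line, url):
    """Evaluate one 'acl NAME TYPE [-i] ARG...' line against a URL; the acl
    matches when any of its arguments matches (only the three types above)."""
    _, _name, kind, *args = acl_line.split()
    ignore_case = False
    if args and args[0] == "-i":
        ignore_case, args = True, args[1:]
    if kind == "dstdomain":
        host = urlsplit(url).hostname or ""
        return any(dstdomain_matches(arg, host) for arg in args)
    if kind == "url_regex":
        return any(url_regex_matches(arg, url, ignore_case) for arg in args)
    if kind == "urlpath_regex":
        return any(urlpath_regex_matches(arg, url, ignore_case) for arg in args)
    raise ValueError(f"acl type not modelled here: {kind}")


# Constructed sample URL, the one used in the urlpath_regex description above
SAMPLE_URL = "http://www.visolve.com/folder/subdir/cooking/first.html"

if __name__ == "__main__":
    for line in ("acl ACLREG url_regex cooking",
                 "acl ACLREG url_regex Cooking",
                 "acl ACLREG url_regex -i Cooking",
                 "acl ACLPATHREG urlpath_regex visolve",  # hostname is not searched
                 "acl ACLREG url_regex visolve"):
        print(f"{line:45s} -> {acl_matches(line, SAMPLE_URL)}")
```

The practical point the matcher makes visible: a hostname filter written as urlpath_regex never sees the hostname, and a dstdomain entry without the leading "." matches only the bare domain, while ".kovaiteam.com" still does not match a look-alike such as evilkovaiteam.com because the dot must be present in the hostname.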
Access can be controlled by the destination (server) port number.
This example allows http_access only to the destination 172.16.1.115:80 from the network 172.16.1.0:
acl acceleratedhost dst 172.16.1.115/255.255.255.255
acl acceleratedport port 80
acl mynet src 172.16.1.0/255.255.255.0
http_access allow acceleratedhost acceleratedport mynet
http_access deny all |
This specifies the transfer protocol.
acl aclname proto HTTP FTP  This refers to the protocols HTTP and FTP. |
This specifies the request method.
acl aclname method GET POST  This refers to the GET and POST methods only. |
Regular expression pattern matching on the request's User-Agent header.
acl aclname browser MOZILLA  This refers to requests coming from browsers whose User-Agent header contains the keyword "MOZILLA". |
String matching on the user's name.
You can use ident to allow specific users access to your cache. This requires that an ident server process runs on the user's machine(s). In your squid.conf configuration file you would write something like this:
ident_lookup on
acl friends ident kim lisa frank joe
http_access allow friends
http_access deny all |
Regular expression pattern matching on the user's name (string match on ident output). Use REQUIRED to accept any non-null ident.
You can use ident to allow specific users access to your cache. This requires that an ident server process runs on the user's machine(s). In your squid.conf configuration file you would write something like this:
ident_lookup on
acl friends ident_regex joe
This looks for the pattern "joe" in the username. |
source (client) Autonomous System number |
destination (server) Autonomous System number |
User authentication via external processes. proxy_auth requires an EXTERNAL authentication program to check username/password combinations (see authenticate_program).
acl ACLAUTH proxy_auth usha venkatesh balu deepa  This acl authenticates the users usha, venkatesh, balu and deepa by an external program. Warning: proxy_auth can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem to work at first, but it doesn't. When a Proxy-Authentication header is sent but is not needed during ACL checking, the username is NOT logged in access.log. |
This is the same as proxy_auth with one difference: it matches the pattern against the usernames given by authenticate_program.
|
SNMP community string matching. Example:
acl aclname snmp_community public
snmp_access allow aclname |
A limit on the maximum number of connections from a single client IP address. It is an ACL that is true if the client has more than the given number of connections open. It is used in http_access to allow or deny the request just like all the other acl types. Example:
acl someuser src 1.2.3.4
acl twoconn maxconn 5
http_access deny someuser twoconn
http_access allow !twoconn
Note: the maxconn acl requires the client_db feature, so if you disabled it (client_db off), maxconn won't work. |
Regular expression pattern matching on the request Content-Type header.  acl aclname req_mime_type text  This acl looks for the pattern "text" in the request MIME header. |
Ethernet (MAC) address matching. This acl is supported on Linux, Solaris, and probably BSD variants. To use ARP (MAC) access controls, you first need to compile in the optional code. Do this with the --enable-arp-acl configure option:
% ./configure --enable-arp-acl ...
% make clean
% make
If everything compiles, then you can add some ARP ACL lines to your squid.conf.
acl ACLARP arp 11:12:13:14:15:16  ACLARP refers to the MAC address 11:12:13:14:15:16. Note: Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, Squid cannot find out its MAC address. |
Allowing or denying HTTP access based on the defined access lists. If none of the "access" lines cause a match, the default is the opposite of the last line in the list: if the last line was deny, the default is allow; conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have a "deny all" or "allow all" entry at the end of your access lists to avoid potential confusion.
Caution: the deny all line is very important. After all the http_access rules, if access isn't denied, it's ALLOWED!! So specifying a LOT of http_access allow rules and forgetting the deny all after them is the same as NOTHING: if access isn't allowed by one of your rules, the default action (ALLOW) will be triggered. So don't forget the deny all rule AFTER all the rules. And finally, don't forget that rules are read from top to bottom. The first rule matched will be used; other rules won't be applied. |
icp_access allow|deny [!]aclname ...
icp_access allow all - Allow ICP queries from everyone |
Used to force your neighbors to use you as a sibling instead of a parent. For example:
acl localclients src 172.16.0.0/16
miss_access allow localclients
miss_access deny !localclients
This means that only your local clients are allowed to fetch MISSES and all other clients can only fetch HITS.
|
Similar to 'cache_peer_domain' but provides more flexibility by using ACL elements. The syntax is identical to 'http_access' and the other lists of ACL elements. See 'http_access' for further reference.
The following example could be used if we want all requests from a specific IP address range to go to a specific cache server (for accounting purposes, for example). Here, all the requests from the 10.0.1.* range are passed to proxy.visolve.com, but all other requests are handled directly. Using acls to select peers:
acl myNet src 10.0.0.0/255.255.255.0
acl custNet src 10.0.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
cache_peer proxy.visolve.com parent 3128 3130
cache_peer_access proxy.visolve.com allow custNet
cache_peer_access proxy.visolve.com deny all |
Specifies the realm name, which is to be reported to the client for proxy authentication (part of the text the user will see when prompted for the username and password).
proxy_auth_realm My Caching Server |
A list of ACL elements which, if matched, cause an ident (RFC 931) lookup to be performed for this request. For example, you might choose to always perform ident lookups for your main multi-user Unix boxes, but not for your Macs and PCs.
To enable ident lookups for specific client addresses, you can follow this example:
acl ident_aware_hosts src 198.168.1.0/255.255.255.0
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
Caution: this option may be disabled by using --disable-ident with the configure script. |
Examples: |
(1) To use MAC addresses in ACL rules, configure with the option --enable-arp-acl.
acl all src 0.0.0.0/0.0.0.0
acl pl800_arp arp 00:08:c7:9f:34:41
http_access allow pl800_arp
http_access deny all
(2) To restrict access to work hours (9am - 5pm, Monday to Friday) from IP 192.168.2.0/24:
acl ip_acl src 192.168.2.0/24
acl time_acl time M T W H F 9:00-17:00
http_access allow ip_acl time_acl
http_access deny all
(3) Can I use multiple time access control lists for different users at different times?
ACL Definitions
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
acl evening time 16:25-23:59
Access Controls
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
This is wrong. The description follows:
Here the access line "http_access allow xyz morning lunch" will not work, because ACLs are interpreted like this:
http_access ACTION statement1 AND statement2 AND statement3 OR
http_access ACTION statement1 AND statement2 AND statement3 OR
http_access ACTION statement1 AND statement2 AND statement3 ...
So the ACL line "http_access allow xyz morning lunch" will never work, as pointed out, because at any given time "morning AND lunch" will ALWAYS be false: morning and lunch can NEVER both be true at the same time. As one of them is false, and the statements on a line are combined with AND, 0/1 AND 0 will always be 0 (false).
The fix is to split this line in two. If it now reads:
http_access allow xyz AND morning OR
http_access allow xyz AND lunch
If the request comes from xyz and we're in one of the allowed times, one of the rules will match TRUE; the other will obviously match FALSE. TRUE OR FALSE is TRUE, and access will be permitted.
Finally, the access control looks like this:
http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all
(4) Rules are read from top to bottom. The first rule matched will be used. Other rules won't be applied.
Example:
http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch
If xyz tries to access something in the morning, access will be granted. But if he tries to access something at lunchtime, access will be denied: it is denied by the "deny xyz" rule, which is matched before the "xyz lunch" rule.
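The http_access semantics described in the http_access entry and in examples (3) and (4) (all statements on one line ANDed, lines tried top to bottom with the first match deciding, and a default equal to the opposite of the last line's action when nothing matches) can be checked with a small rule evaluator. This is an added example written for this page, not Squid's own code. It models only the src and time acl types, treats both ends of a time range as inclusive (a simplification), and the squid.conf fragments it evaluates are constructed from examples (3) and (4) above; the `at()` helper and the fixed Monday date it uses are conveniences of this example.

```python
import ipaddress
from datetime import datetime

# Squid day letters for the "time" acl (S=Sun, M, T, W, H=Thu, F, A=Sat), as datetime.weekday() numbers
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def _hhmm(text):
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def parse_acl(line):
    """Turn 'acl NAME src|time ARGS...' into (NAME, predicate); only these two types are modelled."""
    _, name, kind, *args = line.split()
    if kind == "src":
        # ipaddress accepts CIDR and dotted-netmask forms such as 10.0.1.0/255.255.255.0
        nets = [ipaddress.ip_network(a, strict=False) for a in args]
        return name, lambda req: any(req["ip"] in net for net in nets)
    if kind == "time":
        days, ranges = set(), []
        for arg in args:
            if "-" in arg:
                lo, hi = arg.split("-")
                ranges.append((_hhmm(lo), _hhmm(hi)))
            else:
                days.update(DAY_LETTERS[letter] for letter in arg)

        def time_match(req):
            when = req["when"]
            if days and when.weekday() not in days:
                return False
            minute = when.hour * 60 + when.minute
            # simplification: both ends of a range are treated as inclusive
            return not ranges or any(lo <= minute <= hi for lo, hi in ranges)

        return name, time_match
    raise ValueError(f"acl type not modelled here: {kind}")


def load_config(text):
    """Collect acl definitions and http_access lines from a squid.conf fragment."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("acl "):
            name, predicate = parse_acl(line)
            acls[name] = predicate
        elif line.startswith("http_access "):
            _, action, *terms = line.split()
            rules.append((action, terms))
    return acls, rules


def evaluate(acls, rules, req):
    """http_access semantics: every term on a line must match (AND), lines are tried top
    to bottom and the first match decides; with no match the default is the opposite
    of the last line's action."""
    for action, terms in rules:
        # a leading '!' negates the acl, so a term holds when result != negated
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


def decide(config_text, client_ip, when):
    acls, rules = load_config(config_text)
    return evaluate(acls, rules, {"ip": ipaddress.ip_address(client_ip), "when": when})


def at(hour, minute):
    # a fixed Monday (2024-01-08); the sample time acls do not restrict the weekday
    return datetime(2024, 1, 8, hour, minute)


# Constructed squid.conf fragments built from examples (3) and (4) above.
ACL_DEFS = """
acl abc src 172.161.163.85
acl xyz src 172.161.163.86
acl asd src 172.161.163.87
acl all src 0.0.0.0/0.0.0.0
acl morning time 06:00-11:00
acl lunch time 14:00-14:30
"""
# "allow xyz morning lunch" can never match: morning AND lunch is always false,
# and when no line matches the default is the opposite of the last "allow", i.e. deny.
BROKEN = ACL_DEFS + """
http_access allow abc morning
http_access allow xyz morning lunch
http_access allow asd lunch
"""
# corrected: one line per time window, closed with an explicit deny all
FIXED = ACL_DEFS + """
http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all
"""
# example (4): first match wins, so "deny xyz" shadows "allow xyz lunch"
ORDERED = ACL_DEFS + """
http_access allow xyz morning
http_access deny xyz
http_access allow xyz lunch
"""
```

Usage: `decide(BROKEN, "172.161.163.86", at(14, 15))` returns "deny" while `decide(FIXED, ...)` with the same client and time returns "allow"; running the ORDERED fragment for the same request also returns "deny", which is the shadowing example (4) describes. Because ORDERED ends with an allow line, a client that matches no line at all (asd at lunch) is denied by the default rule, which is exactly why the entry above recommends an explicit deny all.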