Squid: The Definitive Guide - Duane Wessels [28]

log files increase in size without limit. Some operating systems enforce a 2-GB file size limit, even if you have plenty of free disk space. Exceeding this limit results in a write error, which then causes Squid to exit. To keep log file sizes reasonable, you should create a cron job that regularly renames and archives the log files. Squid has a built-in feature to make this easy. See Section 13.7 for an explanation of log file rotation.

Access Controls

I'll have a lot to say about access controls in Chapter 6. For now, I'll cover a few controls so that more enthusiastic readers can quickly start using Squid.

Squid's default configuration file denies every client request. You must place additional access control rules in squid.conf before anyone can use the proxy. The simplest approach is to define an ACL that corresponds to your users' IP addresses and an access rule that tells Squid to allow HTTP requests from those addresses. Squid has many different ACL types. The src type matches client IP addresses, and the http_access rules are checked for client HTTP requests. Thus, you need to add only two lines:

    acl MyNetwork src 192.168.0.0/16
    http_access allow MyNetwork

The tricky part is putting these lines in the right place. The order of http_access lines is very important, but the order of acl lines doesn't matter. You should also be aware that the default configuration file contains some important access controls. You shouldn't change or disrupt these until you fully comprehend their significance. When you edit squid.conf for the first time, look for this comment:

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

Insert your new rules below this comment, and before the http_access deny All line.

For the sake of completeness, here is a suitable initial access control configuration, including the recommended default controls and the example earlier:

    acl All src 0/0
    acl Manager proto cache_object
    acl Localhost src 127.0.0.1/32
    acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
    acl SSL_ports port 443 563
    acl CONNECT method CONNECT
    acl MyNetwork src 192.168.0.0/16
    http_access allow Manager Localhost
    http_access deny Manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow MyNetwork
    http_access deny All
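Because the order of http_access lines decides what gets through, it helps to see the evaluation rule worked out on the configuration above. The following Python script is an added example, not code from the book or from Squid: it models how Squid walks http_access lines (every ACL on a line must match, `!` negates one, the first matching line decides, and when no line matches the opposite of the last line's action applies), supporting only the src, port, method and proto ACL types used here, with constructed request fields.

```python
import ipaddress

# Constructed copy of the chapter's initial access control configuration.
CONFIG = """\
acl All src 0/0
acl Manager proto cache_object
acl Localhost src 127.0.0.1/32
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl MyNetwork src 192.168.0.0/16
http_access allow Manager Localhost
http_access deny Manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow MyNetwork
http_access deny All
"""

def parse(conf):
    acls, rules = {}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def _network(spec):
    addr, _, prefix = spec.partition("/")
    addr += ".0" * (3 - addr.count("."))  # Squid allows abbreviations such as 0/0
    return ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)

def acl_matches(kind, values, req):
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in _network(v) for v in values)
    if kind == "port":  # single ports and lo-hi ranges
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    return req[kind] in values  # method, proto

def decide(acls, rules, req):
    # A line matches only if all its ACLs match ('!' negates one); the first match decides.
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def check(src, method="GET", port=80, proto="http", conf=CONFIG):
    return decide(*parse(conf), {"src": src, "method": method, "port": port, "proto": proto})
```

Moving `http_access allow MyNetwork` above `http_access deny !Safe_ports` in CONFIG makes `check("192.168.1.5", port=22)` return "allow", which is exactly the ordering mistake the text warns about.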

Visible Hostname

Hopefully, you won't need to worry about the visible_hostname directive. However, you'll need to set it if Squid can't figure out the hostname of the machine on which it is running. When this happens, Squid complains and refuses to run:

    % squid -Nd1
    FATAL: Could not determine fully qualified hostname. Please set 'visible_hostname'

Squid wants to be sure about its hostname for a number of reasons:

The hostname appears in Squid's error messages. This helps users identify the source of potential problems.

The hostname appears in the HTTP Via header of cache misses that Squid forwards. When the request arrives at the origin server, the Via header contains a list of all proxies involved in the transaction. Squid also uses the Via header to detect forwarding loops. I'll talk about forwarding loops in Chapter 10.

Squid uses internal URLs for certain things, such as the icons for FTP directory listings. When Squid generates an HTML page for an FTP directory, it inserts embedded images for little icons that indicate the type of each file in the directory. The icon URLs contain the cache's hostname so that web browsers request them directly from Squid.

Each HTTP reply from Squid includes an X-Cache header. This isn't an official HTTP header. Rather, it is an extension header that indicates if the response was a cache hit or a cache miss. Since requests and responses may flow through more than one cache, each X-Cache header includes the name of the cache reporting hit or miss. Here's a sample response that passed through two caches:

    HTTP/1.0 200 OK
    Date: Mon, 29 Sep 2003 22:57:23 GMT
    Content-type: text/html
    Content-length: 733
    X-Cache: HIT from bo2.us.ircache.net
    X-Cache: MISS from bo1.us.ircache.net

Squid tries
