
Squid_ The Definitive Guide - Duane Wessels [42]

[days] [h1:m1-h2:m2]

You can specify days of the week, starting and stopping times, or both. Days are specified by the single-letter codes shown in Table 6-2. Times are specified in 24-hour format. The starting time must be less than the ending time, which makes it awkward to write time ACLs that span midnight.

Table 6-2. Day codes for the time ACL

Code  Day
S     Sunday
M     Monday
T     Tuesday
W     Wednesday
H     Thursday
F     Friday
A     Saturday
D     All weekdays (M-F)

* * *

Tip

Days and times are interpreted with the localtime( ) function, which takes into account your local time zone and daylight saving time settings. Make sure that your computer knows what time zone it is in! You'll also want to make sure that your clock is synchronized to the correct time, for example with NTP, since a clock that drifts silently shifts every time-based rule.

* * *

To specify a time ACL that matches your weekday working hours, you can write:

acl Working_hours time MTWHF 08:00-17:00

or:

acl Working_hours time D 08:00-17:00

Let's look at a trickier example. Perhaps you're an ISP that relaxes access during off-peak hours, say 8 P.M. to 4 A.M. Since this time spans midnight, you can't write "20:00-04:00." Instead you'll need either to split this into two ACLs or define the peak hours and use negation. For example:

acl Offpeak1 time 20:00-23:59

acl Offpeak2 time 00:00-04:00

http_access allow Offpeak1 ...

http_access allow Offpeak2 ...

Alternatively, you can do it like this:

acl Peak time 04:00-20:00

http_access allow !Peak ...

Although Squid allows it, you probably shouldn't put more than one day list and time range on a single time ACL line. The parser isn't always smart enough to figure out what you want. For example, if you enter this:

acl Blah time M 08:00-10:00 W 09:00-11:00

what you really end up with is this:

acl Blah time MW 09:00-11:00

The parser ORs weekdays together and uses only the last time range. It does work, however, if you write it like this, on two separate lines:

acl Blah time M 08:00-10:00

acl Blah time W 09:00-11:00
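As an added example (not code from the book or from Squid itself), the following Python model implements the time ACL matching rules described above: the day codes of Table 6-2, the rule that a range's start must be less than its end, the two ways of covering a window that crosses midnight (two ACLs, or negation of the peak range), and the single-line parsing quirk in which day lists are ORed and only the last time range survives. The squid.conf fragment in SAMPLE_CONF is constructed from the page's own examples. The comparison at minute granularity with both ends inclusive is an assumption of the model, not something the page states.

```python
"""Model of the `acl NAME time [days] [h1:m1-h2:m2]` matching described above."""
import re
from datetime import datetime, time

# Table 6-2 day codes mapped onto datetime.weekday() values (Mon=0 .. Sun=6).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}
WEEKDAYS = {0, 1, 2, 3, 4}          # "D" expands to Monday through Friday
_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")

# Constructed squid.conf fragment built from the page's own examples.
SAMPLE_CONF = """
acl Working_hours time D 08:00-17:00
acl Offpeak1 time 20:00-23:59
acl Offpeak2 time 00:00-04:00
acl Peak time 04:00-20:00
acl Blah_oneline time M 08:00-10:00 W 09:00-11:00   # the form the page warns against
acl Blah_twolines time M 08:00-10:00
acl Blah_twolines time W 09:00-11:00
"""


def parse_time_rule(args):
    """Parse the arguments of one `acl NAME time ...` line into (days, start, stop).

    Models the parser behaviour the page describes: every day list on the line is
    ORed into one set, and if several time ranges appear only the last one survives.
    No day list means every day; no range means all day.
    """
    days, start, stop = set(), None, None
    for tok in args:
        m = _RANGE.match(tok)
        if m:
            h1, m1, h2, m2 = (int(x) for x in m.groups())
            start, stop = time(h1, m1), time(h2, m2)
            if start >= stop:
                raise ValueError(f"start must be less than stop in {tok!r}; "
                                 "a range that crosses midnight needs two acl lines")
        elif re.fullmatch(r"[SMTWHFAD]+", tok):
            for code in tok:
                days |= WEEKDAYS if code == "D" else {DAY_CODES[code]}
        else:
            raise ValueError(f"unrecognised time ACL argument {tok!r}")
    return days, start, stop


def load_time_acls(config_text):
    """Collect `acl NAME time ...` lines; lines that share a name are ORed together."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "acl" and tokens[2] == "time":
            acls.setdefault(tokens[1], []).append(parse_time_rule(tokens[3:]))
    return acls


def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def rule_matches(rule, when):
    """True when `when` (datetime or ISO string) falls inside one parsed rule.

    Assumption of this model (not stated on the page): the comparison is made at
    minute granularity with both ends inclusive, which is what lets 20:00-23:59 and
    00:00-04:00 cover the off-peak window without a gap.
    """
    days, start, stop = rule
    when = _as_datetime(when)
    if days and when.weekday() not in days:
        return False
    if start is None:
        return True
    return start <= time(when.hour, when.minute) <= stop


def acl_matches(acls, name, when):
    return any(rule_matches(rule, when) for rule in acls[name])


def http_access(acls, access_lines, when):
    """First-match evaluation of `http_access allow|deny TERM ...` lines whose terms
    are time ACL names, optionally negated with `!`. Returns "allow", "deny", or
    None when no line matched."""
    for line in access_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "http_access":
            continue
        action, terms = tokens[1], tokens[2:]
        if all(acl_matches(acls, t.lstrip("!"), when) != t.startswith("!") for t in terms):
            return action
    return None


if __name__ == "__main__":
    acls = load_time_acls(SAMPLE_CONF)
    for when in ("2024-03-04 08:30", "2024-03-04 10:30"):   # 2024-03-04 is a Monday
        print(when, "one line:", acl_matches(acls, "Blah_oneline", when),
              "two lines:", acl_matches(acls, "Blah_twolines", when))
    print("02:00 with allow !Peak ->",
          http_access(acls, ["http_access allow !Peak"], "2024-03-06 02:00"))
```

Running the model on the Blah example makes the quirk concrete: with the single-line form a Monday request at 08:30 is not matched (the 08:00-10:00 range was discarded) while one at 10:30 is, which is the opposite of what the two-line form gives.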

ident

The ident ACL matches usernames returned by the ident protocol. This is a simple protocol, documented in RFC 1413. It works something like this:

A user-agent (client) establishes a TCP connection to Squid.

Squid connects to the ident port (113) on the client's system.

Squid writes a line containing the two TCP port numbers of the client's first connection. The Squid-side port number is probably 3128 (or whatever you configured in squid.conf). The client-side port is an ephemeral port chosen by the client's operating system, so it is more or less random.

The client's ident server writes back the username belonging to the process that opened the first connection.

Squid records the username for access control purposes and for logging in access.log.

When Squid encounters an ident ACL for a particular request, that request is postponed until the ident lookup is complete. Thus, the ident ACL may add some significant delays to your users' requests.

We recommend using the ident ACL only on local area networks and only if all or most of the client workstations run the ident server. If Squid and the client workstations are connected to a LAN with low latency, the ident ACL can work well. Using ident for clients connecting over WAN links is likely to frustrate both you and your users.

The ident protocol isn't very secure. Savvy users will be able to replace their normal ident server with a fake server that returns any username they select. For example, if I know that connections from the user administrator are always allowed, I can write a simple program that answers every ident request with that username.
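The exchange in the steps above and the spoofing attack just described, as an added example that is not part of the book: a Python client that issues the RFC 1413 query the way Squid does, a parser for the reply, the membership check an ident ACL performs, and a fake ident server that answers every query with a username of its owner's choosing. The server runs on the loopback interface on an ephemeral port rather than 113, and the port numbers 51234 and 3128 and the username administrator are illustrative.

```python
"""RFC 1413 ident exchange as Squid performs it, plus a fake server showing why the
answer cannot be trusted. Added example; talks only to the loopback interface."""
import socket
import threading

IDENT_PORT = 113  # where Squid really connects; the demo below binds an ephemeral port


def build_ident_request(port_on_client_host, port_on_squid):
    """RFC 1413 query line: "<port-on-server> , <port-on-client>".

    RFC 1413 calls the host running the ident daemon the "server" (here: the user's
    workstation) and the querying host the "client" (here: Squid), so the first
    number is the workstation's ephemeral port and the second is Squid's port.
    """
    return f"{port_on_client_host}, {port_on_squid}\r\n"


def parse_ident_response(line):
    """Parse an RFC 1413 reply into a dict. Reply forms:
       <ports> : USERID : <opsys> : <user-id>
       <ports> : ERROR : <error-type>
    """
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    ports = [int(p) for p in fields[0].split(",")]
    if len(ports) != 2:
        raise ValueError(f"malformed port pair in {line!r}")
    result = {"server_port": ports[0], "client_port": ports[1],
              "kind": fields[1] if len(fields) > 1 else ""}
    if result["kind"] == "USERID" and len(fields) == 4:
        result["opsys"], result["user"] = fields[2], fields[3]
    elif result["kind"] == "ERROR" and len(fields) == 3:
        result["error"] = fields[2]
    else:
        raise ValueError(f"malformed ident reply {line!r}")
    return result


def ident_lookup(host, port, port_on_client_host, port_on_squid, timeout=2.0):
    """What Squid does for an ident ACL: connect to the client's ident port, send the
    port pair of the original connection, and read one reply line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ident_request(port_on_client_host, port_on_squid).encode("ascii"))
        with s.makefile("rb") as f:
            line = f.readline().decode("ascii", "replace")
    return parse_ident_response(line)


def serve_fake_ident(listener, claimed_user):
    """A spoofing ident server: echoes the port pair and claims `claimed_user` for
    every connection, regardless of which process actually owns it."""
    conn, _ = listener.accept()
    with conn:
        with conn.makefile("rb") as f:
            ports = f.readline().decode("ascii", "replace").strip()
        conn.sendall(f"{ports} : USERID : UNIX : {claimed_user}\r\n".encode("ascii"))


def ident_acl_allows(result, allowed_users):
    """The check an `acl NAME ident USER ...` line performs on the lookup result."""
    return result["kind"] == "USERID" and result["user"] in allowed_users


def run_exchange(claimed_user="administrator"):
    """Stand in for the workstation with a fake ident server on loopback and query it
    the way Squid would for a connection from workstation port 51234 to Squid port
    3128 (illustrative numbers)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_fake_ident, args=(listener, claimed_user), daemon=True)
    t.start()
    try:
        return ident_lookup("127.0.0.1", port, 51234, 3128)
    finally:
        t.join(timeout=2)
        listener.close()


if __name__ == "__main__":
    result = run_exchange()
    print(result)
    print("ident ACL for administrator allows:", ident_acl_allows(result, {"administrator"}))
```

Nothing in the reply ties the claimed username to the workstation's real process table, which is the whole point of the warning above: whoever controls port 113 on the client controls what Squid logs and what the ident ACL matches.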

* * *

Tip

You can't use ident ACLs with interception caching (see Chapter 9). When Squid is configured for interception caching, the operating system pretends that it is the origin server. This means that the local socket address for intercepted TCP connections has the origin server's IP address. If you run netstat -n on Squid, you'll see a lot of foreign IP addresses in the Local Address column. When Squid makes an ident query, it creates a new TCP socket and binds the local endpoint to the same IP address
