Squid: The Definitive Guide - Duane Wessels [48]

the reply content type. Because Squid doesn't know the content type value until it receives the server's reply, this additional access list is necessary. See Section 6.3.9 for more information.

icp_access

If your Squid cache is configured to serve ICP replies (see Section 10.6), you should use the icp_access list. In most cases, you'll want to allow ICP requests only from your neighbor caches.

no_cache

You can use the no_cache access list to tell Squid it must never store certain responses (on disk or in memory). This list is typically used in conjunction with dst, dstdomain, and url_regex ACLs.

The "no" in no_cache causes some confusion because of double negatives. A request that is denied by the no_cache list isn't cached. In other words, no_cache deny ... is the way to make something uncachable. See Section 6.3.10 for an example.

miss_access

The miss_access list is primarily useful for a Squid cache with sibling neighbors. It determines how Squid handles requests that are cache misses. This feature is necessary for Squid to enforce sibling relationships with its neighbors. See Section 6.3.7 for an example.

redirector_access

This access list determines which requests are sent to one of the redirector processes (see Chapter 11). By default, all requests go through a redirector if you are using one. You can use the redirector_access list to prevent certain requests from being rewritten. This is particularly useful because a redirector receives less information about a particular request than does the access control system.

ident_lookup_access

The ident_lookup_access list is similar to redirector_access. It enables you to make "lazy" ident lookups for certain requests. Squid doesn't issue ident queries by default. It does so only for requests that are allowed by the ident_lookup_access rules (or by an ident ACL).

always_direct

This access list affects how a Squid cache with neighbors forwards cache misses. Usually Squid tries to forward cache misses to a parent cache, and/or Squid uses ICP to locate cached responses in neighbors. However, when a request matches an always_direct rule, Squid forwards the request directly to the origin server.

With this list, matching an allow rule causes Squid to forward the request directly. See Section 10.4.4 for more information and an example.

never_direct

Not surprisingly, never_direct is the opposite of always_direct. Cache miss requests that match this list must be sent to a neighbor cache. This is particularly useful for proxies behind firewalls.

With this list, matching an allow rule causes Squid to forward the request to a neighbor. See Section 10.4.3 for more information and an example.

snmp_access

This access list applies to queries sent to Squid's SNMP port. The ACLs that you can use with this list are snmp_community and src. You can also use srcdomain, srcdom_regex, and src_as if you really want to. See Section 14.3 for an example.

broken_posts

This access list affects the way that Squid handles certain POST requests. Some older user-agents are known to send an extra CRLF (carriage return and linefeed) at the end of the request body. That is, the message body is two bytes longer than indicated by the Content-Length header. Even worse, some older HTTP servers actually rely on this incorrect behavior. When a request matches this access list, Squid emulates the buggy client and sends the extra CRLF characters.
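The framing mismatch described above can be checked mechanically. The following is an added example, not code from the book or from Squid: a simplified Python model that compares the bytes a client sent with its Content-Length header, and shows the body a proxy would forward with and without a broken_posts match. The function names, the sample requests, and the step that trims the body to Content-Length before forwarding are assumptions of this model.

```python
# Added example: a simplified model, not Squid source code.
CRLF = b"\r\n"

def split_request(raw: bytes):
    """Return (declared Content-Length or None, bytes after the header block)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    declared = None
    for line in head.split(CRLF)[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared, body

def classify_post(raw: bytes) -> str:
    """Compare the bytes actually sent with the declared Content-Length."""
    declared, body = split_request(raw)
    if declared is None:
        return "no-content-length"
    if len(body) < declared:
        return "truncated"
    extra = body[declared:]
    if extra == b"":
        return "exact"
    if extra == CRLF:
        return "extra-crlf"        # the old user-agent behaviour described above
    return "unexpected-trailing-bytes"

def body_to_forward(raw: bytes, matches_broken_posts: bool) -> bytes:
    """Body this model forwards: trimmed to Content-Length (assumption), plus
    CRLF only when the request matched the broken_posts access list."""
    declared, body = split_request(raw)
    if declared is None or len(body) < declared:
        raise ValueError("cannot frame body")
    trimmed = body[:declared]
    return trimmed + CRLF if matches_broken_posts else trimmed

# Constructed sample requests (not captured traffic).
HEAD = b"POST /form HTTP/1.0\r\nHost: legacy.example.com\r\nContent-Length: 7\r\n\r\n"
CLEAN = HEAD + b"a=1&b=2"
BUGGY = HEAD + b"a=1&b=2\r\n"

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("buggy", BUGGY)):
        print(label, classify_post(req), body_to_forward(req, True))
```

Anything classified as unexpected-trailing-bytes is a framing disagreement other than the known two-byte quirk and is worth logging rather than forwarding.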

Squid has a number of additional configuration directives that use ACL elements. Some of these used to be global settings that were modified to use ACLs to provide more flexibility.

cache_peer_access

This access list controls the HTTP requests and ICP/HTCP queries that are sent to a neighbor cache. See Section 10.4.1 for more information and examples.

reply_body_max_size

This access list restricts the maximum acceptable size of an HTTP reply body. See Appendix A for more information.

delay_access

This access rule list controls whether or not the delay pools are applied to the (cache miss) response for this request. See
