Squid: The Definitive Guide - Duane Wessels [51]
header_access
reply_body_max_size
reply_access
ident_lookup
delay_access
miss_access
broken_posts
icp_access
cache_peer_access
redirector_access
snmp_access
The following ACL types may require information from external sources (DNS, authenticators, etc.) and are thus incompatible with fast access rules:
srcdomain, dstdomain, srcdom_regex, dstdom_regex
dst, dst_as
proxy_auth
ident
external_acl_type
This means, for example, that you can't reliably use an ident ACL in a header_access rule.
Common Scenarios
Because access controls can be complicated, this section contains a few examples. They demonstrate some of the common uses for access controls. You should be able to adapt them to your particular needs.
Allowing Local Clients Only
Almost every Squid installation should restrict access based on client IP addresses. This is one of the best ways to protect your system from abuse. The easiest way to do this is to write an ACL that contains your IP address space and then allow HTTP requests for that ACL and deny all others:
acl All src 0/0
acl MyNetwork src 172.16.5.0/24 172.16.6.0/24
http_access allow MyNetwork
http_access deny All
Most likely, this access control configuration will be too simple, so you'll need to add more lines. Remember that the order of the http_access lines is important. Don't add anything after deny All. Instead, add the new rules before or after allow MyNetwork as necessary.
Blocking a Few Misbehaving Clients
For one reason or another, you may find it necessary to deny access for a particular client IP address. This can happen, for example, if an employee or student launches an aggressive web crawling agent that consumes too much bandwidth or other resources. Until you can stop the problem at the source, you can block the requests coming to Squid with this configuration:
acl All src 0/0
acl MyNetwork src 172.16.5.0/24 172.16.6.0/24
acl ProblemHost src 172.16.5.9
http_access deny ProblemHost
http_access allow MyNetwork
http_access deny All
Denying Pornography
Blocking access to certain content is a touchy subject. Often, the hardest part about using Squid to deny pornography is coming up with the list of sites that should be blocked. You may want to maintain such a list yourself, or get one from somewhere else. The "Access Controls" section of the Squid FAQ has links to freely available lists.
The ACL syntax for using such a list depends on its contents. If the list contains regular expressions, you probably want something like this:
acl PornSites url_regex "/usr/local/squid/etc/pornlist"
http_access deny PornSites
On the other hand, if the list contains origin server hostnames, simply change url_regex to dstdomain in this example.
Restricting Usage During Working Hours
Some corporations like to restrict web usage during working hours, either to save bandwidth, or because policy forbids employees from doing certain things while working. The hardest part about this is differentiating between appropriate and inappropriate use of the Internet during these times. Unfortunately, I can't help you with that. For this example, I'm assuming that you've somehow collected or acquired a list of web site domain names that are known to be inappropriate. The easy part is configuring Squid:
acl NotWorkRelated dstdomain "/usr/local/squid/etc/not-work-related-sites"
acl WorkingHours time D 08:00-17:30
http_access deny !WorkingHours NotWorkRelated
Notice that I've placed the !WorkingHours ACL first in the rule. The dstdomain ACL is expensive (comparing strings and traversing lists), but the time ACL is a simple inequality check.
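To make the first-match behaviour of these rule sets concrete, here is an added Python evaluator; it is neither Squid's code nor the book's, but a model of how http_access lines are walked, built from the ACLs above (ProblemHost, MyNetwork, the time rule exactly as written, and the final deny All). The ACL table, the placeholder domain games.example standing in for the list file, the request dictionary format, and inclusive-start/exclusive-end time matching are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed ACL table mirroring the page's examples; the dstdomain list file
# is stood in for by one inline placeholder domain.
ACLS = {
    "All": ("src", ["0.0.0.0/0"]),
    "MyNetwork": ("src", ["172.16.5.0/24", "172.16.6.0/24"]),
    "ProblemHost": ("src", ["172.16.5.9"]),
    "NotWorkRelated": ("dstdomain", ["games.example"]),  # placeholder list entry
    "WorkingHours": ("time", ("D", "08:00", "17:30")),
}
# The http_access lines in squid.conf order, as written on the page.
RULES = [
    ("deny", ["ProblemHost"]),
    ("deny", ["!WorkingHours", "NotWorkRelated"]),
    ("allow", ["MyNetwork"]),
    ("deny", ["All"]),
]
WEEKDAYS = "MTWHFAS"  # indexed by datetime.weekday(); Squid's D expands to M-F

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def acl_matches(name, req):
    """Evaluate one named ACL against a request dict: src, host, when (ISO 8601)."""
    kind, value = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(n, strict=False) for n in value)
    if kind == "dstdomain":
        host = req["host"].lower().rstrip(".")
        # dstdomain matches the listed domain and every subdomain of it.
        return any(host == d or host.endswith("." + d) for d in value)
    if kind == "time":
        days, start, end = value
        when = datetime.fromisoformat(req["when"])
        if WEEKDAYS[when.weekday()] not in ("MTWHF" if days == "D" else days):
            return False
        # Assumption: the start minute is inclusive and the end minute exclusive.
        return _minutes(start) <= when.hour * 60 + when.minute < _minutes(end)
    raise ValueError("unsupported ACL type: " + kind)

def http_access(req, rules=RULES):
    """First-match: a rule fires when every ACL on it matches ('!' negates).
    With no match, the result is the opposite of the last rule's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Passing a rule list that lacks the closing deny All shows why the book insists on it: a request matching nothing is decided by the opposite of the last rule's action.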
Let's take this a step further and understand how to combine something like this with the source address controls described previously. Here's one way to do it:
acl All src 0/0
acl MyNetwork src 172.16.5.0/24 172.16.6.0/24
acl NotWorkRelated dstdomain "/usr/local/squid/etc/not-work-related-sites"