Squid Chinese authoritative guide (8)

Squid Chinese authoritative guide (8)-Linux Enterprise Application-Linux server application information. The following is a detailed description. 6.1.2.19 dstdom_regex

Dstdom_regex ACL is similar to dstdomain. The following example matches the host name starting with www:
Acl WebSite dstdom_regex-I ^ www \.

The following is another useful regular expression used to match the IP address in the URL Host Name:
Acl IPaddr dstdom_regex [0-9] $

This works because squid requires that the URL host name be completely verifiable. Since the global top-level domain name does not end with a number, the ACL only matches the IP address and ends with a number.


6.1.2.20 url_regex

Url_regex ACL is used to match any part of the request URL, including the transport protocol and the original server host name. For example, the following ACL matches the MP3 file request from the FTP server:
Acl FTPMP3 url_regex-I ^ ftp: //. * \. mp3 $


6.1.2.21 urlpath_regex

Urlpath_regex is very similar to url_regex, but the transport protocol and host name are not included in the matching conditions. This makes some types of detection very easy. For example, if you have to reject the "sex" in the URL but still allow the request containing "sex" in the Host Name, do this:
Acl Sex urlpath_regex sex

In another example, if you want to specially process cgi-bin requests, you can capture them as follows:
Acl CGI1 urlpath_regex ^/cgi-bin

Of course, CGI programs are not always in the/cgi-bin/directory, so you should write other ACLs to capture them.


6.1.2.22 browser

Most HTTP requests contain the User-Agent header. The typical value of this header is as follows:
Mozilla/4.51 [en] (X11; I; Linux 2.2.5-15 i686)

Browser ACL performs regular expression matching on the user-agent header. For example, to reject a request not from the Mozilla browser, you can write it as follows:
Acl Mozilla browser Mozilla
Http_access deny! Mozilla

Before using browser ACL, make sure that you fully understand the User-Agent string received by the cache. Some user-agents are related to their sources. Even squid can overwrite the User-Agent header of the request it forwards. Some browsers, such as Konqueror of Opera and KDE, can send different user-agent strings to different original servers, or simply ignore them.


6.1.2.23 req_mime_type

Req_mime_type ACL indicates the Content-Type header in the client's HTTP request. This type of header usually only appears in the request message body. POST and PUT requests may contain this header, but GET never. You can use this type of ACL to detect certain file uploads and some types of HTTP tunnel requests.

The req_mime_type ACL value is a regular expression. You can write an ACL to capture the audio file type as follows:
Acl AuidoFileUploads req_mime_type-I ^ audio/


6.1.2.24 rep_mime_type

This Type of ACL refers to the Content-Type header in the HTTP Response of the original server. It is only useful when http_reply_access rules are used. All other access control forms are based on client requests. The ACL is based on the server response.

If you want to use squid to block Java code, you can write as follows:
Acl JavaDownload rep_mime_type application/x-java
Http_reply_access deny JavaDownload


6.1.2.25 ident_regex

Ident ACL is described earlier in this section. Ident_regex allows you to use regular expressions instead of strict string matching, which are used for the username returned by the ident protocol. For example, the following ACL matches the username that contains numbers:
Acl NumberInName ident_regex [0-9]


6.1.2.26 proxy_auth_regex

This ACL allows you to use a regular expression for the proxy authentication username. For example, the following ACL matches
Admin, administrator, and administrators:
Acl Admins proxy_auth_regex-I ^ admin


6.1.3 external ACL

Squid 2.5 introduces a new feature: External ACL. You can instruct squid to send some pieces of information to the external process, and then the external auxiliary program tells squid that the data matches or does not match.

Squid comes with a large number of external acl aids, most of which are used to determine whether a named user is a member of a special group. See Chapter 12.5 for descriptions of these programs and information on how to compile your own programs. Now I explain how to define and use the external ACL type.

The external_acl_type command defines the new external ACL type. The general syntax is as follows:
External_acl_type type-name [options] format helper-command

Type-name is a user-defined string. You can also reference it in the acl row.

Squid currently supports the following options ):

Ttl = n
Time quantity, in seconds, used to cache the length of time for matching values. The default value is 3600 seconds or 1 hour.

Negative_ttl = n
The number of times, in seconds, used to cache the duration of unmatched values. The default value is 3600 seconds or 1 hour.

Concurrency = n
Number of derivative auxiliary programs. The default value is 5.

Cache = n
The maximum number of cached results. The default value is 0, indicating that the cache size is not limited.

The format is one or more keywords starting with % characters. Squid currently supports the following formats:

% LOGIN
The username obtained from the proxy authentication Credit Option.

% IDENT
The username obtained from RFC 1413 ident.

% SRC
Client IP address.

% DST
The IP address of the original server.

% PROTO
Transmission Protocol (such as HTTP and FTP)

% PORT
The TCP port of the original server.

% METHOD
HTTP request method.

%
The value of the HTTP request header. For example, % causes squid to send such a string to the validators: "Mozilla/4.0 (compatible; MSIE 6.0; Win32 )"

%
Select a certain number of list-based HTTP headers, such as Caceh-Control. For example, the following HTTP headers are provided:
X-Some-Header: foo = xyugh, bar = plugh, foo = zoinks

For the value of %, squid sends such a string to the external ACL process:
Foo = xyks, foo = zoinks

%
Same as %, except ";" is a list separator. You can use any non-alphanumeric character as the separator.

The Auxiliary Command is derived from the auxiliary program by squid. You can also include command parameters here. For example, the entire command may be like this:
/Usr/local/squid/libexec/my-acl-prog.pl-X-5/usr/local/squid/etc/datafile

Put these in a long line. Squid does not support the following technology to separate long rows by backslash, so remember that all these must be placed in a single row:
External_acl_type MyAclType cache = 100% LOGIN % \
/Usr/local/squid/libexec/my-acl-prog.pl-X-5 \
/Usr/local/squid/share/usernames \
/Usr/local/squid/share/useragents

Now you know how to define the external ACL. The next step is to write the acl rows that reference it. This is relatively easy. The syntax is as follows:
Acl-name external type-name [args...]

The following is a simple example:
Acl MyAcl external MyAclType

Squid accepts any number of parameters after type-name. These are sent to the helper in each request.
See Chapter 12.5.3. I have described the unix_group helper as an example of this function.


6.1.4 process the long ACL list

The ACL list is very long in some cases. This list is difficult to maintain in the squid. conf file. You may also want to automatically generate the squid ACL list from other resources. In this case, you can include an ACL list from an external file. Syntax:
Acl name "filename"

The double quotation marks indicate that squid opens filename and assigns content to ACL. For example, the following ACL is too long:
Acl Foo BadClients 1.2.3.4 1.2.3.5 1.2.3.6 1.2.3.7 1.2.3.9...

You can do this:
Acl Foo BadClients "/usr/local/squid/etc/BadClients"

Put the IP address in the BadClients file:
1.2.3.4
1.2.3.5
1.2.3.6
1.2.3.7
1.2.3.9
...

The file can contain comments starting. Note that each IP address in the file must be a separate line. Values are separated by spaces anywhere in the acl row. The new line is the boundary between files containing ACL values.


6.1.5 how does Squid match an access control element?