Squid service ACL Access Control

Source: Internet
Author: User
Tags: squid proxy

Introduction:
The squid service provides powerful access control functions. You define ACLs (Access Control Lists), each of which holds a set of filtering and control conditions, and then set allow or deny on each list to implement access control.

In the squid.conf configuration file, HTTP access control is implemented mainly through the acl and http_access configuration items. The former defines the control conditions (lists); the latter enforces the control.

1. Define the ACL list
The acl configuration item sets the contents of an access control list. Each group of control targets is given its own name.
Format:
acl <list name> <list type> <list content> ...
List name: user-defined name
List type: one of the list types predefined by squid (see below)
List content: the control object(s)
Common squid predefined list types:
Type 1: src
List content demonstration:
192.168.1.1/32
192.168.1.0/255.255.255.0
192.168.1.0-192.168.3.0/24
Purpose:
Client IP address, network segment, or address range
Type 2: dst
List content demonstration:
www.bkjia.com
216.163.137.3/32
Purpose:
Target host name or IP address accessed by the user
Type 3: port
List content demonstration:
80 8080 21
Purpose:
Port accessed by the user
Type 4: srcdomain
List content demonstration:
.linuxfan.cn
.llfa.cn
Purpose:
Client source domain name (obtained by reverse-resolving the client IP address)
Type 5: dstdomain
List content demonstration:
.qq.com .msn.com .verycd.com
Purpose:
Target domain accessed by the user; matches all sites under that domain
Type 6: time
List content demonstration:
MTWHF-
PM-PM
AS
Purpose:
Time period during which users may access the Internet
Abbreviation for each day of the week:
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
S - Sunday
Type 7: maxconn
List content demonstration:
15
Purpose:
Number of concurrent HTTP connections from the client
Type 8: url_regex
List content demonstration:
url_regex -i ^rtsp:// ^mms://
url_regex -i ^emule://
Purpose:
The whole URL accessed by the user;
regular expressions may be used;
-i makes the match case-insensitive.
Type 9: urlpath_regex
List content demonstration:
urlpath_regex -i sex adult nude
urlpath_regex -i \.mp3$ \.rar$
Purpose:
Matches part of the URL path accessed by the user;
regular expressions may be used.
2. Set acl access permissions
For each defined acl list, use the http_access configuration item to control its access permission: allow or deny.
An http_access line must be defined after the acl lists it references.
Each http_access line configures one permission control rule.
A single http_access rule may name several acl lists at once. The relationship between them is "and": the rule matches only when the conditions of all the listed acls are met.
The "!" symbol negates a condition.
Format:
http_access allow|deny <list name> ...
Order of evaluation:
In squid.conf, http_access rules are checked in order; at the first rule that matches, matching stops and that rule's action is applied.
If no http_access rules are defined at all, squid rejects client requests.
If rules exist but none of them matches, squid applies the opposite of the last rule's action:
if the last rule is allow, the request is rejected; if the last rule is deny, the request is allowed.
Put the most frequently matched rules at the beginning to reduce squid's load.
For the overall access control policy, either deny the specific cases first and then allow the rest, or allow the specific cases first and then deny the rest, and finish with "http_access allow all" or "http_access deny all" so that the default is explicit rather than left to the opposite-of-last-rule behaviour.

3. Implementation steps:
Define the lists:
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl LAN1 src 192.168.1.0/24
acl LAN2 src 192.168.2.0/24
acl PC1 src 192.168.1.66/32
acl LAN_Domain srcdomain .linuxfan.cn .benet.com
acl to_localhost dst 127.0.0.0/8
acl Black_IP dst 61.143.79.86/32 217.23.45.77/32
acl Black_Host dst www.xxxx.com www.adult.com
acl Black_Domain dstdomain .qq.com .msn.com j.gamezone.net
acl Max10_Conn maxconn 10
acl Max20_Conn maxconn 20
acl Black_URL url_regex -i ^rtsp:// ^mms:// ^emule://
acl Illegal_Words urlpath_regex -i sex adult fake
acl MediaFile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$ \.rm$ \.mov$ \.mpg$
acl Lunch_Hours time MTWHF-
acl Work_Hours time MTWHF-
Implement permission control (ACL names must match the definitions above exactly):
http_access deny LAN1 Black_IP
http_access deny LAN1 Black_Host
http_access deny LAN1 Black_Domain
http_access deny LAN2 Black_URL
http_access deny LAN2 Illegal_Words
http_access deny LAN2 MediaFile
http_access deny PC1 Max10_Conn
http_access deny LAN1 Max20_Conn
http_access allow LAN_Domain Work_Hours
http_access allow LAN1 Work_Hours
http_access allow LAN2 Work_Hours
http_access deny all
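As an added illustration (this is not Squid's code and not the page's own configuration), the following Python evaluator applies the matching rules described in sections 2 and 3 to a constructed squid.conf fragment: acl lines are parsed into typed lists, http_access rules are tried top-down with all listed acls "and"-ed together, the first matching rule wins, and an unmatched request receives the opposite of the last rule's action (or deny when no rules exist). The constructed configuration is modelled on the example above with consistent ACL names; time ACLs are left out because their ranges are not preserved on the page, the dst type is matched only against literal IP addresses (no DNS lookup offline), and the maxconn check uses a connection count supplied with the request. The src address-range form and the SAMPLE_CONF, Request, parse_conf, acl_matches, decide and check names are assumptions of this example.

```python
"""Toy evaluator for Squid-style acl / http_access rules (educational, not Squid code)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample configuration, modelled on the page's example with consistent
# ACL names. Time ACLs are omitted because their ranges are not preserved on the page.
SAMPLE_CONF = r"""
acl all src 0.0.0.0/0.0.0.0
acl LAN1 src 192.168.1.0/24
acl LAN2 src 192.168.2.0/24
acl PC1 src 192.168.1.66/32
acl Black_IP dst 61.143.79.86/32 217.23.45.77/32
acl Black_Domain dstdomain .qq.com .msn.com j.gamezone.net
acl Max10_Conn maxconn 10
acl Black_URL url_regex -i ^rtsp:// ^mms:// ^emule://
acl MediaFile urlpath_regex -i \.mp3$ \.mp4$ \.rmvb$
http_access deny LAN1 Black_IP
http_access deny LAN1 Black_Domain
http_access deny LAN2 Black_URL
http_access deny LAN2 MediaFile
http_access deny PC1 Max10_Conn
http_access allow LAN1
http_access allow LAN2
http_access deny all
"""

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
REGEX_TYPES = ("url_regex", "urlpath_regex")


@dataclass
class Request:
    """A client request as this evaluator sees it (constructed fields, not Squid's)."""
    src_ip: str
    url: str
    client_conns: int = 1  # open HTTP connections from this client, used by maxconn


def parse_conf(text):
    """Parse acl and http_access lines into (acls, rules); other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments and blank lines
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            flags = 0
            if kind in REGEX_TYPES and values and values[0] == "-i":
                flags, values = re.IGNORECASE, values[1:]  # -i: case-insensitive regex
            if kind in ("src", "dst"):
                parsed = [ipaddress.ip_network(v, strict=False) for v in values]
            elif kind == "port":
                parsed = [int(v) for v in values]
            elif kind == "maxconn":
                parsed = [int(values[0])]
            elif kind in REGEX_TYPES:
                parsed = [re.compile(v, flags) for v in values]
            elif kind == "dstdomain":
                parsed = [v.lower() for v in values]
            else:
                raise ValueError(f"unsupported acl type: {kind}")
            # Repeating an acl name on several lines appends to the same list.
            acls.setdefault(name, (kind, []))[1].extend(parsed)
        elif parts[0] == "http_access":
            action = parts[1]
            if action not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {action}")
            # A leading "!" negates that acl within the rule.
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((action, terms))
    return acls, rules


def acl_matches(acl, req):
    """Return True if a single ACL matches the request (simplified Squid semantics)."""
    kind, args = acl
    u = urlparse(req.url)
    host = (u.hostname or "").lower()
    if kind == "src":
        return any(ipaddress.ip_address(req.src_ip) in net for net in args)
    if kind == "dst":  # literal IPs only here; real Squid would also resolve host names
        try:
            return any(ipaddress.ip_address(host) in net for net in args)
        except ValueError:
            return False
    if kind == "dstdomain":  # ".qq.com" covers qq.com and every subdomain; bare names match exactly
        return any(host == d or (d.startswith(".") and (host == d[1:] or host.endswith(d)))
                   for d in args)
    if kind == "port":
        return (u.port or DEFAULT_PORTS.get(u.scheme, 0)) in args
    if kind == "maxconn":  # matches once the client holds more than N connections
        return req.client_conns > args[0]
    if kind == "url_regex":
        return any(r.search(req.url) for r in args)
    if kind == "urlpath_regex":
        return any(r.search(u.path) for r in args)
    raise ValueError(f"unsupported acl type: {kind}")


def decide(acls, rules, req):
    """Apply http_access rules top-down; the first rule whose acls all match wins."""
    for index, (action, terms) in enumerate(rules, start=1):
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action, f"rule {index}"
    if not rules:
        return "deny", "no http_access rules"
    # Nothing matched: Squid applies the opposite of the last rule's action.
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "default (opposite of last rule)"


def check(conf, src_ip, url, client_conns=1):
    """Convenience wrapper: parse conf text and decide one request."""
    acls, rules = parse_conf(conf)
    return decide(acls, rules, Request(src_ip, url, client_conns))


if __name__ == "__main__":
    for ip, url in [("192.168.1.10", "http://www.qq.com/"), ("192.168.2.5", "mms://stream.example/live"),
                    ("192.168.1.10", "http://example.com/"), ("10.0.0.1", "http://example.com/")]:
        print(ip, url, "->", check(SAMPLE_CONF, ip, url))
```

The point to take from running it is the ordering rule: a deny placed after a broader allow for the same clients is never reached, and without the closing "http_access deny all" any client outside LAN1 and LAN2 would be decided by the opposite of whatever rule happens to be last. For a real configuration, check syntax with `squid -k parse` and verify the resulting policy against the access log rather than relying on a simulator like this one.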
