Efficient access control using Squid ACL and access list

Source: Internet
Author: User
Tags: reverse dns


Squid's ACL elements and access lists implement efficient access control. Squid is a caching proxy for Internet content: it receives users' download requests and handles the downloaded data automatically. When a user wants a web page, the client asks Squid to fetch it on its behalf. Squid connects to the requested site, requests the page, returns it to the user and keeps a copy at the same time. When another user requests the same page, Squid immediately serves the saved copy, so the response appears very fast. Squid can proxy HTTP, FTP, GOPHER, SSL, WAIS and other protocols, and it can be configured to filter out unwanted content. Squid runs on many operating systems, including AIX, Digital UNIX, FreeBSD, HP-UX, Irix, Linux, NetBSD, Nextstep, SCO, Solaris and OS/2.

Using access control properly is very important. With the access control feature you can control caching and restrict access to a specific site, or a group of sites, during a given time interval. Squid access control has two parts: ACL elements and the access list. The access list allows or denies the proxy service to certain users. The following sections describe the ACL elements and how to use the access list.
1. ACL elements

The syntax for defining an ACL element is:

    acl aclname acltype string1 ...
    acl aclname acltype "file" ...

When a file is used, it contains one entry per line. acltype can be src, dst, srcdomain, dstdomain, url_regex, urlpath_regex, time, port, proto or method.

src: the client's source address. You can specify a client IP address or an address range:

    acl aclname src ip-address/netmask ...
    acl aclname src addr1-addr2/netmask ...

dst: the destination address, that is, the IP address of the server the client requests:

    acl aclname dst ip-address/netmask ...

srcdomain: the domain the client belongs to. Squid determines it by a reverse DNS query on the client's IP address:

    acl aclname srcdomain foo.com ...

dstdomain: the domain of the requested server, determined from the URL the client requests:

    acl aclname dstdomain foo.com ...

Note: if the request uses the server's IP address instead of a full domain name, Squid performs a reverse DNS lookup to determine the domain name; if the lookup fails, the name is recorded as "none".

time: the access time:

    acl aclname time [day-abbrevs] [h1:m1-h2:m2] [hh:mm-hh:mm]

The day abbreviations are S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday, F Friday and A Saturday. h1:m1 must be earlier than h2:m2, and a time range is written as hh:mm-hh:mm.

port: the access port. Several ports, or a port range, can be specified:

    acl aclname port 80 70 21 ...
    acl aclname port 0-1024 ...

proto: the protocol. Several protocols can be specified:

    acl aclname proto http ftp ...

method: the request method, for example:

    acl aclname method get post ...

url_regex: regular-expression match on the whole URL (-i makes the match case-insensitive):

    acl aclname url_regex [-i] pattern

urlpath_regex: regular-expression match on the URL path only, with the protocol and host name omitted:

    acl aclname urlpath_regex [-i] pattern

When using these ACL elements, note the following. aclname can be any name you choose, but no two ACL elements may have the same name. Each ACL element consists of a list of values; when a match is checked, the values are combined with a logical OR, so if any value of the element matches, the element matches. Not all ACL types can be used in every access list. Each ACL element is written on its own line, and Squid combines these elements into a list.
2. The http_access access list

The http_access access list allows or denies access for a class of clients according to the ACL elements. If no entry matches a request, the default action is the opposite of the last entry: for example, if the last entry is an allow, an unmatched request is denied. To avoid security risks, the last entry should normally be an explicit "deny all" or "allow all".

Note the following when using this access list. Rules are checked in the order they are written, and checking stops as soon as a rule matches. The access list may consist of many rules; if none of them matches the request, the default action is derived from the last rule in the list. All elements in one access entry are combined with a logical AND:

    http_access action element1 AND element2 AND ...

Multiple http_access lines are combined with OR, whereas the elements within one line are combined with AND. Rules in the list are always evaluated top-down.

3. Examples

The sections above describe the ACL elements, the syntax of the http_access access list and the points to watch when using them.
The following examples show how to use these access controls.

(1) Allow all clients in the network segments 10.0.0.124/24 and 192.168.10.15/24, and the clients listed in the file /etc/squid/guest, to use the proxy server; deny everyone else:

    acl clients src 10.0.0.124/24 192.168.10.15/24
    acl guests src "/etc/squid/guest"
    acl all src 0.0.0.0/0.0.0.0
    http_access allow clients
    http_access allow guests
    http_access deny all

The file /etc/squid/guest contains:

    172.16.10.3/24
    210.113.24.8/16
    10.0.1.24/25

(2) Allow clients in the two domains job.net and gdfq.edu.cn to use the proxy server and deny all other domains (a client's domain is matched with srcdomain):

    acl permitted_domain srcdomain job.net gdfq.edu.cn
    acl all src 0.0.0.0/0.0.0.0
    http_access allow permitted_domain
    http_access deny all

(3) Use a regular expression to stop clients reaching, through the proxy, any site whose URL contains the keyword "sexy" (-i makes the match case-insensitive):

    acl deny_url url_regex -i sexy
    http_access deny deny_url

(4) Stop clients reaching the IP addresses and domain names listed in files: /etc/squid/deny_ip holds the IP addresses to block and /etc/squid/deny_dns holds the domain names to block (IP addresses use dst, domain names use dstdomain):

    acl deny_ip dst "/etc/squid/deny_ip"
    acl deny_dns dstdomain "/etc/squid/deny_dns"
    http_access deny deny_ip
    http_access deny deny_dns

(5) Allow and deny particular clients access to particular sites: allow client 1 to reach http://www.sina.com.cn and deny client 2 access to http://www.163.com:

    acl client1 src 192.168.0.118
    acl client1_url url_regex ^http://www.sina.com.cn
    acl client2 src 192.168.0.119
    acl client2_url url_regex ^http://www.163.com
    http_access allow client1 client1_url
    http_access deny client2 client2_url

(6) Allow all users to use the proxy during the regular period from Monday to Thursday; on Friday afternoon, from 13:00 to 18:00, only the administrators in the network 192.168.10.0/24 may use it and everyone else is denied (the start time of the Monday to Thursday period is missing from the source and is shown as a placeholder):

    acl allclient src 0.0.0.0/0.0.0.0
    acl administrator src 192.168.10.0/24
    acl common_time time MTWH HH:MM-20:30
    acl manage_time time F 13:00-18:00
    http_access allow allclient common_time
    http_access allow administrator manage_time
    http_access deny manage_time
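As an added illustration (not code from the article or from Squid itself), the Python below re-implements the matching rules from section 2 for the src, url_regex and time ACL types and runs them over a constructed squid.conf fragment modelled on examples (3) and (6); the parse_config, match_acl and decide helpers, the sample addresses and the sample times are assumptions made for this example.

```python
import ipaddress, re
from datetime import datetime

DAYS = "SMTWHFA"  # Squid's one-letter day codes, Sunday .. Saturday
# Constructed sample config modelled on the article's examples (3) and (6).
CONFIG = """
acl allclient src 0.0.0.0/0.0.0.0
acl administrator src 192.168.10.0/24
acl deny_url url_regex -i sexy
acl common_time time MTWH 08:30-20:30
acl manage_time time F 13:00-18:00
http_access deny deny_url
http_access allow allclient common_time
http_access allow administrator manage_time
http_access deny manage_time
"""

def parse_config(text):
    """Read 'acl name type values...' and 'http_access allow|deny acls...' lines."""
    acls, rules = {}, []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] == "acl":        # repeated names merge their values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def match_acl(acltype, values, ip, url, when):
    """One ACL element matches when ANY of its values matches (values are ORed)."""
    if acltype == "src":
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "url_regex":                 # optional -i makes it case-insensitive
        ci = values[0] == "-i"
        return any(re.search(p, url, re.I if ci else 0) for p in values[int(ci):])
    if acltype == "time":                      # day letters, then hh:mm-hh:mm slots
        days, *slots = values
        hhmm = when.strftime("%H:%M")           # zero-padded, so strings compare
        return DAYS[(when.weekday() + 1) % 7] in days and (not slots or any(
            s.split("-")[0] <= hhmm <= s.split("-")[1] for s in slots))
    raise ValueError("acl type not supported here: " + acltype)

def decide(ip, url, when_iso, config=CONFIG):
    """First line whose elements ALL match (AND) wins; no match: opposite of the last line."""
    acls, rules = parse_config(config)
    when = datetime.fromisoformat(when_iso)
    for allow, names in rules:
        if all(match_acl(*acls[n], ip, url, when) for n in names):
            return "allow" if allow else "deny"
    return "deny" if rules[-1][0] else "allow"
```

Calling decide("10.1.1.1", "http://www.163.com/", "2024-03-08 20:00") returns "allow" although the last line is a deny, because no line matches on a Friday evening and Squid falls back to the opposite of the last line; that is why the article recommends closing the list with an explicit deny all.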
