Squid Chinese authoritative guide (Part 5)

Source: Internet
Author: User
Tags: reverse dns
The backslash escapes the dot, so the regular expression matches any string ending in .jpg. If you use neither ^ nor $, the regular expression behaves like a standard substring search: it matches the word or phrase wherever it appears in the string.

For all of Squid's regular-expression ACL types you can use a case-insensitivity option. Matching is case sensitive by default; to make it case insensitive, put the -i option after the ACL type. For example:
acl Foo url_regex -i ^http://www


6.1.1.5 TCP port numbers

Applies to: port and myport

This type is relatively straightforward. The value is an individual port number or a port range. Recall that a TCP port number is a 16-bit value, so it must be greater than 0 and less than 65536. Here are some examples:
acl Foo port 123
acl Bar port 1-1024


6.1.1.6 Autonomous system numbers
Applies to: src_as, dst_as
Internet routers use Autonomous System (AS) numbers to build their routing tables. Basically, an AS number refers to the set of IP networks managed by a single organization. For example, my ISP has been assigned the following network blocks: 134.116.0.0/16, 137.41.0.0/16, 206.168.0.0/16, and more. In the Internet routing tables these networks are advertised as belonging to AS 3404. When a router forwards packets, it typically chooses the path with the fewest AS hops. If none of this matters to you, ignore it; AS-based ACLs are really only for network gurus.

Here is how the AS-based types work: when Squid first starts, it sends a special query to a whois server. The query essentially asks: "Tell me which IP networks belong to this AS number." Such information is collected and maintained by RADB. Once Squid receives the list of IP networks, it treats them just like an IP-based ACL.

The AS-based types work well only when ISPs maintain their RADB information and keep it up to date. Some ISPs update RADB better than others, and many do not update it at all. Note that Squid converts the AS number to network addresses only when it starts or is reconfigured. If the ISP updates its RADB entry, Squid will not know about the change until you restart or reconfigure it.

In addition, RADB may be unreachable when Squid starts. If Squid cannot contact the RADB server, it drops the AS entry from the access-control configuration. The default whois server is whois.ra.net, which may be too far away or unreliable for many users.


6.1.2 ACL type

Now we can focus on the ACL types themselves. I list them here in decreasing order of importance.


6.1.2.1 src

IP addresses are the most commonly used access-control elements. Most sites use IP addresses to control which users may access Squid. The src type refers to the client's source IP address. That is, when a src ACL appears in an access list, Squid compares it with the IP address of the client that issued the request.

Normally you allow requests from hosts on your internal network and deny everything else. For example, if your organization uses the 192.168.0.0 subnet, you can write the ACL like this:
acl MyNetwork src 192.168.0.0/16

If you have many subnets, you can list them all on the same acl line:
acl MyNetwork src 192.168.0.0/16 10.0.1.0/24 10.0.5.0/24 172.16.0.0/12

Squid has several other ACL types that check the client address. The srcdomain type compares the client's fully qualified domain name; it requires a reverse DNS lookup, which may delay processing of the request. The srcdom_regex ACL is similar but lets you use regular expressions to match the domain name. Finally, src_as compares the client's AS number.
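As an added illustration of the three value types described so far (regular expressions with the -i option, port numbers and ranges, and src network lists), here is a small Python model of how those elements evaluate a request. This is example code written for this page, not Squid's implementation: the requests and ACL values are constructed, and the model's rule that a bare address without a prefix length means a single host is a simplification of its own.

```python
import ipaddress
import re


def parse_port_spec(spec):
    """Parse a port value such as '123' or '1-1024' into an inclusive (lo, hi) range.
    TCP ports are 16-bit, so each value must be greater than 0 and less than 65536."""
    lo_text, sep, hi_text = spec.partition("-")
    lo = int(lo_text)
    hi = int(hi_text) if sep else lo
    if not (0 < lo < 65536 and 0 < hi < 65536 and lo <= hi):
        raise ValueError("invalid port specification: %r" % spec)
    return lo, hi


def is_valid_port_spec(spec):
    """True if parse_port_spec accepts the value (non-numeric text is rejected too)."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def match_port(port, specs):
    """port/myport ACL: does the port fall inside any listed number or range?"""
    return any(lo <= port <= hi for lo, hi in map(parse_port_spec, specs))


def match_src(client_ip, networks):
    """src ACL: is the client's address inside any of the listed networks?
    Simplification of this model: a value without a prefix length is one host."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def match_url_regex(url, patterns, case_insensitive=False):
    """url_regex ACL: re.search, so a pattern without ^ or $ is a substring
    search; the -i option corresponds to re.IGNORECASE here."""
    flags = re.IGNORECASE if case_insensitive else 0
    return any(re.search(p, url, flags) for p in patterns)


# Constructed requests: (client IP, destination port, URL).
REQUESTS = [
    ("10.0.5.7", 80, "http://www.example.com/index.html"),
    ("10.0.2.1", 80, "http://www.example.com/logo.jpg"),
    ("192.168.4.20", 8443, "HTTP://WWW.EXAMPLE.COM/"),
]

# The multi-subnet src list from the text.
MY_NETWORK = ["192.168.0.0/16", "10.0.1.0/24", "10.0.5.0/24", "172.16.0.0/12"]


def evaluate(requests=REQUESTS):
    """Return, per request, which of the constructed ACL elements matched."""
    results = []
    for client_ip, port, url in requests:
        results.append({
            "MyNetwork": match_src(client_ip, MY_NETWORK),
            "Bar": match_port(port, ["1-1024"]),
            "Foo": match_url_regex(url, ["^http://www"], case_insensitive=True),
            "Jpg": match_url_regex(url, [r"\.jpg$"]),
        })
    return results


if __name__ == "__main__":
    for (client_ip, port, url), hit in zip(REQUESTS, evaluate()):
        print(client_ip, port, url, hit)
```

The third request shows why -i matters for url_regex: an upper-case scheme and host would slip past a case-sensitive ^http://www, and 10.0.2.1 in the second request falls outside every listed subnet even though it is in 10.0.0.0/8.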


6.1.2.2 dst

The dst type refers to the origin server's (target) IP address. In some cases you can use it to prevent your users from reaching a specific web site. Be careful with dst ACLs, though: most requests that Squid receives name the origin server by host name. For example:
GET http://www.web-cache.com/ HTTP/1.0

Here www.web-cache.com is the host name. When an access list rule contains a dst element, Squid must look up the IP address for that host name. If Squid's IP cache holds a valid entry for the name, the ACL is checked immediately. Otherwise, Squid defers processing the request until the DNS query completes, which adds latency to some requests.

To avoid latency, use the dstdomain ACL type instead of dst.

Here is a simple dst ACL example:
acl AdServers dst 1.2.3.0/24

Note that the problem with dst ACLs is that the origin server you are trying to allow or deny may change its IP address. If you do not care about such changes, you need not worry about updating squid.conf. You can put a host name on the acl line instead, but that slows startup. If your ACL needs many host names, you may want to preprocess the configuration file and convert the names to IP addresses.


6.1.2.3 myip

myip refers to the IP address of Squid to which the client connects. When you run netstat -n on the Squid host, these appear in the Local Address column. Most Squid installations do not use this type: usually all clients connect to the same IP address, so this ACL element is useful only when the system has multiple IP addresses.

To understand why myip is useful, consider a company network with two subnets. Users on subnet 1 are programmers and engineers. Subnet 2 holds accounting, marketing and other administrative departments. In this case Squid has three network interfaces: one on subnet 1, one on subnet 2, and a third connecting to the external Internet.

When configured correctly, all users on subnet 1 connect to Squid's IP address on that subnet. Likewise, users on subnet 2 connect to Squid's second IP address. This lets you give the technical staff on subnet 1 full access while restricting the administrative departments to work-related sites.

The ACLs might look like this:
acl Eng myip 172.16.1.5
acl Admin myip 172.16.2.5

Note, however, that you must take special care with this scheme to prevent users from reaching Squid's IP address on the other subnet. Otherwise, clever users on the accounting and marketing subnet can connect to the technical subnet's address and bypass your restrictions.
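To make the cross-subnet bypass concrete, here is an added Python model of the two-subnet scenario above. It is example code written for this page, not Squid's; the two Squid addresses come from the text, while the subnet ranges 172.16.1.0/24 and 172.16.2.0/24, the client addresses, the work-site list and the log entries are constructed. The hardened policy pairs each myip value with the src subnet it belongs to, which in squid.conf terms corresponds to putting a src ACL and a myip ACL on the same http_access line so both must match.

```python
import ipaddress

ENG_NET = ipaddress.ip_network("172.16.1.0/24")     # subnet 1: engineering (assumed range)
ADMIN_NET = ipaddress.ip_network("172.16.2.0/24")   # subnet 2: administration (assumed range)
ENG_MYIP = ipaddress.ip_address("172.16.1.5")       # Squid's address on subnet 1 (from the text)
ADMIN_MYIP = ipaddress.ip_address("172.16.2.5")     # Squid's address on subnet 2 (from the text)
WORK_SITES = {"intranet.example.com", "payroll.example.com"}  # constructed allow-list


def policy_myip_only(client_ip, local_ip, host):
    """Policy keyed on myip alone, as in the Eng/Admin ACLs above.
    Whoever reaches the subnet-1 address is treated as engineering."""
    local = ipaddress.ip_address(local_ip)
    if local == ENG_MYIP:
        return "allow"
    if local == ADMIN_MYIP:
        return "allow" if host in WORK_SITES else "deny"
    return "deny"


def policy_myip_and_src(client_ip, local_ip, host):
    """Hardened policy: the Squid address a client connects to must belong to
    the same subnet the client is in, so a subnet-2 host cannot borrow
    subnet-1 privileges by connecting to 172.16.1.5."""
    client = ipaddress.ip_address(client_ip)
    local = ipaddress.ip_address(local_ip)
    if local == ENG_MYIP and client in ENG_NET:
        return "allow"
    if local == ADMIN_MYIP and client in ADMIN_NET:
        return "allow" if host in WORK_SITES else "deny"
    return "deny"   # mismatched (client, local) pairs fall through to deny


def find_cross_subnet_clients(log_entries):
    """Detection: return admin-subnet clients that reached the engineering-side
    address. log_entries is a constructed list of (client_ip, local_ip) pairs."""
    flagged = []
    for client_ip, local_ip in log_entries:
        client = ipaddress.ip_address(client_ip)
        if client in ADMIN_NET and ipaddress.ip_address(local_ip) == ENG_MYIP:
            flagged.append(client_ip)
    return flagged


if __name__ == "__main__":
    # An admin-subnet client that connected to the engineering-side address.
    print(policy_myip_only("172.16.2.40", "172.16.1.5", "games.example.com"))     # allow
    print(policy_myip_and_src("172.16.2.40", "172.16.1.5", "games.example.com"))  # deny
    print(find_cross_subnet_clients([("172.16.2.40", "172.16.1.5"),
                                     ("172.16.1.9", "172.16.1.5"),
                                     ("172.16.2.41", "172.16.2.5")]))
```

The detection function is the other half of the advice: even with the hardened policy in place, a subnet-2 client appearing against the subnet-1 address is worth noticing, because it means the routing or firewall separation the text assumes is not actually in force.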


6.1.2.4 dstdomain

In some cases you will find name-based access controls very useful. You can use them to block access to certain sites, to control how Squid forwards requests, and to make some responses uncacheable. dstdomain is particularly useful because it checks the host name in the request URL.

However, I want to point out the difference between these two lines:
acl A dst www.squid-cache.org
acl B dstdomain www.squid-cache.org

A is really an IP-address ACL. When Squid parses the configuration file, it looks up the IP addresses for www.squid-cache.org and stores them in memory; it does not keep the name. If the IP address changes while Squid is running, Squid keeps using the old address.

The dstdomain ACL, on the other hand, is stored as a domain name, not an IP address. When Squid checks acl B, it uses a string comparison against the host name in the URL. It does not really care whether the IP address of www.squid-cache.org changes.

The main problem with dstdomain ACLs is that some URLs use IP addresses instead of host names. If your goal is to use a dstdomain ACL to block access to some sites, clever users can look up a site's IP address by hand and put it in the URL. For example, the following two URLs fetch the same page:
http://www.squid-cache.org/docs/FAQ/
http://206.168.0.9/docs/FAQ/

The first is easily matched by a dstdomain ACL, but the second is not. So if you rely on dstdomain ACLs, you should also block requests that use an IP address in place of a host name. See Section 6.3.8.
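The following added Python model puts the dst and dstdomain sections side by side: dst resolves names once at parse time and keeps only addresses (so it goes stale but does catch an IP-literal URL), while dstdomain compares the host-name string (so it never goes stale but misses the IP-literal URL unless a companion rule denies such requests). This is example code for this page, not Squid's; 206.168.0.9 and the two URLs are from the text, the resolver table stands in for DNS, and 192.0.2.10 is a constructed "new" address used to show staleness.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS at the moment squid.conf is parsed.
RESOLVER = {"www.squid-cache.org": "206.168.0.9"}


class DstAcl:
    """dst: values are networks or host names; host names are resolved once,
    when the ACL is built, and only the resulting addresses are kept."""

    def __init__(self, values, resolver):
        self.networks = []
        for v in values:
            try:
                self.networks.append(ipaddress.ip_network(v, strict=False))
            except ValueError:
                # A host name: resolved now, and the name itself is discarded.
                self.networks.append(ipaddress.ip_network(resolver[v]))

    def matches(self, url, resolver):
        """Per request, the URL's host must be resolved (a DNS round trip unless
        cached) and the address compared with the stored networks."""
        host = urlsplit(url).hostname or ""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = ipaddress.ip_address(resolver[host])
        return any(addr in net for net in self.networks)


class DstdomainAcl:
    """dstdomain: a case-insensitive string comparison against the URL's host name."""

    def __init__(self, names):
        self.names = {n.lower() for n in names}

    def matches(self, url):
        host = urlsplit(url).hostname or ""
        return host.lower() in self.names


def is_ip_literal_host(url):
    """Companion check: does the URL name the server by address rather than by name?"""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blocked(url, deny_domains):
    """A deny list built on dstdomain plus the IP-literal rule the text recommends."""
    return DstdomainAcl(deny_domains).matches(url) or is_ip_literal_host(url)


if __name__ == "__main__":
    a = DstAcl(["www.squid-cache.org"], RESOLVER)
    b = DstdomainAcl(["www.squid-cache.org"])
    for url in ("http://www.squid-cache.org/docs/FAQ/", "http://206.168.0.9/docs/FAQ/"):
        print(url, "dst:", a.matches(url, RESOLVER), "dstdomain:", b.matches(url),
              "blocked:", blocked(url, ["www.squid-cache.org"]))
    # The site moves (constructed new address); the dst snapshot is now stale.
    moved = {"www.squid-cache.org": "192.0.2.10"}
    print("dst after move:", a.matches("http://www.squid-cache.org/", moved))
```

Note that `blocked` denies every IP-literal URL, not just those for listed sites; that is the trade-off the text describes when it says to block all requests that use an address instead of a host name.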


6.1.2.5 srcdomain

srcdomain ACLs are also a bit troublesome. They require a reverse DNS lookup for each client's IP address. Technically, Squid requests the DNS PTR record for the address. The DNS response, a fully qualified domain name (FQDN), is what Squid matches against the ACL value. (Refer to O'Reilly's DNS and BIND to find