Use Squid ACL and access list to implement efficient access control

Source: Internet
Author: User
Tags: reverse dns

Squid is a program that caches Internet data. It receives users' download requests and handles the downloads automatically. When a user wants a web page, the client asks Squid to fetch the page on its behalf: Squid connects to the requested site, requests the page, returns it to the user and keeps a copy. When another user requests the same page, Squid immediately serves the saved copy, so the user perceives the response as very fast. Squid can proxy HTTP, FTP, GOPHER, SSL, WAIS and other protocols, and it can be configured as needed to filter out unwanted content.

Squid runs on many operating systems, such as AIX, Digital UNIX, FreeBSD, HP-UX, Irix, Linux, NetBSD, Nextstep, SCO, Solaris, OS/2, etc.

Using access control sensibly is very important. With the access control feature, you can control caching and access to a specific site or group of sites during a specific time interval. Squid access control has two elements: ACL elements and access lists. An access list allows or denies a class of users access to the service. The following describes the ACL elements and how to use access lists.

1. ACL Element

The syntax defined by this element is as follows:

acl aclname acltype string1…
acl aclname acltype "file"…

When a file is used, it must contain one entry per line.

acltype can be src, dst, srcdomain, dstdomain, url_regex, urlpath_regex, time, port, proto, or method.

src: Specifies the client's source address. Two forms are available:

acl aclname src ip-address/netmask ...       client IP address
acl aclname src addr1-addr2/netmask ...      address range

dst: Specifies the destination address, that is, the IP address of the server requested by the client. Syntax:

acl aclname dst ip-address/netmask ... 

srcdomain: Specifies the domain the client belongs to. Squid determines it by a reverse DNS lookup of the client's IP address. Syntax:

acl aclname srcdomain foo.com ... 

dstdomain: Specifies the domain of the requested server, determined from the URL the client requested. Syntax:

acl aclname dstdomain foo.com ...

Note: If the URL contains the server's IP address instead of a full domain name, Squid performs a reverse DNS lookup to determine the domain name. If the lookup fails, the record is "none".

time: Specifies the access time. Syntax:

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

The day abbreviations are: S (Sunday), M (Monday), T (Tuesday), W (Wednesday), H (Thursday), F (Friday), A (Saturday).

In addition, h1:m1 must be earlier than h2:m2, and the time range is written as hh:mm-hh:mm.

port: Specifies the destination port. Multiple ports or a port range can be given, for example:

acl aclname port 80 70 21 ...        individual ports
acl aclname port 0-1024 ...          port range

proto: Specifies the protocol used. Multiple protocols can be given:

acl aclname proto HTTP FTP ...

method: Specifies the request method. For example:

acl aclname method GET POST ...

url_regex: Regular expression matching against the entire URL. Syntax:

acl aclname url_regex [-i] pattern

urlpath_regex: Regular expression matching against the URL path only, skipping the protocol and host name. Syntax:

acl aclname urlpath_regex [-i] pattern

When using the preceding ACL elements, pay attention to the following points:

2. http_access Access Control List

Allows or denies access for a class of clients based on the ACL elements. The http_access lines are checked in order, and a request that matches no line gets the opposite of the last line's action by default: for example, if the last line is an allow, unmatched requests are denied. The last entry should therefore normally be an explicit "deny all" or "allow all", so that the default behaviour is never left to chance and no unintended access is granted.

Note the following when using this access control list:

3. Use Access Control

The preceding section details the ACL elements, the syntax of the http_access access control list, and the issues that need to be paid attention to during use. The following is an example of how to use these access control methods:

1) Allow all clients in the network segments 10.0.0.124/24 and 192.168.10.15/24 to access the proxy server, and also allow the clients listed in the file /etc/squid/guest; all other clients are denied access to the local proxy server:

acl clients src 10.0.0.124/24 192.168.10.15/24
acl guests src "/etc/squid/guest"
acl all src 0.0.0.0/0.0.0.0
http_access allow clients
http_access allow guests
http_access deny all

The content in the file "/etc/squid/guest" is:

172.168.10.3/24
210.113.24.8/16
10.0.1.24/25

2) Allow clients in the domains job.net and gdfq.edu.cn to access the local proxy server; clients from all other domains are denied. Domain names require the srcdomain type (src takes only IP addresses):

acl permitted_domain srcdomain job.net gdfq.edu.cn
acl all src 0.0.0.0/0.0.0.0
http_access allow permitted_domain
http_access deny all

3) Use a regular expression to deny clients access, through the proxy server, to any website whose URL contains a keyword such as "sexy" (the -i flag makes the match case-insensitive):

acl deny_url url_regex -i sexy
http_access deny deny_url

4) Deny clients access, through the proxy server, to the websites whose IP addresses or domain names are listed in a file: /etc/squid/deny_ip contains the IP addresses to be denied and /etc/squid/deny_dns contains the domain names to be denied (dst takes IP addresses, dstdomain takes domain names):

acl deny_ip dst "/etc/squid/deny_ip"
acl deny_dns dstdomain "/etc/squid/deny_dns"
http_access deny deny_ip
http_access deny deny_dns

5) Allow or deny a specified user access to a specified website: here client 1 is allowed to access http://www.sina.com.cn while client 2 is denied access to http://www.163.com:

acl client1 src 192.168.0.118
acl client1_url url_regex ^http://www.sina.com.cn
acl client2 src 192.168.0.119
acl client2_url url_regex ^http://www.163.com
http_access allow client1 client1_url
http_access deny client2 client2_url

6) Allow all users to access the proxy server within the specified time from Monday to Thursday. On Friday afternoon only the administrators (the network segment 192.168.10.0/24) may access the proxy server; everyone else is denied access from 1 P.M. to 6 P.M. on Friday:

acl allclient src 0.0.0.0/0.0.0.0
acl administrator src 192.168.10.0/24
acl common_time time MTWH 8:30-20:30
acl manage_time time F 13:00-18:00
http_access allow allclient common_time
http_access allow administrator manage_time
http_access deny manage_time
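As an added example (not from the original article or the Squid project), the following Python evaluator applies the http_access semantics described in section 2 to a squid.conf fragment such as the ones above. It assumes a request is given as a dict with src, host, url and when (a datetime) keys, and covers only the src, dstdomain, url_regex and time ACL types.

```python
# Added example (not Squid's code): evaluates the squid.conf semantics described above.
# Every ACL on an http_access line must match; the first matching line decides; a
# request that matches no line gets the OPPOSITE of the last line's action.
import ipaddress
import re
from datetime import datetime

DAYS = "SMTWHFA"  # Squid day abbreviations, Sunday first

def parse_conf(text):
    acls, rules = {}, []  # {aclname: [(acltype, values)]}, [(action, [aclnames])]
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":  # repeated acl lines extend the same name
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(entries, req):
    for acltype, args in entries:  # any value on any line of the ACL matches
        if acltype == "src":  # CIDR or netmask form, e.g. 0.0.0.0/0.0.0.0
            nets = (ipaddress.ip_network(a, strict=False) for a in args)
            if any(ipaddress.ip_address(req["src"]) in n for n in nets):
                return True
        elif acltype == "dstdomain":  # a leading dot also matches subdomains
            h = req["host"]
            if any(h == d or (d[0] == "." and h.endswith(d)) for d in args):
                return True
        elif acltype == "url_regex":  # optional -i for case-insensitive
            pats, flags = (args[1:], re.I) if args[:1] == ["-i"] else (args, 0)
            if any(re.search(p, req["url"], flags) for p in pats):
                return True
        elif acltype == "time":  # [day-abbrevs] h1:m1-h2:m2
            days, span = args if len(args) == 2 else (DAYS, args[0])
            lo, hi = (datetime.strptime(t, "%H:%M").time() for t in span.split("-"))
            when = req["when"]
            if DAYS[(when.weekday() + 1) % 7] in days and lo <= when.time() <= hi:
                return True
    return False

def decide(conf, req):
    """Apply the http_access list to req (keys: src, host, url, when)."""
    acls, rules = parse_conf(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # implicit default
```

Feeding it example 6 shows the risk mentioned in section 2: a request at 20:00 on Friday matches none of the three lines, and because the last line is a deny the implicit default is allow.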


For more details about Linux management, see my Linux system comprehensive management topics: http://os.51cto.com/art/201009/228849.htm

This article is from the "excellence begins with the foot" blog; please keep this source: http://patterson.blog.51cto.com/1060257/394338
