Squid is software that caches Internet data: it receives a user's download request and handles the downloaded data automatically. When a user wants to download a home page, the user sends the request to Squid, which performs the download on the user's behalf. Squid connects to the requested site, fetches the home page, passes it to the user, and keeps a backup copy. When other users request the same page, Squid passes the saved copy to them immediately, so access feels very fast. Squid can proxy the HTTP, FTP, GOPHER, SSL, and WAIS protocols, and it can be configured according to your needs so that it filters out unwanted content.
Squid runs on many operating systems, such as AIX, Digital UNIX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, NeXTStep, SCO, Solaris, OS/2, and so on.
It is very important to use access control sensibly. Access control features let you control caching during a specific time interval, access to a specific site or set of sites, and so on. Squid access control has two parts: ACL elements and access lists. Access lists allow or deny certain users access to the service. The following describes the ACL elements and how to use access lists.
1. ACL elements
The syntax for defining an element is as follows:
acl aclname acltype string1 ...
acl aclname acltype "file" ...
When you use a file, it must contain one entry per line.
The acltype can be any of src, dst, srcdomain, dstdomain, url_regex, urlpath_regex, time, port, proto, and method.
src: Indicates the source address. You can specify it in the following ways:
acl aclname src ip-address/netmask ...   (client IP address)
acl aclname src addr1-addr2/netmask ...   (address range)
dst: Indicates the destination address, which is the IP address of the server requested by the client. The syntax is:
srcdomain: Indicates the domain to which the client belongs. Squid performs a reverse DNS lookup on the client IP to determine it. The syntax is:
dstdomain: Indicates the domain to which the requested server belongs, as determined by the URL the client requested. The syntax is:
acl aclname dstdomain foo.com ...
Note: If the user gives the server's IP address rather than its full domain name, Squid performs a reverse DNS lookup to determine the full domain name. If the lookup fails, the domain is recorded as "none".
time: Indicates access times. The syntax is as follows:
acl aclname time [day-abbrevs] [h1:m1-h2:m2][hh:mm-hh:mm]
The day abbreviations are:
S: Sunday
M: Monday
T: Tuesday
W: Wednesday
H: Thursday
F: Friday
A: Saturday
In addition, h1:m1 must be less than h2:m2, and the time range is written as [hh:mm-hh:mm].
port: Specifies the access ports. You can specify multiple ports, such as:
acl aclname port ...
acl aclname port 0-1024 ...   (a port range)
proto: Specifies the protocol in use. You can specify multiple protocols:
acl aclname proto HTTP FTP ...
method: Specifies the request method. For example:
acl aclname method GET POST ...
url_regex: Matches the URL against a regular expression. The syntax is:
acl aclname url_regex [-i] pattern
urlpath_regex: Matches the URL path against a regular expression, omitting the protocol and host name. The syntax is:
acl aclname urlpath_regex [-i] pattern
When using the ACL elements described above, note the following points:
acltype can be any of the ACL types defined above.
No two ACL elements can have the same name.
Each ACL is made up of a list of values. When matching, the values are combined with a logical OR; in other words, if any one value of an ACL element matches, the ACL element matches.
Not every ACL element can be used with every type of access list.
Different ACL elements are written on separate lines; Squid combines them into one list.
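The time syntax and the OR rule above, modelled in Python as an added example (not part of the original article and not Squid's own code). It handles only the day letters and the h1:m1-h2:m2 range described here. The function names, the sample configuration, the defaults of "every day" and "all day" when a part is omitted, and the inclusive end minute are assumptions.

```python
import re
from datetime import datetime

# Day letters as listed above; values follow datetime.weekday() (Monday = 0).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}
RANGE_RE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def parse_time_acls(conf_text):
    """Collect 'acl NAME time ...' lines into {name: [(days, start, stop), ...]}."""
    acls = {}
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0] != "acl" or fields[2] != "time":
            continue  # blank lines, comments and other ACL types are ignored
        # Assumed defaults: every day, whole day (minutes since midnight).
        days, start, stop = set(DAY_LETTERS.values()), 0, 24 * 60
        for token in fields[3:]:
            m = RANGE_RE.match(token)
            if m:
                h1, m1, h2, m2 = map(int, m.groups())
                start, stop = h1 * 60 + m1, h2 * 60 + m2
                # h1:m1 must be less than h2:m2, so a range cannot wrap midnight.
                if m1 > 59 or m2 > 59 or not start < stop <= 24 * 60:
                    raise ValueError(f"{fields[1]}: bad time range {token!r}")
            elif set(token) <= set(DAY_LETTERS):
                days = {DAY_LETTERS[c] for c in token}
            else:
                raise ValueError(f"{fields[1]}: unrecognised token {token!r}")
        # Lines that share a name are combined into one list of values.
        acls.setdefault(fields[1], []).append((days, start, stop))
    return acls


def time_acl_matches(acls, name, when):
    """True if ANY value of the named ACL matches 'when' (values are OR-ed)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute <= stop
               for days, start, stop in acls[name])


# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """
acl workhours time MTWHF 09:00-17:00
acl workhours time A 09:00-12:00
"""

if __name__ == "__main__":
    acls = parse_time_acls(SAMPLE_CONF)
    print(time_acl_matches(acls, "workhours", datetime(2024, 1, 4, 10, 0)))
```

Because a range such as 22:00-06:00 is rejected, an overnight window has to be written as two lines with the same ACL name, which the OR rule then combines.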