Squid configuration directive acl
- Changes in 3.3 acl
The myport and myip ACL types have been replaced with localport and localip respectively, to reflect that they match the TCP connection details and not the squid.conf port. This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. Always use the myportname type to match the squid.conf port details.
New default built-in ACLs for testing SSL certificate properties: ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, ssl::certUntrusted, ssl::certSelfSigned.
- Changes in 3.2 acl : random, urllogin
New type random. Pseudo-randomly match requests based on a configured probability.
Ported urllogin option from Squid 2.7, to match a regex pattern on the URL login field (if any).
The manager ACL requires adjustment to cover new cache manager access, so it is now built in as a predefined ACL name matching URLs equivalent to the following regular expression:
    ^(cache_object://|https?://[^/]+/squid-internal-mgr/)
A squid.conf containing the old manager definition can expect to see ACL type collisions.
- Changes in 3.1 acl
New preset ipv6 available in the src and dst ACL matching all of the public IPv6 network space.
New preset ipv4 available in the src and dst ACL matching all of IPv4 network space.
New acl type myportname, matching the name of the http_port or https_port where the request was accepted.
New acl type tag, matching the tag= returned from the external_acl_type helper.
New acl type peername, matching against a named cache_peer entry where the request will be attempted first. NP: peername currently is limited to only match the first peer possible.
    acl aclname dst ipv6                # request for IPv6-enabled site
    acl aclname src ipv6                # request from IPv6 address
    acl aclname dst ipv4                # request for IPv4 site
    acl aclname src ipv4                # request from IPv4 address
    acl aclname myportname 3128 ...     # http(s)_port name
    acl aclname peername myPeer ...     # cache_peer ... name=myPeer
    acl aclname tag value ...           # tag= option from external ACL
- Changes in 2.7 acl myportname
New acl type matching the incoming port name.
- Changes in 3.HEAD acl
New test type server_cert_fingerprint to match against server SSL certificate fingerprint.
- Changes in 3.0 acl myportname
New acl type myportname, matching the name of the http(s)_port where the request was accepted
acl aclname myportname 3128 ... # http(s)_port name
- Changes in 2.6 acl urlgroup
New acl class
Default Value: ACLs all, manager, localhost, and to_localhost are predefined.
    #
    # Recommended minimum configuration:
    #

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
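The 3.3 note on localport versus myportname, shown as an added configuration example (not taken from the Squid documentation). The port numbers, the name= labels and the ACL names via_forward and via_nat are assumptions chosen for illustration.

```squidconf
# Constructed example: one explicit-proxy listener and one interception
# listener. Port numbers and name= labels are assumptions.
http_port 3128 name=forward
http_port 3129 intercept name=nat

# Weak: on intercepted traffic, localport matches the TCP connection
# details (for redirected web traffic, typically port 80), not the
# squid.conf port 3129, so this ACL does not identify the
# interception listener.
#acl via_nat localport 3129

# Corrected: match the squid.conf port by its name= label.
acl via_forward myportname forward
acl via_nat     myportname nat

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

# Cache manager access (predefined "manager" ACL) only from localhost
# and only through the explicit-proxy listener.
http_access allow manager localhost via_forward
http_access deny manager

# Local clients may use either listener; everything else is refused.
http_access allow localnet via_forward
http_access allow localnet via_nat
http_access deny all
```

Because the predefined manager ACL also matches http(s) URLs under /squid-internal-mgr/, the deny manager rule has to come before any general allow rule.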