Squid configuration directive acl

Available in: 3.HEAD   3.5   3.4   3.3   3.2   2.7   3.1   3.0   2.6  

History:

Changes in 3.5 acl

Deprecated type tag. Use type note with 'tag' key name instead.

New type adaptation_service to match the name of any icap_service, ecap_service, adaptation_service_set, or adaptation_service_chain that Squid has used (or attempted to use) for the HTTP transaction so far.

New type at_step to match the current SSL-Bump processing step. Never matches and should not be used outside of ssl_bump.

Changes in 3.4 acl

New test type server_cert_fingerprint to match against server SSL certificate fingerprint.

New test type note to match against transaction annotations by name and value, or just by name.

New test type any-of to match if any one of a set of named ACLs.

New test type all-of to match against all of a set of named ACLs.

Changes in 3.3 acl

myport and myipACL types replaced with localport and localip respectively. To reflect that it matches the TCP connection details and not the squid.conf port. This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. Always use myportname type to match the squid.conf port details.

New default built-in ACLs for testing SSL certificate properties.

ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, ssl::certUntrusted, ssl::certSelfSigned.

For older versions see the linked page above

Configuration Details:

Option Name:acl
Replaces:
Requires:
Default Value:ACLs all, manager, localhost, and to_localhost are predefined.
Suggested Config:
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localhet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

	Defining an Access List

	Every access list definition must begin with an aclname and acltype, 
	followed by either type-specific arguments or a quoted filename that
	they are read from.

	   acl aclname acltype argument ...
	   acl aclname acltype "file" ...

	When using "file", the file should contain one item per line.

	Some acl types supports options which changes their default behaviour.
	The available options are:

	-i,+i	By default, regular expressions are CASE-SENSITIVE. To make them
		case-insensitive, use the -i option. To return case-sensitive
		use the +i option between patterns, or make a new ACL line
		without -i.	

	-n	Disable lookups and address type conversions.  If lookup or
		conversion is required because the parameter type (IP or
		domain name) does not match the message address type (domain
		name or IP), then the ACL would immediately declare a mismatch
		without any warnings or lookups.

	--	Used to stop processing all options, in the case the first acl
		value has '-' character as first character (for example the '-'
		is a valid domain name)

	Some acl types require suspending the current request in order
	to access some external data source.
	Those which do are marked with the tag [slow], those which
	don't are marked as [fast].
	See http://wiki.squid-cache.org/SquidFaq/SquidAcl
	for further information

	***** ACL TYPES AVAILABLE *****

	acl aclname src ip-address/mask ...	# clients IP address [fast]
	acl aclname src addr1-addr2/mask ...	# range of addresses [fast]
	acl aclname dst [-n] ip-address/mask ...	# URL host's IP address [slow]
	acl aclname localip ip-address/mask ... # IP address the client connected to [fast]

	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
	  # The arp ACL requires the special configure option --enable-arp-acl.
	  # Furthermore, the ARP ACL code is not portable to all operating systems.
	  # It works on Linux, Solaris, Windows, FreeBSD, and some
	  # other *BSD variants.
	  # [fast]
	  #
	  # NOTE: Squid can only determine the MAC address for clients that are on
	  # the same subnet. If the client is on a different subnet,
	  # then Squid cannot find out its MAC address.

	acl aclname srcdomain   .foo.com ...
	  # reverse lookup, from client IP [slow]
	acl aclname dstdomain [-n] .foo.com ...
	  # Destination server from URL [fast]
	acl aclname srcdom_regex [-i] \.foo\.com ...
	  # regex matching client name [slow]
	acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
	  # regex matching server [fast]
	  #
	  # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
	  # based URL is used and no match is found. The name "none" is used
	  # if the reverse lookup fails.

	acl aclname src_as number ...
	acl aclname dst_as number ...
	  # [fast]
	  # Except for access control, AS numbers can be used for
	  # routing of requests to specific caches. Here's an
	  # example for routing all requests for AS#1241 and only
	  # those to mycache.mydomain.net:
	  # acl asexample dst_as 1241
	  # cache_peer_access mycache.mydomain.net allow asexample
	  # cache_peer_access mycache_mydomain.net deny all

	acl aclname peername myPeer ...
	  # [fast]
	  # match against a named cache_peer entry
	  # set unique name= on cache_peer lines for reliable use.

	acl aclname time [day-abbrevs] [h1:m1-h2:m2]
	  # [fast]
	  #  day-abbrevs:
	  #	S - Sunday
	  #	M - Monday
	  #	T - Tuesday
	  #	W - Wednesday
	  #	H - Thursday
	  #	F - Friday
	  #	A - Saturday
	  #  h1:m1 must be less than h2:m2

	acl aclname url_regex [-i] ^http:// ...
	  # regex matching on whole URL [fast]
	acl aclname urllogin [-i] [^a-zA-Z0-9] ...
	  # regex matching on URL login field
	acl aclname urlpath_regex [-i] \.gif$ ...
	  # regex matching on URL path [fast]

	acl aclname port 80 70 21 0-1024...   # destination TCP port [fast]
	                                      # ranges are alloed
	acl aclname localport 3128 ...	      # TCP port the client connected to [fast]
	                                      # NP: for interception mode this is usually '80'

	acl aclname myportname 3128 ...       # *_port name [fast]

	acl aclname proto HTTP FTP ...        # request protocol [fast]
 
	acl aclname method GET POST ...       # HTTP request method [fast]

	acl aclname http_status 200 301 500- 400-403 ... 
	  # status code in reply [fast]

	acl aclname browser [-i] regexp ...
	  # pattern match on User-Agent header (see also req_header below) [fast]

	acl aclname referer_regex [-i] regexp ...
	  # pattern match on Referer header [fast]
	  # Referer is highly unreliable, so use with care

	acl aclname ident username ...
	acl aclname ident_regex [-i] pattern ...
	  # string match on ident output [slow]
	  # use REQUIRED to accept any non-null ident.

	acl aclname proxy_auth [-i] username ...
	acl aclname proxy_auth_regex [-i] pattern ...
	  # perform http authentication challenge to the client and match against
	  # supplied credentials [slow]
	  #
	  # takes a list of allowed usernames.
	  # use REQUIRED to accept any valid username.
	  #
	  # Will use proxy authentication in forward-proxy scenarios, and plain
	  # http authenticaiton in reverse-proxy scenarios
	  #
	  # NOTE: when a Proxy-Authentication header is sent but it is not
	  # needed during ACL checking the username is NOT logged
	  # in access.log.
	  #
	  # NOTE: proxy_auth requires a EXTERNAL authentication program
	  # to check username/password combinations (see
	  # auth_param directive).
	  #
	  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
	  # as the browser needs to be configured for using a proxy in order
	  # to respond to proxy authentication.

	acl aclname snmp_community string ...
	  # A community string to limit access to your SNMP Agent [fast]
	  # Example:
	  #
	  #	acl snmppublic snmp_community public

	acl aclname maxconn number
	  # This will be matched when the client's IP address has
	  # more than <number> TCP connections established. [fast]
	  # NOTE: This only measures direct TCP links so X-Forwarded-For
	  # indirect clients are not counted.

	acl aclname max_user_ip [-s] number
	  # This will be matched when the user attempts to log in from more
	  # than <number> different ip addresses. The authenticate_ip_ttl
	  # parameter controls the timeout on the ip entries. [fast]
	  # If -s is specified the limit is strict, denying browsing
	  # from any further IP addresses until the ttl has expired. Without
	  # -s Squid will just annoy the user by "randomly" denying requests.
	  # (the counter is reset each time the limit is reached and a
	  # request is denied)
	  # NOTE: in acceleration mode or where there is mesh of child proxies,
	  # clients may appear to come from multiple addresses if they are
	  # going through proxy farms, so a limit of 1 may cause user problems.

	acl aclname random probability
	  # Pseudo-randomly match requests. Based on the probability given.
	  # Probability may be written as a decimal (0.333), fraction (1/3)
	  # or ratio of matches:non-matches (3:5).

	acl aclname req_mime_type [-i] mime-type ...
	  # regex match against the mime type of the request generated
	  # by the client. Can be used to detect file upload or some
	  # types HTTP tunneling requests [fast]
	  # NOTE: This does NOT match the reply. You cannot use this
	  # to match the returned file type.

	acl aclname req_header header-name [-i] any\.regex\.here
	  # regex match against any of the known request headers.  May be
	  # thought of as a superset of "browser", "referer" and "mime-type"
	  # ACL [fast]

	acl aclname rep_mime_type [-i] mime-type ...
	  # regex match against the mime type of the reply received by
	  # squid. Can be used to detect file download or some
	  # types HTTP tunneling requests. [fast]
	  # NOTE: This has no effect in http_access rules. It only has
	  # effect in rules that affect the reply data stream such as
	  # http_reply_access.

	acl aclname rep_header header-name [-i] any\.regex\.here
	  # regex match against any of the known reply headers. May be
	  # thought of as a superset of "browser", "referer" and "mime-type"
	  # ACLs [fast]

	acl aclname external class_name [arguments...]
	  # external ACL lookup via a helper class defined by the
	  # external_acl_type directive [slow]

	acl aclname user_cert attribute values...
	  # match against attributes in a user SSL certificate
	  # attribute is one of DN/C/O/CN/L/ST [fast]

	acl aclname ca_cert attribute values...
	  # match against attributes a users issuing CA SSL certificate
	  # attribute is one of DN/C/O/CN/L/ST [fast]

	acl aclname ext_user username ...
	acl aclname ext_user_regex [-i] pattern ...
	  # string match on username returned by external acl helper [slow]
	  # use REQUIRED to accept any non-null user name.

	acl aclname tag tagvalue ...
	  # string match on tag returned by external acl helper [fast]
	  # DEPRECATED. Only the first tag will match with this ACL.
	  # Use the 'note' ACL instead for handling multiple tag values.

	acl aclname hier_code codename ...
	  # string match against squid hierarchy code(s); [fast]
	  #  e.g., DIRECT, PARENT_HIT, NONE, etc.
	  #
	  # NOTE: This has no effect in http_access rules. It only has
	  # effect in rules that affect the reply data stream such as
	  # http_reply_access.

	acl aclname note name [value ...]
	  # match transaction annotation [fast]
	  # Without values, matches any annotation with a given name.
	  # With value(s), matches any annotation with a given name that
	  # also has one of the given values.
	  # Names and values are compared using a string equality test.
	  # Annotation sources include note and adaptation_meta directives
	  # as well as helper and eCAP responses.

	acl aclname adaptation_service service ...
	  # Matches the name of any icap_service, ecap_service,
	  # adaptation_service_set, or adaptation_service_chain that Squid
	  # has used (or attempted to use) for the master transaction.
	  # This ACL must be defined after the corresponding adaptation
	  # service is named in squid.conf. This ACL is usable with
	  # adaptation_meta because it starts matching immediately after
	  # the service has been selected for adaptation.

IF USE_OPENSSL
	acl aclname ssl_error errorname
	  # match against SSL certificate validation error [fast]
	  #
	  # For valid error names see in /usr/local/squid/share/errors/templates/error-details.txt
	  # template file.
	  #
	  # The following can be used as shortcuts for certificate properties:
	  #  [ssl::]certHasExpired: the "not after" field is in the past
	  #  [ssl::]certNotYetValid: the "not before" field is in the future
	  #  [ssl::]certUntrusted: The certificate issuer is not to be trusted.
	  #  [ssl::]certSelfSigned: The certificate is self signed.
	  #  [ssl::]certDomainMismatch: The certificate CN domain does not
	  #         match the name the name of the host we are connecting to.
	  #
	  # The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch,
	  # ssl::certUntrusted, and ssl::certSelfSigned can also be used as
	  # predefined ACLs, just like the 'all' ACL.
	  #
	  # NOTE: The ssl_error ACL is only supported with sslproxy_cert_error,
	  # sslproxy_cert_sign, and sslproxy_cert_adapt options.

	acl aclname server_cert_fingerprint [-sha1] fingerprint
	  # match against server SSL certificate fingerprint [fast]
	  #
	  # The fingerprint is the digest of the DER encoded version 
	  # of the whole certificate. The user should use the form: XX:XX:...
	  # Optional argument specifies the digest algorithm to use.
	  # The SHA1 digest algorithm is the default and is currently
	  # the only algorithm supported (-sha1).

	acl aclname at_step step
	  # match against the current step during ssl_bump evaluation [fast]
	  # Never matches and should not be used outside the ssl_bump context.
	  #
	  # At each SslBump step, Squid evaluates ssl_bump directives to find
	  # the next bumping action (e.g., peek or splice). Valid SslBump step
	  # values and the corresponding ssl_bump evaluation moments are:
	  #   SslBump1: After getting TCP-level and HTTP CONNECT info.
	  #   SslBump2: After getting SSL Client Hello info.
	  #   SslBump3: After getting SSL Server Hello info.
ENDIF
	acl aclname any-of acl1 acl2 ...
	  # match any one of the acls [fast or slow]
	  # The first matching ACL stops further ACL evaluation.
	  #
	  # ACLs from multiple any-of lines with the same name are ORed.
	  # For example, A = (a1 or a2) or (a3 or a4) can be written as
	  #   acl A any-of a1 a2
	  #   acl A any-of a3 a4
	  #
	  # This group ACL is fast if all evaluated ACLs in the group are fast
	  # and slow otherwise.

	acl aclname all-of acl1 acl2 ... 
	  # match all of the acls [fast or slow]
	  # The first mismatching ACL stops further ACL evaluation.
	  #
	  # ACLs from multiple all-of lines with the same name are ORed.
	  # For example, B = (b1 and b2) or (b3 and b4) can be written as
	  #   acl B all-of b1 b2
	  #   acl B all-of b3 b4
	  #
	  # This group ACL is fast if all evaluated ACLs in the group are fast
	  # and slow otherwise.

	Examples:
		acl macaddress arp 09:00:2b:23:45:67
		acl myexample dst_as 1241
		acl password proxy_auth REQUIRED
		acl fileupload req_mime_type -i ^multipart/form-data$
		acl javascript rep_mime_type -i ^application/x-javascript$


 

Back

Search

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors