Squid configuration directive acl
- Changes to acl in Squid-4:
New -m flag for note ACL to match substrings.
- Changes to acl in Squid-3.5:
Deprecated type tag. Use type note with 'tag' key name instead.
New type adaptation_service to match the name of any icap_service, ecap_service, adaptation_service_set, or adaptation_service_chain that Squid has used (or attempted to use) for the HTTP transaction so far.
New type at_step to match the current SSL-Bump processing step. Never matches and should not be used outside of ssl_bump.
New types ssl::server_name and ssl::server_name_regex to match server name from various sources (CONNECT authority name, TLS SNI domain, or X.509 certificate Subject Name).
- Changes to acl in Squid-3.4:
New test type server_cert_fingerprint to match against server SSL certificate fingerprint.
New test type note to match against transaction annotations by name and value, or just by name.
New test type any-of to match if any one of a set of named ACLs matches.
New test type all-of to match against all of a set of named ACLs.
- Changes to acl in Squid-3.3:
myport and myip ACL types replaced with localport and localip respectively, to reflect that they match the TCP connection details and not the squid.conf port. This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. Always use the myportname type to match the squid.conf port details.
New default built-in ACLs for testing SSL certificate properties.
ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, ssl::certUntrusted, ssl::certSelfSigned.
For versions older than 3.3, see the linked pages above.
Default Value: ACLs all, manager, localhost, and to_localhost are predefined.
    #
    # Recommended minimum configuration:
    #

    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
    acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
    acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
    acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
    acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
    acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
    acl localnet src fc00::/7               # RFC 4193 local private network range
    acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
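
The following audit script is an added example, not part of the Squid documentation or distribution. It flags acl lines that still use the types this page lists as replaced (myport, myip, tag) and ACL names that sit one character away from a more frequently used name, since Squid accepts a misspelled name as a separate ACL. The function names, the comment handling and the sample configuration are assumptions made for illustration.

```python
from collections import Counter

# Replacements stated in the changelog on this page.
REPLACED = {"myport": "localport (or myportname)", "myip": "localip",
            "tag": "note with the 'tag' key name"}

def parse_acls(conf_text):
    """Yield (line_no, name, type) per acl line; '#' starts a comment (simplified)."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "acl":
            yield no, fields[1], fields[2]

def one_edit_apart(a, b):
    """True if a and b differ by one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] if len(a) == len(b) else a[i:] == b[i + 1:]

def audit(conf_text):
    """Return sorted (line_no, message) findings for a squid.conf text."""
    acls = list(parse_acls(conf_text))
    counts = Counter(name for _, name, _ in acls)
    findings = set()
    for no, name, acl_type in acls:
        if acl_type in REPLACED:
            findings.add((no, f"acl {name}: type {acl_type} -> {REPLACED[acl_type]}"))
        # A rarer name one edit from a commoner one: Squid sees a separate ACL.
        for other, m in counts.items():
            if counts[name] < m and one_edit_apart(name, other):
                findings.add((no, f"acl {name}: looks like a typo of {other}"))
    return sorted(findings)

# Constructed sample configuration (not from the Squid distribution).
SAMPLE = """\
acl localnet src 10.0.0.0/8        # RFC 1918
acl localnet src 192.168.0.0/16    # RFC 1918
acl localhet src 169.254.0.0/16    # misspelled name
acl proxy_port myport 3128
acl tagged tag scanned
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The typo check only fires when the suspect name is defined on fewer lines than its neighbour, so two deliberately similar names used equally often are not reported.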