New test type server_cert_fingerprint to match against server SSL certificate fingerprint.
New test type note to match against transaction annotations by name and value, or just by name.
New test type any-of, which matches if any one of a set of named ACLs matches.
New test type all-of, which matches only if all of a set of named ACLs match.
The myport and myip ACL types are replaced with localport and localip respectively, to reflect that they match the TCP connection details and not the squid.conf port. This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. Always use the myportname type to match the squid.conf port details.
New default built-in ACLs for testing SSL certificate properties: ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, ssl::certUntrusted, ssl::certSelfSigned.
New type random. Pseudo-randomly match requests based on a configured probability.
Ported urllogin option from Squid 2.7, to match a regex pattern on the URL login field (if any).
The manager ACL requires adjustment to cover new cache manager access, so it has now been built in as a predefined ACL name matching URLs equivalent to the following regular expression:

```
^(cache_object://|https?://[^/]+/squid-internal-mgr/)
```

A squid.conf containing the old manager definition can expect to see ACL type collisions.
For older versions, see the linked page above.
| Option Name: | acl |
|---|---|
| Replaces: | |
| Requires: | |
| Default Value: | ACLs all, manager, localhost, and to_localhost are predefined. |

Suggested Config:

```
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
```
Defining an Access List

Every access list definition must begin with an aclname and acltype, followed by either type-specific arguments or a quoted filename that they are read from:

```
acl aclname acltype argument ...
acl aclname acltype "file" ...
```

When using "file", the file should contain one item per line.

Some acl types support options which change their default behaviour. The available options are:

-i,+i: By default, regular expressions are CASE-SENSITIVE. To make them case-insensitive, use the -i option. To return to case-sensitive matching, use the +i option between patterns, or make a new ACL line without -i.

-n: Disable lookups and address type conversions. If a lookup or conversion is required because the parameter type (IP or domain name) does not match the message address type (domain name or IP), then the ACL immediately declares a mismatch without any warnings or lookups.

--: Used to stop processing all options, in the case the first acl value has a '-' character as its first character (for example, '-' is a valid domain name).

Some acl types require suspending the current request in order to access some external data source. Those which do are marked with the tag [slow]; those which don't are marked as [fast]. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for further information.

***** ACL TYPES AVAILABLE *****

```
acl aclname src ip-address/mask ...          # clients IP address [fast]
acl aclname src addr1-addr2/mask ...         # range of addresses [fast]
acl aclname dst [-n] ip-address/mask ...     # URL host's IP address [slow]
acl aclname localip ip-address/mask ...      # IP address the client connected to [fast]

acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
  # The arp ACL requires the special configure option --enable-arp-acl.
  # Furthermore, the ARP ACL code is not portable to all operating systems.
  # It works on Linux, Solaris, Windows, FreeBSD, and some
  # other *BSD variants.
  # [fast]
  #
  # NOTE: Squid can only determine the MAC address for clients that are on
  # the same subnet. If the client is on a different subnet,
  # then Squid cannot find out its MAC address.

acl aclname srcdomain .foo.com ...           # reverse lookup, from client IP [slow]
acl aclname dstdomain [-n] .foo.com ...      # Destination server from URL [fast]
acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name [slow]
acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # regex matching server [fast]
  #
  # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
  # based URL is used and no match is found. The name "none" is used
  # if the reverse lookup fails.

acl aclname src_as number ...
acl aclname dst_as number ...
  # [fast]
  # Except for access control, AS numbers can be used for
  # routing of requests to specific caches. Here's an
  # example for routing all requests for AS#1241 and only
  # those to mycache.mydomain.net:
  # acl asexample dst_as 1241
  # cache_peer_access mycache.mydomain.net allow asexample
  # cache_peer_access mycache.mydomain.net deny all

acl aclname peername myPeer ...
  # [fast]
  # match against a named cache_peer entry
  # set unique name= on cache_peer lines for reliable use.

acl aclname time [day-abbrevs] [h1:m1-h2:m2]
  # [fast]
  # day-abbrevs:
  #   S - Sunday
  #   M - Monday
  #   T - Tuesday
  #   W - Wednesday
  #   H - Thursday
  #   F - Friday
  #   A - Saturday
  # h1:m1 must be less than h2:m2

acl aclname url_regex [-i] ^http:// ...      # regex matching on whole URL [fast]
acl aclname urllogin [-i] [^a-zA-Z0-9] ...   # regex matching on URL login field
acl aclname urlpath_regex [-i] \.gif$ ...    # regex matching on URL path [fast]

acl aclname port 80 70 21 0-1024...          # destination TCP port [fast]
  # ranges are allowed
acl aclname localport 3128 ...               # TCP port the client connected to [fast]
  # NP: for interception mode this is usually '80'

acl aclname myportname 3128 ...              # http(s)_port name [fast]

acl aclname proto HTTP FTP ...               # request protocol [fast]

acl aclname method GET POST ...              # HTTP request method [fast]

acl aclname http_status 200 301 500- 400-403 ... # status code in reply [fast]

acl aclname browser [-i] regexp ...
  # pattern match on User-Agent header (see also req_header below) [fast]

acl aclname referer_regex [-i] regexp ...
  # pattern match on Referer header [fast]
  # Referer is highly unreliable, so use with care

acl aclname ident username ...
acl aclname ident_regex [-i] pattern ...
  # string match on ident output [slow]
  # use REQUIRED to accept any non-null ident.

acl aclname proxy_auth [-i] username ...
acl aclname proxy_auth_regex [-i] pattern ...
  # perform http authentication challenge to the client and match against
  # supplied credentials [slow]
  #
  # takes a list of allowed usernames.
  # use REQUIRED to accept any valid username.
  #
  # Will use proxy authentication in forward-proxy scenarios, and plain
  # http authentication in reverse-proxy scenarios
  #
  # NOTE: when a Proxy-Authentication header is sent but it is not
  # needed during ACL checking the username is NOT logged
  # in access.log.
  #
  # NOTE: proxy_auth requires an EXTERNAL authentication program
  # to check username/password combinations (see
  # auth_param directive).
  #
  # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
  # as the browser needs to be configured for using a proxy in order
  # to respond to proxy authentication.

acl aclname snmp_community string ...
  # A community string to limit access to your SNMP Agent [fast]
  # Example:
  #
  #   acl snmppublic snmp_community public

acl aclname maxconn number
  # This will be matched when the client's IP address has
  # more than
```
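A small model of the acl line grammar above (-i/+i toggling between patterns, -n, --, quoted "file" arguments, same-name merging and type collisions) together with the any-of/all-of group types and localport from the change list. This is added example code written for this page, not Squid's own parser; the read_file callback, the transaction dict and the sample squid.conf are constructed stand-ins, and only a few ACL types are modelled.

```python
import re

def parse_acls(lines, read_file=lambda path: []):
    """Parse squid.conf acl lines into {aclname: {'type', 'nolookup', 'values'}}."""
    acls = {}
    for raw in lines:
        line = re.sub(r'(^|\s)#.*$', '', raw).strip()        # drop trailing comments
        if not line.startswith('acl '):
            continue
        _, name, acltype, *args = line.split()
        entry = acls.setdefault(name, {'type': acltype, 'nolookup': False, 'values': []})
        if entry['type'] != acltype:                         # same-name lines merge; a new type collides
            raise ValueError(f'ACL type collision for {name!r}: {entry["type"]} vs {acltype}')
        icase, opts = False, True
        for arg in args:
            if opts and arg == '--':
                opts = False                                 # later values may start with '-'
            elif opts and arg in ('-i', '+i'):
                icase = arg == '-i'                          # applies to the patterns that follow
            elif opts and arg == '-n':
                entry['nolookup'] = True                     # no lookups / address conversions
            else:                                            # "file" expands to one item per line
                items = read_file(arg.strip('"')) if arg.startswith('"') else [arg]
                entry['values'] += [(item, icase) for item in items]
    return acls

def matches(acls, name, tx):
    """Evaluate ACL `name` against tx, a constructed dict with url, dstport, localport."""
    acl = acls[name]
    kind, values = acl['type'], [v for v, _ in acl['values']]
    if kind == 'any-of':                                     # matches if any member ACL matches
        return any(matches(acls, v, tx) for v in values)
    if kind == 'all-of':                                     # matches only if every member matches
        return all(matches(acls, v, tx) for v in values)
    if kind in ('port', 'localport'):                        # "80" or a "1025-65535" range
        port = tx['dstport' if kind == 'port' else 'localport']
        return any(int(r[0]) <= port <= int(r[-1]) for r in (v.split('-') for v in values))
    if kind == 'url_regex':
        return any(re.search(p, tx['url'], re.I if icase else 0) for p, icase in acl['values'])
    raise NotImplementedError(f'ACL type {kind} is not modelled here')

# Constructed sample squid.conf: a suggested-config entry plus the group, localport and built-in manager definitions from this page.
SAMPLE_CONF = r"""
acl Safe_ports port 80 21 443 1025-65535           # ranges are allowed
acl intercepted localport 80                       # TCP port the client connected to
acl manager url_regex ^(cache_object://|https?://[^/]+/squid-internal-mgr/)
acl blocked url_regex -i \.exe$ +i ^http://Ads\.   # -i, then back to case-sensitive
acl mgr_intercepted all-of manager intercepted     # manager URL arriving on the intercept port
acl unwanted any-of blocked mgr_intercepted        # either condition is enough to deny
""".splitlines()
```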