Squid configuration directive acl
Available in: v7 v6 v5 v4 3.5 3.4 3.3 3.2 2.7 3.1 3.0 2.6
For older versions than v4 see the linked pages above
Configuration Details:
Option Name: | acl |
---|---|
Replaces: | |
Requires: | |
Default Value: | ACLs all, manager, localhost, to_localhost, to_linklocal, and CONNECT are predefined. |
Suggested Config: |
# # Recommended minimum configuration: # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed |
Defining an Access List Every access list definition must begin with an aclname and acltype, followed by either type-specific arguments or a quoted filename that they are read from. acl aclname acltype argument ... acl aclname acltype "file" ... When using "file", the file should contain one item per line. ACL Options Some acl types supports options which changes their default behaviour: -i,+i By default, regular expressions are CASE-SENSITIVE. To make them case-insensitive, use the -i option. To return case-sensitive use the +i option between patterns, or make a new ACL line without -i. -n Disable lookups and address type conversions. If lookup or conversion is required because the parameter type (IP or domain name) does not match the message address type (domain name or IP), then the ACL would immediately declare a mismatch without any warnings or lookups. -m[=delimiters] Perform a list membership test, interpreting values as comma-separated token lists and matching against individual tokens instead of whole values. The optional "delimiters" parameter specifies one or more alternative non-alphanumeric delimiter characters. non-alphanumeric delimiter characters. -- Used to stop processing all options, in the case the first acl value has '-' character as first character (for example the '-' is a valid domain name) Some acl types require suspending the current request in order to access some external data source. Those which do are marked with the tag [slow], those which don't are marked as [fast]. See https://wiki.squid-cache.org/SquidFaq/SquidAcl for further information ***** ACL TYPES AVAILABLE ***** acl aclname src ip-address/mask ... # clients IP address [fast] acl aclname src addr1-addr2/mask ... # range of addresses [fast] acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow] acl aclname localip ip-address/mask ... # IP address the client connected to [fast] if --enable-eui acl aclname arp mac-address ... acl aclname eui64 eui64-address ... # [fast] # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation. # # The 'arp' ACL code is not portable to all operating systems. # It works on Linux, Solaris, Windows, FreeBSD, and some other # BSD variants. # # The eui_lookup directive is required to be 'on' (the default) # and Squid built with --enable-eui for MAC/EUI addresses to be # available for this ACL. # # Squid can only determine the MAC/EUI address for IPv4 # clients that are on the same subnet. If the client is on a # different subnet, then Squid cannot find out its address. # # IPv6 protocol does not contain ARP. MAC/EUI is either # encoded directly in the IPv6 address or not available. endif acl aclname clientside_mark mark[/mask] ... # matches CONNMARK of an accepted connection [fast] # DEPRECATED. Use the 'client_connection_mark' instead. acl aclname client_connection_mark mark[/mask] ... # matches CONNMARK of an accepted connection [fast] # # mark and mask are unsigned integers (hex, octal, or decimal). # If multiple marks are given, then the ACL matches if at least # one mark matches. # # Uses netfilter-conntrack library. # Requires building Squid with --enable-linux-netfilter. # # The client, various intermediaries, and Squid itself may set # CONNMARK at various times. The last CONNMARK set wins. This ACL # checks the mark present on an accepted connection or set by # Squid afterwards, depending on the ACL check timing. This ACL # effectively ignores any mark set by other agents after Squid has # accepted the connection. acl aclname srcdomain .foo.com ... # reverse lookup, from client IP [slow] acl aclname dstdomain [-n] .foo.com ... # Destination server from URL [fast] acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name [slow] acl aclname dstdom_regex [-n] [-i] \.foo\.com ... # regex matching server [fast] # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP # based URL is used and no match is found. The name "none" is used # if the reverse lookup fails. acl aclname src_as number ... acl aclname dst_as number ... # [fast] # Except for access control, AS numbers can be used for # routing of requests to specific caches. Here's an # example for routing all requests for AS#1241 and only # those to mycache.mydomain.net: # acl asexample dst_as 1241 # cache_peer_access mycache.mydomain.net allow asexample # cache_peer_access mycache_mydomain.net deny all acl aclname peername myPeer ... acl aclname peername_regex [-i] regex-pattern ... # [fast] # match against a named cache_peer entry # set unique name= on cache_peer lines for reliable use. acl aclname time [day-abbrevs] [h1:m1-h2:m2] # [fast] # day-abbrevs: # S - Sunday # M - Monday # T - Tuesday # W - Wednesday # H - Thursday # F - Friday # A - Saturday # h1:m1 must be less than h2:m2 acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL [fast] acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path [fast] acl aclname port 80 70 21 0-1024 ... # destination TCP port (or port range) of the request [fast] # # Port 0 matches requests that have no explicit and no default destination # ports (e.g., HTTP requests with URN targets) acl aclname localport 3128 ... # TCP port the client connected to [fast] # NP: for interception mode this is usually '80' acl aclname myportname 3128 ... # *_port name [fast] acl aclname proto HTTP FTP ... # request protocol [fast] acl aclname method GET POST ... # HTTP request method [fast] acl aclname http_status 200 301 500- 400-403 ... # status code in reply [fast] acl aclname browser [-i] regexp ... # pattern match on User-Agent header (see also req_header below) [fast] acl aclname referer_regex [-i] regexp ... # pattern match on Referer header [fast] # Referer is highly unreliable, so use with care acl aclname proxy_auth [-i] username ... # perform http authentication challenge to the client and match against # supplied credentials [slow] # # takes a list of allowed usernames. # use REQUIRED to accept any valid username. # # See proxy_auth_regex for more information. The two ACLs differ only in # their parameter syntax and username matching algorithm. acl aclname proxy_auth_regex [-i] username_pattern ... # perform http authentication challenge to the client and regex match # supplied username [slow] # # Will use proxy authentication in forward-proxy scenarios, and plain # http authentication in reverse-proxy scenarios # # NOTE: when a Proxy-Authentication header is sent but it is not # needed during ACL checking the username is NOT logged # in access.log. # # NOTE: proxy_auth requires a EXTERNAL authentication program # to check username/password combinations (see # auth_param directive). # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy # as the browser needs to be configured for using a proxy in order # to respond to proxy authentication. acl aclname snmp_community string ... # A community string to limit access to your SNMP Agent [fast] # Example: # # acl snmppublic snmp_community public acl aclname maxconn number # This will be matched when the client's IP address has # more than <number> TCP connections established. [fast] # NOTE: This only measures direct TCP links so X-Forwarded-For # indirect clients are not counted. acl aclname max_user_ip [-s] number # This will be matched when the user attempts to log in from more # than <number> different ip addresses. The authenticate_ip_ttl # parameter controls the timeout on the ip entries. [fast] # If -s is specified the limit is strict, denying browsing # from any further IP addresses until the ttl has expired. Without # -s Squid will just annoy the user by "randomly" denying requests. # (the counter is reset each time the limit is reached and a # request is denied) # NOTE: in acceleration mode or where there is mesh of child proxies, # clients may appear to come from multiple addresses if they are # going through proxy farms, so a limit of 1 may cause user problems. acl aclname random probability # Pseudo-randomly match requests. Based on the probability given. # Probability may be written as a decimal (0.333), fraction (1/3) # or ratio of matches:non-matches (3:5). acl aclname req_mime_type [-i] mime-type ... # regex match against the mime type of the request generated # by the client. Can be used to detect file upload or some # types HTTP tunneling requests [fast] # NOTE: This does NOT match the reply. You cannot use this # to match the returned file type. acl aclname req_header header-name [-i] any\.regex\.here # regex match against any of the known request headers. May be # thought of as a superset of "browser", "referer" and "mime-type" # ACL [fast] acl aclname rep_mime_type [-i] mime-type ... # regex match against the mime type of the reply received by # squid. Can be used to detect file download or some # types HTTP tunneling requests. [fast] # NOTE: This has no effect in http_access rules. It only has # effect in rules that affect the reply data stream such as # http_reply_access. acl aclname rep_header header-name [-i] any\.regex\.here # regex match against any of the known reply headers. May be # thought of as a superset of "browser", "referer" and "mime-type" # ACLs [fast] acl aclname external class_name [arguments...] # external ACL lookup via a helper class defined by the # external_acl_type directive [slow] acl aclname user_cert attribute values... # match against attributes in a user SSL certificate # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] acl aclname ca_cert attribute values... # match against attributes a users issuing CA SSL certificate # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] acl aclname ext_user [-i] username ... # string match on username returned by external acl helper [slow] # use REQUIRED to accept any non-null user name. # # See also: ext_user_regex. The two ACLs differ only in their parameter # syntax and username matching algorithm. acl aclname ext_user_regex [-i] username_pattern ... # regex match on username returned by external acl helper [slow] acl aclname tag tagvalue ... # string match on tag returned by external acl helper [fast] # DEPRECATED. Only the first tag will match with this ACL. # Use the 'note' ACL instead for handling multiple tag values. acl aclname hier_code codename ... # string match against squid hierarchy code(s); [fast] # e.g., DIRECT, PARENT_HIT, NONE, etc. # # NOTE: This has no effect in http_access rules. It only has # effect in rules that affect the reply data stream such as # http_reply_access. acl aclname note [-m[=delimiters]] name [value ...] # match transaction annotation [fast] # Without values, matches any annotation with a given name. # With value(s), matches any annotation with a given name that # also has one of the given values. # If the -m flag is used, then the value of the named # annotation is interpreted as a list of tokens, and the ACL # matches individual name=token pairs rather than whole # name=value pairs. See "ACL Options" above for more info. # Annotation sources include note and adaptation_meta directives # as well as helper and eCAP responses. acl aclname annotate_transaction [-m[=delimiters]] key=value ... acl aclname annotate_transaction [-m[=delimiters]] key+=value ... # Always matches. [fast] # Used for its side effect: This ACL immediately adds a # key=value annotation to the current master transaction. # The added annotation can then be tested using note ACL and # logged (or sent to helpers) using %note format code. # # Annotations can be specified using replacement and addition # formats. The key=value form replaces old same-key annotation # value(s). The key+=value form appends a new value to the old # same-key annotation. Both forms create a new key=value # annotation if no same-key annotation exists already. If # -m flag is used, then the value is interpreted as a list # and the annotation will contain key=token pair(s) instead of the # whole key=value pair. # # This ACL is especially useful for recording complex multi-step # ACL-driven decisions. For example, the following configuration # avoids logging transactions accepted after aclX matched: # # # First, mark transactions accepted after aclX matched # acl markSpecial annotate_transaction special=true # http_access allow acl001 # ... # http_access deny acl100 # http_access allow aclX markSpecial # # # Second, do not log marked transactions: # acl markedSpecial note special true # access_log ... deny markedSpecial # # # Note that the following would not have worked because aclX # # alone does not determine whether the transaction was allowed: # access_log ... deny aclX # Wrong! # # Warning: This ACL annotates the transaction even when negated # and even if subsequent ACLs fail to match. For example, the # following three rules will have exactly the same effect as far # as annotations set by the "mark" ACL are concerned: # # some_directive acl1 ... mark # rule matches if mark is reached # some_directive acl1 ... !mark # rule never matches # some_directive acl1 ... mark !all # rule never matches acl aclname annotate_client [-m[=delimiters]] key=value ... acl aclname annotate_client [-m[=delimiters]] key+=value ... # # Always matches. [fast] # Used for its side effect: This ACL immediately adds a # key=value annotation to the current client-to-Squid # connection. Connection annotations are propagated to the current # and all future master transactions on the annotated connection. # See the annotate_transaction ACL for details. # # For example, the following configuration avoids rewriting URLs # of transactions bumped by SslBump: # # # First, mark bumped connections: # acl markBumped annotate_client bumped=true # ssl_bump peek acl1 # ssl_bump stare acl2 # ssl_bump bump acl3 markBumped # ssl_bump splice all # # # Second, do not send marked transactions to the redirector: # acl markedBumped note bumped true # url_rewrite_access deny markedBumped # # # Note that the following would not have worked because acl3 alone # # does not determine whether the connection is going to be bumped: # url_rewrite_access deny acl3 # Wrong! acl aclname adaptation_service service ... # Matches the name of any icap_service, ecap_service, # adaptation_service_set, or adaptation_service_chain that Squid # has used (or attempted to use) for the master transaction. # This ACL must be defined after the corresponding adaptation # service is named in squid.conf. This ACL is usable with # adaptation_meta because it starts matching immediately after # the service has been selected for adaptation. acl aclname transaction_initiator initiator ... # Matches transaction's initiator [fast] # # Supported initiators are: # certificate-fetching: matches transactions fetching # a missing intermediate TLS certificate # cache-digest: matches transactions fetching Cache Digests # from a cache_peer # htcp: matches HTCP requests from peers # icp: matches ICP requests to peers # icmp: matches ICMP RTT database (NetDB) requests to peers # asn: matches asns db requests # internal: matches any of the above # client: matches transactions containing an HTTP or FTP # client request received at a Squid *_port # all: matches any transaction, including internal transactions # without a configurable initiator and hopefully rare # transactions without a known-to-Squid initiator # # Multiple initiators are ORed. acl aclname has component # matches a transaction "component" [fast] # # Supported transaction components are: # request: transaction has a request header (at least) # response: transaction has a response header (at least) # ALE: transaction has an internally-generated Access Log Entry # structure; bugs notwithstanding, all transaction have it # # For example, the following configuration helps when dealing with HTTP # clients that close connections without sending a request header: # # acl hasRequest has request # acl logMe note important_transaction # # avoid "logMe ACL is used in context without an HTTP request" warnings # access_log ... logformat=detailed hasRequest logMe # # log request-less transactions, instead of ignoring them # access_log ... logformat=brief !hasRequest # # Multiple components are not supported for one "acl" rule, but # can be specified (and are ORed) using multiple same-name rules: # # # OK, this strange logging daemon needs request or response, # # but can work without either a request or a response: # acl hasWhatMyLoggingDaemonNeeds has request # acl hasWhatMyLoggingDaemonNeeds has response acl aclname at_step step # match against the current request processing step [fast] # Valid steps are: # GeneratingCONNECT: Generating HTTP CONNECT request headers if --with-openssl # The following ssl_bump processing steps are recognized: # SslBump1: After getting TCP-level and HTTP CONNECT info. # SslBump2: After getting SSL Client Hello info. # SslBump3: After getting SSL Server Hello info. endif if --with-openssl acl aclname ssl_error errorname # match against SSL certificate validation error [fast] # # When used with sslproxy_cert_error, this ACL tests a single # certificate validation error currently being evaluated by that # directive. When used with slproxy_cert_sign or sslproxy_cert_adapt, # the ACL tests all past certificate validation errors associated with # the current Squid-to-server connection (attempt). This ACL is not yet # supported for use with other directives. # # For valid error names see in /usr/local/squid/share/errors/templates/error-details.txt # template file. # # The following can be used as shortcuts for certificate properties: # [ssl::]certHasExpired: the "not after" field is in the past # [ssl::]certNotYetValid: the "not before" field is in the future # [ssl::]certUntrusted: The certificate issuer is not to be trusted. # [ssl::]certSelfSigned: The certificate is self signed. # [ssl::]certDomainMismatch: The certificate CN domain does not # match the name the name of the host we are connecting to. # # The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, # ssl::certUntrusted, and ssl::certSelfSigned can also be used as # predefined ACLs, just like the 'all' ACL. acl aclname server_cert_fingerprint fingerprint # match against server SSL certificate fingerprint [fast] # # The fingerprint is the digest of the DER encoded version # of the whole certificate. The user should use the form: XX:XX:... # The SHA1 digest algorithm is the default and is currently # the only algorithm supported. acl aclname ssl::server_name [option] .foo.com ... # matches server name obtained from various sources [fast] # # The ACL computes server name(s) using such information sources as # CONNECT request URI, TLS client SNI, and TLS server certificate # subject (CN and SubjectAltName). The computed server name(s) usually # change with each SslBump step, as more info becomes available: # * SNI is used as the server name instead of the request URI, # * subject name(s) from the server certificate (CN and # SubjectAltName) are used as the server names instead of SNI. # # When the ACL computes multiple server names, matching any single # computed name is sufficient for the ACL to match. # # The "none" name can be used to match transactions where the ACL # could not compute the server name using any information source # that was both available and allowed to be used by the ACL options at # the ACL evaluation time. # # Unlike dstdomain, this ACL does not perform DNS lookups. # # A server name may be an IP address. For example, subject alternative # names (a.k.a. SANs) in some real server certificates include IPv4 and # IPv6 entries. Internally, Squid uses inet_ntop(3) to prep IP names for # matching. When using IPv6 names, use "::" notation (if applicable). # Do not use brackets. For example: 1080::8:800:200c:417a. # # An ACL option below may be used to restrict what information # sources are used to extract the server names from: # # --client-requested # The server name is SNI regardless of what the server says. # --server-provided # The server name(s) are the certificate subject name(s), regardless # of what the client has requested. If the server certificate is # unavailable, then the name is "none". # --consensus # The server name is either SNI (if SNI matches at least one of the # certificate subject names) or "none" (otherwise). When the server # certificate is unavailable, the consensus server name is SNI. # # Combining multiple options in one ACL is a fatal configuration # error. # # For all options: If no SNI is available, then the CONNECT request # target (a.k.a. URI) is used instead of SNI (for an intercepted # connection, this target is the destination IP address). acl aclname ssl::server_name_regex [-i] \.foo\.com ... # regex matches server name obtained from various sources [fast] # # See ssl::server_name for details, including IPv6 address formatting # caveats. Use case-insensitive matching (i.e. -i option) to reduce # dependency on how Squid formats or sanitizes server names. acl aclname connections_encrypted # matches transactions with all HTTP messages received over TLS # transport connections. [fast] # # The master transaction deals with HTTP messages received from # various sources. All sources used by the master transaction in the # past are considered by the ACL. The following rules define whether # a given message source taints the entire master transaction, # resulting in ACL mismatches: # # * The HTTP client transport connection is not TLS. # * An adaptation service connection-encryption flag is off. # * The peer or origin server transport connection is not TLS. # # Caching currently does not affect these rules. This cache ignorance # implies that only the current HTTP client transport and REQMOD # services status determine whether this ACL matches a from-cache # transaction. The source of the cached response does not have any # effect on future transaction that use the cached response without # revalidation. This may change. # # DNS, ICP, and HTCP exchanges during the master transaction do not # affect these rules. endif acl aclname any-of acl1 acl2 ... # match any one of the acls [fast or slow] # The first matching ACL stops further ACL evaluation. # # ACLs from multiple any-of lines with the same name are ORed. # For example, A = (a1 or a2) or (a3 or a4) can be written as # acl A any-of a1 a2 # acl A any-of a3 a4 # # This group ACL is fast if all evaluated ACLs in the group are fast # and slow otherwise. acl aclname all-of acl1 acl2 ... # match all of the acls [fast or slow] # The first mismatching ACL stops further ACL evaluation. # # ACLs from multiple all-of lines with the same name are ORed. # For example, B = (b1 and b2) or (b3 and b4) can be written as # acl B all-of b1 b2 # acl B all-of b3 b4 # # This group ACL is fast if all evaluated ACLs in the group are fast # and slow otherwise. Examples: acl macaddress arp 09:00:2b:23:45:67 acl myexample dst_as 1241 acl password proxy_auth REQUIRED acl fileupload req_mime_type -i ^multipart/form-data$ acl javascript rep_mime_type -i ^application/x-javascript$ CONFIG_START acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http CONFIG_END |
|
Introduction
- About Squid
- Why Squid?
- Squid Developers
- How to Donate
- How to Help Out
- Getting Squid
- Squid Source Packages
- Squid Deployment Case-Studies
- Squid Software Foundation
Documentation
- Quick Setup
- Configuration:
- FAQ and Wiki
- Guide Books:
- Non-English
- More...
Support
- Security Advisories
- Bugzilla Database
- Mailing lists
- Contacting us
- Commercial services
- Project Sponsors
- Squid-based products
Miscellaneous
- Developer Resources
- Related Writings
- Related Software:
- Squid Artwork
Web Site Translations
Mirrors
- Website:
- ... full list
- FTP Package Archive