Squid configuration directive http_access
Available in: v7 v6 v5 v4 3.5 3.4 3.3 3.2 2.7 3.1 3.0 2.6
For older versions than v4 see the linked pages above
Configuration Details:
Option Name: | http_access |
---|---|
Replaces: | |
Requires: | |
Default Value: | Deny, unless rules exist in squid.conf. |
Suggested Config:

    #
    # Recommended minimum Access Permission configuration:
    #
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager

    # This default configuration only allows localhost requests because a more
    # permissive Squid installation could introduce new attack vectors into the
    # network by proxying external TCP connections to unprotected services.
    http_access allow localhost

    # The two deny rules below are unnecessary in this default configuration
    # because they are followed by a "deny all" rule. However, they may become
    # critically important when you start allowing external requests below them.

    # Protect web applications running on the same server as Squid. They often
    # assume that only local users can access them at "localhost" ports.
    http_access deny to_localhost

    # Protect cloud servers that provide local users with sensitive info about
    # their server via certain well-known link-local (a.k.a. APIPA) addresses.
    http_access deny to_linklocal

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # For example, to allow access from your local networks, you may uncomment the
    # following rule (and/or add rules that match your definition of "local"):
    # http_access allow localnet

    # And finally deny all other access to this proxy
    http_access deny all

Allowing or Denying access based on defined access lists

To allow or deny a message received on an HTTP, HTTPS, or FTP port:

    http_access allow|deny [!]aclname ...

NOTE on default values:

If there are no "access" lines present, the default is to deny the request.

If none of the "access" lines cause a match, the default is the opposite of the last line in the list. If the last line was deny, the default is allow. Conversely, if the last line is allow, the default will be deny. For these reasons, it is a good idea to have a "deny all" entry at the end of your access lists to avoid potential confusion.

This clause supports both fast and slow acl types. See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
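An order check for http_access rules, as an added example (not part of Squid or its documentation). It applies the default-value note and the suggested config's ordering to a squid.conf text. The helper names, the finding messages and the choice to exempt localhost-only allow rules are assumptions of this sketch.

```python
GUARDS = (  # deny rules the suggested config places ahead of client allow rules
    ("deny", ("!Safe_ports",)), ("deny", ("CONNECT", "!SSL_ports")),
    ("deny", ("to_localhost",)), ("deny", ("to_linklocal",)),
)

def parse_rules(conf_text):
    """Return [(action, (acl, ...)), ...] in file order; commented lines are skipped."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], tuple(parts[2:])))
    return rules

def fallthrough(rules):
    """Action taken when no rule matches, per the NOTE on default values."""
    if not rules:
        return "deny"
    if rules[-1][1] == ("all",):
        return None  # a final catch-all rule leaves nothing unmatched
    return "allow" if rules[-1][0] == "deny" else "deny"

def lint(conf_text):
    rules, findings = parse_rules(conf_text), []
    if fallthrough(rules) == "allow":
        findings.append("last rule is a deny: unmatched requests are allowed; end with 'deny all'")
    for i, (action, acls) in enumerate(rules):
        if action != "allow" or "localhost" in acls:
            continue  # localhost-only allows sit above the guards in the suggested config
        for guard in GUARDS:
            if guard not in rules[:i]:
                findings.append(f"allow {' '.join(acls)}: no earlier deny {' '.join(guard[1])}")
    return findings

# Constructed samples: the page's rule list with localnet enabled, and a reordered variant.
SUGGESTED = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access allow localnet
http_access deny all"""
WEAK = "http_access allow localnet\n" + "\n".join(SUGGESTED.splitlines()[:6])

if __name__ == "__main__":
    print({"suggested": lint(SUGGESTED), "weak": lint(WEAK)})
```

The check compares rule text only; it does not resolve what each ACL name is defined to match.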