====== Squid - ACLs - ACL Example Usage ======
===== Allowed Subnets =====
Add the default **192.168.1.0/24** and any other LAN subnets, such as my IoT subnet **192.168.70.0/24** and guest subnet **172.16.0.0/24**.
Add any other IP that is allowed to use the proxy, for example, **100.1.2.3**.
The teachers group always has access to the Internet; the students group only has access Monday to Friday during lunchtime:
acl AllowedHosts src 192.168.1.0/24
acl AllowedHosts src 192.168.70.0/24
acl AllowedHosts src 172.16.0.0/24
acl AllowedHosts src 100.1.2.3
acl teachers src 192.168.10.0/255.255.255.0
acl students src 192.168.20.0-192.168.30.0/255.255.255.0
acl lunch time MTWHF 12:00-13:00
#[ black-list and white-list rules will go in here in the next step ]
http_access deny localhost
http_access allow teachers
http_access allow students lunch
http_access allow AllowedHosts
http_access deny all
**AllowedHosts** is just the name given to this ACL; you can call it anything, but the rules that follow reference it by that name.
----
===== Blacklist Proxy vs Whitelist Proxy =====
Next, add further ACL entries. First decide which approach you want to follow:
* A **black-listing proxy** blocks offensive web sites and lets everything else through. See the Blacklist Proxy Example.
* A **white-listing proxy** only allows approved sites. A white-list has the benefit of blocking virtually everything that is not known to be “good”, but may take longer to configure. See the Whitelist Proxy Example.
==== Blacklist Proxy Example ====
Place your list files in a location of your choosing (e.g., /etc/squid/), define the ACLs that reference them, then apply them in rules something like the following.
#______[ Black List ]_____________________________________________________
acl advdom dstdomain "/etc/squid/ad.domains"
acl adv0exp url_regex -i "/etc/squid/ad0.exp"
acl adv1exp url_regex -i "/etc/squid/ad1.exp"
acl baddom dstdomain "/etc/squid/bad.domains"
acl baddom dstdomain "/etc/squid/proxy.domains"
acl badexp url_regex -i "/etc/squid/bad.exp"
acl violentdom dstdomain "/etc/ffilter/violent.domains"
acl hardblock url_regex -i "/etc/squid/hardblock.exp"
acl drugdomains dstdomain "/etc/ffilter/drug.domains"
acl gambledom dstdomain "/etc/ffilter/gambling.domains"
acl offensive dstdomain "/etc/ffilter/offensive.domains"
acl offendexp url_regex -i "/etc/ffilter/offensive.exp"
acl deceptive dstdomain "/etc/ffilter/deceptive.domains"
acl illegal dstdomain "/etc/ffilter/illegal.domains"
# The rules below also reference the ACLs defined next. Squid refuses to start
# when an http_access line names an ACL that is not defined, so either point
# these at your own list files (the paths here are placeholders) or remove the
# matching http_access lines.
acl bad0exp url_regex -i "/path/to/bad0.exp"
acl violentIPs dst "/path/to/violent.IPs"
acl violentexp url_regex -i "/path/to/violent.exp"
acl drugexp url_regex -i "/path/to/drug.exp"
acl gambleexp url_regex -i "/path/to/gambling.exp"
acl deceptexp url_regex -i "/path/to/deceptive.exp"
acl spamdom dstdomain "/path/to/spam.domains"
acl p2p url_regex -i "/path/to/p2p.exp"
# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:
acl children src "/etc/ffilter/kids.IPs"
acl curfewOK dstdomain "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight:
#
acl curfew time SMTWH 22:00-23:59
acl curfew time SMTWHF 00:00-7:00
#______[ White List ]_____________________________________________________
acl safedom dstdomain "/etc/ffilter/safe.domains"
acl safeexp url_regex -i "/etc/ffilter/safe.exp"
acl christdom dstdomain "/etc/ffilter/christian.domains"
acl christexp url_regex -i "/etc/ffilter/christian.exp"
acl schooldom dstdomain "/etc/ffilter/school.domains"
acl employdom dstdomain "/etc/ffilter/employ.domains"
#______[ Rules ]__________________________________________________________
# 0. 'hardblock' regex and IP matches
#
http_access deny hardblock
# 1. Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
#http_access deny children gamedom
# Now block the stage zero regex blocks that are to come before safe regex
# holes; this is to allow certain parts of a regex to be blocked while the
# safe.exp match (for example) lets through the rest. For example, we might
# have a "safe site" that has ads we want to block.
#
http_access deny adv0exp
http_access deny bad0exp
http_access deny offendexp
# 2. Let through safe domains, but not regex
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom
# 3. Block bad domains, but not regex
# Thus, the domain files should only contain domains which are TOTALLY bad.
# If a domain is only mostly bad, it should go in the regex file instead so
# that white-list rules can be applied.
# Put another way, any domain in a domain blacklist NEVER gets through, even if
# a white-list contains a regex pattern match.
#
http_access deny baddom
http_access deny violentIPs
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
http_access deny p2p
# Ads and spam are last because I'd first want to tell people if the domain
# were bad for some other reason, and only as a last resort block it merely
# because it was spam.
#
http_access deny advdom
http_access deny spamdom
# 4. Let through safe regex
#
http_access allow christexp
http_access allow safeexp
# 5. Block bad regex
#
http_access deny badexp
http_access deny violentexp
http_access deny drugexp
http_access deny gambleexp
http_access deny deceptexp
# Ads and spam expressions are the last to be blocked.
#
http_access deny adv1exp
# 6. Everything else is permitted for those hosts that are allowed.
#
http_access allow AllowedHosts
http_access deny all
----
==== Whitelist Proxy Example ====
Place your list files in a location of your choosing (e.g., /etc/squid/), define the ACLs that reference them, then apply them in rules something like the following.
#______[ Black List ]_____________________________________________________
acl advIPs dst "/etc/squid/ad.IPs"
acl advdom dstdomain "/etc/squid/ad.domains"
acl adv0exp url_regex -i "/etc/squid/ad0.exp"
acl baddom dstdomain "/etc/squid/bad.domains"
acl baddom dstdomain "/etc/squid/proxy.domains"
acl bad0exp url_regex -i "/etc/squid/bad.exp"
acl violentdom dstdomain "/etc/ffilter/violent.domains"
acl hardblock url_regex -i "/etc/squid/hardblock.exp"
acl drugdomains dstdomain "/etc/ffilter/drug.domains"
acl gambledom dstdomain "/etc/ffilter/gambling.domains"
acl offensive dstdomain "/etc/ffilter/offensive.domains"
acl deceptive dstdomain "/etc/ffilter/deceptive.domains"
acl illegal dstdomain "/etc/ffilter/illegal.domains"
# The rules below also reference spamdom and p2p. Squid refuses to start when
# an http_access line names an ACL that is not defined, so either point these
# at your own list files (the paths here are placeholders) or remove the
# matching http_access lines.
acl spamdom dstdomain "/path/to/spam.domains"
acl p2p url_regex -i "/path/to/p2p.exp"
# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:
acl children src "/etc/ffilter/kids.IPs"
acl curfewOK dstdomain "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight:
#
acl curfew time SMTWH 22:00-23:59
acl curfew time SMTWHF 00:00-7:00
#______[ White List ]_____________________________________________________
acl safedom dstdomain "/etc/ffilter/safe.domains"
acl safeexp url_regex -i "/etc/ffilter/safe.exp"
acl christdom dstdomain "/etc/ffilter/christian.domains"
acl christexp url_regex -i "/etc/ffilter/christian.exp"
acl schooldom dstdomain "/etc/ffilter/school.domains"
acl employdom dstdomain "/etc/ffilter/employ.domains"
#______[ Rules ]__________________________________________________________
# 0. 'hardblock' regex and IP matches
#
http_access deny hardblock
# 1. Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
#http_access deny children gamedom
# Now block the stage zero regex blocks that are to come before safe regex
# holes; this is to allow certain parts of a regex to be blocked while the
# safe.exp match (for example) lets through the rest. For example, we might
# have a "safe site" that has ads we want to block.
#
http_access deny adv0exp
http_access deny bad0exp
# 2. Let through safe domains, but not expressions yet
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom
# 3. Block bad domains (domains which have no desirable content).
#
http_access deny baddom
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
http_access deny p2p
# Ads and spam are last because I'd first want to tell people if the domain
# were bad for some other reason, and only as a last resort block it merely
# because it was spam.
#
http_access deny advdom
http_access deny spamdom
# 4. Let through safe expressions
#
http_access allow christexp
http_access allow safeexp
# 5. Everything else is denied. Do NOT put the AllowedHosts ACL in here
# or you will defeat the white-list.
#
http_access deny all
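Why the rule order in the two examples above matters, as an added example that is not code from this page or from Squid: the list files are replaced by inline Python lists, every host, pattern and URL is a constructed sample, and the two rule chains differ only in whether `allow AllowedHosts` sits before the final `deny all`.

```python
"""Why the black-list and white-list rule order above matters. Added example,
not code from the original page or from Squid; the list files named on the
page are replaced by inline lists, and every host, pattern and URL below is
a constructed sample."""
import ipaddress
import re

# Squid dstdomain semantics: ".example" matches that domain and all its
# subdomains; a bare "host.example" matches only that exact host.
def dstdomain_match(entries, host):
    return any((e.startswith(".") and (host == e[1:] or host.endswith(e)))
               or host == e for e in entries)

def url_regex_match(entries, url):  # '-i' on the page's acl lines = case-insensitive
    return any(re.search(e, url, re.IGNORECASE) for e in entries)

ACLS = {  # name: (type, entries) standing in for the *.domains / *.exp files
    "adv0exp": ("url_regex", [r"/ads?/", r"doubleclick"]),   # stage-zero ad regex
    "safedom": ("dstdomain", [".news.example"]),             # "safe site" that carries ads
    "baddom":  ("dstdomain", [".badsite.example"]),          # TOTALLY bad domain
    "safeexp": ("url_regex", [r"/wiki/"]),                   # white-list regex hole
    "badexp":  ("url_regex", [r"casino"]),                   # mostly-bad content by pattern
    "AllowedHosts": ("src", ["192.168.1.0/24"]),
}
# Same layering as the page: deny stage-zero regex, allow safe domains, deny bad
# domains, allow safe regex, deny bad regex, then the final rule.
WHITELIST = [("deny", "adv0exp"), ("allow", "safedom"), ("deny", "baddom"),
             ("allow", "safeexp"), ("deny", "badexp"), ("deny", "all")]
BLACKLIST = WHITELIST[:-1] + [("allow", "AllowedHosts"), ("deny", "all")]

def decide(url, client_ip, rules):
    """First http_access line whose ACL matches decides; 'all' always matches."""
    host = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE).group(1).lower()
    ip = ipaddress.ip_address(client_ip)
    for action, name in rules:
        if name == "all":
            return action
        typ, entries = ACLS[name]
        if typ == "dstdomain":
            hit = dstdomain_match(entries, host)
        elif typ == "url_regex":
            hit = url_regex_match(entries, url)
        else:  # src
            hit = any(ip in ipaddress.ip_network(e) for e in entries)
        if hit:
            return action
    return "allow"  # unreachable here; Squid would apply the opposite of the last rule
```

The ad path on the safe site is denied by the stage-zero regex before `allow safedom` is reached, and a page on the bad domain is denied even though `/wiki/` is in the safe regex list, which is exactly the "TOTALLY bad" rule from the comments above.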
----
===== Children's curfew =====
Include the following in the same **Allowed Subnets** box. Place the RULES section at the bottom, and remember that RULES are processed in top-to-bottom order until the first one whose criteria match.
# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:
#
acl children src "/etc/ffilter/kids.IPs"
acl curfewOK dstdomain "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight:
#
acl curfew time SMTWH 22:00-23:59
acl curfew time SMTWHF 00:00-7:00
# RULES:
#
# Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
#http_access deny children gamedom
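The first-match evaluation described here and in the Allowed Subnets section, as an added example that is not code from this page or from Squid: it inlines those src and time rules plus the curfew pair, uses a constructed 192.168.1.64/26 subnet in place of the kids.IPs file, and places the curfew deny ahead of the allow lines that would otherwise match the kids' addresses.

```python
"""Squid http_access first-match evaluation for the Allowed Subnets and children's curfew rules
above: an added example, not code from the page or from Squid; models only the src and time ACL types."""
import ipaddress
import datetime
SQUID_CONF = """
acl AllowedHosts src 192.168.1.0/24
acl AllowedHosts src 192.168.70.0/24
acl AllowedHosts src 100.1.2.3
acl teachers src 192.168.10.0/255.255.255.0
acl students src 192.168.20.0-192.168.30.0/255.255.255.0
acl lunch time MTWHF 12:00-13:00
acl children src 192.168.1.64/26
acl curfew time SMTWH 22:00-23:59
acl curfew time SMTWHF 00:00-7:00
http_access deny children curfew
http_access allow teachers
http_access allow students lunch
http_access allow AllowedHosts
http_access deny all
"""
def parse(conf):
    acls, rules = {"all": [("all", [])]}, []  # 'all' is a Squid built-in ACL
    for parts in (ln.split("#")[0].split() for ln in conf.splitlines()):
        if parts and parts[0] == "acl":  # same name on several lines: entries are OR-ed
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts and parts[0] == "http_access":  # several ACLs on one line: AND-ed
            rules.append((parts[1], parts[2:]))
    return acls, rules
def src_match(arg, ip):
    net, _, mask = arg.partition("/")
    if "-" in net:  # addr1-addr2/mask: from addr1's network start to addr2's network end
        lo, hi = (ipaddress.ip_network(f"{a}/{mask or 32}", strict=False) for a in net.split("-"))
        return lo[0] <= ip <= hi[-1]
    return ip in ipaddress.ip_network(arg, strict=False)
def time_match(args, when):  # time [day letters] [h1:m1-h2:m2]; range end treated as inclusive
    days = "".join(a for a in args if ":" not in a)
    span = next((a for a in args if ":" in a), "00:00-23:59")
    lo, hi = (int(h) * 60 + int(m) for h, m in (t.split(":") for t in span.split("-")))
    day_ok = not days or "MTWHFAS"[when.weekday()] in days  # Squid day codes; Sunday is S
    return day_ok and lo <= when.hour * 60 + when.minute <= hi
def acl_match(acls, name, ip, when):  # KeyError for an undefined name, where Squid aborts startup
    return any(t == "all" or (t == "src" and any(src_match(a, ip) for a in args))
               or (t == "time" and time_match(args, when)) for t, args in acls[name])
def decide(conf, client_ip, when):  # 'allow' or 'deny' for client_ip at `when` ('YYYY-MM-DD HH:MM')
    when = datetime.datetime.fromisoformat(when)
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_match(acls, n, ip, when) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # nothing matched: opposite of last rule
```

A kids' host is denied on a Wednesday at 22:30 but allowed on a Friday at the same time, because the two `acl curfew time` lines are OR-ed and neither covers Friday evening; a student is allowed only on weekday lunchtimes, and everyone else falls through to `deny all`.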
----
===== url_rewrite_program PATH =====
* With this option, specify a URL rewriter.
* Squid cannot run script-based external helpers (.bat, .cmd, .vbs, .pl, etc.) directly, so in squid.conf the interpreter path must always be specified, for example:
url_rewrite_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
The rewriter script that is called would then look something like this:
#!/usr/bin/env perl
use strict;
use warnings;
$| = 1;    # unbuffered output: Squid waits for one answer line per request line
while (my $line = <STDIN>) {
    # Squid sends "URL client_ip/fqdn ident method ..." per request; the URL is the first field
    my ($url) = $line =~ /^(\S+)/;
    if ($url =~ m{^http://www\.hostname\.com/}) {
        # Rewrite the matched URL. The right-hand side must point at the destination
        # (www.hostname.com stands in for both sides here), otherwise the 301 sends
        # the client straight back to the same URL.
        $url =~ s{^http://www\.hostname\.com/(.*)}{http://www.hostname.com/$1};
        print "301:$url\n";    # 301:URL tells Squid to answer with a permanent redirect
    } else {
        print "$url\n";        # URL returned unchanged: no rewrite
    }
}
If it exits with abnormal program termination and this is in cache.log:
2012/03/23 19:26:12| helperOpenServers: Starting 5 'c:\squid\php\redirect.pl' processes
2012/03/23 19:26:12| ipcCreate: CHILD: c:\squid\php\redirect.pl: (8) Exec format error
2012/03/23 19:26:12| ipcCreate: PARENT: OK read test failed
2012/03/23 19:26:13| --> read returned 4
then the cause may be quotes around the path; try it without them.
----
===== auth_param basic program PATH =====
* If users must authenticate to the proxy, set a corresponding program, such as /usr/sbin/pam_auth. When accessing the proxy for the first time, the user sees a login window in which they need to specify a user name and a password. In addition, you need an ACL so that only clients with a valid login can use the Internet:
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
* In the acl proxy_auth option, using **REQUIRED** means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
----
===== ident_lookup_access allow ACL_NAME =====
* With this option, an ident request is run to find each user's identity for all clients defined by an ACL of type src. Alternatively, to use this for all clients, apply the predefined ACL all as the ACL_NAME.
* All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:
acl identhosts ident REQUIRED
http_access allow identhosts
http_access deny all
* In the acl identhosts ident option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
* Using ident can slow down access time, because ident lookups are repeated for each request.
----
===== References =====
http://www.squid-cache.org/Versions/v3/3.5/cfgman/acl.html
https://ispltd.org/server_guides:proxy
https://doc.opensuse.org/documentation/leap/archive/15.0/reference/html/book.opensuse.reference/cha.squid.html