Squid Cache As Proxy Routing

ACLs

Using the ACLs: http_access

  • How it works
    • For each request Squid receives, it looks through all the http_access statements in order until it finds a line that matches.
    • It then either accepts or denies the request, depending on that line's setting.
    • The remaining rules are ignored.
  • Syntax
    http_access (allow|deny) acl1 acl2 acl3 ...
    
    • AND syntax: put the conditions on one line (every ACL on the line must match)
      http_access allow access_to_google access_from_office
      
    • OR syntax: put the conditions on separate lines (any line may match)
      http_access allow access_to_google
      http_access allow access_from_office
      

Translating ACLs (examples)

  • Example 1
    • If a connection tries to use the cache_object protocol (as defined in the manager ACL) and comes from localhost, then allow it.
      acl manager proto cache_object
      acl localhost src 127.0.0.1/32 ::1
      http_access allow manager localhost
      http_access deny manager
      
    • This example can be rewritten this way:
      • If a connection tries to use the cache_object protocol (as defined in the manager ACL), deny it unless it comes from the localhost ACL.
        acl manager proto cache_object
        acl localhost src 127.0.0.1/32 ::1
        http_access deny manager !localhost
        
    • What is cache_object?
      • A Squid-only protocol that returns information to the requester about how the cache is configured.

Logging

IPv6 in Squid

Setup Squid Cache for Multiple Outgoing IP address

Setup Squid Cache for IPv4 inbound to IPv6 outbound

Hide privacy

Block IPv4 outbound

  • Question: http://lists.squid-cache.org/pipermail/squid-users/2015-November/007485.html
  • Answer: http://lists.squid-cache.org/pipermail/squid-users/2015-November/007499.html
  • Conditions:
    • The server where Squid runs has both IPv4 and IPv6 networking enabled.
    • IPv4 inbound requests on different ports are mapped to IPv6 outbound requests (by tcp_outgoing_address).
    • If the target domain doesn't support IPv6 (no DNS AAAA record), then IPv4 (the DNS A record) will be used. In this case the IP of the server where Squid runs is used, because the OS returns an IPv4 address and, unless Squid has a catch-all tcp_outgoing_address mapping such as tcp_outgoing_address 127.0.0.1 all, Squid simply uses the server's own IP.
  • Solution 1: use a fallback tcp_outgoing_address
    # If no mapped IP is found, use 127.0.0.1.
    # This returns a bad request page.
    tcp_outgoing_address 127.0.0.1 all
    
  • Solution 2 (recommended): block IPv4 outbound requests.
    # Somehow, blocking IPv4 destinations directly does not work.
    # acl to_ipv4 dst ipv4
    # http_access deny to_ipv4
    
    # Blocking non-IPv6 outbound requests does work.
    acl to_ipv6 dst ipv6
    http_access deny !to_ipv6
    
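The following is an added example, not configuration or code from the original page or the Squid project: a small Python model of http_access evaluation (first matching line wins, ACLs on one line are ANDed, `!` negates, and with no match Squid applies the opposite of the last line's action). It is applied both to the two forms of Example 1 above and to the `deny !to_ipv6` rule of Solution 2; the FAKE_DNS table and the `*.example.test` hostnames are constructed stand-ins for real DNS resolution, and only the proto, src and dst ACL types are modelled.

```python
import ipaddress
# Constructed stand-in for DNS lookups (not real hosts): hostname -> addresses.
FAKE_DNS = {"v6.example.test": ["2001:db8::10"], "v4only.example.test": ["192.0.2.10"]}

# The two forms of Example 1 from the page, plus the recommended IPv6-only rule.
EXAMPLE1 = """acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
http_access allow manager localhost
http_access deny manager"""
EXAMPLE1_REWRITTEN = """acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
http_access deny manager !localhost"""
IPV6_ONLY = """acl to_ipv6 dst ipv6
http_access deny !to_ipv6"""

def parse_conf(text):
    """Collect 'acl NAME TYPE ARGS...' and 'http_access allow|deny ACL...' lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, req):
    """Simplified matcher for the proto, src and dst ACL types used on this page."""
    kind, args = acl
    if kind == "proto":
        return req["proto"] in args
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "dst":
        addrs = [ipaddress.ip_address(a) for a in FAKE_DNS.get(req["host"], [])]
        # 'ipv4'/'ipv6' keywords select an address family; otherwise args are CIDRs.
        if args in (["ipv4"], ["ipv6"]):
            return any(a.version == int(args[0][-1]) for a in addrs)
        return any(a in ipaddress.ip_network(n, strict=False) for n in args for a in addrs)
    raise ValueError("unsupported acl type: " + kind)

def http_access(conf, req):
    """First matching line wins; every ACL on a line must match (AND), '!' negates.
    If no line matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse_conf(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Running the same requests through EXAMPLE1 and EXAMPLE1_REWRITTEN gives identical decisions, and IPV6_ONLY denies a destination that only resolves to an IPv4 address while allowing one with an AAAA record.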

External References

Available ACL variables

  • src: source (client) IP addresses
  • dst: destination (server) IP addresses
  • myip: the local IP address of a client's connection
  • arp: Ethernet (MAC) address matching
  • srcdomain: source (client) domain name
  • dstdomain: destination (server) domain name
  • srcdom_regex: source (client) regular expression pattern matching
  • dstdom_regex: destination (server) regular expression pattern matching
  • src_as: source (client) Autonomous System number
  • dst_as: destination (server) Autonomous System number
  • peername: name tag assigned to the cache_peer where request is expected to be sent.
  • time: time of day, and day of week
  • url_regex: URL regular expression pattern matching
  • urlpath_regex: URL-path regular expression pattern matching, leaves out the protocol and hostname
  • port: destination (server) port number
  • myport: local port number that client connected to
  • myportname: name tag assigned to the squid listening port that client connected to
  • proto: transfer protocol (http, ftp, etc)
  • method: HTTP request method (get, post, etc)
  • http_status: HTTP response status (200 302 404 etc.)
  • browser: regular expression pattern matching on the request user-agent header
  • referer_regex: regular expression pattern matching on the request http-referer header
  • ident: string matching on the user's name
  • ident_regex: regular expression pattern matching on the user's name
  • proxy_auth: user authentication via external processes
  • proxy_auth_regex: regular expression pattern matching on user authentication via external processes
  • snmp_community: SNMP community string matching
  • maxconn: a limit on the maximum number of connections from a single client IP address
  • max_user_ip: a limit on the maximum number of IP addresses one user can login from
  • req_mime_type: regular expression pattern matching on the request content-type header
  • req_header: regular expression pattern matching on a request header content
  • rep_mime_type: regular expression pattern matching on the reply (downloaded content) content-type header. This is only usable in the http_reply_access directive, not http_access.
  • rep_header: regular expression pattern matching on a reply header content. This is only usable in the http_reply_access directive, not http_access.
  • external: lookup via external acl helper defined by external_acl_type
  • user_cert: match against attributes in a user's SSL certificate
  • ca_cert: match against attributes of the CA SSL certificate that issued a user's certificate
  • ext_user: match on user= field returned by external acl helper defined by external_acl_type
  • ext_user_regex: regular expression pattern matching on user= field returned by external acl helper defined by external_acl_type

External Resources

Last modified on 03/14/18 16:31:20