SoFunction
Updated on 2025-04-08

Detailed explanation of Squid configuration under Linux Squid proxy server configuration


2. http_access access control list

http_access allows or denies a class of requests based on an access control list. If a request matches no entry, the default action is the opposite of the last entry: for example, if the last entry is an allow, the default is deny. The last entry should therefore normally be "deny all" or "allow all", so that the default is explicit and does not open a security hole. Keep the following points in mind when using http_access:

● The rules are matched in the order in which they are written; as soon as one rule matches, matching stops;

● An access list can consist of multiple rules;

● If no rule matches the request, the default action is derived from the last rule in the list (its opposite);

● All ACL elements within one access entry are combined with logical AND, and separate http_access lines are combined with logical OR, as follows:

http_access Action Statement 1 AND Statement 2 AND ...

OR

http_access Action Statement 3

● Multiple http_access lines are combined with OR, while the elements within a single access entry are combined with AND;

● The rules in the list are always evaluated from top to bottom.

3. Use access control

The syntax of ACL elements and of http_access access control lists, together with the points to keep in mind when using them, was described above. The following examples show how these access controls are used in practice.

If all clients in the 10.0.0.124/24 and 192.168.10.15/24 segments, plus the clients listed in the file /etc/squid/guest, are allowed to access the proxy server, and all other clients are denied access to the local proxy server, the configuration is as follows:

acl clients src 10.0.0.124/24 192.168.10.15/24

acl guests src "/etc/squid/guest"

acl all src 0.0.0.0/0.0.0.0

http_access allow clients

http_access allow guests

http_access deny all

The file "/etc/squid/guest" contains one address or network per line:

172.168.10.3/24

210.113.24.8/16

10.0.1.24/25

……

If clients in two given domains are allowed to access the local proxy server and clients in all other domains are denied, the configuration is as follows (client domains are matched with srcdomain, since src only takes IP addresses):

acl permitted_domain srcdomain

acl all src 0.0.0.0/0.0.0.0

http_access allow permitted_domain

http_access deny all

To deny clients access through the proxy server to any URL containing a keyword such as "sexy", matched with a case-insensitive regular expression, the configuration is as follows:

acl deny_url url_regex -i sexy

http_access deny deny_url

To deny clients access through the proxy server to the destinations listed in two files, where /etc/squid/deny_ip contains the denied IP addresses and /etc/squid/deny_dns contains the denied domain names, the configuration is as follows (IP addresses are matched with dst, domain names with dstdomain):

acl deny_ip dst "/etc/squid/deny_ip"

acl deny_dns dstdomain "/etc/squid/deny_dns"

http_access deny deny_ip

http_access deny deny_dns
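The matching rules from section 2 (top-down, first match wins, AND within a line, OR across lines, default the opposite of the last line) applied to the ACL types used in the examples above, as an added Python model that is not part of this page or of Squid itself; the configuration fragment is constructed here, with the guest addresses inlined instead of being read from "/etc/squid/guest".

```python
import ipaddress
import re

# Constructed squid.conf fragment for this example (guest addresses are inlined
# instead of being read from "/etc/squid/guest").
CONFIG = """\
acl clients src 10.0.0.124/24 192.168.10.15/24
acl guests src 172.168.10.3/24 210.113.24.8/16
acl deny_url url_regex -i sexy
acl blocked dstdomain .example.net
acl all src 0.0.0.0/0.0.0.0
http_access deny deny_url
http_access deny blocked
http_access allow clients
http_access allow guests
http_access deny all
"""

def parse_config(text):
    """Return ({acl name: (type, values)}, [(action, [acl names]), ...] in file order)."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            if kind == "url_regex":  # "-i" makes the pattern case-insensitive
                flags = re.IGNORECASE if values[:1] == ["-i"] else 0
                values = [re.compile(v, flags) for v in values if v != "-i"]
            elif kind in ("src", "dst"):  # "10.0.0.124/24" is accepted as 10.0.0.0/24
                values = [ipaddress.ip_network(v, strict=False) for v in values]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, values = acl
    if kind in ("src", "dst"):
        return any(ipaddress.ip_address(req[kind]) in net for net in values)
    if kind == "dstdomain":  # ".example.net" also covers its subdomains
        return any(req["host"] == d or (d[0] == "." and req["host"].endswith(d)) for d in values)
    return any(rx.search(req["url"]) for rx in values)  # url_regex

def http_access(acls, rules, req):
    # Top-down, first match ends the search; the ACLs on one line are ANDed (a leading
    # "!" negates one); no match yields the opposite of the last line, hence "deny all".
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```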

To allow one specified user and deny another access to a specified website, so that client 1 is allowed to access the website and client 2 is denied access to the website http://, the configuration is as follows:

acl client1 src