Next Previous Contents

10. Access Controls

10.1 How do I implement an ACL ban list?

As an example, we will assume that you would like to prevent users from accessing cooking recipes.

One way to implement this would be to deny access to any URLs that contain the words ``cooking'' or ``recipe.'' You would use these configuration lines:

        acl Cooking1 url_regex cooking
        acl Recipe1 url_regex recipe
        http_access deny Cooking1
        http_access deny Recipe1
        http_access allow all
The url_regex means to search the entire URL for the regular expression you specify. Note that these regular expressions are case-sensitive, so a url containing ``Cooking'' would not be denied.

Another way is to deny access to specific servers which are known to hold recipes. For example:

        acl Cooking2 dstdomain gourmet-chef.com
        http_access deny Cooking2
        http_access allow all
The dstdomain means to search the hostname in the URL for the string ``gourmet-chef.com.'' Note that when IP addresses are used in URLs (instead of domain names), Squid-1.1 implements relaxed access controls. If the a domain name for the IP address has been saved in Squid's ``FQDN cache,'' then Squid can compare the destination domain against the access controls. However, if the domain is not immediately available, Squid allows the request and makes a lookup for the IP address so that it may be available for future reqeusts.

10.2 How do I block specific users or groups from accessing my cache?

Ident

You can use ident lookups to allow specific users access to your cache. This requires that an ident server process runs on the user's machine(s). In your squid.conf configuration file you would write something like this:

        ident_lookup on
        acl friends user kim lisa frank joe
        http_access allow friends
        http_access deny all

Proxy Authentication

Another option is to use proxy-authentication.

  1. Recompile squid with -DUSE_PROXY_AUTH=1. Uncomment USE_PROXY_AUTH in src/Makefile.
            make clean
            vi src/Makefile
            make
            make install
    
  2. Configure proxy authentication in squid.conf.
            proxy_auth /usr/local/squid/etc/passwd
    

    passwd is an apache-style file of passwords for authenticated proxy access. It looks like username:password, with the password being standard crypt() format.

  3. Create the passwd file and give the passwords to your users. You can use apache's htpasswd program to generate and maintain the passwd file. The usernames in the passwd file do not need to correspond to system user names. You may give many people the same username and password combination to access your cache.

10.3 Do you have a CGI program which lets users change their own proxy passwords?

Pedro L Orso has adapted the Apache's htpasswd into a CGI program called chpasswd.cgi.

10.4 Is there a way to do ident lookups only for a certain host and compare the result with a userlist in squid.conf?

Sort of.

If you use a user ACL in squid conf, then Squid will perform an ident lookup for every client request. In other words, Squid-1.1 will perform ident lookups for all requests or no requests. Defining a user ACL enables ident lookups, regardless of the ident_lookup setting.

However, even though ident lookups are performed for every request, Squid does not wait for the lookup to complete unless the ACL rules require it. Consider this configuration:

        acl host1 src 10.0.0.1
        acl host2 src 10.0.0.2
        acl pals  user kim lisa frank joe
        http_access allow host1
        http_access allow host2 pals
Requests coming from 10.0.0.1 will be allowed immediately because there are no user requirements for that host. However, requests from 10.0.0.2 will be allowed only after the ident lookup completes, and if the username is in the set kim, lisa, frank, or joe.

10.5 Common Mistakes

And/Or logic

You've probably noticed (and been frustrated by) the fact that you cannot combine access controls with terms like ``and'' or ``or.'' These operations are already built in to the access control scheme in a fundamental way which you must understand.

For example, the following access control configuration will never work:

        acl ME src 10.0.0.1
        acl YOU src 10.0.0.2
        http_access allow ME YOU
In order for the request to be allowed, it must match the ``ME'' acl AND the ``YOU'' acl. This is impossible because any IP address could only match one or the other. This should instead be rewritten as:
        acl ME src 10.0.0.1
        acl YOU src 10.0.0.2
        http_access allow ME
        http_access allow YOU
Or, alternatively, this would also work:
        acl US src 10.0.0.1 10.0.0.2
        http_access allow US

allow/deny mixups

I have read through my squid.conf numerous times, spoken to my neighbors, read the FAQ and Squid Docs and cannot for the life of me work out why the following will not work.

I can successfully access cachemgr.cgi from our web server machine here, but I would like to use MRTG to monitor various aspects of our proxy. When I try to use 'client' or GET cache_object from the machine the proxy is running on, I always get access denied.

        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl server    src 1.2.3.4/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0
        acl ourhosts src 1.2.0.0/255.255.0.0

        http_access deny manager !localhost !server
        http_access allow ourhosts
        http_access deny all

The intent here is to allow cache manager requests from the localhost and server addresses, and deny all others. This policy has been expressed here:

        http_access deny manager !localhost !server

The problem here is that for allowable requests, this access rule is not matched. For example, if the source IP address is localhost, then ``!localhost'' is false and the access rule is not matched, so Squid continues checking the other rules. Cache manager requests from the server address work because server is a subset of ourhosts and the second access rule will match and allow the request. Also note that this means any cache manager request from ourhosts would be allowed.

To implement the desired policy correctly, the access rules should be rewritten as

        http_access allow manager localhost
        http_access allow manager server
        http_access deny manager
        http_access allow ourhosts
        http_access deny all
If you're using miss_access, then don't forget to also add a miss_access rule for the cache manager:
        miss_access allow manager

You may be concerned that the having five access rules instead of three may have an impact on the cache performance. In our experience this is not the case. Squid is able to handle a moderate amount of access control checking without degrading overall performance. You may like to verify that for yourself, however.

Differences between src and srcdomain ACL types.

For the srcdomain ACL type, Squid does a reverse lookup of the client's IP address and checks the result with the domains given on the acl line. With the src ACL type, Squid converts hostnames to IP addresses at startup and then only compares the client's IP address. The src ACL is preferred over srcdomain because it does not require address-to-name lookups for each request.

10.6 I set up my access controls, but they don't work! why?

You can debug your access control configuration by setting the debug_options parameter in squid.conf and watching cache.log as requests are made. The access control routes correspond to debug section 28, so you might enter:

        debug_options ALL,1 28,9

10.7 Proxy-authentication and neighbor caches

The problem...

                       [ Parents ]
                       /         \
                      /           \
               [ Proxy A ] --- [ Proxy B ]
                   |
                   |
                  USER

Proxy A sends and ICP query to Proxy B about an object, Proxy B replies with an ICP_HIT. Proxy A forwards the HTTP request to Proxy B, but does not pass on the authentication details, therefore the HTTP GET from Proxy A fails.

Only ONE proxy cache in a chain is allowed to ``use'' the Proxy-Authentication request header. Once the header is used, it must not be passed on to other proxies.

Therefore, you must allow the neighbor caches to request from each other without proxy authentication. This is simply accomplished by listing the neighbor ACL's first in the list of http_access lines. For example:

        acl proxy-A src 10.0.0.1
        acl proxy-B src 10.0.0.2
        acl user_passwords proxy_auth /tmp/user_passwds

        http_access allow proxy-A
        http_access allow proxy-B
        http_access allow user_passwords
        http_access deny all

10.8 Is there an easy way of banning all Destination addresses except one?

        acl GOOD dst 10.0.0.1
        acl BAD dst 0.0.0.0/0.0.0.0
        http_access allow GOOD
        http_access deny BAD

10.9 Does anyone have a ban list of porn sites and such?

10.10 Squid doesn't match my subdomains

There is a subtle problem with domain-name based access controls when a single ACL element has an entry that is a subdomain of another entry. For example, consider this list:

        acl FOO dstdomain boulder.co.us vail.co.us co.us

In the first place, the above list is simply wrong because the first two (boulder.co.us and vail.co.us) are unnecessary. Any domain name that matches one of the first two will also match the last one (co.us). Ok, but why does this happen?

The problem stems from the data structure used to index domain names in an access control list. Squid uses Splay trees for lists of domain names. As other tree-based data structures, the searching algorithm requires a comparison function that returns -1, 0, or +1 for any pair of keys (domain names). This is similar to the way that strcmp() works.

The problem is that it is wrong to say that co.us is greater-than, equal-to, or less-than boulder.co.us.

For example, if you said that co.us is LESS than fff.co.us, then the Splay tree searching algorithm might never discover co.us as a match for kkk.co.us.

similarly, if you said that co.us is GREATER than fff.co.us, then the Splay tree searching algorithm might never discover co.us as a match for bbb.co.us.

The bottom line is that you can't have one entry that is a subdomain of another. Squid-2.2 will warn you if it detects this condition.

10.11 Why does Squid deny some port numbers?

It is dangerous to allow Squid to connect to certain port numbers. For example, it has been demonstrated that someone can use Squid as an SMTP (email) relay. As I'm sure you know, SMTP relays are one of the ways that spammers are able to flood our mailboxes. To prevent mail relaying, Squid denies requests when the URL port number is 25. Other ports should be blocked as well, as a precaution.

There are two ways to filter by port number: either allow specific ports, or deny specific ports. By default, Squid does the first. This is the ACL entry that comes in the default squid.conf:

        acl Safe_ports port 80 21 443 563 70 210 1025-65535
        http_access deny !Safe_ports
The above configuration denies requests when the URL port number is not in the list. The list allows connections to the standard ports for HTTP, FTP, Gopher, SSL, WAIS, and all non-priveleged ports.

Another approach is to deny dangerous ports. The dangerous port list should look something like:

        acl Dangerous_ports 7 9 19 22 23 25 53 109 110 119
        http_access deny Dangerous_ports
...and probably many others.

Please consult the /etc/services file on your system for a list of known ports and protocols.


Next Previous Contents