UNIX for Dummies Questions & Answers

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  : acl
#	Defining an Access List
#
#	acl aclname acltype string1 ...
#	acl aclname acltype "file" ...
#
#	when using "file", the file should contain one item per line
#
#	acltype is one of the types described below
#
#	By default, regular expressions are CASE-SENSITIVE.  To make
#	them case-insensitive, use the -i option.
#
#	acl aclname src      ip-address/netmask ... (clients IP address)
#	acl aclname src      addr1-addr2/netmask ... (range of addresses)
#	acl aclname dst      ip-address/netmask ... (URL host's IP address)
#	acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#	acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#	  # The arp ACL requires the special configure option --enable-arp-acl.
#	  # Furthermore, the arp ACL code is not portable to all operating systems.
#	  # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#	  #
#	  # NOTE: Squid can only determine the MAC address for clients that are on
#	  # the same subnet. If the client is on a different subnet, then Squid cannot
#	  # find out its MAC address.
#
#	acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#	acl aclname dstdomain   .foo.com ...    # Destination server from URL
#	acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#	acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#	  # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
#	  # based URL is used and no match is found. The name "none" is used
#	  # if the reverse lookup fails.
#
#	acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#	    day-abbrevs:
#		S - Sunday
#		M - Monday
#		T - Tuesday
#		W - Wednesday
#		H - Thursday
#		F - Friday
#		A - Saturday
#	    h1:m1 must be less than h2:m2
#	acl aclname url_regex [-i] ^http:// ...	# regex matching on whole URL
#	acl aclname urlpath_regex [-i] \.gif$ ...	# regex matching on URL path
#	acl aclname urllogin [-i] [^a-zA-Z0-9] ...	# regex matching on URL login field
#	acl aclname port     80 70 21 ...
#	acl aclname port     0-1024 ...		# ranges allowed
#	acl aclname myport   3128 ...		# (local socket TCP port)
#	acl aclname proto    HTTP FTP ...
#	acl aclname method   GET POST ...
#	acl aclname browser  [-i] regexp ...
#	  # pattern match on User-Agent header (see also req_header below)
#	acl aclname referer_regex  [-i] regexp ...
#	  # pattern match on Referer header
#	  # Referer is highly unreliable, so use with care
#	acl aclname ident    username ...
#	acl aclname ident_regex [-i] pattern ...
#	  # string match on ident output.
#	  # use REQUIRED to accept any non-null ident.
#	acl aclname src_as   number ...
#	acl aclname dst_as   number ...
#	  # Except for access control, AS numbers can be used for
#	  # routing of requests to specific caches. Here's an
#	  # example for routing all requests for AS#1241 and only
#	  # those to mycache.mydomain.net:
#	  # acl asexample dst_as 1241
#	  # cache_peer_access mycache.mydomain.net allow asexample
#	  # cache_peer_access mycache_mydomain.net deny all
#
#	acl aclname proxy_auth [-i] username ...
#	acl aclname proxy_auth_regex [-i] pattern ...
#	  # list of valid usernames
#	  # use REQUIRED to accept any valid username.
#	  #
#	  # NOTE: when a Proxy-Authentication header is sent but it is not
#	  # needed during ACL checking the username is NOT logged
#	  # in access.log.
#	  #
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # to check username/password combinations (see
#	  # auth_param directive).
#	  #
#	  # WARNING: proxy_auth can't be used in a transparent proxy. It
#	  # collides with any authentication done by origin servers. It may
#	  # seem like it works at first, but it doesn't.
#
#	acl aclname snmp_community string ...
#	  # A community string to limit access to your SNMP Agent
#	  # Example:
#	  #
#	  #	acl snmppublic snmp_community public
#
#	acl aclname maxconn number
#	  # This will be matched when the client's IP address has
#	  # more than <number> HTTP connections established.
#
#	acl aclname max_user_ip [-s] number
#	  # This will be matched when the user attempts to log in from more
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#	  # parameter controls the timeout on the ip entries.
#	  # If -s is specified the limit is strict, denying browsing
#	  # from any further IP addresses until the ttl has expired. Without
#	  # -s Squid will just annoy the user by "randomly" denying requests.
#	  # (the counter is reset each time the limit is reached and a
#	  # request is denied)
#	  # NOTE: in acceleration mode or where there is mesh of child proxies,
#	  # clients may appear to come from multiple addresses if they are
#	  # going through proxy farms, so a limit of 1 may cause user problems.
#
#	acl aclname req_mime_type mime-type1 ...
#	  # regex match against the mime type of the request generated
#	  # by the client. Can be used to detect file upload or some
#	  # types HTTP tunneling requests.
#	  # NOTE: This does NOT match the reply. You cannot use this
#	  # to match the returned file type.
#
#	acl aclname req_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known request headers.  May be
#	  # thought of as a superset of "browser", "referer" and "mime-type"
#	  # ACLs.
#
#	acl aclname rep_mime_type mime-type1 ...
#	  # regex match against the mime type of the reply received by
#	  # squid. Can be used to detect file download or some
#	  # types HTTP tunneling requests.
#	  # NOTE: This has no effect in http_access rules. It only has
#	  # effect in rules that affect the reply data stream such as
#	  # http_reply_access.
#
#	acl aclname rep_header header-name [-i] any\.regex\.here
#	  # regex match against any of the known response headers.
#	  # Example:
#	  #
#	  # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
#	acl acl_name external class_name [arguments...]
#	  # external ACL lookup via a helper class defined by the
#	  # external_acl_type directive.
#
#	acl urlgroup group1 ...
#	  # match against the urlgroup as indicated by redirectors
#
#	acl aclname user_cert attribute values...
#	  # match against attributes in a user SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST
#
#	acl aclname ca_cert attribute values...
#	  # match against attributes a users issuing CA SSL certificate
#	  # attribute is one of DN/C/O/CN/L/ST
#
#	acl aclname ext_user       username ...
#	acl aclname ext_user_regex [-i] pattern ...
#	  # string match on username returned by external acl
#	  # use REQUIRED to accept any user name.
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

acl facebook url_regex -i facebook
acl twitter url_regex -i twitter

acl localnet src 10.0.0.0/24
http_access allow localnet

#  : follow_x_forwarded_for
#	Allowing or Denying the X-Forwarded-For header to be followed to
#	find the original source of a request.
#
#	Requests may pass through a chain of several other proxies
#	before reaching us.  The X-Forwarded-For header will contain a
#	comma-separated list of the IP addresses in the chain, with the
#	rightmost address being the most recent.
#
#	If a request reaches us from a source that is allowed by this
#	configuration item, then we consult the X-Forwarded-For header
#	to see where that host received the request from.  If the
#	X-Forwarded-For header contains multiple addresses, and if
#	acl_uses_indirect_client is on, then we continue backtracking
#	until we reach an address for which we are not allowed to
#	follow the X-Forwarded-For header, or until we reach the first
#	address in the list.  (If acl_uses_indirect_client is off, then
#	it's impossible to backtrack through more than one level of
#	X-Forwarded-For addresses.)
#
#	The end result of this process is an IP address that we will
#	refer to as the indirect client address.  This address may
#	be treated as the client address for access control, delay
#	pools and logging, depending on the acl_uses_indirect_client,
#	delay_pool_uses_indirect_client and log_uses_indirect_client
#	options.
#
#	SECURITY CONSIDERATIONS:
#
#		Any host for which we follow the X-Forwarded-For header
#		can place incorrect information in the header, and Squid
#		will use the incorrect information as if it were the
#		source address of the request.  This may enable remote
#		hosts to bypass any access control restrictions that are
#		based on the client's source addresses.
#
#	For example:
#
#		acl localhost src 127.0.0.1
#		acl my_other_proxy srcdomain .proxy.example.com
#		follow_x_forwarded_for allow localhost
#		follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all
follow_x_forwarded_for allow localhost

#  : acl_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on

#  : delay_pool_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on

#  : log_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in the access log.
#
#Default:
# log_uses_indirect_client on

#  : http_access
#	Allowing or Denying access based on defined access lists
#
#	Access to the HTTP port:
#	http_access allow|deny [!]aclname ...
#
#	NOTE on default values:
#
#	If there are no "access" lines present, the default is to deny
#	the request.
#
#	If none of the "access" lines cause a match, the default is the
#	opposite of the last line in the list.  If the last line was
#	deny, the default is allow.  Conversely, if the last line
#	is allow, the default will be deny.  For these reasons, it is a
#	good idea to have an "deny all" or "allow all" entry at the end
#	of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

http_access deny facebook
http_access deny twitter

acl facebook url_regex -i facebook twitter
acl hours time MTWHF 12:30-14:00
...
http_access deny facebook
http_access deny !hours
http_access allow localnet
http_access deny all