44.6. Introduction to Access Control Lists
ACLs (access control lists) are possibly Squid's most powerful feature. An ACL is simply a test that is applied to a client request to see if it matches or not. Then, based on the ACLs that each request matches, you can choose to block it, prevent caching, force it into a delay pool, or hand it off to another proxy server. Many different types of ACL exist—for example, one type checks a client's IP address, another matches the URL being requested, and others check the destination port, web server hostname, authenticated user, and so on.
The most common use of ACLs is to block connections from clients outside your network. If you run a proxy server that is connected to and accessible from the Internet, hosts outside your local network should not be allowed to use it. Malicious people often use other proxies to launder connections used for hacking, sending spam, or accessing websites into which they shouldn't be allowed.
Because the special CONNECT proxy request can be used to connect to any port, an ACL is often used to block its use for any ports other than 443 (the SSL default). This stops users from using your proxy to connect to servers other than web servers, such as AIM, ICQ, or MSN. Similarly, an ACL can be set up to block normal HTTP requests to ports like 22, 23, and 25, which are normally used for SSH, telnet, and SMTP.
Just defining an ACL in the Squid configuration does not actually do anything—it must be applied in some way to have any effect. This section explains how to use ACLs to control which requests to your server are allowed or denied. Other sections explain how they relate to caching and accessing other servers.
When it receives a request, Squid first determines which ACLs it matches. It then compares this list of matches against a list of proxy restrictions, each of which contains one or more ACLs and an action to perform (either Allow or Deny). As soon as a restriction is found that matches the ACLs for the request, its action determines whether the request is allowed or denied. If no restrictions match, the opposite of the last action in the list is applied. For this reason, the final action in most Squid configurations is Allow all or Deny all.
ICP requests from other proxies are also checked to see which ACLs they match and are compared to a similar but different list of ICP restrictions to see whether or not they will be allowed. See Section 44.11 “Connecting to Other Proxies” for a more complex explanation of what ICP is and when it is used.
The typical default Squid configuration includes several ACLs and proxy restrictions. For security reasons, all requests from anywhere are denied by default. This means that you will need to change the restrictions list before anyone can use your proxy. Read on to find out how.
To view the lists of defined ACLs, proxy restrictions, and ICP restrictions, click on the Access Control icon on the module's main page. As Figure 44.4 shows, a table of ACLs showing their names, types, and matches is displayed on the left. To the right are tables of proxy and ICP restrictions showing their actions and the ACLs that they match. The restriction tables have up and down arrows next to each entry to move them in the list, because their order matters.
Figure 44.4. The access control lists page.
Before clients can use your proxy, you will need to configure it to allow access from some addresses. To do this, follow these steps:
1. | On the access control page, select Client Address from the menu below the list of existing ACLs. When you click the Create new ACL button, a form for entering matching addresses will appear. |
2. | |
3. | In the empty field under From IP, enter the starting IP address in the range to allow, such as 192.168.1.0. |
4. | In the field under To IP, enter the ending address in the range, such as 192.168.1.100. Only clients that fall within this range will match the ACL. |
5. | |
6. | Hit the Save button to add the ACL and return to the access control page on which your new ACL will be listed. |
7. | |
8. | On the form that appears, select Allow from the Action field. |
9. | |
10. | Hit the Save button on this form to go back to the access control page again. The new restriction will be displayed at the bottom of the table, most likely below the Deny all entry. |
11. | Hit the up arrow next to your new restriction to move it above Deny all. This tells Squid to allow connections from your network and deny everyone else. |
12. | Finally, click the Apply Changes link at the top of the page. The proxy will now be usable by clients on your internal network, but noone else! |
These instructions assume that you are starting with the default Squid configuration. If the proxy has already been configured to allow access from anywhere (by changing the Deny all restriction to Allow all), you should change it back again to block clients from outside your network. To learn more about the types of ACLs available and how to use them, read the next two sections.