How Squid ACL works
June 15, 2021
Squid ACL Basics
Let's now dwell on how exactly ACLs work.
The Squid web proxy access control scheme consists of two different components:
- ACL entries are directive strings that begin with the word “acl” and represent the types of tests that are performed on any request transaction.
- Access list rules consist of an allow or deny action followed by a series of ACL entries and are used to specify which action or restriction should be applied to a given request. They are checked in order, and the list search stops as soon as one of the rules matches. If a rule has multiple ACL entries, it is implemented as a logical AND operation (all ACL entries of the rule must be met for the rule to be considered a match).
acl NAME TYPE DEFINITION1 DEFINITION2 DEFINITION3 ...
acl localnet src 192.168.0.102 acl Safe_ports port 80 acl accesses_to_google dstdomain .google.com acl accesses_to_search_engines dstdomain .yahoo.com .google.com .vivisimo.com acl accesses_from_marketing_department src 10.52.0.0/16 acl need_to_authenticate proxy_auth
You can also use definition lists, which are stored in files on your hard drive. Let's say you have a list of search engine URLs that you want to allow:
cat /etc/squid/search-engines-urls.txt: .google.com .bing.com .yandex.ru .duckduckgo.com .yahoo.com
Then the ACL for this file will look like this:
acl accessess_to_search_engines dstdomain "/etc/squid/search-engines-urls.txt"
The quotes are needed here to tell Squid to look for definitions in this file.
In addition to the already mentioned types src, port, dstdomain, proxy_auth, there are dozens of other types, for example:
For a complete list, see the squid documentation.
By themselves, acl elements do not change anything in the behavior of the proxy server, they are only lists for further use with Access List Rules. As the documentation quirky says, these tests themselves do nothing, for example, the word “Sunday” corresponds to the day of the week, but does not indicate what day of the week you are reading it.
Using ACL: http_access
If you only wrote down ACLs, then nothing is actually blocked – these are just definitions. ACLs can be used in various places in your squid.conf. The most useful function they can be paired with is the http_access instruction. It works in a similar way to how a firewall handles rules. For every request that Squid receives, it will look through all http_access statements in order until it finds a matching string. It then either accepts or rejects the request depending on your settings. The rest of the rules following the triggered one are ignored.
The general syntax for http_access is as follows:
http_access (allow|deny) acl1 acl2 acl3 ...
http_access allow localnet http_access allow localhost http_access deny !Safe_ports http_access deny all http_access allow auth_users http_access allow all
The next set will allow admin access (no matter what this ACL looks like; the src ACL probably points to the subnet on which the administrator workstations are located). For everyone else, it will deny access to porn urls. The third rule will allow everyone to access the websites at lunchtime (except for porn sites). And finally, in all other cases, there will be a ban on connecting to the Internet.
http_access allow accesses_from_admins http_access deny accesses_to_porn_urls http_access allow accesses_during_lunchtime http_access deny all
That is, administrators have access to all sites (even porn) at any time, while other users have access to the network only during lunchtime.
Combining ACLs (AND/OR)
You often need to combine ACLs. Let's say you want to allow only back office access to google.com. To do this, you need to combine two ACLs using a logical AND. It would look like this:
http_access allow accesses_to_google.com accesses_from_back_office
If you want to use OR and say that either access from back office or access to google.com is allowed, the rule would look like this:
http_access allow accesses_to_google.com http_access allow accesses_from_back_office
To summarize: for AND, you need to place conditions on one line. OR requires separate lines.
The following set of rules is wrong, it will never work:
acl ME src 10.0.0.1 acl YOU src 10.0.0.2 http_access allow ME YOU
To allow access through a proxy to IP addresses 10.0.0.1 and 10.0.0.2, the rule must be written as follows:
acl ME src 10.0.0.1 acl YOU src 10.0.0.2 http_access allow ME http_access allow YOU
Other access list rules
Besides http_access, there are a couple of dozen other types, for example:
Full list in the documentation: http://www.squid-cache.org/Doc/config/
Default http_access rule
If there are no lines with “http_access” in the entire configuration file, the request is rejected by default.
If none of the “http_access” lines match, the default is the opposite of the last line in the list. If the last line was deny, the default is allow. Conversely, if the last line is allow, deny will be applied by default. Tricky, right? For these reasons, it is recommended that you have a “deny all” entry at the end of your access lists to avoid possible confusion. That is, after all the rules, just add the line:
http_access deny all
So, back to our combination of rules “blocking sites + authorization on a proxy server”, why is the following set incorrect?
http_port 4080 via off auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm Squid Basic Authentication auth_param basic credentialsttl 2 hours auth_param basic casesensitive on auth_param basic realm Squid proxy for HackWare.ru acl auth_users proxy_auth REQUIRED http_access allow auth_users acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl" http_access deny bad_urls
The fact is that first the rule that requires authorization on the server is triggered, namely “http_access allow auth_users”. All subsequent http_access directives are simply skipped, so sites are not blocked.
http_access usage mistakes
Consider the following example:
http_port 4080 via off # Site blocking here acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl" http_access deny bad_urls auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm Squid Basic Authentication auth_param basic credentialsttl 2 hours auth_param basic casesensitive on auth_param basic realm Squid proxy for HackWare.ru acl auth_users proxy_auth REQUIRED http_access allow auth_users
The site-blocking directive moved up is the first to fire. Moreover, this happens even before authorization on the proxy.
http_port 4080 via off auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd auth_param basic children 5 auth_param basic realm Squid Basic Authentication auth_param basic credentialsttl 2 hours auth_param basic casesensitive on auth_param basic realm Squid proxy for HackWare.ru acl auth_users proxy_auth REQUIRED acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl" http_access allow auth_users !bad_urls
In this case, the rule is triggered if two conditions are met: authentication and the site is not included in the blocked list. An exclamation point means logical NOT. The last option is the best, it is logically more understandable and it performs any actions (blocking the site) only after the user has entered the proxy server login and password.
See also the Squid setup guide: How to create and configure a Squid proxy server
- Error “Authentication helper program /usr/lib64/squid/basic_ncsa_auth: (2) No such file or directory” (SOLVED) (100%)
- How to configure Squid to use IPv4 (100%)
- Configuring Squid Proxy with Multiple IP Addresses (100%)
- How to configure HTTP Digest Authentication in Squid (100%)
- How to use Kali Linux to check web-sites (50%)
- How to change the language of Google Chrome and Chromium on Linux (RANDOM - 50%)