Sample Configurations

To help you fully understand how Squid access control works, and also to help give you a head start developing your own rules, the following are some ACL lines you can try. Each line is preceded with one or more comment lines (starting with a #) explaining what it does:

 # include the domains news.bbc.co.uk and slashdot.org # and not newsimg.bbc.co.uk or www.slashdot.org. acl newssites dstdomain news.bbc.co.uk slashdot.org # include any subdomains or bbc.co.uk or slashdot.org acl newssites dstdomain .bbc.co.uk .slashdot.org # only include sites located in Canada acl canadasites dstdomain .ca # only include working hours acl workhours time MTWHF 9:00-18:00 # only include lunchtimes acl lunchtimes time MTWHF 13:00-14:00 # only include weekends acl weekends time AS 00:00-23:59 # include URLs ending in ".zip". Note: the \ is important, # because "." has a special meaning otherwise acl zipfiles url_regex -i \.zip$ # include URLs starting with https acl httpsurls url_regex -i ^https # include all URLs that match "hotmail" url_regex hotmail url_regex -i hotmail # include three specific IP addresses acl directors src 10.0.0.14 10.0.0.28 10.0.0.31 # include all IPs from 192.168.0.0 to 192.168.0.255 acl internal src 192.168.0.0/24 # include all IPs from 192.168.0.0 to 192.168.0.255 # and all IPs from 10.0.0.0 to 10.255.255.255 acl internal src 192.168.0.0/24 10.0.0.0/8 

When you have your ACL lines in place, you can put together appropriate http_access lines. For example, you might want to use a multilayered access system so that certain users (for example, company directors) have full access, whereas others are filtered. For example:

 http_access allow directors http_access deny hotmail http_access deny zipfiles http_access allow internal lunchtimes http_access deny all 

Because Squid matches those in order, directors will have full, unfiltered access to the Web. If the client IP address is not in the directors list, the two deny lines are processed so that the user cannot download .zip files or read online mail at Hotmail. After blocking those two types of requests, the allow on line four allows internal users to access the Web, as long as they do so only at lunch time. The last line (which is highly recommended) blocks all other users from the proxy.