Security

Squid can use its role as an intermediary between Web clients and a Web server to implement access controls, determining who can access the Web server and how. Squid does this by checking access control lists (ACLs) of hosts and domains that have had controls placed on them. When it finds a Web client from one of those hosts attempting to connect to the Web server, it executes the control. Squid supports a number of controls with which it can deny or allow access to the Web server by the remote host's Web client (see Table 23-1). In effect, Squid sets up a firewall just for the Web server.

The first step in configuring Squid security is to create ACLs. These are lists of hosts and domains for which you want to set up controls. You define ACLs using the acl command, in which you create a label for the systems on which you are setting controls. You then use commands such as http_access to define these controls. You can define a system, or a group of systems, by use of several acl options, such as the source IP address, the domain name, or even the time and date. For example, the src option is used to define a system or group of systems with a certain source address. To define a mylan acl entry for systems in a local network with the addresses 192.168.0.0 through 192.168.0.255, use the following ACL definition:

acl mylan src 192.168.0.0/255.255.255.0

Once it is defined, you can use an ACL definition in a Squid option to specify a control you want to place on those systems. For example, to allow access by the mylan group of local systems to the Web through the proxy, use an http_access option with the allow action specifying mylan as the acl definition to use, as shown here:

http_access allow mylan

By defining ACLs and using them in Squid options, you can tailor your Web site with the kind of security you want. The following example allows access to the Web through the proxy by only the mylan group of local systems, denying access to all others. Two acl entries are set up: one for the local system and one for all others. http_access options first allow access to the local system and then deny access to all others.

acl mylan src 192.168.0.0/255.255.255.0 acl all src 0.0.0.0/0.0.0.0 http_access allow mylan http_access deny all

The default entries you will find in your squid.conf file, along with an entry for the mylan sample network, are shown here. You will find these entries in the ACCESS CONTROLS section of the squid.conf file.

acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl mylan src 192.168.0.0/255.255.255.0 acl SSL_ports port 443 563 

The order of the http_access options is important. Squid starts from the first and works its way down, stopping at the first http_access option with an ACL entry that matches. In the preceding example, local systems that match the first http_access command are allowed, whereas others fall through to the second http_access command and are denied.

For systems using the proxy, you can also control what sites they can access. For a destination address, you create an acl entry with the dst qualifier. The dst qualifier takes as its argument the site address. Then you can create an http_access option to control access to that address. The following example denies access by anyone using the proxy to the destination site rabbit.mytrek.com. If you have a local network accessing the Web through the proxy, you can use such commands to restrict access to certain sites.

acl myrabbit dst rabbit.mytrek.com http_access deny myrabbit

The http_access entries already defined in the squid.conf file, along with an entry for the mylan network, are shown here. Access to outside users is denied, whereas access by hosts on the local network and the local host (Squid server host) is allowed.

http_access allow localhost http_access allow mylan http_access deny all

You can also qualify addresses by domain. Often, Web sites can be referenced using only the domain. For example, a site called www.mybeach.com can be referenced using just the domain mybeach.com. To create an acl entry to reference a domain, use either the dstdomain or srcdomain option for destination and source domains, respectively. Remember, such a reference refers to all hosts in that domain. An acl entry with the dstdomain option for mybeach.com restricts access to www.mybeach.com, ftp.mybeach.com, surf.mybeach.com, and so on. The following example restricts access to the www.mybeach.com site along with all other .mybeach.com sites and any hosts in the mybeach.com domain:

acl thebeach dstdomain .mybeach.com http_access deny thebeach

You can list several domains or addresses in an acl entry to reference them as a group, but you cannot have one domain that is a subdomain of another. For example, if mybeachblanket.com is a subdomain of mybeach.com, you cannot list both in the same acl list. The following example restricts access to both mybeach.com and mysurf.com:

acl beaches dstdomain .mybeach.com .mysurf.com http_access deny beaches

An acl entry can also use a pattern to specify certain addresses and domains. In the following example, access is denied to any URL with the pattern "chocolate" but allowed to all others:

acl Choc1 url_regex chocolate http_access deny Choc1 http_access allow all 

Squid also supports ident and proxy authentication methods to control user access. The following example allows only the users dylan and chris to use the Squid cache:

ident_lookup on acl goodusers user chris dylan http_access allow goodusers http_access deny all