List of ACL types recognized/used in squid.conf:
• src: source (client) IP addresses
• dst: destination (server) IP addresses
• myip: the local IP address of a client’s connection
• arp: Ethernet (MAC) address matching
• srcdomain: source (client) domain name
• dstdomain: destination (server) domain name
• srcdom_regex: source (client) regular expression pattern matching
• dstdom_regex: destination (server) regular expression pattern matching
• src_as: source (client) Autonomous System number
• dst_as: destination (server) Autonomous System number
• peername: name tag assigned to the cache_peer where request is expected to be sent.
• time: time of day, and day of week
• url_regex: URL regular expression pattern matching
• urlpath_regex: URL-path regular expression pattern matching, leaves out the protocol and hostname
• port: destination (server) port number
• myport: local port number that client connected to
• myportname: name tag assigned to the squid listening port that client connected to
• proto: transfer protocol (http, ftp, etc)
• method: HTTP request method (get, post, etc)
• http_status: HTTP response status (200 302 404 etc.)
• browser: regular expression pattern matching on the request user-agent header
• referer_regex: regular expression pattern matching on the request http-referer header
• ident: string matching on the user’s name
• ident_regex: regular expression pattern matching on the user’s name
• proxy_auth: user authentication via external processes
• proxy_auth_regex: regular expression pattern matching on user authentication via external processes
• snmp_community: SNMP community string matching
• maxconn: a limit on the maximum number of connections from a single client IP address
• max_user_ip: a limit on the maximum number of IP addresses one user can login from
• req_mime_type: regular expression pattern matching on the request content-type header
• req_header: regular expression pattern matching on a request header content
• rep_mime_type: regular expression pattern matching on the reply (downloaded content) content-type header. This is only usable in the http_reply_access directive, not http_access.
• rep_header: regular expression pattern matching on a reply header content. This is only usable in the http_reply_access directive, not http_access.
• external: lookup via external acl helper defined by external_acl_type
• user_cert: match against attributes in a user SSL certificate
• ca_cert: match against attributes in a user's issuing CA SSL certificate
• ext_user: match on user= field returned by external acl helper defined by external_acl_type
• ext_user_regex: regular expression pattern matching on user= field returned by external acl helper defined by external_acl_type
There are two distinct components, the ACL element and the access list. Examples of everyday use follow:
1. Allow clients to use the cache
2. Configure Squid to NOT cache specific domains
3. Blocking specific content
4. Blocking specific paths/file types
6. Limiting the number of connections per client to the proxy
Example case:
Client IP = 192.168.100.0/24
Special IP = 192.168.100.10-192.168.100.20
Block several domains
Block downloads (of certain extensions) for all clients EXCEPT the special IPs
Clients may only download from IIX links
Bypass the proxy for several domains
1. Create the IIX ACL. The IP list can be obtained from dnsstuff or nice.rsc; save it as /etc/squid/iix.acl, for example as shown below:
2. Create the Special IP ACL containing the list of special IPs above and save it as /etc/squid/special.acl, for example as shown below:
3. Also create several ACLs for the domain blacklist, the file types and the bypass domains, for example:
Note: the ACLs above are ONLY examples; modify them as needed.
4. Configure squid.conf as follows:
For more detail, read the sources below:
http://wiki.squid-cache.org/SquidFaq/SquidAcl
http://www.squid-cache.org/Doc/config/acl/
http://www.visolve.com/squid/squid24s1/access_controls.php
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid
-=Fin=-
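
The example case above, written out as one squid.conf fragment. This is an added example, not the configuration from the original post, whose code is not shown on this page. Assumptions: the ACL names, the file names blacklist.acl, filetype.acl and bypass.acl, and every sample entry in the comments.

```conf
# Added example; not the original post's configuration.
# Paths iix.acl and special.acl come from the post. The other three file
# names and all sample entries below are assumptions for illustration.
#
# /etc/squid/special.acl   one line:        192.168.100.10-192.168.100.20
# /etc/squid/iix.acl       one CIDR/line:   203.0.113.0/24   (placeholder range)
# /etc/squid/blacklist.acl one domain/line: .blocked.example (leading dot = subdomains too)
# /etc/squid/filetype.acl  one regex/line:  \.(exe|zip|rar|iso|mp3|avi)(\?.*)?$
# /etc/squid/bypass.acl    one domain/line: .bypass.example

# --- ACL elements: define WHAT can be matched ---
acl clients   src 192.168.100.0/24
acl special   src "/etc/squid/special.acl"
acl iix       dst "/etc/squid/iix.acl"
acl blacklist dstdomain "/etc/squid/blacklist.acl"
acl filetype  urlpath_regex -i "/etc/squid/filetype.acl"
acl bypass    dstdomain "/etc/squid/bypass.acl"

# --- Bypass domains ---
# These two directives keep the listed domains out of the cache and make
# Squid fetch them directly instead of through a cache_peer. The request
# still passes through Squid; traffic that must never reach the proxy
# (non-HTTP game traffic, for instance) has to be exempted on the
# router/firewall that redirects clients to Squid.
cache deny bypass
always_direct allow bypass

# --- Access lists: decide WHO may do it ---
# http_access is evaluated top to bottom and stops at the first rule whose
# ACLs all match, so the order below is part of the policy.
http_access deny blacklist          # blocked domains, for everyone
http_access allow special           # special IPs: no download restriction
http_access deny filetype !iix      # others: listed extensions only from IIX
http_access allow clients           # remaining traffic from the LAN
http_access deny all                # anything not from 192.168.100.0/24
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` loads it without restarting the proxy.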


Sorry if the explanation is incomplete, but the reading material listed above will add more to our knowledge of Squid ACLs…
Asking permission to follow along, pai
Asking permission to roll out a mat and follow along too..
pai, for a site like kaskus, for example, why doesn't our login get stuck in its cache? Doesn't kaskus use cookies? It would be a pity if kaskus weren't cached
If it gets stuck in the cache, that means the proxy configuration is what's broken
pai imer, how do I bypass one particular game so it doesn't go through the proxy? I've already tried acl nocache but it doesn't work

Please help, pai,, total newbie here,,, surely I shouldn't have to keep the proxy disabled just because of one game
*the game is Rohan.. ;(
maxconn only limits on port 80, right, mas …
Greetings to the admin…
I was looking for a Squid article for a warnet (internet café)… and found it here; permission to study it, gan
Om, I want to ask: when I browse from a client and open this site, why is it registered as an illegal IP…….
Maybe the IP is being read as 192.168.XX.XX, gan