Andrew Hudson - Fedora™ Unleashed, 2008 edition

You can add as many rules as you like, although you should be careful to try to order them so that they make sense. Keep in mind that all conditions in a line must be matched for the line to be matched. Here is a more complex example:

► You want a category newssitesthat contains serious websites people need for their work.

► You want a category playsitesthat contains websites people do not need for their work.

► You want a category worktimethat stretches from 09:00 to 18:00.

► You want a category freetimethat stretches from 18:00 to 20:00, when the office closes.

► You want people to be able to access the news sites, but not the play sites, during working hours.

► You want people to be able to access both the news sites and the play sites during the free time hours.

To do that, you need the following rules:

acl newssites dstdomain .bbc.co.uk .slashdot.org

acl playsites dstdomain .tomshardware.com fedora.redhat.com

acl worktime time MTWHF 9:00-18:00

acl freetime time MTWHF 18:00-20:00

http_access allow newssites worktime

http_access allow newssites freetime

http_access allow playsites freetime

The letter Dis equivalent to MTWHFin meaning "all the days of the working week."

Notice that there are two http_accesslines for the newssitescategory: one for worktimeand one for freetime. All the conditions must be matched for a line to be matched. The alternative would be to write this:

http_access allow newssites worktime freetime

However, if you do that and someone visits news.bbc.co.uk at 2:30 p.m. (14:30) on a Tuesday, Squid works like this:

► Is the site in the newssitescategory? Yes, continue.

► Is the time within the worktimecategory? Yes, continue.

► Is the time within the freetimecategory? No; do not match rule, and continue searching for rules.

Two lines therefore are needed for the worktimecategory.

One particularly powerful way to filter requests is with the url_regexACL line. This enables you to specify a regular expression that is checked against each request: If the expression matches the request, the condition matches.

For example, if you want to stop people downloading Windows executable files, you would use this line:

acl noexes url_regex -i exe$

The dollar sign means "end of URL," which means it would match http://www.somesite.com/virus.exe but not http://www.executable.com/innocent.html. The -ipart means "case-insensitive," so the rule matches .exe, .Exe, .EXE, and so on. You can use the caret sign ( ^) for "start of URL."

For example, you could stop some pornography sites by using this ACL:

acl noporn url_regex -i sex

Do not forget to run the kill -SIGHUPcommand each time you make changes to Squid; otherwise, it does not reread your changes. You can have Squid check your configuration files for errors by running squid -k parseas root. If you see no errors, it means your configuration is fine.

It is critical that you run the command kill -SIGHUPand provide it the process ID of your Squid daemon each time you change the configuration; without this, Squid does not reread its configuration files.

The configuration options so far have been basic, and there are many more you can use to enhance the proxying system you want.

After you are past deciding which rules work for you locally, it is time to spread them out to other machines. This is done by specifying IP ranges that should be allowed or disallowed access, and you enter these into Squid by using more ACL lines.

If you want to, you can specify all the IP addresses on your network, one per line. However, for networks of more than about 20 people or that use DHCP, that is more work than necessary. A better solution is to use classless interdomain routing (CIDR) notation, which enables you to specify addresses like this:

192.0.0.0/8

192.168.0.0/16

192.168.0.0/24

Each line has an IP address, followed by a slash and then a number. That last number defines the range of addresses you want covered and refers to the number of bits in an IP address. An IP address is a 32-bit number, but we are used to seeing it in dotted-quad notation: A.B.C.D. Each of those quads can be between 0 and 255 (although in practice some of these are reserved for special purposes), and each is stored as an 8-bit number.

The first line in the previous code covers IP addresses starting from 192.0.0.0; the /8part means that the first 8 bits (the first quad, 192) is fixed and the rest is flexible. So Squid treats that as addresses 192.0.0.0, 192.0.0.1, through to 192.0.0.255, and then 192.0.1.0, 192.0.1.1, all the way through to 192.255.255.255.

The second line uses /16, which means Squid allows IP addresses from 192.168.0.0 to 192.168.255.255. The last line has /24, which allows addresses from 192.168.0.0 to 192.168.0.255.

You can place these addresses into Squid by using the srcACL line, like this:

acl internal_network src 10.0.0.0/24

That line creates a category of addresses from 10.0.0.0 to 10.0.0.255. You can combine multiple address groups together, like this:

acl internal_network src 10.0.0.0/24 10.0.3.0/24 10.0.5.0/24 192.168.0.1

That example allows 10.0.0.0-10.0.0.255, and then 10.0.3.0-10.0.3.255, and finally the single address 192.168.0.1.

Keep in mind that if you are using the local machine and you have the web browser configured to use the proxy at 127.0.0.1, the client IP address will be 127.0.0.1, too. So, make sure that you have rules in place for localhost.

As with other ACL lines, you need to enable them with appropriate http_access allowand http_access denylines.

To help you fully understand how Squid access control works, and also to help give you a head start developing your own rules, the following are some ACL lines you can try. Each line is preceded with one or more comment lines (starting with a #) explaining what it does:

# include the domains news.bbc.co.uk and slashdot.org

# and not newsimg.bbc.co.uk or www.slashdot.org.

acl newssites dstdomain news.bbc.co.uk slashdot.org

# include any subdomains or bbc.co.uk or slashdot.org

acl newssites dstdomain .bbc.co.uk .slashdot.org

# include only sites located in Canada

acl canadasites dstdomain .ca

# include only working hours

acl workhours time MTWHF 9:00-18:00

# include only lunchtimes

acl lunchtimes time MTWHF 13:00-14:00

# include only weekends

acl weekends time AS 00:00-23:59

# include URLs ending in ".zip". Note: the \ is important,

# because "." has a special meaning otherwise

acl zipfiles url_regex -i \.zip$

# include URLs starting with https

acl httpsurls url_regex -i ^https

# include all URLs that match "hotmail"

url_regex hotmail url_regex -i hotmail