Red Hat [Electronic resources] : The Complete Reference Enterprise Linux Fedora Edition؛ The Complete Reference نسخه متنی

Security

Squid can use its role as an intermediary between Web clients and a Web server to implement access controls, determining who can access the Web server and how. Squid does this by checking access control lists (ACLs) of hosts and domains that have had controls placed on them. When it finds a Web client from one of those hosts attempting to connect to the Web server, it executes the control. Squid supports a number of controls with which it can deny or allow access to the Web server by the remote host's Web client (see Table 23-1). In effect, Squid sets up a firewall just for the Web server.

The first step in configuring Squid security is to create ACLs. These are lists of hosts and domains for which you want to set up controls. You define ACLs using the

acl command, in which you create a label for the systems on which you are setting controls. You then use commands such as

http_access to define these controls. You can define a system, or a group of systems, by use of several

acl options, such as the source IP address, the domain name, or even the time and date. For example, the

src option is used to define a system or group of systems with a certain source address. To define a

mylan

acl entry for systems in a local network with the addresses 192.168.0.0 through 192.168.0.255, use the following ACL definition:

acl mylan src 192.168.0.0/255.255.255.0

Once it is defined, you can use an ACL definition in a Squid option to specify a control you want to place on those systems. For example, to allow access by the mylan group of local systems to the Web through the proxy, use an

http_access option with the

allow action specifying

mylan as the

acl definition to use, as shown here:

http_access allow mylan

By defining ACLs and using them in Squid options, you can tailor your Web site with the kind of security you want. The following example allows access to the Web through the proxy by only the mylan group of local systems, denying access to all others. Two

acl entries are set up: one for the local system and one for all others.

http_access options first allow access to the local system and then deny access to all others.

acl mylan src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow mylan
http_access deny all

The default entries you will find in your squid.conf file, along with an entry for the mylan sample network, are shown here. You will find these entries in the ACCESS CONTROLS section of the squid.conf file.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl mylan src 192.168.0.0/255.255.255.0
acl SSL_ports port 443 563

The order of the

http_access options is important. Squid starts from the first and works its way down, stopping at the first

http_access option with an ACL entry that matches. In the preceding example, local systems that match the first

http_access command are allowed, whereas others fall through to the second

http_access command and are denied.

For systems using the proxy, you can also control what sites they can access. For a destination address, you create an

acl entry with the

dst qualifier. The

dst qualifier takes as its argument the site address. Then you can create an

http_access option to control access to that address. The following example denies access by anyone using the proxy to the destination site rabbit.mytrek.com. If you have a local network accessing the Web through the proxy, you can use such commands to restrict access to certain sites.

acl myrabbit dst rabbit.mytrek.com
http_access deny myrabbit

The

http_access entries already defined in the squid.conf file, along with an entry for the mylan network, are shown here. Access to outside users is denied, whereas access by hosts on the local network and the local host (Squid server host) is allowed.

http_access allow localhost
http_access allow mylan
http_access deny all

You can also qualify addresses by domain. Often, Web sites can be referenced using only the domain. For example, a site called www.mybeach.com can be referenced using just the domain mybeach.com. To create an

acl entry to reference a domain, use either the dstdomain or

srcdomain option for destination and source domains, respectively. Remember, such a reference refers to all hosts in that domain. An

acl entry with the

dstdomain option for mybeach.com restricts access to www.mybeach.com, ftp.mybeach.com, surf.mybeach.com, and so on. The following example restricts access to the www.mybeach.com site along with all other .mybeach.com sites and any hosts in the mybeach.com domain:

acl thebeach dstdomain .mybeach.com
http_access deny thebeach

You can list several domains or addresses in an

acl entry to reference them as a group, but you cannot have one domain that is a subdomain of another. For example, if mybeachblanket.com is a subdomain of mybeach.com, you cannot list both in the same

acl list. The following example restricts access to both mybeach.com and mysurf.com:

acl beaches dstdomain .mybeach.com .mysurf.com
http_access deny beaches

An

acl entry can also use a pattern to specify certain addresses and domains. In the following example, access is denied to any URL with the pattern "chocolate" but allowed to all others:

acl Choc1 url_regex chocolate
http_access deny Choc1
http_access allow all

Squid also supports ident and proxy authentication methods to control user access. The following example allows only the users dylan and chris to use the Squid cache:

ident_lookup on
acl goodusers user chris dylan
http_access allow goodusers
http_access deny all