File: FAQ-9.html

package info
squid 1.1.21-1
  • links: PTS
  • area: main
  • in suites: hamm
  • size: 2,828 kB
  • ctags: 3,705
  • sloc: ansic: 34,400; sh: 1,975; perl: 899; makefile: 559
<HTML>
<HEAD>
<TITLE>SQUID Frequently Asked Questions: Access Controls</TITLE>
</HEAD>
<BODY>
<A HREF="FAQ-8.html">Previous</A>
<A HREF="FAQ-10.html">Next</A>
<A HREF="FAQ.html#toc9">Table of Contents</A>
<HR>
<H2><A NAME="s9">9. Access Controls</A></H2>

<H2><A NAME="ss9.1">9.1 How do I implement an ACL ban list?</A></H2>

<P>As an example, we will assume that you would like to prevent users from
accessing cooking recipes.  </P>

<P>One way to implement this would be to deny access to any URLs
that contain the words ``cooking'' or ``recipe.''
You would use these configuration lines:
<PRE>
        acl Cooking1 url_regex cooking
        acl Recipe1 url_regex recipe
        http_access deny Cooking1
        http_access deny Recipe1
        http_access allow all
</PRE>

The <EM>url_regex</EM> means to search the entire URL for the regular
expression you specify.  Note that these regular expressions are case-sensitive,
so a URL containing ``Cooking'' would not be denied.</P>

<P>Another way is to deny access to specific servers which are known
to hold recipes.  For example:
<PRE>
        acl Cooking2 dstdomain gourmet-chef.com
        http_access deny Cooking2
        http_access allow all
</PRE>

The <EM>dstdomain</EM> means to search the hostname in the URL for the
string ``gourmet-chef.com.''
Note that when IP addresses are used in URLs (instead of domain names),
Squid-1.1 implements relaxed access controls.  If a domain name
for the IP address has been saved in Squid's ``FQDN cache,'' then
Squid can compare the destination domain against the access controls.
However, if the domain is not immediately available, Squid allows
the request and makes a lookup for the IP address so that it may
be available for future requests.</P>




<H2><A NAME="ss9.2">9.2 How do I block specific users or groups from accessing my cache?</A></H2>

<H3>Ident</H3>

<P>You can use
<A HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc931.txt">ident lookups</A>
to allow specific users access to your cache.  This requires that an
<A HREF="ftp://ftp.lysator.liu.se/pub/ident/servers">ident server</A>
process runs on the user's machine(s).  
In your <EM>squid.conf</EM> configuration
file you would write something like this:
<PRE>
        ident_lookup on
        acl friends user kim lisa frank joe
        http_access allow friends
        http_access deny all
</PRE>
</P>

<H3>Proxy Authentication</H3>

<P>Another option is to use proxy-authentication.  
<OL>
<LI>Recompile squid with <CODE>-DUSE_PROXY_AUTH=1</CODE>.  Uncomment <CODE>USE_PROXY_AUTH</CODE>
in <CODE>src/Makefile</CODE>.
<PRE>
        make clean
        vi src/Makefile
        make
        make install
</PRE>
</LI>
<LI>Configure proxy authentication in <EM>squid.conf</EM>.
<PRE>
        proxy_auth /usr/local/squid/etc/passwd
</PRE>

<P><EM>passwd</EM> is an Apache-style file of passwords for
authenticated proxy access.  Each line looks like <I>username:password</I>, with the
password being in standard crypt() format.  </P>

</LI>
<LI>Create the <EM>passwd</EM> file and give the passwords to
your users.  You can use
<A HREF="/Squid/htpasswd/">apache's htpasswd program</A>
to generate and maintain the <EM>passwd</EM> file.
The usernames in the <EM>passwd</EM> file do not
need to correspond to system user names.  You may give many
people the same username and password combination to
access your cache.</LI>
</OL>
</P>



<H2><A NAME="ss9.3">9.3 Is there a way to do ident lookups only for a certain host and compare the result with a userlist in squid.conf?</A></H2>

<P>Sort of.</P>

<P>If you use a <EM>user</EM> ACL in <EM>squid.conf</EM>, then Squid will perform
an 
<A HREF="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc931.txt">ident lookup</A>
for every client request.  In other words, Squid-1.1 will perform
ident lookups for all requests or no requests.  Defining a <EM>user</EM> ACL
enables ident lookups, regardless of the <EM>ident_lookup</EM> setting.</P>

<P>However, even though ident lookups are performed for every request, Squid does
not wait for the lookup to complete unless the ACL rules require it.  Consider this
configuration:
<PRE>
        acl host1 src 10.0.0.1
        acl host2 src 10.0.0.2
        acl pals  user kim lisa frank joe
        http_access allow host1
        http_access allow host2 pals
</PRE>

Requests coming from 10.0.0.1 will be allowed immediately because
there are no user requirements for that host.  However, requests
from 10.0.0.2 will be allowed only after the ident lookup completes, and
if the username is in the set kim, lisa, frank, or joe.</P>


<H2><A NAME="ss9.4">9.4 Common Mistakes</A></H2>

<H3>And/Or logic</H3>

<P>You've probably noticed (and been frustrated by) the fact that
you cannot combine access controls with terms like ``and'' or ``or.''
These operations are already built in to the access control scheme
in a fundamental way which you must understand.
<UL>
<LI><B>All elements of an <EM>acl</EM> entry are OR'ed together</B>.</LI>
<LI><B>All elements of an <EM>access</EM> entry are AND'ed together</B>.
e.g. <EM>http_access</EM> and <EM>icp_access</EM>.</LI>
</UL>
</P>

<P>For example, the following access control configuration will never work:
<PRE>
        acl ME src 10.0.0.1
        acl YOU src 10.0.0.2
        http_access allow ME YOU
</PRE>

In order for the request to be allowed, it must match the ``ME'' acl AND the ``YOU'' acl.
This is impossible because any IP address could only match one or the other.  This 
should instead be rewritten as:
<PRE>
        acl ME src 10.0.0.1
        acl YOU src 10.0.0.2
        http_access allow ME
        http_access allow YOU
</PRE>

Or, alternatively, this would also work:
<PRE>
        acl US src 10.0.0.1 10.0.0.2
        http_access allow US
</PRE>
</P>

<H3>allow/deny mixups</H3>

<P><I>I have read through my squid.conf numerous times, spoken to my
neighbors, read the FAQ and Squid Docs and cannot for the life of
me work out why the following will not work.</I></P>

<P><I>I can successfully access cachemgr.cgi from our web server machine here,
but I would like to use MRTG to monitor various aspects of our proxy.
When I try to use 'client' or GET cache_object from the machine the
proxy is running on, I always get access denied.</I></P>
<P>
<PRE>
        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl server    src 1.2.3.4/255.255.255.255
        acl all src 0.0.0.0/0.0.0.0
        acl ourhosts src 1.2.0.0/255.255.0.0

        http_access deny manager !localhost !server
        http_access allow ourhosts
        http_access deny all
</PRE>
</P>

<P>The intent here is to allow cache manager requests from the <EM>localhost</EM>
and <EM>server</EM> addresses, and deny all others.  This policy has been
expressed here:
<PRE>
        http_access deny manager !localhost !server
</PRE>
</P>

<P>The problem here is that for allowable requests, this access rule is
not matched.  For example, if the source IP address is <EM>localhost</EM>,
then ``!localhost'' is <EM>false</EM> and the access rule is not matched, so
Squid continues checking the other rules.  Cache manager requests from
the <EM>server</EM> address work because <EM>server</EM> is a subset of <EM>ourhosts</EM>
and the second access rule will match and allow the request.  Also note that
this means any cache manager request from <EM>ourhosts</EM> would be allowed.</P>

<P>To implement the desired policy correctly, the access rules should be
rewritten as
<PRE>
        http_access allow manager localhost
        http_access allow manager server
        http_access deny manager
        http_access allow ourhosts
        http_access deny all
</PRE>

If you're using <EM>miss_access</EM>, then don't forget to also add
a <EM>miss_access</EM> rule for the cache manager:
<PRE>
        miss_access allow manager
</PRE>
</P>

<P>You may be concerned that having five access rules instead of three
may have an impact on the cache performance.  In our experience this is
not the case.  Squid is able to handle a moderate amount of access control
checking without degrading overall performance.  You may like to verify
that for yourself, however.</P>
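<P>The evaluation rules above (OR within an <EM>acl</EM> line, AND within an <EM>http_access</EM> line, first matching line wins) are easy to get wrong by hand, so here is a small model of them as this FAQ describes them, also covering the case-sensitive <EM>url_regex</EM> of section 9.1 and the <EM>user</EM> ACL of section 9.3.  This is an added example, not Squid's own code; it assumes that a request matching no <EM>http_access</EM> line is denied, and it implements <EM>dstdomain</EM> as the substring search this FAQ describes.</P>

```python
import ipaddress
import re
# Added example (not Squid's own code): a model of Squid-1.1 ACL evaluation as
# this FAQ describes it. Values on one acl line are OR'ed; terms on one
# http_access line are AND'ed, with a leading '!' negating a term; the first
# http_access line whose terms all match decides the request.
# Assumption not stated on this page: a request matching no line is denied.

def parse(conf):
    """Collect acls as name -> (type, values) and http_access rules in order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        f = line.split()
        if f and f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(f[3:])
        elif f and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(atype, values, req):
    """req is a dict with 'src', 'url' and optionally 'user' (constructed input)."""
    host = re.sub(r"^[a-z_]+://([^/:]+).*$", r"\1", req["url"])
    if atype == "src":        # addr or addr/netmask, e.g. 1.2.0.0/255.255.0.0
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v)
                   for v in values)
    if atype == "dstdomain":  # FAQ: search the URL's hostname for the string
        return any(v in host for v in values)
    if atype == "url_regex":  # case-sensitive search over the whole URL
        return any(re.search(v, req["url"]) for v in values)
    if atype == "proto":      # e.g. cache_object
        return req["url"].split("://", 1)[0] in values
    if atype == "user":       # ident or proxy_auth user name
        return req.get("user") in values
    raise ValueError("unsupported acl type: " + atype)

def http_access(conf, req):
    """Return 'allow' or 'deny' for req under conf; first matching line wins."""
    acls, rules = parse(conf)
    for action, terms in rules:
        for term in terms:
            atype, values = acls[term.lstrip("!")]
            if acl_matches(atype, values, req) == term.startswith("!"):
                break             # this term fails, so the whole line fails
        else:
            return action         # every term matched
    return "deny"

# The FAQ's "allow ME YOU" mistake: one address can never match both acls.
MISTAKE = "acl ME src 10.0.0.1\nacl YOU src 10.0.0.2\nhttp_access allow ME YOU\n"
print(http_access(MISTAKE, {"src": "10.0.0.1", "url": "http://example.com/"}))  # deny
```

Feeding it the broken and the corrected cache manager rule sets from this section shows the difference directly: a <EM>cache_object</EM> request from 127.0.0.1 is denied by the first set and allowed by the second.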



<H2><A NAME="ss9.5">9.5 I set up my access controls, but they don't work!  why?</A></H2>

<P>You can debug your access control configuration by setting the 
<EM>debug_options</EM> parameter in <EM>squid.conf</EM> and
watching <EM>cache.log</EM> as requests are made.  The access control
routines correspond to debug section 28, so you might enter:
<PRE>
        debug_options ALL,1 28,9
</PRE>
 </P>


<H2><A NAME="ss9.6">9.6 Proxy-authentication and neighbor caches</A></H2>

<P>The problem...
<BLOCKQUOTE>
<PRE>
                       [ Parents ]
                       /         \
                      /           \
               [ Proxy A ] --- [ Proxy B ]
                   |
                   |
                  USER
</PRE>

<P><I>Proxy A sends an ICP query to Proxy B about an object, Proxy B replies with an
ICP_HIT.  Proxy A forwards the HTTP request to Proxy B, but
does not pass on the authentication details, therefore the HTTP GET from
Proxy A fails.</I></P>
</BLOCKQUOTE>
</P>

<P>Only ONE proxy cache in a chain is allowed to ``use'' the Proxy-Authentication
request header.  Once the header is used, it must not be passed on to
other proxies.</P>

<P>Therefore, you must allow the neighbor caches to request from each other
without proxy authentication.  This is simply accomplished by listing
the neighbor ACLs first in the list of <EM>http_access</EM> lines.  For example:
<PRE>
        acl proxy-A src 10.0.0.1
        acl proxy-B src 10.0.0.2
        acl user_passwords proxy_auth /tmp/user_passwds

        http_access allow proxy-A
        http_access allow proxy-B
        http_access allow user_passwords
        http_access deny all
</PRE>
</P>



<HR>
<A HREF="FAQ-8.html">Previous</A>
<A HREF="FAQ-10.html">Next</A>
<A HREF="FAQ.html#toc9">Table of Contents</A>
</BODY>
</HTML>