456
456
Defining an Access List
458
acl aclname acltype string1 ...
459
acl aclname acltype "file" ...
461
when using "file", the file should contain one item per line
463
acltype is one of the types described below
458
Every access list definition must begin with an aclname and acltype,
459
followed by either type-specific arguments or a quoted filename that
462
acl aclname acltype argument ...
463
acl aclname acltype "file" ...
465
When using "file", the file should contain one item per line.
465
467
By default, regular expressions are CASE-SENSITIVE. To make
466
468
them case-insensitive, use the -i option.
469
471
***** ACL TYPES AVAILABLE *****
471
acl aclname src ip-address/netmask ... (clients IP address)
472
acl aclname src addr1-addr2/netmask ... (range of addresses)
473
acl aclname dst ip-address/netmask ... (URL host's IP address)
474
acl aclname myip ip-address/netmask ... (local socket IP address)
473
acl aclname src ip-address/netmask ... # clients IP address
474
acl aclname src addr1-addr2/netmask ... # range of addresses
475
acl aclname dst ip-address/netmask ... # URL host's IP address
476
acl aclname myip ip-address/netmask ... # local socket IP address
476
478
acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
477
479
# The arp ACL requires the special configure option --enable-arp-acl.
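Review bot: the arp line kept as context in this hunk still carries its explanation in parentheses, "(xx:xx:xx:xx:xx:xx notation)", while the src, dst and myip lines directly above it were switched to trailing "#" comments. Convert the arp line in the same change so the block uses one convention, and write "client's IP address" with the apostrophe in the new src comment.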
482
484
# the same subnet. If the client is on a different subnet, then Squid cannot
483
485
# find out its MAC address.
485
acl aclname srcdomain .foo.com ... # reverse lookup, from client IP
486
acl aclname dstdomain .foo.com ... # Destination server from URL
487
acl aclname srcdom_regex [-i] xxx ... # regex matching client name
488
acl aclname dstdom_regex [-i] xxx ... # regex matching server
487
acl aclname srcdomain .foo.com ... # reverse lookup, from client IP
488
acl aclname dstdomain .foo.com ... # Destination server from URL
489
acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name
490
acl aclname dstdom_regex [-i] \.foo\.com ... # regex matching server
489
491
# For dstdomain and dstdom_regex a reverse lookup is tried if a IP
490
492
# based URL is used and no match is found. The name "none" is used
491
493
# if the reverse lookup fails.
493
acl aclname src_as number ...
494
acl aclname dst_as number ...
495
acl aclname src_as number ...
496
acl aclname dst_as number ...
495
497
# Except for access control, AS numbers can be used for
496
498
# routing of requests to specific caches. Here's an
497
499
# example for routing all requests for AS#1241 and only
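Review bot: the new example pattern on the srcdom_regex and dstdom_regex lines, "\.foo\.com", has no end anchor, so as a regex it also matches a name that merely contains that string, such as "www.foo.com.example.org". Administrators copy these lines into allow rules, so show "\.foo\.com$" instead. While touching this block, the context comment "if a IP based URL is used" should read "an IP".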
500
502
# cache_peer_access mycache.mydomain.net allow asexample
501
503
# cache_peer_access mycache_mydomain.net deny all
503
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
512
h1:m1 must be less than h2:m2
505
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
514
# h1:m1 must be less than h2:m2
514
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
516
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
515
517
acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
517
acl aclname port 80 70 21 ...
518
acl aclname port 0-1024 ... # ranges allowed
519
acl aclname myport 3128 ... # (local socket TCP port)
519
acl aclname port 80 70 21 ...
520
acl aclname port 0-1024 ... # ranges allowed
521
acl aclname myport 3128 ... # (local socket TCP port)
520
522
acl aclname myportname 3128 ... # http(s)_port name
522
acl aclname proto HTTP FTP ...
524
acl aclname proto HTTP FTP ...
524
acl aclname method GET POST ...
526
acl aclname method GET POST ...
526
528
acl aclname http_status 200 301 500- 400-403 ... # status code in reply
528
acl aclname browser [-i] regexp ...
530
acl aclname browser [-i] regexp ...
529
531
# pattern match on User-Agent header (see also req_header below)
531
acl aclname referer_regex [-i] regexp ...
533
acl aclname referer_regex [-i] regexp ...
532
534
# pattern match on Referer header
533
535
# Referer is highly unreliable, so use with care
535
acl aclname ident username ...
537
acl aclname ident username ...
536
538
acl aclname ident_regex [-i] pattern ...
537
539
# string match on ident output.
538
540
# use REQUIRED to accept any non-null ident.
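Review bot: in the context at the top of this hunk the two cache_peer_access lines name different peers, "mycache.mydomain.net" on the allow line and "mycache_mydomain.net" on the deny line. Anyone who copies the example gets a deny rule that does not apply to the peer the allow rule names, so correct the underscore as part of this change.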
577
579
# clients may appear to come from multiple addresses if they are
578
580
# going through proxy farms, so a limit of 1 may cause user problems.
580
acl aclname req_mime_type [-i] mime-type1 ...
582
acl aclname req_mime_type [-i] mime-type ...
581
583
# regex match against the mime type of the request generated
582
584
# by the client. Can be used to detect file upload or some
583
585
# types HTTP tunneling requests.
589
591
# thought of as a superset of "browser", "referer" and "mime-type"
592
acl aclname rep_mime_type [-i] mime-type1 ...
594
acl aclname rep_mime_type [-i] mime-type ...
593
595
# regex match against the mime type of the reply received by
594
596
# squid. Can be used to detect file download or some
595
597
# types HTTP tunneling requests.
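Review bot: the comment under rep_mime_type describes a match on the reply received by squid but ends with "types HTTP tunneling requests", which reads as copied from the req_mime_type entry and is missing "of". Since the acl line above it is being edited anyway, reword it to "some types of HTTP tunneling", and make the same "types of" fix in the req_mime_type comment.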
602
604
# thought of as a superset of "browser", "referer" and "mime-type"
605
acl acl_name external class_name [arguments...]
607
acl aclname external class_name [arguments...]
606
608
# external ACL lookup via a helper class defined by the
607
609
# external_acl_type directive.
1383
1387
distributed among the parents based on the CARP load
1384
1388
balancing hash function based on their weight.
1390
use 'userhash' to load-balance amongst a set of parents
1391
based on the client proxy_auth or ident username.
1393
use 'sourcehash' to load-balance amongst a set of parents
1394
based on the client source ip.
1386
1396
'multicast-responder' indicates the named peer
1387
1397
is a member of a multicast group. ICP queries will
1388
1398
not be sent directly to the peer, but ICP replies
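Review bot: the new "userhash" text says the parent is chosen from the client proxy_auth or ident username but not what happens to a request that carries neither. Document the behaviour in that case so an operator knows whether such requests fall through to another selection method. In the "sourcehash" text, write "IP" in capitals to match the "IP address" wording used in the acl comments.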
2006
2016
et Tag returned by external acl
2007
2017
ea Log string returned by external acl
2008
2018
<st Reply size including HTTP headers
2019
>st Request size including HTTP headers
2020
st Request+Reply size including HTTP headers
2009
2021
<sH Reply high offset sent
2010
2022
<sS Upstream object size
2011
2023
% a literal % character
4579
4591
requests, except those in your local domain use something like:
4581
4593
acl local-servers dstdomain .foo.net
4582
acl all src 0.0.0.0/0.0.0.0
4583
4594
never_direct deny local-servers
4584
4595
never_direct allow all
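Review bot: with "acl all src 0.0.0.0/0.0.0.0" removed, the example's last line "never_direct allow all" refers to an acl that the example no longer defines. If "all" is now predefined, say so in a short comment next to the example. Otherwise a reader who pastes these lines into a minimal config ends up with an undefined acl name.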
5473
5485
rounded to 1000.
5488
NAME: windows_ipaddrchangemonitor
5492
LOC: Config.onoff.WIN32_IpAddrChangeMonitor
5494
On Windows Squid by default will monitor IP address changes and will
5495
reconfigure itself after any detected event. This is very useful for
5496
proxies connected to internet with dial-up interfaces.
5497
In some cases (a Proxy server acting as VPN gateway is one) it could be
5498
desiderable to disable this behaviour setting this to 'off'.
5499
Note: after changing this, Squid service must be restarted.
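Review bot: "desiderable" in the added help text should be "desirable", and the clause reads better as "it could be desirable to disable this behaviour by setting this to 'off'". The text also says Squid reconfigures itself "after any detected event" without saying which events are meant. A short statement of that would help an operator judge whether the VPN gateway case applies to them.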