Sunday, August 5, 2012

Access Control Lists


The importance of access controls cannot be overstated.  It is important to have a good understanding of how to control who uses squid.  When access controls are created you will use two components.  The first is the acl which defines, clients, IP Addresses, hostnames, origin port numbers and request methods.  Once these are created they are combined with rules for the acls.

The acls are created using a basic structure.

acl name type value

Here is an example which shows the name as “net”, the type is “src” which is the source and the vlaue is the network address.

acl net src 192.168.7.0/24

ACL Types
There are about 25 acl types which can be used.

src, dst, myip
Several types use ip addresses as a value.  The following three examples are all acceptable to squid.  Squid will try to calculate the subnet if it is not included, however, it is a good practice to add the correct subnet when the acl is written.

acl net src 192.168.7.0/24
acl net src 192.168.7.0/255.255.255.0
acl net src 192.168.7.0

Hostnames may be used in the acls but this is not a god idea and squid will convert hostnames on startup but will not make DNS lookups after that so if the address of the host changes it will be incorrect.

src
The src is the source or where the request is coming from.


acl myworkstation src 192.168.7.56


Here the source is the specific ip address of 192.168.7.56.

dst
dst is where the request is directed at.  One of the problems of using dst is that it must make a host lookup before it can process the request and this may take too long.  Better to use dstdomain.


myip
This type is useful only when squid will use several ip addresses.  It is used to indicate which ip address for squid to use.  This may be very useful for setting up squid so that it will listen on two separate networks with different ip addresses.


srcdomian, dstdomain, cache_host_domain
These types use domain names.  Be careful with domain names because of the difference between domain names and subdomains.  If the acl begins with a “.” then it is used as a wildcard and it will
match all domains and subdomians.  If it is without the “.”, then it will be considered an exact match.

acl example1 srcdomain example.com
acl example2 srcdomain .example.com


In the examples above the acl example1 will not match mail.example.com nor www.example.com because it must be an exact match.  However,
mail.example.com, www.example.com and example.com all will match the second acl.

The differences between dst and dstdomain.
The dst type only checks the domain one time, so that if it changes you will not have the correct information.  However, when using dstdomain, squid will check it every time it is accessed, which is a
safer situation.


srcdomain
The srcdomain will force squid to do a reverse DNS lookup to verify the IP Address. If a domain is not configured correctly, then it will not be able to complete the reverse lookup and fail.  This is the biggest
drawback to using srcdomain.
ident, proxy_auth
These two types use usernames.
srcdom_regex, dstdom_regex, url_regex, urlpath_regex,
browser, referer_regex, ident_regex, proxy_auth_regex,
req_mime_type, rep_mime_type


^http://
The regular expression matches any URL that begins with http://.
\.jpg$
The regular expression matches any file extension that ends in .jpg.
the \ is added because “.” is also a wildcard.
acl net url_regex ^http://www
Squid is case sensitive by default. In order to make it
case insensitive use the -i option.
acl net url_regex -i ^http://www


port, myport
The port number is a number that is used by a service on a server or workstation to communicate with another service.

acl net port 22
acl net port 20-21

port
Ports are an area to be careful with.  The best configuration will deny all ports and only allow those determined to be safe.  The configuration below allows only ports 21,80.443,1209 and unregistered ports.  Port 21 is used
for ftp, port 80 for web services, port 443 for encrypted sites and port 1209 is a special port used for a web
based learning site.  Unregistered ports are ports that  are used to connect to services on the Internet and are generally accepted as safe when they are outgoing ports.


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 1209        # plato
acl Safe_ports port 1025-65535  # unregistered ports

http_access deny !Safe_ports

myport
Myport is used when a squid server may receive different types of requests for specific services.  For example if the squid server was accepting connections as a proxy for  users and also accepting connections as a HTTP accelerator.


acl accelerator myport 80
acl proxy myport 3128
acl net src 192.168.7.0/24

0 comments:

Post a Comment