------ ACL control of squid

I. ACL concept
   The Squid proxy provides a powerful access control mechanism: with a sensible set of ACLs (Access Control Lists) and the restrictions applied to them, it can filter requests by source address, destination address, URL path, access time and a variety of other conditions.
ACL access control takes two steps:
  1. Use acl configuration items to define the conditions to be controlled.
  2. Use http_access configuration items to "allow" or "deny" access for the defined lists.
II. ACL usage overview
(1) Defining ACL access lists
Definition format: acl <list name> <list type> <list content> ...
Example: controlling by source IP segment
vim /etc/squid.conf
acl smile src 192.168.1.0/24  192.168.4.0/24
Common ACL list types:
  1  src            source (client) address
  2  dst            destination address
  3  port           destination port
  4  dstdomain      destination domain
  5  time           access time
  6  maxconn        maximum number of concurrent connections
  7  url_regex      target URL address    # broad in scope; can be defined as e.g. http://www.baidu.com
  8  urlpath_regex  full target URL path  # can target a specific object on a site, such as the URL of one song on Baidu Music
(2) ACL access control
   After defining the various access control lists, you apply them with the http_access configuration item.
Format:
  ~]# vim /etc/squid.conf
   http_access allow|deny <list name> ......
  A single http_access rule may name several access control lists, separated by spaces. The relationship between them is "AND": the rule applies only when the conditions of every listed access control list are met.
   Rule matching principle:
When no rules are set at all, the Squid service rejects the client's request. When rules exist but none matches, Squid applies the opposite of the last rule's permission: if the last rule is allow, the client's request is denied, otherwise it is allowed. The no-match situation should nevertheless be avoided as far as possible.
III. Detailed application of ACL lists
1. Forbid any client from using this proxy service
Define a list named all that matches proxy access from any source address, then deny that list. Note that the acl line must be written before the http_access line that references it.
  vi /etc/squid.conf
  acl all src 0.0.0.0/0.0.0.0
  http_access deny all
  systemctl reload squid.service
2. Allow several LAN segments to access the Internet during working hours
  vim /etc/squid.conf
  acl all src 0.0.0.0/0.0.0.0          (some versions require this to be written as: acl all src all)
  acl smile src 192.168.1.0/24 192.168.4.0/24
  acl smiletime time MTWHF 08:30-17:30  (MTWHF are the initials of Monday to Friday)
  http_access allow smile smiletime
  http_access deny all
  systemctl reload squid.service
3. Restricting target websites through a blacklist
(1) First create the address list files (writing the entries directly in the configuration file also works, but list files suit cases where many website domains are denied or allowed, and they make adding and removing entries easier)
  vim /etc/squid/ipblock.list
    61.135.167.36
    60.28.14.0/24
  vim /etc/squid/dmblock.list
    qq.com
(2) Configure the ACLs
  vim /etc/squid.conf
  acl IPBLOCK dst "/etc/squid/ipblock.list"
  acl DMBLOCK dstdomain "/etc/squid/dmblock.list"
  http_access deny IPBLOCK
  http_access deny DMBLOCK
  systemctl reload squid.service
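To show how the rule matching principle plays out across examples 2 and 3, here is an added Python model of http_access evaluation (an illustration written for this page, not code from the original post or from Squid itself). It parses the acl and http_access lines of a constructed squid.conf fragment that combines the working-hours rules with the domain blacklist, supports only the src, dstdomain and time types, and returns the decision for one request; the blacklist deny rule is placed before the allow rule so that it is consulted first.

```python
import ipaddress
from datetime import datetime

def parse_config(text):
    """Collect acl definitions and http_access rules from squid.conf-style lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#")[0].split()  # strip comments; blank lines give []
        if parts and parts[0] == "acl":      # acl <name> <type> <values...>
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":  # http_access allow|deny <names...>
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, req):
    """Evaluate one acl against req = {"ip", "host", "when"} (only the types used above)."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["ip"])
        return any(v == "all" or ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        return any(req["host"] == v or req["host"].endswith("." + v) for v in values)
    if kind == "time":
        days, span = values                  # e.g. ["MTWHF", "08:30-17:30"]
        start, end = span.split("-")
        # Squid day letters S M T W H F A = Sun..Sat; Python weekday() has Mon = 0
        day_ok = "SMTWHFA"[(req["when"].weekday() + 1) % 7] in days
        return day_ok and start <= req["when"].strftime("%H:%M") <= end
    raise ValueError(f"unsupported acl type: {kind}")

def decide(acls, rules, req):
    """First rule whose acls ALL match wins; no rules => deny; no match => invert last rule."""
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

# Constructed squid.conf fragment combining the working-hours and blacklist examples above.
CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl smile src 192.168.1.0/24 192.168.4.0/24
acl smiletime time MTWHF 08:30-17:30
acl DMBLOCK dstdomain qq.com
http_access deny DMBLOCK
http_access allow smile smiletime
http_access deny all
"""
def check(config, ip, host, when):  # when: "YYYY-MM-DD HH:MM"; returns "allow" or "deny"
    acls, rules = parse_config(config)
    return decide(acls, rules, {"ip": ip, "host": host, "when": datetime.strptime(when, "%Y-%m-%d %H:%M")})
```

check(CONFIG, "192.168.1.10", "www.baidu.com", "2024-06-03 10:00") returns "allow", while the same client asking for mail.qq.com is denied by the blacklist rule. Dropping the final deny all line still denies a request that matches nothing, because the last remaining rule is an allow.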

Origin www.cnblogs.com/--smile/p/11118972.html