Squid Proxy Access Control (ACL)
List of ACL types recognised/used in squid.conf:
• src: source (client) IP addresses
• dst: destination (server) IP addresses
• myip: the local IP address of a client’s connection
• arp: Ethernet (MAC) address matching
• srcdomain: source (client) domain name
• dstdomain: destination (server) domain name
• srcdom_regex: source (client) regular expression pattern matching
• dstdom_regex: destination (server) regular expression pattern matching
• src_as: source (client) Autonomous System number
• dst_as: destination (server) Autonomous System number
• peername: name tag assigned to the cache_peer to which the request is expected to be sent
• time: time of day, and day of week
• url_regex: URL regular expression pattern matching
• urlpath_regex: URL-path regular expression pattern matching, leaves out the protocol and hostname
• port: destination (server) port number
• myport: local port number that client connected to
• myportname: name tag assigned to the squid listening port that client connected to
• proto: transfer protocol (http, ftp, etc)
• method: HTTP request method (get, post, etc)
• http_status: HTTP response status (200 302 404 etc.)
• browser: regular expression pattern matching on the request user-agent header
• referer_regex: regular expression pattern matching on the request http-referer header
• ident: string matching on the user’s name
• ident_regex: regular expression pattern matching on the user’s name
• proxy_auth: user authentication via external processes
• proxy_auth_regex: regular expression pattern matching on user authentication via external processes
• snmp_community: SNMP community string matching
• maxconn: a limit on the maximum number of connections from a single client IP address
• max_user_ip: a limit on the maximum number of IP addresses one user can login from
• req_mime_type: regular expression pattern matching on the request content-type header
• req_header: regular expression pattern matching on a request header content
• rep_mime_type: regular expression pattern matching on the reply (downloaded content) content-type header. This is only usable in the http_reply_access directive, not http_access.
• rep_header: regular expression pattern matching on a reply header content. This is only usable in the http_reply_access directive, not http_access.
• external: lookup via external acl helper defined by external_acl_type
• user_cert: match against attributes in a user SSL certificate
• ca_cert: match against attributes of a user's issuing CA SSL certificate
• ext_user: match on user= field returned by external acl helper defined by external_acl_type
• ext_user_regex: regular expression pattern matching on user= field returned by external acl helper defined by external_acl_type
There are two distinct components, ACL elements and access lists. Everyday uses include:
1. Allowing clients to use the cache
2. Configuring Squid NOT to cache specific domains
3. Blocking specific content
4. Blocking specific paths/file types
6. Limiting the number of connections per client to the proxy
Case study:
IP Client = 192.168.100.0/24
IP Special = 192.168.100.10-192.168.100.20
Block some domains
Block downloads (certain extensions) for all clients EXCEPT the special IPs
Clients may only download from IIX links
Bypass the proxy for some domains
1. Create the IIX ACL; the IP list can be obtained from dnsstuff or nice.rsc. Save it as /etc/squid/iix.acl, for example as below:
2. Create the Special IP ACL containing the special IPs listed above and save it as /etc/squid/special.acl, for example as below:
3. Also create ACLs for the domain blacklist, the file-type ACL and the bypass domains, for example:
Note: the ACLs above are ONLY examples; modify them as needed.
4. Configure squid.conf as follows:
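The squid.conf for step 4 is not shown on this page. What follows is an added example, not the post's own configuration: one way to express the case study above in Squid 3.x syntax. The ACL names, the file paths other than the two the post gives (/etc/squid/iix.acl and /etc/squid/special.acl), the maxconn value of 20 and the sample addresses and patterns are assumptions; the IIX prefix list itself must come from a real source such as the ones the post names.

```conf
# Added example, not the original post's squid.conf. ACL names, extra file
# paths, the connection limit and all sample values are assumptions.
#
# Assumed one-entry-per-line contents of the files referenced below:
#   /etc/squid/special.acl   : 192.168.100.10-192.168.100.20
#   /etc/squid/iix.acl       : 203.0.113.0/24         (placeholder prefix)
#   /etc/squid/blacklist.acl : .blocked.example
#   /etc/squid/filetype.acl  : \.(exe|msi|zip|rar|iso)$
#   /etc/squid/nocache.acl   : .nocache.example

# --- ACL elements ---------------------------------------------------------
acl localnet  src       192.168.100.0/24
acl special   src       "/etc/squid/special.acl"
acl iix       dst       "/etc/squid/iix.acl"
acl blacklist dstdomain "/etc/squid/blacklist.acl"
acl filetype  urlpath_regex -i "/etc/squid/filetype.acl"
acl nocache   dstdomain "/etc/squid/nocache.acl"
acl conlimit  maxconn   20

# --- Access lists ---------------------------------------------------------
# http_access is evaluated top to bottom and the first line whose ACLs ALL
# match decides, so the order of these lines is the security-relevant part.

# Blocked domains: denied for everyone, special clients included.
http_access deny localnet blacklist

# Per-client connection cap: maxconn matches once a client IP holds more
# than 20 established connections (needs client_db on, which is the default).
http_access deny localnet conlimit

# Download block with the exception for special IPs. "!" negates only the
# ACL it precedes, so this line reads "localnet AND filetype AND NOT special".
# Caveat: for HTTPS (CONNECT) requests Squid sees only host:port, not the
# path, so urlpath_regex cannot block a file type inside a TLS tunnel.
http_access deny localnet filetype !special

# Only IIX destinations are reachable: dst resolves the request host to an
# address and compares it with the prefix list in iix.acl.
http_access allow localnet iix

# Default deny: anything not explicitly allowed above, including requests
# from outside 192.168.100.0/24, is refused.
http_access deny all

# Domains that must not be cached: the proxy still forwards them but never
# stores the reply. Squid cannot skip itself for a domain; a real proxy
# bypass is a client (PAC/WPAD) or firewall-redirect decision, not an ACL.
cache deny nocache
```

After editing, run `squid -k parse` to syntax-check the file and `squid -k reconfigure` to load it; a missing ACL file listed in quotes makes the parse fail rather than silently matching nothing, which is the behaviour you want from a deny rule.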
For more details, see the sources below:
http://wiki.squid-cache.org/SquidFaq/SquidAcl
http://www.squid-cache.org/Doc/config/acl/
http://www.visolve.com/squid/squid24s1/access_controls.php
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid