Using Squid Proxy Services with iTools
This paper describes how to disable the Apache proxy module and use Squid
proxy services by hand-tailoring the Squid configuration files.
Under iTools, the Apache server proxy module is
configurable using the Administration Server.
The Squid component of iTools is used as a
caching accelerator front-end to Apache.
But Squid can also provide a very powerful HTTP/1.1 proxy service.
Squid proxy access control mechanisms
are more extensive than those in Apache
particularly in the area of proxy blocking or the ability
to prevent access to certain undesirable sites based
on URL, browser, day, hour of the day, even minute of the hour!
A simple adjustment will enhance Squid's capabilities under
iTools to provide both acceleration and proxy service.
Because Squid proxy configuration is not yet
exported into the Administration Server interface, direct
manipulation of the Squid configuration file is necessary. While
this may at first appear daunting to someone unfamiliar with
UNIX database files, it is really quite a simple process using a text
editor such as TextEdit.
First, using the Administration Server interface,
verify these default settings:
Next, edit squid.conf:
The squid.conf configuration file is located in
the /Local/Library/WebServer/tenon/squid/etc directory.
That's it! Restart the web service with "apachectl restart" and direct your clients to the proxy on port 80 of your WebTen
Setting up Squid Access Control
The access control lists (ACLs) in squid.conf determine
what the client browsers can access. The basic format of an acl record is:
acl aclname acltype string1 string2 ...
aclname is a unique identifying name you give to the acl
acltype is one of: src dst srcdomain dstdomain urlpath_regex
port proto method browser user time
acl aclname src ip-address/netmask ... (clients IP address)
acl aclname src addr1-addr2/netmask ... (range of addresses)
acl aclname dst ip-address/netmask ... (URL host's IP address)
acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
acl aclname dstdomain foo.com ... (taken from the URL)
acl aclname url_regex ^http:// ... (regex matching on whole URL)
acl aclname urlpath_regex \.gif$ ... (regex matching on URL path only)
acl aclname port 80 70 21 ... (port number)
acl aclname proto HTTP FTP ... (protocol)
acl aclname method GET POST ... (request method)
acl aclname browser Mozilla$ (browser regex)
acl aclname user username ... (string match on ident output)
acl aclname time [day] [h1:m1-h2:m2] (time of day)
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
To activate an acl, use it in an http_access statement:
http_access deny aclname
http_access allow aclname
http_access deny !aclname
Deny will deny access to the aclname, while allow allows
access to the aclname. A
'!' preceding the aclname
denies/allows access to all but the aclname.
There are some sample ACLs in
the file which you can enhance using the examples shown below.
In the examples, we block access to some less than desirable
domains (aclname dirty_domains) and we restrict the downloading of
files (aclname download_files) ending with .hqx, .bin, and .gz
to all machines that access the proxy
except for a trusted group of machines (aclname download_allowed).
Here is an example of ACL-based proxy blocking:
# These are some basic ACL definitions that come with Squid.
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
# Now some custom ACLs
# Some adult domains that we don't want co-workers to access
acl dirty_domains dstdomain playboy.com hustler.com hh.nl penthouse.com
# These are the most common suffixes for downloadable files
acl download_files urlpath_regex \.hqx$ \.bin$ \.gz$
# These are the machines we want to allow to download files
acl download_allowed src 172.16.1.65/32
172.16.1.66/32 172.16.1.70/32 172.16.1.71/32
# Allow no one to connect to the undesirable domains
http_access deny dirty_domains
# Since Squid processes no rules after a match, first allow downloads to some
http_access allow download_files download_allowed
# Now deny downloads to everyone else
http_access deny download_files
# Continue with standard squid.conf directives
# Only allow access to the cache manager functions from the local host.
http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
# Allow everything else
http_access allow all
| Tenon Home |
Contact Us |
About Tenon |
Tech Support |
Press Room |
Mailing Lists |
Copyright©2013 Tenon Intersystems, 232 Anacapa Street, Suite 2A, Santa Barbara,
CA 93101. All rights reserved.
Questions about our website - Contact: