Using Squid Proxy Services with WebTen


This paper describes how to disable the Apache proxy module and use Squid proxy services by hand-tailoring the Squid configuration files.

Under WebTen, the Apache server proxy module is configurable using the WebTen Administration Server. The Squid component of WebTen is used as a caching accelerator front-end to Apache.

But Squid can also provide a very powerful HTTP/1.1 proxy service. Squid proxy access control mechanisms are more extensive than those in Apache 1.2, particularly in the area of proxy blocking, or the ability to prevent access to certain undesirable sites based on URL, browser, day, hour of the day, even minute of the hour! A simple adjustment will enhance Squid's capabilities under WebTen to provide both acceleration and proxy service.

Because Squid proxy configuration is not yet exported into the WebTen Administration Server interface, direct manipulation of the Squid configuration file is necessary. While this may at first appear daunting to someone unfamiliar with UNIX database files, it is really quite a simple process using a text editor such as BBEdit.

First, using the Administration Server interface, verify these default WebTen settings:

Next, put on UNIX scuba gear and dive into squid.conf:

The squid.conf configuration file is located in the tenon/squid/etc folder in your WebTen distribution.

That's it! Restart the WebTen server using the Administration interface and direct your clients to the proxy on port 80 of your WebTen system.

Setting up Squid Access Control

The access control lists (ACLs) in squid.conf determine what the client browsers can access. The basic format of an acl record is:

    acl aclname acltype string1 string2 ...

aclname is a unique identifying name you give to the acl

acltype is one of:  src dst srcdomain dstdomain urlpath_regex
                    port proto method browser user time


For example:

    acl aclname src ip-address/netmask ...    (clients IP address)
    acl aclname src addr1-addr2/netmask ...    (range of addresses)
    acl aclname dst ip-address/netmask ...    (URL host's IP address)
    acl aclname srcdomain foo.com ...    (taken from reverse DNS lookup)
    acl aclname dstdomain foo.com ...    (taken from the URL)
    acl aclname url_regex ^http:// ...    (regex matching on whole URL)
    acl aclname urlpath_regex  \.gif$ ...    (regex matching on URL path only)
    acl aclname port     80 70 21 ...    (port number)
    acl aclname proto    HTTP FTP ...    (protocol)
    acl aclname method   GET POST ...    (request method)
    acl aclname browser  Mozilla$    (browser regex)
    acl aclname user     username ...    (string match on ident output)
    acl aclname time [day]  [h1:m1-h2:m2]    (time of day)

        day:
            S - Sunday
            M - Monday
            T - Tuesday
            W - Wednesday
            H - Thursday
            F - Friday
            A - Saturday


To activate an acl, use it in an http_accesss statement:

    http_access deny aclname 
    http_access allow aclname 
    http_access deny !aclname 

Deny will deny access to the aclname, while allow allows
access to the aclname.  A '!' preceding the aclname
denies/allows access to all but the aclname.

There are some sample ACLs in the file which you can enhance using the examples shown below. In the examples, we block access to some less than desirable domains (aclname dirty_domains) and we restrict the downloading of files (aclname download_files) ending with .hqx, .bin, and .gz to all machines that access the proxy except for a trusted group of machines (aclname download_allowed).

Here is an example of ACL-based proxy blocking:

#
# These are some basic ACL definitions that come with Squid.
#


acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0

acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT

#
# Now some custom ACLs
#

#
# Some adult domains that we don't want co-workers to access
#


acl dirty_domains dstdomain playboy.com hustler.com hh.nl penthouse.com
playgirl.com penthouselive.com


#
# These are the most common suffixes for downloadable files
#

acl download_files urlpath_regex \.hqx$ \.bin$ \.gz$

#
# These are the machines we want to allow to download files
#

acl download_allowed src 172.16.1.65/32 172.16.1.66/32 172.16.1.70/32 172.16.1.71/32

#
# Allow no one to connect to the undesirable domains
#


http_access deny dirty_domains


#
# Since Squid processes no rules after a match, first allow downloads to some
#

http_access allow download_files download_allowed

#
# Now deny downloads to everyone else
#

http_access deny download_files

#
# Continue with standard squid.conf directives
#


#
# Only allow access to the cache manager functions from the local host.
#


http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports


# Allow everything else

http_access allow  all


Page last updated 12/28/1999

http://www.tenon.com/support/webten/papers/webten-access-forbidden.html