This paper describes how to disable the Apache proxy module and use Squid proxy services by hand-tailoring the Squid configuration files.
Under WebTen, the Apache server proxy module is configurable using the WebTen Administration Server. The Squid component of WebTen is used as a caching accelerator front-end to Apache.
But Squid can also provide a very powerful HTTP/1.1 proxy service. Squid proxy access control mechanisms are more extensive than those in Apache 1.2, particularly in the area of proxy blocking, or the ability to prevent access to certain undesirable sites based on URL, browser, day, hour of the day, even minute of the hour! A simple adjustment will enhance Squid's capabilities under WebTen to provide both acceleration and proxy service.
Because Squid proxy configuration is not yet exported into the WebTen Administration Server interface, direct manipulation of the Squid configuration file is necessary. While this may at first appear daunting to someone unfamiliar with UNIX database files, it is really quite a simple process using a text editor such as BBEdit.
That's it! Restart the WebTen server using the Administration interface and direct your clients to the proxy on port 80 of your WebTen system.
The access control lists (ACLs) in squid.conf determine
what the client browsers can access. The basic format of an acl record is:
acl aclname acltype string1 string2 ...
aclname is a unique identifying name you give to the acl
acltype is one of: src dst srcdomain dstdomain urlpath_regex
port proto method browser user time
acl aclname src ip-address/netmask ... (clients IP address)
acl aclname src addr1-addr2/netmask ... (range of addresses)
acl aclname dst ip-address/netmask ... (URL host's IP address)
acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
acl aclname dstdomain foo.com ... (taken from the URL)
acl aclname url_regex ^http:// ... (regex matching on whole URL)
acl aclname urlpath_regex \.gif$ ... (regex matching on URL path only)
acl aclname port 80 70 21 ... (port number)
acl aclname proto HTTP FTP ... (protocol)
acl aclname method GET POST ... (request method)
acl aclname browser Mozilla$ (browser regex)
acl aclname user username ... (string match on ident output)
acl aclname time [day] [h1:m1-h2:m2] (time of day)
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
To activate an acl, use it in an http_accesss statement:
http_access deny aclname
http_access allow aclname
http_access deny !aclname
Deny will deny access to the aclname, while allow allows
access to the aclname. A
'!' preceding the aclname
denies/allows access to all but the aclname.
There are some sample ACLs in the file which you can enhance using the examples shown below. In the examples, we block access to some less than desirable domains (aclname dirty_domains) and we restrict the downloading of files (aclname download_files) ending with .hqx, .bin, and .gz to all machines that access the proxy except for a trusted group of machines (aclname download_allowed).
Here is an example of ACL-based proxy blocking:
# These are some basic ACL definitions that come with Squid.
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
# Now some custom ACLs
# Some adult domains that we don't want co-workers to access
acl dirty_domains dstdomain playboy.com hustler.com hh.nl penthouse.com
# These are the most common suffixes for downloadable files
acl download_files urlpath_regex \.hqx$ \.bin$ \.gz$
# These are the machines we want to allow to download files
acl download_allowed src 172.16.1.65/32 172.16.1.66/32 172.16.1.70/32 172.16.1.71/32
# Allow no one to connect to the undesirable domains
http_access deny dirty_domains
# Since Squid processes no rules after a match, first allow downloads to some
http_access allow download_files download_allowed
# Now deny downloads to everyone else
http_access deny download_files
# Continue with standard squid.conf directives
# Only allow access to the cache manager functions from the local host.
http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
# Allow everything else
http_access allow all
Page last updated 12/28/1999http://www.tenon.com/support/webten/papers/webten-access-forbidden.html