ChinaUnix forum

[proxy] Blocking exe, mp3, rar downloads in squid 2.6 seems to have no effect!

#1, posted 2007-09-10 09:34

I added the following to squid 2.6:
acl badfile1 urlpath_regex -i \.mp3$\.exe$\.rar$
http_access deny badfile1
After reloading squid, clients can still download mp3 files. What is going on? The lines were added before http_access deny all.

#2, posted 2007-09-10 10:03

Help me out!

Give me a hint when you have time!

#3, posted 2007-09-10 10:05

Everyone please bump this!

#4, posted 2007-09-10 11:09

You have given too little information, but the approach itself is fine.
My guess is that another acl of yours takes effect before this one, so this restriction never applies.
Check all your acls carefully, then ask again.

#5, posted 2007-09-10 14:28

Reply to jinl's post #4

I have basically not added any acl control statements in squid, apart from
acl our_networking src 192.168.1.0/24
http_access allow our_networking
to let clients browse; nothing else was touched. Adding
acl badfile1 urlpath_regex -i \.mp3$\.exe$\.rar$
http_access deny badfile1
either before or after it made no difference. I have no idea what is going on. Below is part of the squid 2.6 configuration; please see if anything is wrong.

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: acl
#        Defining an Access List
#
#        acl aclname acltype string1 ...
#        acl aclname acltype "file" ...
#
#        when using "file", the file should contain one item per line
#
#        acltype is one of the types described below
#
#        By default, regular expressions are CASE-SENSITIVE.  To make
#        them case-insensitive, use the -i option.
#
#        acl aclname src      ip-address/netmask ... (clients IP address)
#        acl aclname src      addr1-addr2/netmask ... (range of addresses)
#        acl aclname dst      ip-address/netmask ... (URL host's IP address)
#        acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#        acl aclname arp      mac-address ... (xxxxxxx notation)
#          # The arp ACL requires the special configure option --enable-arp-acl.
#          # Furthermore, the arp ACL code is not portable to all operating systems.
#          # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#          #
#          # NOTE: Squid can only determine the MAC address for clients that are on
#          # the same subnet. If the client is on a different subnet, then Squid cannot
#          # find out its MAC address.
#
#        acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#        acl aclname dstdomain   .foo.com ...    # Destination server from URL
#        acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#        acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#          # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
#          # based URL is used and no match is found. The name "none" is used
#          # if the reverse lookup fails.
#
#        acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#            day-abbrevs:
#                S - Sunday
#                M - Monday
#                T - Tuesday
#                W - Wednesday
#                H - Thursday
#                F - Friday
#                A - Saturday
#            h1:m1 must be less than h2:m2
#        acl aclname url_regex [-i] ^http:// ...        # regex matching on whole URL
#        acl aclname urlpath_regex [-i] \.gif$ ...        # regex matching on URL path
#        acl aclname urllogin [-i] [^a-zA-Z0-9] ...        # regex matching on URL login field
#        acl aclname port     80 70 21 ...
#        acl aclname port     0-1024 ...                # ranges allowed
#        acl aclname myport   3128 ...                # (local socket TCP port)
#        acl aclname proto    HTTP FTP ...
#        acl aclname method   GET POST ...
#        acl aclname browser  [-i] regexp ...
#          # pattern match on User-Agent header (see also req_header below)
#        acl aclname referer_regex  [-i] regexp ...
#          # pattern match on Referer header
#          # Referer is highly unreliable, so use with care
#        acl aclname ident    username ...
#        acl aclname ident_regex [-i] pattern ...
#          # string match on ident output.
#          # use REQUIRED to accept any non-null ident.
#        acl aclname src_as   number ...
#        acl aclname dst_as   number ...
#          # Except for access control, AS numbers can be used for
#          # routing of requests to specific caches. Here's an
#          # example for routing all requests for AS#1241 and only
#          # those to mycache.mydomain.net:
#          # acl asexample dst_as 1241
#          # cache_peer_access mycache.mydomain.net allow asexample
#          # cache_peer_access mycache_mydomain.net deny all
#
#        acl aclname proxy_auth [-i] username ...
#        acl aclname proxy_auth_regex [-i] pattern ...
#          # list of valid usernames
#          # use REQUIRED to accept any valid username.
#          #
#          # NOTE: when a Proxy-Authentication header is sent but it is not
#          # needed during ACL checking the username is NOT logged
#          # in access.log.
#          #
#          # NOTE: proxy_auth requires a EXTERNAL authentication program
#          # to check username/password combinations (see
#          # auth_param directive).
#          #
#          # WARNING: proxy_auth can't be used in a transparent proxy. It
#          # collides with any authentication done by origin servers. It may
#          # seem like it works at first, but it doesn't.
#
#        acl aclname snmp_community string ...
#          # A community string to limit access to your SNMP Agent
#          # Example:
#          #
#          #        acl snmppublic snmp_community public
#
#        acl aclname maxconn number
#          # This will be matched when the client's IP address has
#          # more than <number> HTTP connections established.
#
#        acl aclname max_user_ip [-s] number
#          # This will be matched when the user attempts to log in from more
#          # than <number> different ip addresses. The authenticate_ip_ttl
#          # parameter controls the timeout on the ip entries.
#          # If -s is specified the limit is strict, denying browsing
#          # from any further IP addresses until the ttl has expired. Without
#          # -s Squid will just annoy the user by "randomly" denying requests.
#          # (the counter is reset each time the limit is reached and a
#          # request is denied)
#          # NOTE: in acceleration mode or where there is mesh of child proxies,
#          # clients may appear to come from multiple addresses if they are
#          # going through proxy farms, so a limit of 1 may cause user problems.
#
#        acl aclname req_mime_type mime-type1 ...
#          # regex match against the mime type of the request generated
#          # by the client. Can be used to detect file upload or some
#          # types HTTP tunneling requests.
#          # NOTE: This does NOT match the reply. You cannot use this
#          # to match the returned file type.
#
#        acl aclname req_header header-name [-i] any\.regex\.here
#          # regex match against any of the known request headers.  May be
#          # thought of as a superset of "browser", "referer" and "mime-type"
#          # ACLs.
#
#        acl aclname rep_mime_type mime-type1 ...
#          # regex match against the mime type of the reply received by
#          # squid. Can be used to detect file download or some
#          # types HTTP tunneling requests.
#          # NOTE: This has no effect in http_access rules. It only has
#          # effect in rules that affect the reply data stream such as
#          # http_reply_access.
#
#        acl aclname rep_header header-name [-i] any\.regex\.here
#          # regex match against any of the known response headers.
#          # Example:
#          #
#          # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
#        acl acl_name external class_name [arguments...]
#          # external ACL lookup via a helper class defined by the
#          # external_acl_type directive.
#
#        acl urlgroup group1 ...
#          # match against the urlgroup as indicated by redirectors
#
#        acl aclname user_cert attribute values...
#          # match against attributes in a user SSL certificate
#          # attribute is one of DN/C/O/CN/L/ST
#
#        acl aclname ca_cert attribute values...
#          # match against attributes a users issuing CA SSL certificate
#          # attribute is one of DN/C/O/CN/L/ST
#
#        acl aclname ext_user       username ...
#        acl aclname ext_user_regex [-i] pattern ...
#          # string match on username returned by external acl
#          # use REQUIRED to accept any user name.
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT

#  TAG: follow_x_forwarded_for
#        Allowing or Denying the X-Forwarded-For header to be followed to
#        find the original source of a request.
#
#        Requests may pass through a chain of several other proxies
#        before reaching us.  The X-Forwarded-For header will contain a
#        comma-separated list of the IP addresses in the chain, with the
#        rightmost address being the most recent.
#
#        If a request reaches us from a source that is allowed by this
#        configuration item, then we consult the X-Forwarded-For header
#        to see where that host received the request from.  If the
#        X-Forwarded-For header contains multiple addresses, and if
#        acl_uses_indirect_client is on, then we continue backtracking
#        until we reach an address for which we are not allowed to
#        follow the X-Forwarded-For header, or until we reach the first
#        address in the list.  (If acl_uses_indirect_client is off, then
#        it's impossible to backtrack through more than one level of
#        X-Forwarded-For addresses.)
#
#        The end result of this process is an IP address that we will
#        refer to as the indirect client address.  This address may
#        be treated as the client address for access control, delay
#        pools and logging, depending on the acl_uses_indirect_client,
#        delay_pool_uses_indirect_client and log_uses_indirect_client
#        options.
#
#        SECURITY CONSIDERATIONS:
#
#                Any host for which we follow the X-Forwarded-For header
#                can place incorrect information in the header, and Squid
#                will use the incorrect information as if it were the
#                source address of the request.  This may enable remote
#                hosts to bypass any access control restrictions that are
#                based on the client's source addresses.
#
#        For example:
#
#                acl localhost src 127.0.0.1
#                acl my_other_proxy srcdomain .proxy.example.com
#                follow_x_forwarded_for allow localhost
#                follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all

#  TAG: acl_uses_indirect_client        on|off
#        Controls whether the indirect client address
#        (see follow_x_forwarded_for) is used instead of the
#        direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on

#  TAG: delay_pool_uses_indirect_client        on|off
#        Controls whether the indirect client address
#        (see follow_x_forwarded_for) is used instead of the
#        direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on

#  TAG: log_uses_indirect_client        on|off
#        Controls whether the indirect client address
#        (see follow_x_forwarded_for) is used instead of the
#        direct client address in the access log.
#
#Default:
# log_uses_indirect_client on

#  TAG: http_access
#        Allowing or Denying access based on defined access lists
#
#        Access to the HTTP port:
#        http_access allow|deny [!]aclname ...
#
#        NOTE on default values:
#
#        If there are no "access" lines present, the default is to deny
#        the request.
#
#        If none of the "access" lines cause a match, the default is the
#        opposite of the last line in the list.  If the last line was
#        deny, the default is allow.  Conversely, if the last line
#        is allow, the default will be deny.  For these reasons, it is a
#        good idea to have an "deny all" or "allow all" entry at the end
#        of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

  acl our_networking src 192.168.1.0/24
     http_access allow our_networking
   acl badfile1 urlpath_regex -i \.mp3$\.exe$\.zip$\.rar$
     http_access deny badfile1

#6, posted 2007-09-10 15:44
"#http_access allow our_networks

  acl our_networking src 192.168.1.0/24
     http_access allow our_networking
   acl badfile1 urlpath_regex -i \.mp3$\.exe$\.zip$\.rar$
     http_access deny badfile1"
With that, once the our_networking condition is satisfied, the badfile condition is never evaluated.
Swap the order and it should block rar, mp3, exe and zip downloads. Of course, if some downloads are served through PHP and the URL contains no actual file name, this will not block them.

#7, posted 2007-09-10 16:48

Reply to jinl's post #6

I swapped the positions, but songs on baidu can still be downloaded.

#8, posted 2007-09-11 17:42

Reply to jinl's post #6

It works now: each blocked item needs to be separated by a space. But downloads via Xunlei still cannot be blocked.
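
As an added illustration (not code from the thread or from Squid), a small Python model of how Squid evaluates http_access lines and urlpath_regex values. It covers both fixes discussed above: the rule order from #6 (first matching http_access line wins) and the space-separated patterns from #8 (each word of a urlpath_regex acl is a separate regex, so a glued `\.mp3$\.exe$\.rar$` can never match). It models only the src and urlpath_regex acl types, and the configs and URLs it runs against are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def urlpath(url):
    # urlpath_regex is matched against the URL minus scheme and host (path plus query)
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")

def parse_config(text):
    # Parse 'acl ... src', 'acl ... urlpath_regex' and 'http_access' lines; several
    # acl lines sharing one name are ORed together, as in Squid.
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            flags = 0
            if args and args[0] == "-i":  # case-insensitive regex
                flags, args = re.IGNORECASE, args[1:]
            if kind == "src":
                nets = [ipaddress.ip_network(a, strict=False) for a in args]
                test = lambda req, nets=nets: any(ipaddress.ip_address(req["src"]) in n for n in nets)
            else:  # urlpath_regex: one regex per space-separated word, any of them may match
                regs = [re.compile(a, flags) for a in args]
                test = lambda req, regs=regs: any(r.search(urlpath(req["url"])) for r in regs)
            acls.setdefault(name, []).append(test)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def http_access(acls, rules, req):
    # First http_access line whose acls all match decides ('!' negates an acl);
    # if no line matches, the default is the opposite of the last line's action.
    for action, names in rules:
        if all(any(f(req) for f in acls[n.lstrip("!")]) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def decide(config, src, url):
    acls, rules = parse_config(config)
    return http_access(acls, rules, {"src": src, "url": url})

# Constructed configs modelled on the thread: glued vs. space-separated regex, allow-first vs. deny-first.
BASE = "acl all src 0.0.0.0/0.0.0.0\nacl our_networking src 192.168.1.0/24\n"
GLUED = BASE + r"acl badfile1 urlpath_regex -i \.mp3$\.exe$\.zip$\.rar$" + "\n"
FIXED = BASE + r"acl badfile1 urlpath_regex -i \.mp3$ \.exe$ \.zip$ \.rar$" + "\n"
ALLOW_FIRST = "http_access allow our_networking\nhttp_access deny badfile1\nhttp_access deny all\n"
DENY_FIRST = "http_access deny badfile1\nhttp_access allow our_networking\nhttp_access deny all\n"
```

Run `decide(GLUED + DENY_FIRST, "192.168.1.10", "http://example.com/song.MP3")` to see that reordering alone still allows the download, and `decide(FIXED + DENY_FIRST, ...)` to see the deny take effect; a URL such as `/get.php?id=5` is still allowed, which is the caveat from #6.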

#9, posted 2007-09-11 21:39

Xunlei downloads do not go through squid at all. What you need to do:
1. On the firewall, block everyone from reaching the internet without going through the proxy, i.e. close all ports.
2. On the firewall, exempt the proxy server, so that only the squid machine can reach the internet.
3. Everyone must go through squid for internet access.

That way Xunlei, FlashGet, ftp and the like all stop working.
Anyone with a special request gets a separate configuration.

#10, posted 2007-09-12 10:12

Reply to liuhanzhao's post #9

Got it, I'll give it a try first.