Introducción

Bienvenid@s a la segunda parte de este “Mastering in Squid”, en esta parte del curso, os explicaremos qué son las listas de control de acceso una parte de las directivas de Squid, para qué se utilizan y cómo utilizarlas, no nos lo podemos perder.

¿Qué son las ACL?

Las ACL (Access Control List) o en español Listas de Control de Acceso es un concepto de seguridad informática que utiliza para fomentar la separación de privilegios, en nuestro caso, ayudará a separar url, ips o nombres de máquinas para posteriormente hacer algo con ellas, como por ejemplo, en un instituo, permitir el acceso a redes sociales a los profesores, pero no a los ordenadores de los alumnos…

¿Cómo definimos las ACL?

Existen dos tipos de sintaxis, en línea o apuntando a un archivo.

En línea: Es más cómodo cuando apuntamos 2,3 datos, más se puede volver ilegible y engorroso.
acl nombre_de_lista tipo_acl dato1 dato2 dato3
Apuntando a un archivo: Se utiliza cuando apuntamos más de 3 datos, se permiten comentarios.
acl nomnre_de_lista tipo_acl “/DIRECTORIO/ARCHIVO”

¿Qué tipos de ACL tenemos?

Tenemos multitud de ellos como:

arp [DIRECCION_MAC]: Crea una ACL con una o varias dirección(es) MAC.
- _Notas:
- No funciona con todos los sistemas operativos, según la documentación trabaja correctamente con Linux, Solaris, Windows, FreeBSD y otras variantes de BSD.
- Squid solo puede determinar la dirección MAC/EUI para clientes IPv4 que se encuentren en la misma subred, si están en otras subredes Squid no puede reconocer qué equipo es.
- El protocolo IPv6 no contiene ARP, se utiliza ND (Neighbor Discovery) que es parecido, con lo que esta directiva no funciona para IPv6._
clientside mark[/mask] -Esta aplicación hay que investigarla
srcdomain .google.es: Permite definir un dominio o dirección IP/direcciones origen
dstdomain dirección_destino: Puede ser una url, ip o conjunto de direcciones ips.
srcdom_regex \.google\.* : Igual que srdomain pero con la opción de usar expresiones regulares.
dstdom_regex \.google\.* : Especifica dirección destino haciendo uso de expresiones regulares.
- src_as number
- dst_as number
time [DIA DE LA SEMANA] [HORA1]-[HORA2]: Establece un periodo de conexión:
- Se define la semana como:
  - M -> Lunes
  - T -> Martes
  - W -> Miércoles
  - H -> Jueves
  - F -> Viernes
  - A -> Sábado
- Se define la HORA1 y HORA2 como: hh:mm
url_regex ^http://: Permite bloquear urls haciendo uso de expresiones regulares.
urllogin [^a-zA-Z0-9]: Busca una expresión regular que coincida con un campo login
urlpath_regex \.exe(\?.*)?$: Encuentra un directorio y permite filtrar contenido
port 80 70 120: Permite definir un puerto o varios, se permiten rangos destino TCP
localport 3128: Puerto de cliente TCP conectado a
myportname 3128: Refleja si los detalles de conexión TCP equivalen al puerto declarado en el fichero de configuración de Squid.
proto HTTP FTP...: Se pueden bloquear protocolos como FTP para que no se pueda acceder.
method GET PUT POST: Especifica si se puede utilizar o no los métodos de solicitud del protocolo HTTP.
http_status 404 200: Especifica el código de respuesta del servidor
browser Mozilla: Especifica el navegador al que bloquear o no, se identifica mediante el UserAgent.
referer_regex regexp: Permite encontrar un patrón relacionado con la expresión regular que definimos, es muy difícil de aplicar, por lo que hay que tener cuidado.
ident cadena: Busca una cadena
ident_regex patrón: Busca una cadena relacionada con lo declarado.
acl aclname proxy_auth [-i] username: … acl aclname proxy_auth_regex [-i] pattern …
perform http authentication challenge to the client and match against
supplied credentials [slow]
takes a list of allowed usernames.
use REQUIRED to accept any valid username.
Will use proxy authentication in forward-proxy scenarios, and plain
http authenticaiton in reverse-proxy scenarios
NOTE: when a Proxy-Authentication header is sent but it is not
needed during ACL checking the username is NOT logged
in access.log.
NOTE: proxy_auth requires a EXTERNAL authentication program
to check username/password combinations (see
auth_param directive).
NOTE: proxy_auth can’t be used in a transparent/intercepting proxy
as the browser needs to be configured for using a proxy in order
to respond to proxy authentication.
acl aclname snmp_community string …
A community string to limit access to your SNMP Agent [fast]
Example:
acl snmppublic snmp_community public
acl aclname maxconn number
This will be matched when the client’s IP address has
more than TCP connections established. [fast]
NOTE: This only measures direct TCP links so X-Forwarded-For
indirect clients are not counted.
acl aclname max_user_ip [-s] number
This will be matched when the user attempts to log in from more
than different ip addresses. The authenticate_ip_ttl
parameter controls the timeout on the ip entries. [fast]
If -s is specified the limit is strict, denying browsing
from any further IP addresses until the ttl has expired. Without
-s Squid will just annoy the user by “randomly” denying requests.
(the counter is reset each time the limit is reached and a
request is denied)
NOTE: in acceleration mode or where there is mesh of child proxies,
clients may appear to come from multiple addresses if they are
going through proxy farms, so a limit of 1 may cause user problems.
acl aclname random probability
Pseudo-randomly match requests. Based on the probability given.
Probability may be written as a decimal (0.333), fraction (1/3)
or ratio of matches:non-matches (3:5).
acl aclname req_mime_type [-i] mime-type …
regex match against the mime type of the request generated
by the client. Can be used to detect file upload or some
types HTTP tunneling requests [fast]
NOTE: This does NOT match the reply. You cannot use this
to match the returned file type.
acl aclname req_header header-name [-i] any.regex.here
regex match against any of the known request headers. May be
thought of as a superset of “browser”, “referer” and “mime-type”
ACL [fast]
acl aclname rep_mime_type [-i] mime-type …
regex match against the mime type of the reply received by
squid. Can be used to detect file download or some
types HTTP tunneling requests. [fast]
NOTE: This has no effect in http_access rules. It only has
effect in rules that affect the reply data stream such as
http_reply_access.
acl aclname rep_header header-name [-i] any.regex.here
regex match against any of the known reply headers. May be
thought of as a superset of “browser”, “referer” and “mime-type”
ACLs [fast]
acl aclname external class_name [arguments…]
external ACL lookup via a helper class defined by the
external_acl_type directive [slow]
acl aclname user_cert attribute values…
match against attributes in a user SSL certificate
attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
acl aclname ca_cert attribute values…
match against attributes a users issuing CA SSL certificate
attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
acl aclname ext_user username … acl aclname ext_user_regex [-i] pattern …
string match on username returned by external acl helper [slow]
use REQUIRED to accept any non-null user name.
acl aclname tag tagvalue …
string match on tag returned by external acl helper [fast]
DEPRECATED. Only the first tag will match with this ACL.
Use the ’note’ ACL instead for handling multiple tag values.
acl aclname hier_code codename …
string match against squid hierarchy code(s); [fast]
e.g., DIRECT, PARENT_HIT, NONE, etc.
NOTE: This has no effect in http_access rules. It only has
effect in rules that affect the reply data stream such as
http_reply_access.
acl aclname note [-m[=delimiters]] name [value …]
match transaction annotation [fast]
Without values, matches any annotation with a given name.
With value(s), matches any annotation with a given name that
also has one of the given values.
If the -m flag is used, then the value of the named
annotation is interpreted as a list of tokens, and the ACL
matches individual name=token pairs rather than whole
name=value pairs. See “ACL Options” above for more info.
Annotation sources include note and adaptation_meta directives
as well as helper and eCAP responses.
acl aclname adaptation_service service …
Matches the name of any icap_service, ecap_service,
adaptation_service_set, or adaptation_service_chain that Squid
has used (or attempted to use) for the master transaction.
This ACL must be defined after the corresponding adaptation
service is named in squid.conf. This ACL is usable with
adaptation_meta because it starts matching immediately after
the service has been selected for adaptation.
acl aclname transaction_initiator initiator …
Matches transaction’s initiator [fast]
Supported initiators are:
esi: matches transactions fetching ESI resources
certificate-fetching: matches transactions fetching
a missing intermediate TLS certificate
cache-digest: matches transactions fetching Cache Digests
from a cache_peer
htcp: matches HTCP requests from peers
icp: matches ICP requests to peers
icmp: matches ICMP RTT database (NetDB) requests to peers
asn: matches asns db requests
internal: matches any of the above
client: matches transactions containing an HTTP or FTP
client request received at a Squid *_port
all: matches any transaction, including internal transactions
without a configurable initiator and hopefully rare
transactions without a known-to-Squid initiator
Multiple initiators are ORed.
acl aclname has component
matches a transaction “component” [fast]
Supported transaction components are:
request: transaction has a request header (at least)
response: transaction has a response header (at least)
ALE: transaction has an internally-generated Access Log Entry
structure; bugs notwithstanding, all transaction have it
For example, the following configuration helps when dealing with HTTP
clients that close connections without sending a request header:
acl hasRequest has request
acl logMe note important_transaction
# avoid “logMe ACL is used in context without an HTTP request” warnings
access_log … logformat=detailed hasRequest logMe
# log request-less transactions, instead of ignoring them
access_log … logformat=brief !hasRequest
Multiple components are not supported for one “acl” rule, but
can be specified (and are ORed) using multiple same-name rules:
# OK, this strange logging daemon needs request or response,
# but can work without either a request or a response:
acl hasWhatMyLoggingDaemonNeeds has request
acl hasWhatMyLoggingDaemonNeeds has response

IF USE_OPENSSL acl aclname ssl_error errorname # match against SSL certificate validation error [fast] # # For valid error names see in /usr/local/squid/share/errors/templates/error-details.txt # template file. # # The following can be used as shortcuts for certificate properties: # [ssl::]certHasExpired: the “not after” field is in the past # [ssl::]certNotYetValid: the “not before” field is in the future # [ssl::]certUntrusted: The certificate issuer is not to be trusted. # [ssl::]certSelfSigned: The certificate is self signed. # [ssl::]certDomainMismatch: The certificate CN domain does not # match the name the name of the host we are connecting to. # # The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, # ssl::certUntrusted, and ssl::certSelfSigned can also be used as # predefined ACLs, just like the ‘all’ ACL. # # NOTE: The ssl_error ACL is only supported with sslproxy_cert_error, # sslproxy_cert_sign, and sslproxy_cert_adapt options.

acl aclname server_cert_fingerprint [-sha1] fingerprint
  # match against server SSL certificate fingerprint [fast]
  #
  # The fingerprint is the digest of the DER encoded version 
  # of the whole certificate. The user should use the form: XX:XX:...
  # Optional argument specifies the digest algorithm to use.
  # The SHA1 digest algorithm is the default and is currently
  # the only algorithm supported (-sha1).

acl aclname at_step step
  # match against the current step during ssl_bump evaluation [fast]
  # Never matches and should not be used outside the ssl_bump context.
  #
  # At each SslBump step, Squid evaluates ssl_bump directives to find
  # the next bumping action (e.g., peek or splice). Valid SslBump step
  # values and the corresponding ssl_bump evaluation moments are:
  #   SslBump1: After getting TCP-level and HTTP CONNECT info.
  #   SslBump2: After getting SSL Client Hello info.
  #   SslBump3: After getting SSL Server Hello info.

acl aclname ssl::server_name [option] .foo.com ...
  # matches server name obtained from various sources [fast]
  #
  # The ACL computes server name(s) using such information sources as
  # CONNECT request URI, TLS client SNI, and TLS server certificate 
  # subject (CN and SubjectAltName). The computed server name(s) usually
  # change with each SslBump step, as more info becomes available:
  # * SNI is used as the server name instead of the request URI,
  # * subject name(s) from the server certificate (CN and
  #   SubjectAltName) are used as the server names instead of SNI.
  #
  # When the ACL computes multiple server names, matching any single
  # computed name is sufficient for the ACL to match.
  #
  # The "none" name can be used to match transactions where the ACL
  # could not compute the server name using any information source
  # that was both available and allowed to be used by the ACL options at
  # the ACL evaluation time.
  #
  # Unlike dstdomain, this ACL does not perform DNS lookups.
  #
  # An ACL option below may be used to restrict what information 
  # sources are used to extract the server names from:
  #
  # --client-requested
  #   The server name is SNI regardless of what the server says.
  # --server-provided
  #   The server name(s) are the certificate subject name(s), regardless
  #   of what the client has requested. If the server certificate is
  #   unavailable, then the name is "none".
  # --consensus
  #   The server name is either SNI (if SNI matches at least one of the
  #   certificate subject names) or "none" (otherwise). When the server
  #   certificate is unavailable, the consensus server name is SNI.
  #
  # Combining multiple options in one ACL is a fatal configuration
  # error.
  #
  # For all options: If no SNI is available, then the CONNECT request
  # target (a.k.a. URI) is used instead of SNI (for an intercepted
  # connection, this target is the destination IP address).

acl aclname ssl::server_name_regex [-i] \.foo\.com ...
  # regex matches server name obtained from various sources [fast]

acl aclname connections_encrypted
  # matches transactions with all HTTP messages received over TLS
  # transport connections. [fast]
  #
  # The master transaction deals with HTTP messages received from
  # various sources. All sources used by the master transaction in the
  # past are considered by the ACL. The following rules define whether
  # a given message source taints the entire master transaction,
  # resulting in ACL mismatches:
  #
  #  * The HTTP client transport connection is not TLS.
  #  * An adaptation service connection-encryption flag is off.
  #  * The peer or origin server transport connection is not TLS.
  #
  # Caching currently does not affect these rules. This cache ignorance
  # implies that only the current HTTP client transport and REQMOD
  # services status determine whether this ACL matches a from-cache
  # transaction. The source of the cached response does not have any
  # effect on future transaction that use the cached response without
  # revalidation. This may change.
  #
  # DNS, ICP, and HTCP exchanges during the master transaction do not
  # affect these rules.

ENDIF acl aclname any-of acl1 acl2 … # match any one of the acls [fast or slow] # The first matching ACL stops further ACL evaluation. # # ACLs from multiple any-of lines with the same name are ORed. # For example, A = (a1 or a2) or (a3 or a4) can be written as # acl A any-of a1 a2 # acl A any-of a3 a4 # # This group ACL is fast if all evaluated ACLs in the group are fast # and slow otherwise.

acl aclname all-of acl1 acl2 ... 
  # match all of the acls [fast or slow]
  # The first mismatching ACL stops further ACL evaluation.
  #
  # ACLs from multiple all-of lines with the same name are ORed.
  # For example, B = (b1 and b2) or (b3 and b4) can be written as
  #   acl B all-of b1 b2
  #   acl B all-of b3 b4
  #
  # This group ACL is fast if all evaluated ACLs in the group are fast
  # and slow otherwise.

Introducción#

¿Qué son las ACL?#

¿Cómo definimos las ACL?#

¿Qué tipos de ACL tenemos?#

perform http authentication challenge to the client and match against#

supplied credentials [slow]#

takes a list of allowed usernames.#

use REQUIRED to accept any valid username.#

Will use proxy authentication in forward-proxy scenarios, and plain#

http authenticaiton in reverse-proxy scenarios#

NOTE: when a Proxy-Authentication header is sent but it is not#

needed during ACL checking the username is NOT logged#

in access.log.#

NOTE: proxy_auth requires a EXTERNAL authentication program#

to check username/password combinations (see#

auth_param directive).#

NOTE: proxy_auth can’t be used in a transparent/intercepting proxy#

as the browser needs to be configured for using a proxy in order#

to respond to proxy authentication.#

A community string to limit access to your SNMP Agent [fast]#

Example:#

acl snmppublic snmp_community public#

This will be matched when the client’s IP address has#

more than TCP connections established. [fast]#

NOTE: This only measures direct TCP links so X-Forwarded-For#

indirect clients are not counted.#

This will be matched when the user attempts to log in from more#

than different ip addresses. The authenticate_ip_ttl#

parameter controls the timeout on the ip entries. [fast]#

If -s is specified the limit is strict, denying browsing#

from any further IP addresses until the ttl has expired. Without#

-s Squid will just annoy the user by “randomly” denying requests.#

(the counter is reset each time the limit is reached and a#

request is denied)#

NOTE: in acceleration mode or where there is mesh of child proxies,#

clients may appear to come from multiple addresses if they are#

going through proxy farms, so a limit of 1 may cause user problems.#

Pseudo-randomly match requests. Based on the probability given.#

Probability may be written as a decimal (0.333), fraction (1/3)#

or ratio of matches:non-matches (3:5).#

regex match against the mime type of the request generated#

by the client. Can be used to detect file upload or some#

types HTTP tunneling requests [fast]#

NOTE: This does NOT match the reply. You cannot use this#

to match the returned file type.#

regex match against any of the known request headers. May be#

thought of as a superset of “browser”, “referer” and “mime-type”#

ACL [fast]#

regex match against the mime type of the reply received by#

squid. Can be used to detect file download or some#

types HTTP tunneling requests. [fast]#

NOTE: This has no effect in http_access rules. It only has#

effect in rules that affect the reply data stream such as#

http_reply_access.#

regex match against any of the known reply headers. May be#

thought of as a superset of “browser”, “referer” and “mime-type”#

ACLs [fast]#

external ACL lookup via a helper class defined by the#

external_acl_type directive [slow]#

match against attributes in a user SSL certificate#

attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]#

match against attributes a users issuing CA SSL certificate#

attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]#

string match on username returned by external acl helper [slow]#

use REQUIRED to accept any non-null user name.#

string match on tag returned by external acl helper [fast]#

DEPRECATED. Only the first tag will match with this ACL.#

Use the ’note’ ACL instead for handling multiple tag values.#

string match against squid hierarchy code(s); [fast]#

e.g., DIRECT, PARENT_HIT, NONE, etc.#

NOTE: This has no effect in http_access rules. It only has#

effect in rules that affect the reply data stream such as#

http_reply_access.#

match transaction annotation [fast]#

Without values, matches any annotation with a given name.#

With value(s), matches any annotation with a given name that#

also has one of the given values.#

If the -m flag is used, then the value of the named#

annotation is interpreted as a list of tokens, and the ACL#

matches individual name=token pairs rather than whole#

Introducción

¿Qué son las ACL?

¿Cómo definimos las ACL?

¿Qué tipos de ACL tenemos?

perform http authentication challenge to the client and match against

supplied credentials [slow]

takes a list of allowed usernames.

use REQUIRED to accept any valid username.

Will use proxy authentication in forward-proxy scenarios, and plain

http authenticaiton in reverse-proxy scenarios

NOTE: when a Proxy-Authentication header is sent but it is not

needed during ACL checking the username is NOT logged

in access.log.

NOTE: proxy_auth requires a EXTERNAL authentication program

to check username/password combinations (see

auth_param directive).

NOTE: proxy_auth can’t be used in a transparent/intercepting proxy

as the browser needs to be configured for using a proxy in order

to respond to proxy authentication.

A community string to limit access to your SNMP Agent [fast]

Example:

acl snmppublic snmp_community public

This will be matched when the client’s IP address has

more than TCP connections established. [fast]

NOTE: This only measures direct TCP links so X-Forwarded-For

indirect clients are not counted.

This will be matched when the user attempts to log in from more

than different ip addresses. The authenticate_ip_ttl

parameter controls the timeout on the ip entries. [fast]

If -s is specified the limit is strict, denying browsing

from any further IP addresses until the ttl has expired. Without

-s Squid will just annoy the user by “randomly” denying requests.

(the counter is reset each time the limit is reached and a

request is denied)

NOTE: in acceleration mode or where there is mesh of child proxies,

clients may appear to come from multiple addresses if they are

going through proxy farms, so a limit of 1 may cause user problems.

Pseudo-randomly match requests. Based on the probability given.

Probability may be written as a decimal (0.333), fraction (1/3)

or ratio of matches:non-matches (3:5).

regex match against the mime type of the request generated

by the client. Can be used to detect file upload or some

types HTTP tunneling requests [fast]

NOTE: This does NOT match the reply. You cannot use this

to match the returned file type.

regex match against any of the known request headers. May be

thought of as a superset of “browser”, “referer” and “mime-type”

ACL [fast]

regex match against the mime type of the reply received by

squid. Can be used to detect file download or some

types HTTP tunneling requests. [fast]

NOTE: This has no effect in http_access rules. It only has

effect in rules that affect the reply data stream such as

http_reply_access.

regex match against any of the known reply headers. May be

thought of as a superset of “browser”, “referer” and “mime-type”

ACLs [fast]

external ACL lookup via a helper class defined by the

external_acl_type directive [slow]

match against attributes in a user SSL certificate

attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]

match against attributes a users issuing CA SSL certificate

attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]

string match on username returned by external acl helper [slow]

use REQUIRED to accept any non-null user name.

string match on tag returned by external acl helper [fast]

DEPRECATED. Only the first tag will match with this ACL.

Use the ’note’ ACL instead for handling multiple tag values.

string match against squid hierarchy code(s); [fast]

e.g., DIRECT, PARENT_HIT, NONE, etc.

NOTE: This has no effect in http_access rules. It only has

effect in rules that affect the reply data stream such as

http_reply_access.

match transaction annotation [fast]

Without values, matches any annotation with a given name.

With value(s), matches any annotation with a given name that

also has one of the given values.

If the -m flag is used, then the value of the named

annotation is interpreted as a list of tokens, and the ACL

matches individual name=token pairs rather than whole