Linux Mail Server Setup and Howto Guide

Example

acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443

Example

acl Safe_ports port "/etc/squid/safe_ports"

/etc/squid/safe_ports contains the lines below

80
21
443

Matches a regular expression pattern against the User-Agent header of a browser. Use the -i option to make the comparison case-insensitive. Visit http://www.useragent.org/ to see your User-Agent header.

acl aclname browser [-i] regexp

Example

acl mozilla_compatible browser Mozilla

Matches the IP address of the requesting client. If hostname is specified, it will be converted to an IP address during Squid initialization so it won’t match anymore if the IP address changes afterwards.

acl aclname src ip-address[/netmask]
acl aclname src addr1-addr2/netmask
acl aclname src hostname

Example

acl boss_ip         src 192.168.0.2
acl bosses_ip       src 192.168.0.2-192.168.0.10/255.255.255.0
acl local_network   src 192.168.0.0/24
acl office_networks src 192.168.1.0-192.168.10.0/24

Matches the reverse DNS of the requesting client’s IP address.

acl aclname srcdomain hostname.domain.suffix
acl aclname srcdomain .domain.suffix

Example

acl bugs_host   srcdomain bugsbunny.acme.local
acl acme_domain srcdomain .acme.local

Matches a regular expression pattern against the the reverse DNS of the requesting client’s IP address. Use the -i option to make the comparison case-insensitive.

acl aclname srcdom_regexp [-i] regexp

Example

acl hostname_starting_with_the_letter_x srcdom_regexp ^x.*

Matches the date and time the client is making the request.

acl aclname time [day-abbreviations] [h1:m1-h2:m2]

Day Abbreviations

• S - Sunday
• M - Monday
• T - Tuesday
• W - Wednesday
• H -Thursday
• F - Friday
• A - Saturday
• D - Weekdays (Monday - Friday)

Example

acl lunch_break  time 12:00-13:00
acl office_hours time D 09:00-17:00

Matches the Destination Autonomous System Number of the server being queried.

acl aclname dst_as number

Example

acl sampleas dst_as 1234

Matches the ethernet (Media Access Control, MAC) address of the requesting client. Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address.

acl aclname arp mac-address

Example

acl boss_mac arp 01:02:03:04:05:06

Matches a username acquired using HTTP authentication headers. Use the -i option to make the comparison case-insensitive. Use REQUIRED to match all users.

acl aclname proxy_auth username1 username2
acl aclname proxy_auth REQUIRED

Example

acl acme_top_stars      proxy_auth bugsbunny daffyduck
acl authenticated_users proxy_auth REQUIRED

Matches a regular expression pattern against a username acquired using HTTP authentication headers. Use the -i option to make the comparison case-insensitive.

acl aclname proxy_auth_regexp [-i] regexp

Example

acl usernames_starting_with_the_letter_x proxy_auth_regexp ^x.*

Matches when the same user attempts to log in for more than the specified number of times from different ip addresses. Use the -s option to strictly enforce the limit. Without -s, Squid will just annoy the user by “randomly” denying requests.

acl aclname max_user_ip [-s] number

Example

acl max_user_ip_conn max_user_ip 5

Matches when the specified number of HTTP connections for a client has been exceeded.

acl aclname maxconn number

Example

acl max_conn_limit maxconn 10

Matches the IP address of the Squid server where the client connected. Useful for servers with multiple IP addresses. If hostname is specified, it will be converted to an IP address during Squid initialization so it won’t match anymore if the IP address changes afterwards.

acl aclname myip ip-address[/netmask]
acl aclname myip addr1-addr2/netmask
acl aclname myip hostname

Example

acl dialup_ip 192.168.0.2

Matches the port of the Squid server where the client connected to. Useful for servers listening in multiple ports.

acl aclname myport portnumber

Example

acl accel_port myport 80
acl proxy_port myport 3128

Matches a username against an external ident server running on the client machines.

acl aclname ident username

Example

acl friends ident bugsbunny daffyduck

Matches a regular expression pattern against an external ident server running on the client machines. Use the -i option to make the comparison case-insensitive.

acl aclname ident_regexp [-i] regexp

Example

acl usernames_starting_with_the_letter_x ident_regexp ^x.*

Matches the regular expression pattern against the Content-Type header of the origin server’s HTTP response. Useful only when used in an http_reply_access rule. Use the -i option to make the comparison case-insensitive.

acl aclname rep_mime_type [-i] regexp

Example

acl java_download rep_mime_type application/x-java

Matches the regular express pattern against the Content-Type header of the client’s HTTP request. You can use this to detect certain file uploads and some types of HTTP tunneling requests. Use the -i option to make the comparison case-insensitive.

acl aclname req_mime_type [-i] regexp

Example

acl audio_file_upload req_mime_type -i ^audio/

Matches the HTTP request method sent by the client. Squid recognizes the following methods: GET,POST,PUT,HEAD, CONNECT,TRACE,OPTIONS and DELETE.

acl aclname method method-type

Example

acl get_post_method method GET POST

Matches a string against an SNMP query, which is controlled by the snmp_access directive.

acl aclname snmp_community string

Example

acl my_community snmp_community MyCommunity

Matches the Autonomous System Number of the requesting client.

acl aclname src_as number

Example

acl my_isp src_as 1234

Matches a regular expression pattern against the requested URL path. The URL path specifies the path only and does not include the protocol and the hostname. Use the -i option to make the comparison case-insensitive.

acl aclname urlpath_regexp [-i] regexp

Example

acl images_path urlpath_regexp ^/images

Matches the destination port number of the request.

acl aclname port number
acl aclname port range

Example

acl web_port  port 80
acl voip_port port 10000-11000

Matches the protocol of the request.

acl aclname proto protocol

Example

acl ftp proto FTP

Matches a regular expression pattern against the requested URL. Use the -i option to make the comparison case-insensitive.

acl aclname url_regexp [-i] regexp

Example

acl ftp_mp3 url_regexp ^ftp://.*\.mp3$

Matches the IP address of the destination server. If hostname is specified, it will be converted to an IP address during Squid initialization so it won’t match anymore if the IP address changes afterwards.

acl aclname dst ip-address[/netmask]
acl aclname dst addr1-addr2/netmask
acl aclname dst hostname

Example

acl google dst www.google.com

Matches the domain of the destination server.

acl aclname dstdomain hostname.domain.suffix
acl aclname dstdomain .domain.suffix 

Example

acl www_google dstdomain www.google.com
acl www_google dstdomain google.com  # matches exactly google.com
acl google_dom dstdomain .google.com # all subdomains of google.com

Matches the regular expression pattern against the domain of the destination server.

acl aclname dstdom_regexp regexp

Example

acl domains_starting_with_the_letter_x dstdom_regexp ^x.*