A Squid Access Control List (ACL) element defines a specific condition that can be acted upon when it is met. Listed below are the different types of ACL elements available in Webmin and their equivalents in the Squid configuration file.

You can define multiple ACL elements with the same name and type. The ACL is acted upon if any one of those conditions is met.

Example
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443

You can also define multiple values in a separate file.

Example
acl Safe_ports port "/etc/squid/safe_ports"
/etc/squid/safe_ports contains the lines below:
80
21
443

Browser Regexp (browser)

Matches a regular expression pattern against the User-Agent header of a browser. Use the -i option to make the comparison case-insensitive. Visit http://www.useragent.org/ to see your User-Agent header.
acl aclname browser [-i] regexp
Example
acl mozilla_compatible browser Mozilla

Client Address (src)

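Matches the IP address of the requesting client. If a hostname is specified, it is converted to an IP address during Squid initialization, so the ACL will no longer match if the host’s IP address changes afterwards. In the range form, the netmask is applied to both addresses, so a range of individual hosts needs a host mask (255.255.255.255); a 255.255.255.0 mask would widen the range to the whole subnet.
acl aclname src ip-address[/netmask]
acl aclname src addr1-addr2/netmask
acl aclname src hostname
Example
acl boss_ip         src 192.168.0.2
acl bosses_ip       src 192.168.0.2-192.168.0.10/255.255.255.255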
acl local_network   src 192.168.0.0/24
acl office_networks src 192.168.1.0-192.168.10.0/24
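The following lint check is an added example, not part of the original page or of Squid. It illustrates two points made above: entries with the same name and type are merged into one ACL, and src/dst/myip values need care with hostnames and netmasks. The function names and the sample lines are hypothetical.

```python
import ipaddress

# ACL type keywords documented on this page.
KNOWN_TYPES = set("""browser src srcdomain srcdom_regexp time dst_as arp
proxy_auth proxy_auth_regexp max_user_ip maxconn myip myport ident
ident_regexp rep_mime_type req_mime_type method snmp_community src_as
urlpath_regexp port proto url_regexp dst dstdomain dstdom_regexp""".split())
ADDRESS_TYPES = {"src", "dst", "myip"}

# Constructed sample input, not a real configuration.
SAMPLE = """\
acl Safe_ports port 80
acl Safe_ports port 443
acl bosses_ip src 192.168.0.2-192.168.0.10/255.255.255.0
acl local_network src 192.168.0.0/24
acl dialup_ip 192.168.0.2
acl google dst www.google.com
acl Safe_ports src 10.0.0.1
"""

def check_address(value):
    """Return a warning for one src/dst/myip value, or None."""
    if value.startswith('"'):          # values kept in a separate file
        return None
    addrs, _, mask = value.partition("/")
    try:
        ips = [ipaddress.ip_address(a) for a in addrs.split("-")]
    except ValueError:
        return "hostname is resolved only once, at Squid initialization"
    if mask:
        net = ipaddress.ip_network(f"{ips[0]}/{mask}", strict=False)
        if any(int(ip) & int(net.hostmask) for ip in ips):
            return "netmask masks away part of the address"

def lint(conf_text):
    """Parse 'acl name type value...' lines; return (acls, findings)."""
    acls, findings = {}, []
    for n, line in enumerate(conf_text.splitlines(), 1):
        tok = line.split("#", 1)[0].split()
        if not tok or tok[0] != "acl":
            continue
        if len(tok) < 4 or tok[2] not in KNOWN_TYPES:
            findings.append((n, "missing or unknown ACL type"))
        elif acls.setdefault(tok[1], (tok[2], []))[0] != tok[2]:
            findings.append((n, f"{tok[1]}: already defined as {acls[tok[1]][0]}"))
        else:
            acls[tok[1]][1].extend(tok[3:])  # same name and type: any value matches
            if tok[2] in ADDRESS_TYPES:
                findings += [(n, f"{v}: {w}") for v in tok[3:] if (w := check_address(v))]
    return acls, findings
```

Calling `lint(SAMPLE)` returns the merged ACLs plus findings for sample lines 3, 5, 6 and 7.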

Client Hostname (srcdomain)

Matches the reverse DNS of the requesting client’s IP address.
acl aclname srcdomain hostname.domain.suffix
acl aclname srcdomain .domain.suffix
Example
acl bugs_host   srcdomain bugsbunny.acme.local
acl acme_domain srcdomain .acme.local

Client Regexp (srcdom_regexp)

Matches a regular expression pattern against the reverse DNS of the requesting client’s IP address. Use the -i option to make the comparison case-insensitive.
acl aclname srcdom_regexp [-i] regexp
Example
acl hostname_starting_with_the_letter_x srcdom_regexp ^x.*

Date and Time (time)

Matches the date and time the client is making the request.
acl aclname time [day-abbreviations] [h1:m1-h2:m2]
Day Abbreviations
  • S – Sunday
  • M – Monday
  • T – Tuesday
  • W – Wednesday
  • H – Thursday
  • F – Friday
  • A – Saturday
  • D – Weekdays (Monday – Friday)
Example
acl lunch_break  time 12:00-13:00
acl office_hours time D 09:00-17:00

Dest AS Number (dst_as)

Matches the Destination Autonomous System Number of the server being queried.
acl aclname dst_as number
Example
acl sampleas dst_as 1234

Ethernet Address (arp)

Matches the Ethernet (Media Access Control, MAC) address of the requesting client. Squid can only determine the MAC address of clients that are on the same subnet. If the client is on a different subnet, Squid cannot find out its MAC address.
acl aclname arp mac-address
Example
acl boss_mac arp 01:02:03:04:05:06

External Auth (proxy_auth)

Matches a username acquired using HTTP authentication headers. Use the -i option to make the comparison case-insensitive. Use REQUIRED to match all users.
acl aclname proxy_auth username1 username2
acl aclname proxy_auth REQUIRED
Example
acl acme_top_stars      proxy_auth bugsbunny daffyduck
acl authenticated_users proxy_auth REQUIRED

External Auth Regexp (proxy_auth_regexp)

Matches a regular expression pattern against a username acquired using HTTP authentication headers. Use the -i option to make the comparison case-insensitive.
acl aclname proxy_auth_regexp [-i] regexp
Example
acl usernames_starting_with_the_letter_x proxy_auth_regexp ^x.*

Max User IP (max_user_ip)

Matches when the same user attempts to log in from more than the specified number of different IP addresses. Use the -s option to strictly enforce the limit. Without -s, Squid will just annoy the user by “randomly” denying requests.
acl aclname max_user_ip [-s] number
Example
acl max_user_ip_conn max_user_ip 5

Maximum Connections (maxconn)

Matches when the specified number of HTTP connections for a client has been exceeded.
acl aclname maxconn number
Example
acl max_conn_limit maxconn 10

Proxy IP Address (myip)

Matches the IP address of the Squid server that the client connected to. Useful for servers with multiple IP addresses. If a hostname is specified, it is converted to an IP address during Squid initialization, so the ACL will no longer match if the host’s IP address changes afterwards.
acl aclname myip ip-address[/netmask]
acl aclname myip addr1-addr2/netmask
acl aclname myip hostname
Example
acl dialup_ip myip 192.168.0.2

Proxy Port (myport)

Matches the port of the Squid server that the client connected to. Useful for servers listening on multiple ports.
acl aclname myport portnumber
Example
acl accel_port myport 80
acl proxy_port myport 3128

RFC931 User (ident)

Matches the username reported by an external ident server running on the client machine.
acl aclname ident username

Example
acl friends ident bugsbunny daffyduck

RFC931 User Regexp (ident_regexp)

Matches a regular expression pattern against the username reported by an external ident server running on the client machine. Use the -i option to make the comparison case-insensitive.
acl aclname ident_regexp [-i] regexp
Example
acl usernames_starting_with_the_letter_x ident_regexp ^x.*

Reply MIME Type (rep_mime_type)

Matches a regular expression pattern against the Content-Type header of the origin server’s HTTP response. Useful only when used in an http_reply_access rule. Use the -i option to make the comparison case-insensitive.
acl aclname rep_mime_type [-i] regexp
Example
acl java_download rep_mime_type application/x-java

Request MIME Type (req_mime_type)

Matches a regular expression pattern against the Content-Type header of the client’s HTTP request. You can use this to detect certain file uploads and some types of HTTP tunneling requests. Use the -i option to make the comparison case-insensitive.
acl aclname req_mime_type [-i] regexp
Example
acl audio_file_upload req_mime_type -i ^audio/

Request Method (method)

Matches the HTTP request method sent by the client. Squid recognizes the following methods: GET, POST, PUT, HEAD, CONNECT, TRACE, OPTIONS and DELETE.
acl aclname method method-type
Example
acl get_post_method method GET POST

SNMP Community (snmp_community)

Matches a string against an SNMP query, which is controlled by the snmp_access directive.
acl aclname snmp_community string
Example
acl my_community snmp_community MyCommunity

Source AS Number (src_as)

Matches the Autonomous System Number of the requesting client.
acl aclname src_as number
Example
acl my_isp src_as 1234

URL Path Regexp (urlpath_regexp)

Matches a regular expression pattern against the requested URL path. The URL path specifies the path only and does not include the protocol and the hostname. Use the -i option to make the comparison case-insensitive.
acl aclname urlpath_regexp [-i] regexp
Example
acl images_path urlpath_regexp ^/images

URL Port (port)

Matches the destination port number of the request.
acl aclname port number
acl aclname port range
Example
acl web_port  port 80
acl voip_port port 10000-11000

URL Protocol (proto)

Matches the protocol of the request.
acl aclname proto protocol
Example
acl ftp proto FTP

URL Regexp (url_regexp)

Matches a regular expression pattern against the requested URL. Use the -i option to make the comparison case-insensitive.
acl aclname url_regexp [-i] regexp
Example
acl ftp_mp3 url_regexp ^ftp://.*\.mp3$

Web Server Address (dst)

Matches the IP address of the destination server. If a hostname is specified, it is converted to an IP address during Squid initialization, so the ACL will no longer match if the host’s IP address changes afterwards.
acl aclname dst ip-address[/netmask]
acl aclname dst addr1-addr2/netmask
acl aclname dst hostname
Example
acl google dst www.google.com

Web Server Hostname (dstdomain)

Matches the domain of the destination server.
acl aclname dstdomain hostname.domain.suffix
acl aclname dstdomain .domain.suffix
Example
acl www_google dstdomain www.google.com
acl www_google dstdomain google.com  # matches exactly google.com
acl google_dom dstdomain .google.com # all subdomains of google.com

Web Server Regexp (dstdom_regexp)

Matches a regular expression pattern against the domain of the destination server.
acl aclname dstdom_regexp regexp
Example
acl domains_starting_with_the_letter_x dstdom_regexp ^x.*


***
Posted on 10/19/2008 and last updated on 11/6/2009