(although in practice some of these are reserved for special purposes), and each is stored as an 8-bit number.

The first line in the previous code covers IP addresses starting from 192.0.0.0; the /8 part means that the first 8 bits (the first quad, 192) are fixed and the rest are flexible. So Squid treats that as addresses 192.0.0.0, 192.0.0.1, through to 192.0.0.255, then 192.0.1.0, 192.0.1.1, and so on all the way through to 192.255.255.255.

The second line uses /16, which means Squid allows IP addresses from 192.168.0.0 to 192.168.255.255. The last line has /24, which allows addresses from 192.168.0.0 to 192.168.0.255.

You can place these addresses into Squid by using the src ACL line, like this:

acl internal_network src 10.0.0.0/24

That line creates a category of addresses from 10.0.0.0 to 10.0.0.255. You can combine multiple address groups together, like this:

acl internal_network src 10.0.0.0/24 10.0.3.0/24 10.0.5.0/24 192.168.0.1

That example allows 10.0.0.0-10.0.0.255, then 10.0.3.0-10.0.3.255, then 10.0.5.0-10.0.5.255, and finally the single address 192.168.0.1.

Keep in mind that if you are using the local machine and you have the web browser configured to use the proxy at 127.0.0.1, the client IP address will be 127.0.0.1, too. So, make sure that you have rules in place for localhost.

As with other ACL lines, you need to enable them with appropriate http_access allow and http_access deny lines.

Sample Configurations

To help you fully understand how Squid access control works, and also to help give you a head start developing your own rules, the following are some ACL lines you can try. Each line is preceded with one or more comment lines (starting with a #) explaining what it does:

# include the domains news.bbc.co.uk and slashdot.org
# and not newsimg.bbc.co.uk or www.slashdot.org.
acl newssites dstdomain news.bbc.co.uk slashdot.org

# include any subdomains of bbc.co.uk or slashdot.org
acl newssites dstdomain .bbc.co.uk .slashdot.org

# include only sites located in Canada
acl canadasites dstdomain .ca

# include only working hours
acl workhours time MTWHF 9:00-18:00

# include only lunchtimes
acl lunchtimes time MTWHF 13:00-14:00

# include only weekends
acl weekends time AS 00:00-23:59

# include URLs ending in '.zip'. Note: the \ is important,
# because '.' has a special meaning otherwise
acl zipfiles url_regex -i \.zip$

# include URLs starting with https
acl httpsurls url_regex -i ^https

# include all URLs that match 'hotmail'
acl hotmail url_regex -i hotmail

# include three specific IP addresses
acl directors src 10.0.0.14 10.0.0.28 10.0.0.31

# include all IPs from 192.168.0.0 to 192.168.0.255
acl internal src 192.168.0.0/24

# include all IPs from 192.168.0.0 to 192.168.0.255
# and all IPs from 10.0.0.0 to 10.255.255.255
acl internal src 192.168.0.0/24 10.0.0.0/8

When you have your ACL lines in place, you can put together appropriate http_access lines. You might, for example, want a multilayered access system in which certain users (say, company directors) have full access, whereas everyone else is filtered:

http_access allow directors
http_access deny hotmail
http_access deny zipfiles
http_access allow internal lunchtimes
http_access deny all

Because Squid matches those lines in order, directors will have full, unfiltered access to the web. If the client IP address is not in the directors list, the two deny lines are processed so that the user cannot download .zip files or read online mail at Hotmail. After blocking those two types of requests, the allow on the fourth line allows internal users to access the web, as long as they do so only at lunch time. The last line (which is highly recommended) blocks all other users from the proxy.
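To see the first-match evaluation described above (and the CIDR matching of src ACLs from earlier in the section) in action, the following added example simulates it in Python. It is not code from the book or from Squid itself; it assumes the ACL and http_access lines from the listing, with the zipfiles pattern written as \.zip$ and an explicit all ACL, and supports only the src, url_regex and time ACL types.

```python
import ipaddress, re
from datetime import datetime
# Added example, not code from the book or from Squid: a minimal simulator of
# Squid's first-match http_access evaluation for the src, url_regex and time
# ACL types used above. "all" is declared explicitly, as older Squid required.
DAYS = "SMTWHFA"  # Squid day letters; index = isoweekday() % 7 (Sunday = 0)
CONFIG = """
acl directors src 10.0.0.14 10.0.0.28 10.0.0.31
acl internal src 192.168.0.0/24 10.0.0.0/8
acl lunchtimes time MTWHF 13:00-14:00
acl zipfiles url_regex -i \\.zip$
acl hotmail url_regex -i hotmail
acl all src 0.0.0.0/0
http_access allow directors
http_access deny hotmail
http_access deny zipfiles
http_access allow internal lunchtimes
http_access deny all
"""

def parse(config):
    acls, rules = {}, []  # same ACL name on several lines = one combined ACL
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(kind, args, src, url, when):
    if kind == "src":  # CIDR test: 10.0.0.0/8 covers 10.0.0.0-10.255.255.255
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "url_regex":  # -i makes the pattern case-insensitive
        flags = re.I if args[0] == "-i" else 0
        return any(re.search(p, url, flags) for p in args[1 if flags else 0:])
    if kind == "time":  # day letters then HH:MM-HH:MM (treated as inclusive)
        days, (start, end) = args[0], args[1].split("-")
        return DAYS[when.isoweekday() % 7] in days and start <= when.strftime("%H:%M") <= end

def decide(src, url, when, config=CONFIG):
    """First http_access line whose ACLs all match wins; when is 'YYYY-MM-DD HH:MM'."""
    when = datetime.strptime(when, "%Y-%m-%d %H:%M")
    acls, rules = parse(config)
    for action, names in rules:
        if all(any(matches(k, a, src, url, when) for k, a in acls[n]) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid default: opposite of last line
```

The dates used below are constructed: 2024-01-08 is a Monday and 2024-01-06 a Saturday.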

Reference

http://www.squid-cache.org/ — The home page of the Squid Web Proxy Cache.

http://www.deckle.co.za/squid-users-guide/Main_Page — The home page of Squid: A User's Guide, a free online book about Squid.

http://www.faqs.org/docs/securing/netproxy-squid.html — A brief online guide to configuring a local Squid server.

http://squid.visolve.com/squid/index.htm/ — The home page of a company that can provide commercial support and deployment of Squid.

http://squid.visolve.com/squid/reverseproxy.htm — ViSolve's guide to setting up Squid to reverse proxy to cache a local web server for external visitors.

As well as these URLs, there are two excellent books on the topic of web caching. The first is Squid: The Definitive Guide (O'Reilly) by Duane Wessels, ISBN: 0-596-00162-2. The second is Web Caching (O'Reilly) also by Duane Wessels, ISBN: 1-56592-536-X.

Of the two, the former is more practical and covers the Squid server in depth. The latter is more theoretical, discussing how caching is implemented. Wessels is one of the leading developers on Squid, so both books are of
