ACL elements


Note: The information here is current for version 2.5.


Squid knows about the following types of ACL elements:


  • src: source (client) IP addresses
  • dst: destination (server) IP addresses
  • myip: the local IP address of a client’s connection
  • srcdomain: source (client) domain name
  • dstdomain: destination (server) domain name
  • srcdom_regex: source (client) regular expression pattern matching
  • dstdom_regex: destination (server) regular expression pattern matching
  • time: time of day, and day of week
  • url_regex: URL regular expression pattern matching
  • urlpath_regex: URL-path regular expression pattern matching; the protocol and hostname are left out of the match
  • port: destination (server) port number
  • myport: local port number that the client connected to
  • proto: transfer protocol (http, ftp, etc.)
  • method: HTTP request method (get, post, etc.)
  • browser: regular expression pattern matching on the request’s user-agent header
  • ident: string matching on the user’s name
  • ident_regex: regular expression pattern matching on the user’s name
  • src_as: source (client) Autonomous System number
  • dst_as: destination (server) Autonomous System number
  • proxy_auth: user authentication via external processes
  • proxy_auth_regex: user authentication via external processes, with regular expression pattern matching on the authenticated user name
  • snmp_community: SNMP community string matching
  • maxconn: a limit on the maximum number of connections from a single client IP address
  • req_mime_type: regular expression pattern matching on the request content-type header
  • arp: Ethernet (MAC) address matching
  • rep_mime_type: regular expression pattern matching on the reply (downloaded content) content-type header. This is only usable in the http_reply_access directive, not http_access.
  • external: lookup via external acl helper defined by external_acl_type




Access Lists


There are a number of different access lists:


  • http_access: Allows HTTP clients (browsers) to access the HTTP port. This is the primary access control list.
  • http_reply_access: Allows HTTP clients (browsers) to receive the reply to their request. This further restricts permissions given by http_access, and is primarily intended to be used together with the rep_mime_type acl type for blocking different content types.
  • icp_access: Allows neighbor caches to query your cache with ICP.
  • miss_access: Allows certain clients to forward cache misses through your cache. This further restricts permissions given by http_access, and is primarily intended to be used for enforcing sibling relations by denying siblings from forwarding cache misses through your cache.
  • no_cache: Defines responses that should not be cached.
  • redirector_access: Controls which requests are sent through the redirector pool.
  • ident_lookup_access: Controls which requests need an Ident lookup.
  • always_direct: Controls which requests should always be forwarded directly to origin servers.
  • never_direct: Controls which requests should never be forwarded directly to origin servers.
  • snmp_access: Controls SNMP client access to the cache.
  • broken_posts: Defines requests for which Squid appends an extra CRLF after POST message bodies, as required by some broken origin servers.
  • cache_peer_access: Controls which requests can be forwarded to a given neighbor (peer).
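The following squid.conf fragment is an added example (not from the Squid FAQ) that ties the ACL elements above to the access lists: src, dstdomain, time, port, method, maxconn and rep_mime_type are each defined as an acl and then used in http_access or http_reply_access. The network 192.168.1.0/24, the domain .example.com and the limits are constructed values.

```conf
# --- ACL elements (constructed values) ---
acl all          src 0.0.0.0/0.0.0.0
acl localnet     src 192.168.1.0/24            # the client network we serve
acl blocked      dstdomain .example.com        # destination domain to refuse
acl worktime     time MTWHF 09:00-17:00        # Mon-Fri, 09:00 to 17:00
acl Safe_ports   port 80 443 21                # only common destination ports
acl SSL_ports    port 443
acl CONNECT      method CONNECT
acl toomany      maxconn 20                    # matches once a client exceeds 20 connections
acl video        rep_mime_type -i ^video/      # reply Content-Type; only valid in http_reply_access

# --- http_access: first matching line wins, so order matters ---
http_access deny  !Safe_ports                  # stop tunnelling to arbitrary ports
http_access deny  CONNECT !SSL_ports           # CONNECT only to the TLS port
http_access deny  toomany                      # per-client connection limit
http_access deny  blocked
http_access allow localnet worktime            # all ACLs on a line must match (AND)
http_access deny  all                          # explicit default deny

# --- http_reply_access: further restricts what http_access already allowed ---
http_reply_access deny  video                  # block video/* bodies by reply MIME type
http_reply_access allow all
```

Because a request must pass http_access before http_reply_access is evaluated, the reply rule can only narrow access, never widen it; a missing final `deny all` in http_access leaves the default policy to be the opposite of the last rule, which is why the explicit deny is kept.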