How to Configure Squid ACL for IP Range Access Control (70.*.*.* to 90.*.*.*)


When implementing access control in Squid proxy, you'll frequently need to allow or deny traffic from specific IP ranges. The standard acl directive with single IP addresses (like 77.86.72.49) works well for individual hosts, but network administrators often need to handle entire subnets or IP ranges.

The most efficient way to handle IP ranges in Squid is using CIDR notation:

acl permitted_range src 70.0.0.0/8 90.0.0.0/8
http_access allow permitted_range
http_access deny all

This configuration:

  • Creates an ACL named permitted_range
  • Allows all IPs in 70.x.x.x and 90.x.x.x (only those two /8 blocks, not the addresses between them)
  • Denies all other traffic (security best practice)

If you need to admit every /8 block from 70.*.*.* through 90.*.*.* rather than only the two endpoints, list them all. Squid merges acl lines that reuse the same name, so a long list can be split across several complete acl lines:

# acl lines that reuse a name add to the same ACL, so the list can be split
acl permitted_range src 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8
acl permitted_range src 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8
acl permitted_range src 80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8
acl permitted_range src 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8
acl permitted_range src 90.0.0.0/8
# equivalent single entry using the addr1-addr2 range form that src accepts:
# acl permitted_range src 70.0.0.0-90.255.255.255
http_access allow permitted_range
http_access deny all

After modifying your squid.conf, always:

squid -k parse
squid -k reconfigure

Test with different client IPs using curl through your proxy:

curl --proxy http://yourproxy:3128 http://example.com
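Before reloading the proxy, it is worth checking offline which client addresses a src ACL really covers and what the http_access chain decides for them, since "70.0.0.0/8 90.0.0.0/8" admits only the two endpoint blocks. The script below is an added example, not Squid code: it reimplements only src ACLs (CIDR, dotted mask and addr1-addr2 forms), the built-in "all" ACL, "!" negation and Squid's first-match http_access evaluation, against a constructed squid.conf fragment; the ACL names in it are assumptions.

```python
"""Offline check of a Squid src-ACL fragment: what the http_access chain
decides for a client address, and the shortest CIDR list for a span.
Added example; not Squid code. Handles src ACLs, 'all' and !negation only."""
import ipaddress
import re

ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")
ACCESS_RE = re.compile(r"^\s*http_access\s+(allow|deny)\s+(.+?)\s*$")

# Constructed squid.conf fragment mirroring the page's first configuration
SAMPLE_CONF = """\
acl permitted_range src 70.0.0.0/8 90.0.0.0/8
acl whole_span src 70.0.0.0-90.255.255.255   # addr1-addr2 range form
http_access allow permitted_range
http_access deny all
"""


def parse_src_acls(conf_text):
    """Collect networks per ACL name; acl lines that reuse a name accumulate."""
    acls = {}
    for line in conf_text.splitlines():
        m = ACL_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        name, values = m.groups()
        nets = acls.setdefault(name, [])
        for token in values.split():
            if "-" in token:
                lo, hi = token.split("-", 1)
                nets.extend(ipaddress.summarize_address_range(
                    ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
            else:
                # accepts both 70.0.0.0/8 and 70.0.0.0/255.0.0.0
                nets.append(ipaddress.ip_network(token, strict=False))
    return acls


def parse_http_access(conf_text):
    """Return [(action, [acl names])] in file order."""
    rules = []
    for line in conf_text.splitlines():
        m = ACCESS_RE.match(line.split("#", 1)[0])
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return rules


def acl_matches(acls, name, addr):
    """'all' is Squid's built-in match-everything ACL; a leading '!' negates.
    An undefined name never matches here (real Squid refuses to start)."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    hit = True if name == "all" else any(addr in n for n in acls.get(name, []))
    return hit != negate


def decide(conf_text, client_ip):
    """First http_access line whose ACLs all match wins; with no match the
    result is the opposite of the last line's action (Squid's default)."""
    acls = parse_src_acls(conf_text)
    rules = parse_http_access(conf_text)
    addr = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(acl_matches(acls, n, addr) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def minimal_cidrs(first, last):
    """Fewest CIDR blocks covering first..last inclusive, e.g. to replace a
    long list of /8 entries with an aggregated one."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    for ip in ("70.5.5.5", "80.5.5.5", "90.5.5.5", "203.0.113.9"):
        print(ip, decide(SAMPLE_CONF, ip))
    print(minimal_cidrs("70.0.0.0", "90.255.255.255"))
```

Run it against your own squid.conf text and the client addresses you care about; a "deny" for an address you expected to pass usually means the CIDR list has a gap (80.5.5.5 above) or a later http_access line overrides the allow.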

For large ACLs (like our 70-90 range example):

  • Load the addresses from a file, one entry per line: acl permitted_range src "/path/to/ip_list"
  • Consider Squid's quick_abort settings for faster IP matching
  • Monitor performance with squidclient mgr:info

For complex patterns within ranges, Squid supports regex ACLs; note that srcdom_regex is matched against the client's reverse-DNS host name, not the address itself, so it only works for clients whose PTR records look like the pattern:

# srcdom_regex is applied to the client's reverse-DNS name, not its IP;
# for address prefixes, acl special_range src 70.12.0.0/16 89.45.0.0/16 is exact
acl special_range srcdom_regex -i ^70\.12\.|^89\.45\.
http_access allow special_range

When managing Squid proxy servers, administrators often need to allow access from specific IP ranges rather than individual addresses. The common use case is permitting traffic from entire network blocks (e.g., 70.0.0.0/8 to 90.0.0.0/8) while maintaining security.

The proper Squid ACL syntax uses CIDR notation for efficient IP range definitions:

acl permitted_range1 src 70.0.0.0/8
acl permitted_range2 src 80.0.0.0/8 
acl permitted_range3 src 90.0.0.0/8

http_access allow permitted_range1
http_access allow permitted_range2
http_access allow permitted_range3

For more granular control between 70-90 ranges, consider these alternatives:

# Option 1: Multiple CIDR blocks
acl range_70 src 70.0.0.0/8
acl range_80 src 80.0.0.0/8
acl range_90 src 90.0.0.0/8

# Option 2: Dotted-decimal masks (70.0.0.0/255.0.0.0 is the same block as 70.0.0.0/8);
# for a contiguous span that is not mask-aligned, src also accepts addr1-addr2 ranges
acl custom_range src 70.0.0.0/255.0.0.0 80.0.0.0/255.0.0.0 90.0.0.0/255.0.0.0

  • Place range ACLs near the top of squid.conf for better performance
  • Always follow allow rules with an explicit deny: http_access deny all
  • Test configurations with squid -k parse before reloading
  • Use separate ACLs for distinct ranges for better audit capability

If ranges aren't working as expected:

  1. Verify CIDR notation matches your intended range
  2. Check for conflicting ACL rules later in the configuration
  3. Inspect Squid access.log for connection attempts
  4. Confirm network routes allow traffic to reach Squid
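For step 3, Squid's native access.log records the client address in the third field and the result code (TCP_DENIED, TCP_MISS, ...) in the fourth, so denials can be tallied per client and compared with the span you intended to allow. The script below is an added example, not Squid tooling; the log lines are constructed in native format and the 70.0.0.0 to 90.255.255.255 span is an assumption taken from this page's scenario.

```python
"""Summarise TCP_DENIED entries in Squid's native access.log by client address
and flag denied clients that fall inside the span you meant to allow.
Added example, not Squid tooling; the log lines are constructed."""
import ipaddress
from collections import Counter

# Constructed native-format lines:
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    12 70.12.3.4 TCP_MISS/200 5123 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1700000001.202     0 80.5.6.7 TCP_DENIED/403 3821 GET http://example.com/ - HIER_NONE/- text/html
1700000002.303     0 80.5.6.7 TCP_DENIED/403 3821 GET http://example.org/ - HIER_NONE/- text/html
1700000003.404    45 90.1.1.1 TCP_MISS/200 9876 GET http://example.net/ - HIER_DIRECT/192.0.2.10 text/html
1700000004.505     0 203.0.113.9 TCP_DENIED/403 3821 CONNECT example.com:443 - HIER_NONE/- -
"""


def parse_native_log(text):
    """Yield (client_ip, action, status) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "/" not in fields[3]:
            continue  # blank or malformed line
        action, _, status = fields[3].partition("/")
        try:
            yield fields[2], action, int(status)
        except ValueError:
            continue  # non-numeric status field


def denied_by_client(text):
    """Number of TCP_DENIED requests per client address."""
    counts = Counter()
    for client, action, _status in parse_native_log(text):
        if action == "TCP_DENIED":
            counts[client] += 1
    return counts


def unexpected_denials(text, first, last):
    """Denied clients that lie inside first..last: evidence that the ACL does
    not cover the span you intended, or that a later rule overrides it."""
    intended = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return sorted(ip for ip in denied_by_client(text)
                  if any(ipaddress.ip_address(ip) in net for net in intended))


if __name__ == "__main__":
    for client, n in denied_by_client(SAMPLE_LOG).most_common():
        print(f"{client:16} denied {n}x")
    print("denied but inside 70-90:",
          unexpected_denials(SAMPLE_LOG, "70.0.0.0", "90.255.255.255"))
```

Feed it the real file with open("/var/log/squid/access.log").read() (path varies by distribution); a client listed by unexpected_denials is exactly the case from step 1 or 2 above, a gap in the CIDR list or a conflicting rule further down.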