Access Control
Behalf can limit and/or control the access of users on
your local network.
It is not intended to replace a firewall.

Tag: A name given to a user or group of users,
to which access can then be allowed or denied.
src: this checks that the source
of the request is within the given IP range.
dst: this checks that the
destination of the request is within the given IP range.
url_regex: searches the
entire URL for the regular expression you specify. Note that
these regular expressions are case-sensitive.
urlpath_regex: regular expression
pattern matching on the URL, but without the protocol and hostname.
Note that these regular expressions are case-sensitive.
port: Access can be controlled by
destination (server) port address.
proto: specifies the transfer
protocol.
method: specifies
the type of the method of the request.
max_conn: A limit on the
maximum number of connections from a single client IP address.
req_mime_type: Regular expression
pattern matching on the request content-type header.
IP/mask: A dotted decimal value followed by
"/" and a mask value.
e.g. 10.0.1.0/24 for a complete subnet.
Single workstation: 10.0.1.20/32 or 10.0.1.20
Access: Give or deny access to the
newly created user or group. This rule can be inverted by
selecting the ! symbol in the drop down box next to it.
Access Type: In most cases 'http' will
be given.
http: The port number where the
cache listens for proxy requests.
icp: Allowing or denying access
to the ICP port based on defined access lists.
miss: Use to force your neighbors
to use you as a sibling instead of a parent.
no_cache: A list of ACL elements
which, if matched, cause the reply to be immediately removed
from the cache. In other words, use this to force certain
objects to never be cached.
redirector: This tag is used to
specify the location of the executable for the URL redirector.
Since redirectors can perform almost any function, there isn't one
included.
always: Here you can use ACL
elements to specify requests, which should ALWAYS be forwarded
directly to origin servers. This is mostly used while using
cache_peer.
never: the opposite of
'always'. Please read the description for always
if you have not already. With 'never' you can use ACL
elements to specify requests which should NEVER be forwarded
directly to origin servers. When 'always' and 'never' are both deny
(the default), Behalf decides from the request type and a
number of other factors whether a parent should be used, and
if a parent cannot be reached it always falls back on going
direct. If 'always' is allow then Behalf will always go direct
to the source without considering any peers. If 'never' is
allow then Behalf will never attempt to go direct to the
source. Instead it tries to find a parent to send the request
to. If no parent can be found then an error is returned.
broken: A list of ACL elements
which, if matched, cause Squid to send an extra CRLF pair
after the body of a PUT/POST request. Some HTTP servers have
broken implementations of PUT/POST, and rely on an extra CRLF
pair sent by some WWW clients.
cache_peer: This tag is used to
specify the other caches in the hierarchy. The cache_peer
option is split into five fields. The first field is the
hostname or IP of the cache that is to be queried. The second
field indicates the type of relationship. The third field sets
the HTTP port of the destination server, while the fourth sets
the ICP (UDP) query port. The fifth field can contain
zero or more keywords. Here are the detailed explanations on
each field.
Click the Add button to insert the newly
customized rule into Behalf.
Note:
Access control rules are checked in the order that they occur
in the file (i.e. from top to bottom). The first access control
rule line that matches causes Behalf to drop
out of the access control rule list. Behalf will
not check through all the access control rules if the first denies
the request.
Use the Up and Down buttons to put the rules in
the desired order and click Act Now to activate.
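The first-match ordering in the Note, the case-sensitive url_regex match and the ! inversion can be checked with a small model. This is an added example, not Behalf's own code; the tag names, addresses and URLs are constructed, and returning "deny" when no rule matches is an assumption of the sketch, since the page does not state that default.

```python
import ipaddress
import re

# Constructed tags: name -> (ACL type, value). Names and values are illustrative.
TAGS = {
    "lan":   ("src", "10.0.1.0/24"),
    "boss":  ("src", "10.0.1.20"),      # single workstation, same as /32
    "games": ("url_regex", r"games"),
}

def tag_matches(tag, client_ip, url):
    """Return True if the request matches the named tag."""
    kind, value = TAGS[tag]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    if kind == "url_regex":
        # Case-sensitive search over the entire URL, as the page describes.
        return re.search(value, url) is not None
    raise ValueError(f"unsupported ACL type: {kind}")

def decide(rules, client_ip, url, default="deny"):
    """Walk rules top to bottom; the first matching rule decides.

    Each rule is (action, tag, inverted); inverted models the '!' option.
    The default for "no rule matched" is an assumption of this sketch.
    """
    for action, tag, inverted in rules:
        if tag_matches(tag, client_ip, url) != inverted:
            return action
    return default

# Broad allow first: the deny below it is never reached for LAN clients.
ALLOW_FIRST = [("allow", "lan", False), ("deny", "games", False)]
# Specific deny first, then the broad allow.
DENY_FIRST = [("deny", "games", False), ("allow", "lan", False)]

def demo():
    url = "http://example.com/games/play"
    return {
        "allow_first": decide(ALLOW_FIRST, "10.0.1.55", url),
        "deny_first": decide(DENY_FIRST, "10.0.1.55", url),
        "mixed_case": decide(DENY_FIRST, "10.0.1.55", "http://example.com/Games/play"),
        "outside_lan": decide(DENY_FIRST, "192.168.5.9", "http://example.com/"),
        "not_boss": decide([("deny", "boss", True)], "10.0.1.55", url),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The mixed_case result shows why a deny pattern should be tested against the spellings that actually appear in your traffic before the rule is activated.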