
Squid : Limiting access to a website, IP and certain domains

My requirement is to block certain websites for all users except a few specific IPs.

My Squid server runs in transparent mode: all HTTP requests are redirected to the proxy using IPTABLES. I spent about 3 hours on Google and testing to get it working.

This Squid transparent proxy has the following capabilities.

1. Some websites are opened in the morning and in the evening for a short period. This setting lets users browse the internet for personal purposes during those windows.
2. The proxy can ban websites by keyword.
3. Any number of special IPs can be excluded from this keyword blocking. Here I use the keyword 'orkut' to block the 'www.orkut.com' domain.
4. Any number of domain names can be blocked for all users, including the 'special IP' users.

After installing Squid, I added the lines below to squid.conf. The access control list goes directly under the line that reads "acl CONNECT method CONNECT":

acl CONNECT method CONNECT

## Policy is added
acl special_clients src "/etc/squid/whitelistedip.txt"
acl banned_sites url_regex orkut  monster sex porn  naukri youtube
acl morning_hours time M T W H F 9:00-9:45
acl evening_hours time M T W H F 17:45-18:45
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"

And add the http_access restrictions under the following comment block:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
## Policy Added

http_access allow morning_hours banned_sites
http_access allow evening_hours banned_sites
http_access deny !special_clients banned_sites
http_access deny blockeddomain
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Please note that the file /etc/squid/whitelistedip.txt holds the IPs of the users who have unrestricted access, and the file /etc/squid/blocked.domains.acl holds the list of domain names to be blocked, one per line.
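To see how the ordering of these http_access lines plays out, here is an added Python model of Squid's first-match evaluation over the rule set above; it is not part of the original post or of Squid itself. The whitelist and blocked-domain file contents (192.168.0.17 and .facebook.com), the sample request times and the half-open handling of the time ACL are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse
# Constructed stand-ins for the two files the post references (not the author's real lists).
SPECIAL_CLIENTS = [ipaddress.ip_network("192.168.0.17/32")]  # /etc/squid/whitelistedip.txt
BLOCKED_DOMAINS = [".facebook.com"]                           # /etc/squid/blocked.domains.acl
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.2.0/24")]
BANNED_RE = re.compile("orkut|monster|sex|porn|naukri|youtube")  # url_regex: case-sensitive substring
# The post's http_access lines in order; Squid stops at the first line whose ACLs all match.
HTTP_ACCESS = [
    ("allow", ["morning_hours", "banned_sites"]),
    ("allow", ["evening_hours", "banned_sites"]),
    ("deny", ["!special_clients", "banned_sites"]),
    ("deny", ["blockeddomain"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def in_window(when, start, end):
    # Squid 'time' ACL with days M T W H F and an h:m-h:m range (treated as half-open here).
    return when.weekday() < 5 and start <= (when.hour, when.minute) < end

def dst_domain(host, entry):
    # dstdomain: a leading dot matches the domain and its subdomains, otherwise exact match.
    return host == entry.lstrip(".") or (entry.startswith(".") and host.endswith(entry))

def acl_matches(term, when, src, url):
    name, negated = term.lstrip("!"), term.startswith("!")
    ip, host = ipaddress.ip_address(src), urlparse(url).hostname or ""
    checks = {
        "all": lambda: True,
        "localhost": lambda: ip.is_loopback,
        "special_clients": lambda: any(ip in n for n in SPECIAL_CLIENTS),
        "our_networks": lambda: any(ip in n for n in OUR_NETWORKS),
        "banned_sites": lambda: BANNED_RE.search(url) is not None,
        "blockeddomain": lambda: any(dst_domain(host, d) for d in BLOCKED_DOMAINS),
        "morning_hours": lambda: in_window(when, (9, 0), (9, 45)),
        "evening_hours": lambda: in_window(when, (17, 45), (18, 45)),
    }
    return checks[name]() != negated  # KeyError mirrors Squid refusing an undefined ACL name

def decide(when, src, url):
    for action, terms in HTTP_ACCESS:  # first matching line decides
        if all(acl_matches(t, when, src, url) for t in terms):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"  # Squid: opposite of the last rule

# Constructed sample times: 2010-06-15 is a Tuesday, one inside the morning window, one outside.
TUE_0915, TUE_1100 = datetime(2010, 6, 15, 9, 15), datetime(2010, 6, 15, 11, 0)
```

Running decide() over a whitelisted and a normal client shows the two caveats of the regex rule: without url_regex -i an upper-case ORKUT slips through, while an innocent host such as www.essex.gov.uk is caught by the "sex" keyword.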

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
# Safe_ports is referenced below; its definition from the default squid.conf is not shown in this excerpt.
acl CONNECT method CONNECT
acl special_clients src "/etc/squid/whitelistedip.txt"
# url_regex is a case-sensitive substring match: add -i to also catch ORKUT, and expect
# hits inside unrelated words (e.g. "sex" in "essex").
acl banned_sites url_regex orkut  monster sex porn  naukri youtube debonairblog
acl morning_hours time M T W H F 9:00-9:45
acl evening_hours time M T W H F 17:45-18:45
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access lines are evaluated top to bottom; the first line whose ACLs all match decides.
http_access allow morning_hours banned_sites
http_access allow evening_hours banned_sites
http_access deny !special_clients banned_sites
http_access deny blockeddomain
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access allow all
http_port 192.168.0.9:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 200 16 256
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin ?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr admins@rainconcert.in
httpd_suppress_version_string on
visible_hostname Secure-Gateway
coredump_dir /var/spool/squid
# httpd_accel_* are Squid 2.5 directives; in Squid 2.6 the "transparent" option on http_port above replaces them.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# These last rules are never reached: "http_access deny all" above already matches every request.
acl lan src 192.168.0.0/24 192.168.2.0/24
http_access allow localhost
http_access allow lan

Hoping this will work for you.

The following post will help you configure Squid as a transparent proxy using IPtables.
http://www.serveridol.com/2009/11/04/how-to-configure-a-linux-router/

-enoy

21 comments to Squid : Limiting access to a website, IP and certain domains

  • Neil K

    What IPTABLES rules did you use?

  • Neil K

    Sorry, but which post? For the proxy to work in transparent mode, those iptables rules are essential. So please list the required rules here or include them in the above post, so that it becomes a complete document for configuring a transparent proxy.

  • Neil K

    Thanks 🙂 Anyway, here I am pasting the required iptables commands for anyone's reference.

    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is the same system
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

  • irfan khan

    Thanks for this information.
    This is a very good point for every ….

  • Really good post, but this doesn’t always appear to work with my router ip, any hints?

    • hello,

      You need to have a static IP and configure it in bridge mode to work with this proxy setup. Ensure that iptables and squid are configured to run as system start-up services.

      Regards,
      Liju

  • GM Cust

    I have a fresh installation of CentOS and also did

    yum install squid

    and installed Squid: SQUID 2.6.STABLE21.

    I have also activated IP forwarding.

    Server has 2 Cards :

    Eth0 : Local lan ( 192.168.0.2)
    Eth1 : Internet ( Static IP )

    Now what I want is :

    1) 192.168.0.17 : Access to All Sites
    2) 192.168.0.XX : Block Facebook.com, Orkut.com
    3) 192.168.0.5 : Access to only One Site, yahoo.com

    Can someone guide me on how to achieve it?

    Kindly guide me.

    While playing with Squid, I crashed my system once; I don't want to take the risk.

  • Hello,

    Why do you need to use separate gateways? First assign static IPs to all desktops (if you are running on dynamic IP, use MAC-binding IP allocation).

    Then you can create the ACL list accordingly. Add all the IPs to whitelist.txt to get privileged browsing, or run multiple instances of Squid, one for each IP address, and set the ACLs accordingly.

    best,
    Liju

  • GM Cust

    Admin, any help for me?

    Any step by step?

  • GM Cust

    Thanks a Lot.

    Working perfectly.

    I have a Static IP to my server now.

    But I can't access it from the outside world.

    Need any changes for that ?

  • Thanks for giving me the chance to read such a well written article, keep up the good work.

  • GM

    Admin, let me know if there is any solution for accessing the static IP of the server from the outside world.

  • GM

    How to open port 10000, as I use this to access my phpmyadmin?

  • GM Cust

    Tried

    /sbin/iptables -I INPUT -p tcp --dport ssh -j ACCEPT

    as advised, but it didn't work.

  • Mirazel

    Hi, my name is Mirazel and I am now doing my FYP for my studies.
    I need your opinion about a certain thing, if you don't mind.
    I read your note about "Squid time quota external acl helper".
    I just want to know if it is possible to do a time limit and then blocking?
    For example:
    in the company, the user has been given 3 hours of FB login per week.
    After the 3 hours are used up, it will block automatically. My big problem is counting the time, e.g. the user accesses FB: Monday 15 min, Tuesday 30 min, Wednesday 1 hour, and Friday 15 min.
    Can I hear your opinion?

    • I do not think that it's so easy. This is Squid mechanics, filtering at runtime. It does not store any data in a backend to populate reports.

      Your idea is good, but there will be certain difficulties in achieving it.

      • Mirazel

        Thanks. Yes, the idea is simple, but doing it is not easy.
        I have been researching it for 1 year. Now the solution I have seen is to do the token function.
        Right now, do you have an idea or script for "how can the user, if he enters (www.faceboo.com), be kicked to another page to enter authentication?" After the user enters authentication, he can go to the FB login page.

    • Also, Squid will not work on HTTPS, i.e. you cannot block any sites running on HTTPS using Squid. FB is able to operate on HTTPS too.
