Website blocking and controlled access using ACL

Squid is caching proxy for the Web. It reduces the bandwidth and improves response time by caching and reusing frequently-requested web pages.

Squid has extensive access controls and makes a great content filtering software. Most web browsers available today support proxying and can be easily configured to use a squid server as proxy.Once configured all the http requests will go through proxy and then we can use squid server’s ACL (Access Control List) mechanism to filter out the requests.

Setup

• Let’s first install the squid server.

sudo apt-get update && sudo apt-get install squid3

• Take a backup of default configuration.

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.$(date +%F)

• Remove the default configuration.

sudo rm /etc/squid3/squid.conf

• Create a new configuration.

sudo vi /etc/squid3/squid.conf

• Below is a sample configuration.Change hostname, localnet and cache_dir as per your preference. It allows everything except the access to facebook. Access to facebook is restricted between 12:30-17:30. My server is running in UTC timezone so these timings translate into 6PM-8PM Indian Standard Time.

   visible_hostname raspberrypi
   #ACL List
   acl manager proto cache_object
   acl localhost src 127.0.0.1/32 ::1
   acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
   acl localnet src 192.168.1.0/24
   acl SSL_ports port 443
   acl Safe_ports port 80          # http
   acl Safe_ports port 21          # ftp
   acl Safe_ports port 443         # https
   acl Safe_ports port 70          # gopher
   acl Safe_ports port 210         # wais
   acl Safe_ports port 1025-65535  # unregistered ports
   acl Safe_ports port 280         # http-mgmt
   acl Safe_ports port 488         # gss-http
   acl Safe_ports port 591         # filemaker
   acl Safe_ports port 777         # multiling http
   acl CONNECT method CONNECT
   acl allowfacebooktime time SMTWHFA 12:30-14:30
   acl facebookdotcom  dstdomain .facebook.com
   #HTTP ACCESSES
   http_access allow manager localhost
   http_access deny manager
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports
   http_access allow facebookdotcom allowfacebooktime
   http_access deny facebookdotcom
   http_access allow localnet
   http_access allow localhost
   http_access deny all
   #SQUID PORT
   http_port 3128
   #CACHE DIR LOCATION
   cache_dir ufs /media/usbhdd/anantvijay/cache 1000 16 256
  

• Restart the squid service

sudo /etc/init.d/squid3 restart
OR
sudo service squid3 restart

Log file locations

sudo tail -200f /var/log/squid3/cache.log
sudo tail -200f /var/log/squid3/access.log

Setting up proxy in IE

We set the proxy server using Internet explorer even if we are using any other browser like chrome, firefox etc. Reason fore doing this is that IE knows the right place to store this setting and chrome/firefox etc reads the proxy settings from that location.

• Open IE, go to ‘Internet Options’, open ‘Connections’ tab

de118152db5973c1.png409×531 16.9 KB

• Provide the IP address and port of your squid proxy server

• If everything is properly setup and you try to access something that is not autorized; following page will be displayed.

b06c9d3904a35ff6.png1364×374 23.2 KB