Website blocking and controlled access using ACL

Squid is a caching proxy for the Web. It reduces bandwidth use and improves response times by caching and reusing frequently requested web pages.

Squid has extensive access controls and makes a great content-filtering tool. Most web browsers available today support proxying and can easily be configured to use a Squid server as their proxy. Once configured, all HTTP requests go through the proxy, and the Squid server's ACL (Access Control List) mechanism can then be used to filter them.

Setup

  • Let’s first install the squid server.

sudo apt-get update && sudo apt-get install squid3

  • Take a backup of default configuration.

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.$(date +%F)

  • Remove the default configuration.

sudo rm /etc/squid3/squid.conf

  • Create a new configuration.

sudo vi /etc/squid3/squid.conf

  • Below is a sample configuration. Change the hostname (visible_hostname), localnet and cache_dir to suit your setup. It allows everything except access to Facebook. Access to Facebook is restricted between 12:30-17:30. My server runs in the UTC timezone, so these timings translate to 6PM-8PM Indian Standard Time.

     visible_hostname raspberrypi
     #ACL List
     acl manager proto cache_object
     acl localhost src 127.0.0.1/32 ::1
     acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
     acl localnet src 192.168.1.0/24
     acl SSL_ports port 443
     acl Safe_ports port 80          # http
     acl Safe_ports port 21          # ftp
     acl Safe_ports port 443         # https
     acl Safe_ports port 70          # gopher
     acl Safe_ports port 210         # wais
     acl Safe_ports port 1025-65535  # unregistered ports
     acl Safe_ports port 280         # http-mgmt
     acl Safe_ports port 488         # gss-http
     acl Safe_ports port 591         # filemaker
     acl Safe_ports port 777         # multiling http
     acl CONNECT method CONNECT
     acl allowfacebooktime time SMTWHFA 12:30-14:30
     acl facebookdotcom  dstdomain .facebook.com
     #HTTP ACCESSES
     http_access allow manager localhost
     http_access deny manager
     http_access deny !Safe_ports
     http_access deny CONNECT !SSL_ports
     http_access allow facebookdotcom allowfacebooktime
     http_access deny facebookdotcom
     http_access allow localnet
     http_access allow localhost
     http_access deny all
     #SQUID PORT
     http_port 3128
     #CACHE DIR LOCATION
     cache_dir ufs /media/usbhdd/anantvijay/cache 1000 16 256
    
  • Restart the squid service.

sudo /etc/init.d/squid3 restart
OR
sudo service squid3 restart
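
To make the first-match semantics of the http_access list concrete, here is a small Python model (added here; it is not part of the original post or of Squid itself) that evaluates requests against the ACL subset from the configuration above. It assumes Squid's documented behaviour: http_access lines are checked top to bottom, a line matches only when every ACL on it matches, and the first matching line decides; the time-range boundary handling is a simplification, and the request fields (host, port, method, src, time) are constructed inputs.

```python
import ipaddress
from datetime import datetime

# Subset of the page's squid.conf as the model's input (manager/localhost lines omitted; Safe_ports on one line).
CONF = """
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
acl allowfacebooktime time SMTWHFA 12:30-14:30
acl facebookdotcom dstdomain .facebook.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow facebookdotcom allowfacebooktime
http_access deny facebookdotcom
http_access allow localnet
http_access deny all
"""

# One matcher per ACL type used above: (values from the acl line, request) -> bool.
MATCHERS = {
    "src": lambda vals, r: any(ipaddress.ip_address(r["src"]) in ipaddress.ip_network(v) for v in vals),
    "port": lambda vals, r: any(int(v.partition("-")[0]) <= r["port"] <= int(v.partition("-")[2] or v) for v in vals),
    "method": lambda vals, r: r["method"] in vals,
    # ".facebook.com" matches the domain and all its subdomains; a bare name matches exactly.
    "dstdomain": lambda vals, r: any(r["host"] == v.lstrip(".") or (v[0] == "." and r["host"].endswith(v)) for v in vals),
    # "SMTWHFA 12:30-14:30": day letters (S=Sun M T W H=Thu F A=Sat), then HH:MM-HH:MM in server local time.
    "time": lambda vals, r: "MTWHFAS"[r["time"].weekday()] in vals[0]
            and vals[1].split("-")[0] <= r["time"].strftime("%H:%M") < vals[1].split("-")[1],
}

def acl_matches(token, acls, req):
    if token.startswith("!"):  # "!name" negates the ACL
        return not acl_matches(token[1:], acls, req)
    # Repeated acl lines with the same name are ORed together.
    return token == "all" or any(MATCHERS[kind](vals, req) for kind, vals in acls[token])

def decide(host, port, method, src, when, conf=CONF):
    """Walk http_access top to bottom; the first line whose ACLs all match (AND) decides."""
    acls, rules = {}, []  # acl name -> [(type, values)]; rules -> [(action, acl tokens)]
    for w in (line.split() for line in conf.strip().splitlines()):
        if w[0] == "acl":
            acls.setdefault(w[1], []).append((w[2], w[3:]))
        elif w[0] == "http_access":
            rules.append((w[1], w[2:]))
    req = {"host": host, "port": port, "method": method, "src": src, "time": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    for action, tokens in rules:
        if all(acl_matches(t, acls, req) for t in tokens):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # nothing matched: opposite of the last line
```

Moving `http_access allow localnet` above the two facebookdotcom lines makes an evening Facebook request come back as allow, which is the ordering mistake this kind of list is most prone to. Note also that the dstdomain ACL applies to the CONNECT target, so HTTPS access to Facebook is blocked outside the window as well.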

Log file locations

sudo tail -200f /var/log/squid3/cache.log
sudo tail -200f /var/log/squid3/access.log

Setting up proxy in IE

We set the proxy server using Internet Explorer even if we are using another browser such as Chrome or Firefox. The reason for doing this is that IE knows the right place to store this setting, and Chrome, Firefox etc. read the proxy settings from that location.

  • Open IE, go to ‘Internet Options’ and open the ‘Connections’ tab.

  • Provide the IP address and port of your Squid proxy server.

  • If everything is set up properly and you try to access something that is not authorized, the following page will be displayed.