Allowing/Blocking Websites Using Squid

In this article, we'll be looking into how Squid can be used to block or allow access to websites in a network.


We've written an article on how to set up Squid (4.17) with ICAP & SSL; reading it first will make it easier to follow this one.


Squid ACLs


Simply put, an ACL (access control list) is a way of controlling who is allowed to access which web pages, and when.

The two Squid configuration directives we'll be using are acl, which defines a named match rule (a set of client addresses, destination domains, and so on), and http_access, which allows or denies the requests that match those rules.


ACL Syntax:

acl name type definition1 definition2 definition3 ...

Examples:

# written directly in squid.conf
acl accesses_to_google dstdomain .google.com
acl accesses_to_search_engines dstdomain .yahoo.com .google.com
acl accesses_from_marketing_dept src 10.51.0.0/16

If we move the sites to be allowed or blocked into a file, one entry per line, like so:

/etc/squid/search-engines-urls.txt:
.google.com
.bing.com
.yahoo.com

The ACL definition would look like this:

acl accesses_to_search_engines dstdomain "/etc/squid/search-engines-urls.txt"

HTTP_ACCESS Syntax:

http_access (allow|deny) acl1 acl2 acl3 ...

Examples:

http_access allow accesses_to_search_engines
http_access deny accesses_from_marketing_dept
http_access deny all

Squid evaluates http_access lines from top to bottom and stops at the first line that matches, so the order matters. As written, a request from the marketing department to a search engine is allowed, because the first line matches before the deny line is reached; any other request from marketing is denied by the second line, and everything else is denied by the last line. To keep marketing off the search engines as well, put the deny line for marketing first. In current Squid releases all is a built-in ACL that matches every request; keep http_access deny all as the last line so that nothing falls through, since a request that matches no line gets the opposite of the last line's action, which is easy to get wrong.
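To see the effect of the ordering, here is an added example (not from the article): a small POSIX shell simulator of Squid's http_access evaluation for the two ACL types used above, dstdomain and src. The ACL names and values are the ones defined above; the all ACL is modelled as src 0.0.0.0/0 as a stand-in for Squid's built-in all, and everything else Squid can match on (ports, methods, authentication and so on) is left out. It runs the article's rule order and a reordered one against a marketing client.

```shell
#!/bin/sh
# Added example (not from the article): simulate how Squid walks http_access.
# Lines are checked top to bottom; every ACL on a line must match (AND) and the
# first matching line decides. If no line matches, the result is the opposite
# of the last line's action. Only dstdomain (".example.com" = domain and all
# subdomains, "example.com" = that exact host) and src (IPv4 CIDR) are modelled.

acl_def() { # acl_def NAME -> "type value ...", the ACLs from the article
  case $1 in
    accesses_to_search_engines)   echo "dstdomain .yahoo.com .google.com" ;;
    accesses_from_marketing_dept) echo "src 10.51.0.0/16" ;;
    all)                          echo "src 0.0.0.0/0" ;;   # stand-in for Squid's built-in 'all'
    *) echo "unknown acl: $1" >&2; return 1 ;;
  esac
}

ip2int() { # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

src_match() { # src_match CIDR IP -> true if IP lies inside CIDR (bare IP means /32)
  case $1 in */*) ;; *) set -- "$1/32" "$2" ;; esac
  local net=${1%/*} bits=${1#*/} mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

dstdomain_match() { # dstdomain_match PATTERN HOST -> true on match
  local pat=$1 host=$2
  if [ "${pat#.}" != "$pat" ]; then      # leading dot: the domain itself or any subdomain
    [ "$host" = "${pat#.}" ] && return 0
    case $host in *"$pat") return 0 ;; esac
    return 1
  fi
  [ "$host" = "$pat" ]                   # no dot: exact host only
}

acl_match() { # acl_match NAME CLIENT_IP HOST -> true if any value of the ACL matches
  local kind values v
  read -r kind values <<EOF
$(acl_def "$1")
EOF
  for v in $values; do
    case $kind in
      src)       src_match "$v" "$2" && return 0 ;;
      dstdomain) dstdomain_match "$v" "$3" && return 0 ;;
    esac
  done
  return 1
}

http_access() { # http_access RULES CLIENT_IP HOST -> prints allow or deny
  local ip=$2 host=$3 action names n last= ok
  while read -r action names; do
    [ -n "$action" ] || continue
    last=$action; ok=1
    for n in $names; do
      acl_match "$n" "$ip" "$host" || { ok=0; break; }
    done
    [ "$ok" -eq 1 ] && { echo "$action"; return 0; }
  done <<EOF
$1
EOF
  [ "$last" = allow ] && echo deny || echo allow   # nothing matched
}

ARTICLE_RULES='allow accesses_to_search_engines
deny accesses_from_marketing_dept
deny all'

STRICT_RULES='deny accesses_from_marketing_dept
allow accesses_to_search_engines
deny all'

http_access "$ARTICLE_RULES" 10.51.3.4 www.google.com   # allow: marketing still reaches Google
http_access "$STRICT_RULES"  10.51.3.4 www.google.com   # deny: marketing's deny line comes first
http_access "$ARTICLE_RULES" 10.51.3.4 example.com      # deny: second line
http_access "$ARTICLE_RULES" 10.20.0.1 www.bing.com     # deny: falls to 'deny all'
```

The simulator is deliberately minimal; it is a reading aid for the first-match rule, not a replacement for squid -k parse or for testing against the real proxy.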


Block Websites

You can either write your own list of websites to block or use a ready-made domain blocklist. In this example, we'll be using Blackweb, a project that collects public domain blocklists and unifies them into a Squid-compatible dstdomain list.


Download the .txt file as per the repository instructions, then copy it into Squid's configuration directory:

$ sudo cp /home/linux/blackweb.txt /etc/squid/

Modify Squid's configuration file, giving the full path of the file you just copied. Put the deny line above any http_access allow line (such as the default http_access allow localnet): Squid stops at the first matching line, so an earlier allow would let the blocked domains through.

$ sudo nano /etc/squid/squid.conf
acl blackweb dstdomain "/path_to/blackweb.txt"
http_access deny blackweb

Note: if you're creating your own list, put one domain per line. A leading dot (.example.com) matches the domain and all of its subdomains; a bare name (example.com) matches only that exact host.


Reconfigure squid after changes are made (if squid is already running):

$ sudo squid -k reconfigure

If squid isn't running yet, start it:

$ sudo squid

Verify from a client browser that access to a domain on the list is denied.
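The following script is an added example, not part of the article or of the Blackweb project. It prepares a domain list for a dstdomain ACL (strips comments, CR line endings, URL schemes and paths, lowercases, de-duplicates, and drops entries that a broader .parent entry in the same list already covers, which Squid would otherwise warn about and ignore) and then, when Squid is installed, validates squid.conf with squid -k parse before reconfiguring. The same preparation applies to an allow list. The sample input is constructed for the example and is not Blackweb's content; the output path defaults to /tmp so it runs without root, where in practice it would be the file named on your acl line, such as /etc/squid/blackweb.txt, and the squid commands would run under sudo.

```shell
#!/bin/sh
# Added example, not from the article or from Blackweb: prepare a domain list
# for a Squid "dstdomain" ACL and reload safely.
# A dstdomain file takes one entry per line; ".example.com" covers the domain
# and every subdomain, "example.com" only that exact host. Entries already
# covered by a ".parent" entry are dropped because Squid warns about them and
# ignores them anyway.

normalize_domains() { # stdin: raw list -> stdout: one clean entry per line
  tr -d '\r' \
  | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
  | tr 'A-Z' 'a-z' \
  | sed -E -e 's#^[a-z]+://##' -e 's#/.*$##' \
  | grep -v '^$' \
  | LC_ALL=C sort -u
}

drop_shadowed() { # drop_shadowed FILE -> entries not already covered by a ".parent" entry
  awk '
    NR == FNR { if (substr($0, 1, 1) == ".") parent[$0] = 1; next }
    {
      keep = 1
      for (p in parent) {
        if ($0 == p) continue
        if ($0 == substr(p, 2) || substr($0, length($0) - length(p) + 1) == p) {
          keep = 0; break
        }
      }
      if (keep) print
    }' "$1" "$1"
}

build_blocklist() { # build_blocklist RAW_FILE OUT_FILE
  tmp=$(mktemp)
  normalize_domains < "$1" > "$tmp"
  drop_shadowed "$tmp" > "$2"
  rm -f "$tmp"
}

# Constructed sample input (not Blackweb's real content), deliberately messy.
RAW=$(mktemp)
cat > "$RAW" <<'EOF'
# constructed sample list
.Example.COM
example.com
ads.example.com
http://tracker.example.net/path
tracker.example.net   # duplicate once normalised
  .bad.test
EOF

# Assumption: OUT is the file your acl line points at, e.g. /etc/squid/blackweb.txt
# for  acl blackweb dstdomain "/etc/squid/blackweb.txt".  /tmp is used here so
# the example runs without root.
OUT=${OUT:-/tmp/blackweb.txt}
build_blocklist "$RAW" "$OUT"
rm -f "$RAW"
cat "$OUT"   # prints .bad.test, .example.com, tracker.example.net

# Only when Squid is installed: check the configuration before reloading, so a
# typo in squid.conf is caught before it is pushed into the running proxy.
if command -v squid >/dev/null 2>&1; then
  squid -k parse && squid -k reconfigure
fi
```

Note that ads.example.com and example.com disappear from the output because .example.com already covers them; that is exactly the case Squid reports as a subdomain warning when it loads the file.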




Allow Websites


For this example, I've created a file similar to blackweb.txt, except that it contains the whitelisted websites.

/etc/squid/allowedlist.txt:
.ubuntu.com
wiki.squid-cache.org

Modify Squid's configuration file. The allow line must appear above http_access deny all (and above any other deny line that would match these clients), because Squid stops at the first matching line.

$ sudo nano /etc/squid/squid.conf
acl allowedsites dstdomain "allowedlist.txt"
http_access allow allowedsites

If you get the following error when reconfiguring squid:

2022/01/25 13:20:31| ERROR: Can not open file allowedlist.txt for reading
2022/01/25 13:20:31| Warning: empty ACL: acl allowedsites dstdomain "allowedlist.txt"

the cause is the relative file name: Squid resolves it against its own working directory, not against /etc/squid. Give the absolute path instead (the plain quoted form and the parameters("...") form both accept it), and make sure the name on the http_access line is the one the acl line defines:

acl allowedsites dstdomain parameters("/etc/squid/allowedlist.txt")
http_access allow allowedsites

Reconfigure Squid

$ sudo squid -k reconfigure

You should now be able to verify from your client browser that the listed sites load while everything else is still denied.



