Table of Contents
Squid - ACLs - ACL Example Usage
Allowed Subnets
Add default 192.168.1.0/24, and any other LAN subnets, such as my IOT subnet of 192.168.70.0/24 and Guest subnet of 172.16.0.0/24.
Add any other IP that is allowed to use the proxy, for example, 100.1.2.3.
The teachers group always have access to the Internet. The students group only has access between Monday and Friday during lunch time:
acl AllowedHosts src 192.168.1.0/24 acl AllowedHosts src 192.168.70/0/24 acl AllowedHosts src 172.16.0.0/24 acl AllowedHosts src 100.1.2.3 acl teachers src 192.168.10.0/255.255.255.0 acl students src 192.168.20.0-192.168.30.0/255.255.255.0 acl lunch time MTWHF 12:00-13:00 #[ black-list and white-list rules will go in here in the next step ] http_access deny localhost http_access allow teachers http_access allow students lunch time http_access allow AllowedHosts http_access deny all
The AllowedHosts is just a name given to these, but you can call this anything. This name will be referenced later.
Black List Proxy vs Whitelist Proxy
Add additional ACL entries:
Decide which approach you want to follow:
- A black-listing proxy blocks offensive web sites. See black-list examples.
- A white-listing proxy only allows approved sites. A white-list has the benefit of blocking virtually everything that is not known to be “good”, but may take longer to configure. See white-list examples.
Blacklist Proxy Example
Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.
#______[ Black List ]_____________________________________________________ acl advdom dstdomain "/etc/squid/ad.domains" acl adv0exp url_regex -i "/etc/squid/ad0.exp" acl adv1exp url_regex -i "/etc/squid/ad1.exp" acl baddom dstdomain "/etc/squid/bad.domains" acl baddom dstdomain "/etc/squid/proxy.domains" acl badexp url_regex -i "/etc/squid/bad.exp" acl violentdom dstdomain "/etc/ffilter/violent.domains" acl hardblock url_regex -i "/etc/squid/hardblock.exp" acl drugdomains dstdomain "/etc/ffilter/drug.domains" acl gambledom dstdomain "/etc/ffilter/gambling.domains" acl offensive dstdomain "/etc/ffilter/offensive.domains" acl offendexp url_regex -i "/etc/ffilter/offensive.exp" acl deceptive dstdomain "/etc/ffilter/deceptive.domains" acl illegal dstdomain "/etc/ffilter/illegal.domains" # If you have children who have their own computers and for whom # you want extra protection, then try this idea: acl children src "/etc/ffilter/kids.IPs" acl curfewOK dstdomain "/etc/ffilter/curfew_ok.domains" # # On week-days the kids need to stop using the Internet at 10pm, # but on Friday and Saturday we let them go until midnight: # acl curfew time SMTWH 22:00-23:59 acl curfew time SMTWHF 00:00-7:00 #______[ White List ]_____________________________________________________ acl safedom dstdomain "/etc/ffilter/safe.domains" acl safeexp url_regex -i "/etc/ffilter/safe.exp" acl christdom dstdomain "/etc/ffilter/christian.domains" acl christexp url_regex -i "/etc/ffilter/christian.exp" acl schooldom dstdomain "/etc/ffilter/school.domains" acl employdom dstdomain "/etc/ffilter/employ.domains" #______[ Rules ]__________________________________________________________ # 0. 'hardblock' regex and IP matches # http_access deny hardblock # 1. Children's curfew # http_access allow curfewOK http_access deny children curfew #http_access deny children gamedom # Now block the stage zero regex blocks that are to come before safe regex # holes; this is to allow certain parts of a regex to be blocked while the # safe.exp match (for example) lets through the rest. For example, we might # have a "safe site" that has ads we want to block. # http_access deny adv0exp http_access deny bad0exp http_access deny offendexp # Let through safe domains, but not regex # http_access allow christdom http_access allow safedom http_access allow schooldom http_access allow employdom # 3. Block bad domains, but not regex # Thus, the domain files should only contain domains which are TOTALLY bad. # If a domain is only mostly bad, it should go in the regex file instead so # that white-list rules can be applied. # Put another way, any domain in a domain blacklist NEVER gets through, even if # a white-list contains a regex pattern match. # http_access deny baddom http_access deny violentIPs http_access deny violentdom http_access deny drugdomains http_access deny gambledom http_access deny deceptive http_access deny offensive http_access deny illegal http_access deny p2p # Ads and spam are last because I'd first want to tell people if the domain # were bad for some other reason, and only as a last resort block it merely # because it was spam. # http_access deny advdom http_access deny spamdom # 4. Let through safe regex # http_access allow christexp http_access allow safeexp # 5. Block bad regex # http_access deny badexp http_access deny violentexp http_access deny drugexp http_access deny gambleexp http_access deny deceptexp # Ads and spam expressions are the last to be blocked. # http_access deny adv1exp # 6. Everything else is permitted for those hosts that are allowed. # http_access allow AllowedHosts http_access deny all
Whitelist Proxy Example
Place your rules in a location of your choosing (e.g., /etc/squid/), define them, then apply them something like the following.
#______[ Black List ]_____________________________________________________ acl advIPs dst "/etc/squid/ad.IPs" acl advdom dstdomain "/etc/squid/ad.domains" acl adv0exp url_regex -i "/etc/squid/ad0.exp" acl baddom dstdomain "/etc/squid/bad.domains" acl baddom dstdomain "/etc/squid/proxy.domains" acl bad0exp url_regex -i "/etc/squid/bad.exp" acl violentdom dstdomain "/etc/ffilter/violent.domains" acl hardblock url_regex -i "/etc/squid/hardblock.exp" acl drugdomains dstdomain "/etc/ffilter/drug.domains" acl gambledom dstdomain "/etc/ffilter/gambling.domains" acl offensive dstdomain "/etc/ffilter/offensive.domains" acl deceptive dstdomain "/etc/ffilter/deceptive.domains" acl illegal dstdomain "/etc/ffilter/illegal.domains" # If you have children who have their own computers and for whom # you want extra protection, then try this idea: acl children src "/etc/ffilter/kids.IPs" acl curfewOK dstdomain "/etc/ffilter/curfew_ok.domains" # # On week-days the kids need to stop using the Internet at 10pm, # but on Friday and Saturday we let them go until midnight: # acl curfew time SMTWH 22:00-23:59 acl curfew time SMTWHF 00:00-7:00 #______[ White List ]_____________________________________________________ acl safedom dstdomain "/etc/ffilter/safe.domains" acl safeexp url_regex -i "/etc/ffilter/safe.exp" acl christdom dstdomain "/etc/ffilter/christian.domains" acl christexp url_regex -i "/etc/ffilter/christian.exp" acl schooldom dstdomain "/etc/ffilter/school.domains" acl employdom dstdomain "/etc/ffilter/employ.domains" #______[ Rules ]__________________________________________________________ # 0. 'hardblock' regex and IP matches # http_access deny hardblock # 1. Children's curfew # http_access allow curfewOK http_access deny children curfew #http_access deny children gamedom # Now block the stage zero regex blocks that are to come before safe regex # holes; this is to allow certain parts of a regex to be blocked while the # safe.exp match (for example) lets through the rest. For example, we might # have a "safe site" that has ads we want to block. # http_access deny adv0exp http_access deny bad0exp # Let through safe domains, but not expressions yet # http_access allow christdom http_access allow safedom http_access allow schooldom http_access allow employdom # 3. Block bad domains (domains which have no desirable content). # http_access deny baddom http_access deny violentdom http_access deny drugdomains http_access deny gambledom http_access deny deceptive http_access deny offensive http_access deny illegal http_access deny p2p # Ads and spam are last because I'd first want to tell people if the domain # were bad for some other reason, and only as a last resort block it merely # because it was spam. # http_access deny advdom http_access deny spamdom # 4. Let through safe expressions # http_access allow christexp http_access allow safeexp # 5. Everything else is denied. Do NOT put the AllowedHosts ACL in here # or you will defeat the white-list. # http_access deny all
Children's curfew
Include the following into the same Allowed Subnets box. Place the RULES section at the bottom, but remember that RULES are processed top to bottom order until the first one that matches the criteria is met.
# If you have children who have their own computers and for whom # you want extra protection, then try this idea: # acl children src "/etc/ffilter/kids.IPs" acl curfewOK dstdomain "/etc/ffilter/curfew_ok.domains" # # On week-days the kids need to stop using the Internet at 10pm, # but on Friday and Saturday we let them go until midnight: # acl curfew time SMTWH 22:00-23:59 acl curfew time SMTWHF 00:00-7:00 # RULES: # # Children's curfew # http_access allow curfewOK http_access deny children curfew #http_access deny children gamedom
url_rewrite_program PATH
- With this option, specify a URL rewriter.
- Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd, .vbs, .pl, etc. So in squid.conf the interpreter path must be always specified, for example:
url_rewrite_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
The actual rewriter script that is called would be something like this:
#!/usr/bin/env perl $|=1; while (<>) { $url = m/^([^ ]*)/; if ($url !~ /^http:\/\/www\.hostname\.com/) { $url =~ s@^http://www\.hostname\.com/(.*)@http://www.hostname.com/\1@; print "301:$url\n"; } else { print "$url\n"; } }
If it exists with abnormal program termination and this is in the cache.log:
2012/03/23 19:26:12| helperOpenServers: Starting 5 'c:\squid\php\redirect.pl' processes 2012/03/23 19:26:12| ipcCreate: CHILD: c:\squid\php\redirect.pl: (8) Exec format error 2012/03/23 19:26:12| ipcCreate: PARENT: OK read test failed 2012/03/23 19:26:13| --> read returned 4
Then could be to not place quotes around the path…
auth_param basic program PATH
- If users must be authenticated on the proxy, set a corresponding program, such as /usr/sbin/pam_auth. When accessing pam_auth for the first time, the user sees a login window in which they need to specify a user name and a password. In addition, you need an ACL, so only clients with a valid login can use the Internet:
acl password proxy_auth REQUIRED http_access allow password http_access deny all
- In the acl proxy_auth option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
ident_lookup_access allow ACL_NAME
- With this option, have an ident request run to find each user's identity for all clients defined by an ACL of the type src. Alternatively, use this for all clients, apply the predefined ACL all as the ACL_NAME.
- All clients covered by ident_lookup_access must run an ident daemon. On Linux, you can use pidentd (package pidentd ) as the ident daemon. For other operating systems, free software is usually available. To ensure that only clients with a successful ident lookup are permitted, define a corresponding ACL:
acl identhosts ident REQUIRED http_access allow identhosts http_access deny all
- In the acl identhosts ident option, using REQUIRED means that all valid user names are accepted. REQUIRED can also be replaced with a list of permitted user names.
- Using ident can slow down access time, because ident lookups are repeated for each request.