In this article, we'll be looking into how Squid can be used to block or allow access to websites in a network.
We've written an article on how to set up Squid (4.17) with ICAP & SSL that is worth reading before continuing with this one.
Squid ACLs
Simply put, an ACL is a way of controlling who is allowed to access which web pages, and when.
The two Squid configuration directives we'll be using are acl and http_access, where we define the access rules and then allow or deny them, respectively.
ACL Syntax:
acl name type definition1 definition2 definition3 ...
Examples:
# direct: in squid.conf
acl accesses_to_google dstdomain .google.com
acl accesses_to_search_engines dstdomain .yahoo.com .google.com
acl accesses_from_marketing_dept src 10.51.0.0/16
If we isolated the sites to be allowed or blocked into files, like so:
/etc/squid/search-engines-urls.txt:
.google.com
.bing.com
.yahoo.com
The ACL definition would look like this:
acl accesses_to_search_engines dstdomain "/etc/squid/search-engines-urls.txt"
HTTP_ACCESS Syntax:
http_access (allow|deny) acl1 acl2 acl3 ...
Examples:
http_access allow accesses_to_search_engines
http_access deny accesses_from_marketing_dept
http_access deny all
This would allow all access to search engines, deny any access from the marketing department, and finally deny all other accesses. Keep in mind that Squid evaluates http_access lines top to bottom and stops at the first line that matches, so with this order the marketing department can still reach the search engines; if that is not intended, the deny line must come before the allow line.
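As an added example (not code from the original article or from the Squid project), the following Python model reproduces how Squid evaluates these directives: dstdomain matching with and without the leading dot, a list file loaded one entry per line, and first-match http_access evaluation over the ruleset above. The list file contents are constructed, and Squid's built-in all ACL is approximated as src 0.0.0.0/0.

```python
import ipaddress

SEARCH_ENGINES_TXT = """# constructed sample of /etc/squid/search-engines-urls.txt
.google.com
.bing.com
.yahoo.com
"""

def load_domain_list(text):
    """Read a dstdomain list file: one entry per line, blank lines and '#' comments skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def dstdomain_match(pattern, host):
    """Squid dstdomain semantics: a leading dot matches the domain itself and
    every subdomain; without it only an exact, case-insensitive match counts."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(acl, client_ip, host):
    """acl is (type, values): 'src' values are CIDR networks, 'dstdomain' values are patterns."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(v, host) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(acls, rules, client_ip, host):
    """Evaluate http_access lines top to bottom and stop at the first line whose
    ACLs all match; if none match, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_matches(acls[name], client_ip, host) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The article's ruleset; 'all' is Squid's built-in ACL, approximated here as src 0.0.0.0/0.
ACLS = {
    "accesses_to_search_engines": ("dstdomain", load_domain_list(SEARCH_ENGINES_TXT)),
    "accesses_from_marketing_dept": ("src", ["10.51.0.0/16"]),
    "all": ("src", ["0.0.0.0/0"]),
}
RULES = [("allow", ["accesses_to_search_engines"]),
         ("deny", ["accesses_from_marketing_dept"]),
         ("deny", ["all"])]

if __name__ == "__main__":
    for ip, host in [("10.51.3.7", "www.google.com"), ("10.51.3.7", "example.org")]:
        print(f"{ip} -> {host}: {http_access(ACLS, RULES, ip, host)}")
```

Running it shows a marketing-department client (10.51.0.0/16) allowed to www.google.com but denied example.org, because the allow line is matched first.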
Block Websites
You can either define a list of websites to block or find a domains blocklist for Squid. In this example, we'll be using Blackweb, a project that collects and unifies public blocklists of domains to make them compatible with Squid.
So, download the .txt file as per the repository instructions, then copy it to Squid's service folder:
$ sudo cp /home/linux/blackweb.txt /etc/squid/
Modify Squid's configuration file:
$ sudo nano /etc/squid/squid.conf
acl blackweb dstdomain "/path_to/blackweb.txt"
http_access deny blackweb
Note: if you're creating your own list, make sure the file contains one item per line.
Reconfigure Squid after the changes are made (if Squid is already running):
$ sudo squid -k reconfigure
If Squid isn't running yet, start it:
$ sudo squid
Verify from the client browser that access is denied as shown below:
Allow Websites
For this example, I've created a file similar to blackweb.txt, except that it contains the whitelisted websites.
/etc/squid/allowedlist.txt:
.ubuntu.com
wiki.squid-cache.org
Modify Squid's configuration file:
$ sudo nano /etc/squid/squid.conf
acl allowedlist dstdomain "allowedlist.txt"
http_access allow allowedlist
If you get the following error when reconfiguring Squid:
2022/01/25 13:20:31| ERROR: Can not open file allowedlist.txt for reading
2022/01/25 13:20:31| Warning: empty ACL: acl allowedsites dstdomain "allowedlist.txt"
Modify the configuration file like so (the http_access line must reference the same ACL name as the acl line, otherwise Squid reports the ACL as undefined):
acl allowedsites dstdomain parameters("allowedlist.txt")
http_access allow allowedsites
Reconfigure Squid:
$ sudo squid -k reconfigure
You should now be able to verify that it is all working through your client browser.