Basic Squid setup with file, domain, and ad blocking
Posted by mkeadle
The previous article on Squid dealt with Squid and NTLM authentication. This article covers a basic overall setup that blocks access to specified outside domains and denies downloads of certain file types by subnet. It is assumed that you already have Squid up and running successfully with your own configuration. If this is not the case then you may want to visit the Squid homepage for installation documentation and Google for any other help you may need.
Again, this is a fairly basic setup that doesn’t take much time to create. You should be able to implement this in a short time. As a reference, the basic Squid configuration we’ll be starting out with can be found here.
CREATING ACL CONTENT
To start, you’re going to create a few files that will hold certain pieces of information. These files will later be referenced by Squid when you create the actual acls. The files you’re going to create are:
- A list of domains to block
- A list of file types to block
- A list of ads to block
- A list of your internal subnets
All of these are just basic text files that can be created with your favorite editor; the author recommends Vim. Start with the list of blocked domains. This will be a list, one per line, of sites that you want to deny your users access to. Create a file like the following and save it as /etc/squid/denied_domains.acl.
|Listing 1. Blocked domain list: /etc/squid/denied_domains.acl|
.sex.com
.hackers.com
.xemacs.org
Next up is the list of file types to block. Create a file called /etc/squid/denied_filetypes.acl and add the following to it.
|Listing 2. Blocked file type list: /etc/squid/denied_filetypes.acl|
\.(exe)$
\.(zip)$
\.(mp3)$
Now for a little ad blocking. I don’t like those pesky advertisements. This won’t block everything, but it makes a good bit of difference. An excerpt from my file is below, but you can find an entire copy of my ad block list here.
|Listing 3. Excerpt from /etc/squid/denied_ads.acl|
/adv/.*\.gif$
/[Aa]ds/.*\.gif$
/[Aa]d[Pp]ix/
/[Aa]d[Ss]erver
/[Aa][Dd]/.*\.[GgJj][IiPp][FfGg]$
/[Bb]annerads/
Finally, you need a list of all your internal subnets. Here’s how that one should look.
|Listing 4. Internal subnet list: /etc/squid/student_subnets.acl|
192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24
CREATING USER NOTIFICATION SCREENS
The user notification screens tell a user that they have tried to access a forbidden website, attempted to download an unauthorized file type, or are having advertisements filtered from the page they are viewing. They aren’t strictly necessary, as Squid comes with acceptable defaults, but they help make an impression on the users. You’ll need three files, one each for denied sites, files, and ads.
The screens I use are simple modified versions of the defaults supplied with a little more color to make them a bit more recognizable. When a user attempts to access a site that is forbidden, they are presented a red screen. After seeing this screen once, users know immediately what it means.
|Listing 5. Site Access Denied User Screen|
Attempting to access a denied file type displays a similar screen, only this one is yellow.
|Listing 6. File Access Denied User Screen|
The screen used to replace blocked advertisements is a little different. It’s a solid white page and the only text is “Ad filtered!”. However, you never actually see the page. The header of the page contains a meta tag that immediately redirects the user, as soon as the page loads, to a 4 pixel by 4 pixel transparent GIF hosted directly on the proxy.
These files need to be saved in your Squid errors directory. In Gentoo this can be reached at /etc/squid/errors, but it may be different for Red Hat and others. Download the following files and place them in that directory. Remove the “.txt” extension once they’re there.
And here’s a 4×4 transparent GIF if you need one.
PUTTING IT ALL TOGETHER
First add the directives for the user error screens since they are the easiest. This is done by adding a couple of deny_info lines to your Squid config.
|Listing 7. Excerpt From File: /etc/squid/squid.conf|
deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes
There’s no need to directly reference the ERR_ACCESS_DENIED file since all you’ve really done is tweak an already existing file.
It’s finally time to add your acls that you built content for at the beginning. In the acl block in your configuration, add the following lines.
|Listing 8. Excerpt From File: /etc/squid/squid.conf|
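# Each acl reads its values from one of the files created in Listings 1-4.
# dstdomain matches the destination host; a leading dot covers subdomains.
acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
# urlpath_regex matches the URL path only; -i makes it case-insensitive.
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
# url_regex matches against the whole URL.
acl url_ads url_regex "/etc/squid/denied_ads.acl"
# src matches the client address against the internal subnets.
acl students src "/etc/squid/student_subnets.acl"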
Now that Squid knows what types of information you want to control and what to do when accessed by a user, you need to tell Squid how to tie the pieces of information together. This is easily done with a few http_access rules.
|Listing 9. Excerpt From File: /etc/squid/squid.conf|
http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains
It’s important to order your http_access lines correctly, or your users may not get the access you’re expecting to give them! A final version of the config you’ve been working on can be found here so you can see a good order to place them in.
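The ordering point above, as an added example that is not part of the original post: a small Python model of how Squid walks http_access lines (the first line whose ACLs all match decides, and ACLs named on one line are ANDed), fed with the lists from Listings 1 to 4. The `staff` subnet and the two `allow` lines are assumptions standing in for the rest of the config.

```python
import ipaddress
import re

# Constructed copies of the page's ACL files (Listings 1, 2, 3 excerpt, 4).
DOMAINS = [".sex.com", ".hackers.com", ".xemacs.org"]
FILETYPES = [r"\.(exe)$", r"\.(zip)$", r"\.(mp3)$"]
ADS = [r"/adv/.*\.gif$", r"/[Aa]ds/.*\.gif$", r"/[Bb]annerads/"]
STUDENTS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24"]
STAFF = ["192.168.20.0/24"]  # hypothetical subnet, not from the page

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def in_domains(host):
    # dstdomain: a leading dot matches the domain and all of its subdomains.
    return any(host == d[1:] or host.endswith(d) for d in DOMAINS)

# Each ACL is a predicate over a request dict {"src", "host", "path"}.
ACLS = {
    "all": lambda r: True,
    "denied_domains": lambda r: in_domains(r["host"]),
    # urlpath_regex -i: case-insensitive, path only.
    "filetypes": lambda r: any(re.search(p, r["path"], re.I) for p in FILETYPES),
    # url_regex: case-sensitive, whole URL.
    "url_ads": lambda r: any(re.search(p, "http://" + r["host"] + r["path"]) for p in ADS),
    "students": lambda r: in_nets(r["src"], STUDENTS),
    "staff": lambda r: in_nets(r["src"], STAFF),
}

def evaluate(rules, req):
    """Return (action, line) for the first http_access line whose ACLs all match."""
    for line in rules:
        _, action, *names = line.split()
        if all(ACLS[n](req) for n in names):  # ACLs on one line are ANDed
            return action, line
    return "deny", "(no line matched)"  # simplification; both rule sets end in deny all

DENIES = ["http_access deny url_ads",
          "http_access deny students filetypes",
          "http_access deny denied_domains"]           # Listing 9
ALLOWS = ["http_access allow students",
          "http_access allow staff"]                   # assumed rest of the config
GOOD_ORDER = DENIES + ALLOWS + ["http_access deny all"]
BAD_ORDER = ALLOWS + DENIES + ["http_access deny all"]

if __name__ == "__main__":
    req = {"src": "192.168.10.25", "host": "downloads.example.org", "path": "/tools/setup.EXE"}
    for name, rules in (("deny lines first", GOOD_ORDER), ("allow lines first", BAD_ORDER)):
        print(name, "->", evaluate(rules, req))
```

With the allow lines placed first, the student request never reaches the file-type rule, which is the failure the ordering warning is about.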
Squidmanage is a tool I wrote a long time ago. It started out as a simple bash script, but was updated and rewritten shortly after as a menu based tool. It requires the dialog package to function.
|Listing 10. Squidmanage Screenshots|
We use Squidmanage here on a regular basis, but it is very incomplete and still has a few major issues, so don’t expect to just drop it in and have it work. It is deficient in the following ways:
- Poor/nonexistent user input checking. For instance, if you enter an ACL incorrectly it will wipe out your entire list.
- Cannot remove a blocked domain. Blocked domains must still be removed by hand.
- The realtime monitor is utterly useless unless all you’re looking for is a sign that there is actually movement across the proxy. If you’re interested in watching traffic fly by try squidwatch, a small shell script that tails your access log.
Taking the above into account, you are free to download and play with squidmanage. I know how to fix the shortcomings that are present, I’ve just never felt motivated to actually get it over with yet.