My requirement was to block certain websites for all users except for certain IPs. My Squid server runs in transparent mode; all HTTP requests are redirected to the proxy with iptables. I spent about three hours of Googling and testing to get it working.
This Squid transparent proxy has the following capabilities.
1. Some websites are opened in the morning and in the evening for a short period. This setting permits users to use the internet for their personal purposes during those windows.
2. The proxy can ban websites using keywords.
3. Any number of special IPs can be excluded from this keyword blocking. Here I use the 'orkut' keyword to block the 'www.orkut.com' domain.
4. Any number of domain names can be blocked for all users, including the 'special IP' users.
After installing Squid, I added the lines below to its configuration. My access control list goes directly under the line ending with "acl CONNECT method CONNECT":
acl CONNECT method CONNECT
## Policy is added
acl special_clients src "/etc/squid/whitelistedip.txt"
acl banned_sites url_regex orkut monster sex porn naukri youtube
acl morning_hours time M T W H F 9:00-9:45
acl evening_hours time M T W H F 17:45-18:45
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
And add the http_access restrictions under:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
## Policy Added
http_access allow morning_hours banned_sites
http_access allow evening_hours banned_sites
http_access deny !special_clients banned_sites
http_access deny blockeddomain
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow our_networks
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
Please note that the file /etc/squid/whitelistedip.txt holds the IPs of the users who have unrestricted access, and the file /etc/squid/blocked.domains.acl holds the list of domain names to be blocked, one per line. The resulting squid.conf follows:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
# Safe_ports is referenced by "http_access deny !Safe_ports" below but was missing
# from this excerpt; Squid refuses to start on an undefined ACL name. These are the
# stock squid.conf values.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl special_clients src "/etc/squid/whitelistedip.txt"
acl banned_sites url_regex orkut monster sex porn naukri youtube debonairblog
acl morning_hours time M T W H F 9:00-9:45
acl evening_hours time M T W H F 17:45-18:45
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access is first-match: a line applies only when every ACL on it matches.
http_access allow morning_hours banned_sites
http_access allow evening_hours banned_sites
http_access deny !special_clients banned_sites
http_access deny blockeddomain
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
icp_access allow all
http_port 192.168.0.9:3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 200 16 256
access_log /var/log/squid/access.log squid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr admins@rainconcert.in
httpd_suppress_version_string on
visible_hostname Secure-Gateway
coredump_dir /var/spool/squid
# httpd_accel_* is Squid 2.5 syntax; Squid 2.6 and later replaced it with the
# "transparent" option on http_port (already set above) and report these lines
# as unrecognized.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# Unreachable: "http_access deny all" above already matches every request, so
# these two lines never apply.
acl lan src 192.168.0.0/24 192.168.2.0/24
http_access allow localhost
http_access allow lan
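Squid walks the http_access lines top to bottom; a line applies only when every ACL on it matches (a leading "!" negates one ACL), and the first matching line decides. The simulator below, an added example that is not part of the original post, evaluates the rule set above against constructed client IPs, URLs and timestamps so the policy can be checked before it is deployed; the contents of whitelistedip.txt and blocked.domains.acl are assumed, and the manager and Safe_ports lines are omitted.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the two files the post references.
SPECIAL_CLIENTS = {"192.168.0.50"}        # assumed content of /etc/squid/whitelistedip.txt
BLOCKED_DOMAINS = {"example.org"}         # assumed content of /etc/squid/blocked.domains.acl
# url_regex keywords from the post; Squid url_regex is case-sensitive unless -i is given.
BANNED_RE = re.compile("orkut|monster|sex|porn|naukri|youtube|debonairblog")
OUR_NETWORKS = [ip_network("192.168.0.0/24"), ip_network("192.168.2.0/24")]

def in_window(t, start, end):
    """Squid 'time M T W H F hh:mm-hh:mm': Monday to Friday, clock time inside the range."""
    return t.weekday() < 5 and start <= (t.hour, t.minute) <= end

ACLS = {
    "special_clients": lambda r: r["src"] in SPECIAL_CLIENTS,
    "banned_sites":    lambda r: BANNED_RE.search(r["url"]) is not None,
    "morning_hours":   lambda r: in_window(r["time"], (9, 0), (9, 45)),
    "evening_hours":   lambda r: in_window(r["time"], (17, 45), (18, 45)),
    # dstdomain entries without a leading dot match that host name exactly.
    "blockeddomain":   lambda r: r["host"] in BLOCKED_DOMAINS,
    "our_networks":    lambda r: any(ip_address(r["src"]) in n for n in OUR_NETWORKS),
    "localhost":       lambda r: r["src"] == "127.0.0.1",
    "all":             lambda r: True,
}

# The http_access lines from the post, in order (manager and Safe_ports lines omitted).
HTTP_ACCESS = [
    ("allow", ["morning_hours", "banned_sites"]),
    ("allow", ["evening_hours", "banned_sites"]),
    ("deny",  ["!special_clients", "banned_sites"]),
    ("deny",  ["blockeddomain"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated

def http_access(src, url, when):
    """First-match evaluation; 'when' is an ISO timestamp such as '2024-03-04T09:30'."""
    host = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]
    req = {"src": src, "url": url, "host": host, "time": datetime.fromisoformat(when)}
    for verdict, acls in HTTP_ACCESS:
        if all(acl_matches(a, req) for a in acls):
            return verdict
    return "deny"  # not reached: "deny all" always matches
```

Running it also surfaces an over-blocking side effect of the keyword list: because url_regex matches substrings, a URL containing "essex" is denied by the "sex" keyword for non-special clients.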
I hope this works for you.
The following post will help you configure Squid as a transparent proxy using iptables.
http://www.serveridol.com/2009/11/04/how-to-configure-a-linux-router/
-enoy