Filtering home Internet access with Squid


Even if your kids keep to the times that they are allowed to surf the web, you will not want them accessing sites with pornographic or violent content.

To place websites off limits, you just need to add a couple of lines to your Squid configuration file (see Listing 7) then add entries with strings describing the web content you want to block to the /usr/share/squid/blacklist file (see Listing 8); regular expressions [4] are supported.

Finally, type /etc/init.d/squid reload to tell the proxy to parse the blacklist.

Listing 7

Place websites off limits

# defines a blacklist that applies to all clients except the parents' clients
acl blacklist url_regex -i "/usr/share/squid/blacklist"
http_access deny blacklist !marion !archie

# defines a blacklist that additionally applies to Tanja
acl blacklist_tanja url_regex -i "/usr/share/squid/blacklist_tanja"
http_access deny tanja blacklist_tanja

Listing 8

Block web content

# blocks all pages/domains with the following strings
violence.tld
actionmovies.domain
# blocks the address http://(www.),
# but grants access to the site otherwise
# Prevents downloading of files with the suffixes .mp3 or .exe
.mp3
.exe

Custom Blacklists

Of course, Squid will let you assign different blacklists to different users. For example, Simon is allowed to browse online auctions, whereas Tanja is still too young for such things. To set this up, just assign the blacklist in Listing 8 as /usr/share/squid/blacklist_tanja.

The example blocks pages that contain the prohibited text. To define more precise filters, you can use regular expressions, but don't rely blindly on the list; it makes far more sense to check at regular intervals to see whether it still has the desired effect. And remember that server and file names do change.
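One way to run that periodic check offline, as an added example that is not part of the original article: the script applies a pattern list to URLs that must be blocked and URLs that must stay reachable, and reports both misses and false positives. Python's re module only approximates Squid's case-insensitive, unanchored url_regex matching; the test URLs, the ANCHORED variant, and all function names are constructed for illustration.

```python
import re

def load_patterns(text):
    """Parse a url_regex file: one pattern per line, '#' lines are comments."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def first_match(patterns, url):
    """Return the first pattern found anywhere in the URL, ignoring case, else None."""
    for p in patterns:
        if re.search(p, url, re.IGNORECASE):
            return p
    return None

def audit(patterns, must_block, must_allow):
    """Return (missed, overblocked): URLs that slip through, URLs blocked by mistake."""
    missed = [u for u in must_block if first_match(patterns, u) is None]
    overblocked = [(u, first_match(patterns, u)) for u in must_allow
                   if first_match(patterns, u) is not None]
    return missed, overblocked

# Entries as they appear in Listing 8
LISTING_8 = """\
# blocks all pages/domains with the following strings
violence.tld
actionmovies.domain
.mp3
.exe
"""

# Constructed variant: dots escaped, suffix tied to end of URL or start of query
ANCHORED = r"""
violence\.tld
actionmovies\.domain
\.mp3(\?.*)?$
\.exe(\?.*)?$
"""

# Constructed test URLs
MUST_BLOCK = ["http://www.violence.tld/", "http://files.example/setup.EXE",
              "http://files.example/song.mp3?dl=1"]
MUST_ALLOW = ["http://news.example/executive-summary.html",
              "http://shop.example/camp3/tents.html"]

if __name__ == "__main__":
    for name, text in (("Listing 8", LISTING_8), ("anchored", ANCHORED)):
        missed, over = audit(load_patterns(text), MUST_BLOCK, MUST_ALLOW)
        print(name, "missed:", missed, "overblocked:", over)
```

With the Listing 8 entries, both allowed URLs are blocked because an unescaped dot matches any character; the anchored variant blocks the same three targets without those false positives.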


Another approach to filtering, and one that is far more strict, is to use whitelists. If you prefer to restrict Tanja's access to just one or a few sites, a whitelist is probably a good idea. Just add the lines in Listing 9 to your Squid configuration and create a whitelist to match. The syntax is similar to that of the blacklist; however, whitelisting can cause problems when a single website references content from many other locations.

To display the complete page, you would need to list these sites explicitly.

Listing 9

Adding a Whitelist

# Tanja is only allowed to access these pages
acl whitelist url_regex -i "/usr/share/squid/whitelist"
http_access deny tanja !whitelist
