Using Squid to filter Internet access
ACLs – Time Based
Restricting access by time is an especially useful feature of Squid for kids. Virtually every computing device now has WiFi, and I suspect at some point WiFi-capable devices will become cheap enough to give away in cereal packets. Given this trend, it seems clear that I won't be catching my kids hiding under their blankets reading a book with a flashlight; instead, they'll be surfing the web or playing online games.
To restrict web access on weekdays and leave it more open on weekends, you can use rules such as:
acl basic time MTWHF 18:00-20:00 acl basic time SA 9:00-20:00
These lines would set an ACL that allows traffic Monday through Friday from 6pm until 8pm, and on Saturday and Sunday from 9am until 8pm.
ACLs – URL Based
Squid really shines in the variety of ways it allows you to filter. For example, you can filter access based on source and destination IP, on the domain of the client, the destination domain of the request, regular expression versions of these domains, the URL, the URL excluding the protocol and hostname, and the HTTP method (GET, PUT, POST), just to name a few. One way to make all this more manageable is to use include files:
acl good_domains dstdomain "/etc/squid/good_domains.acl"
The named file would then contain entries such as
and so on. Basically, for any ACL type, you can use an external file. I strongly recommend doing so, because it makes things much more manageable.
Restricting by File Type and Mime Type
Some things never get old, and apparently serving malware in the form of hostile executables or files such as PDFs is still a popular and effective way to attack users. You can block files based on the
urlpath_regex, usually by blocking the file extension. However, some operating systems and applications will still load content, even if the file extensions are "wrong," so you should also block by mime type, just to be on the safe side. To block Flash videos, for example, you can do:
acl flashvideo rep_mime_type video/flv video/x-flv acl flashvideo urlpath_regex \.flv(\?.*)?$
Using Squid ACLs does have some down sides, however. For one thing, you'll need to maintain files manually and reload Squid every time you update them. To deal with this, you can use the ICAP protocol.
Buy this article as PDF
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.
Klaus Knopper announces the latest version of his iconic Live Linux system.
All websites that use these popular CMS tools could be vulnerable to denial of service attacks if users don't install the updates.
According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.