Using Squid to filter Internet access
ACLs – Time Based
Restricting access by time is an especially useful feature of Squid for kids. Virtually every computing device now has WiFi, and I suspect at some point WiFi-capable devices will become cheap enough to give away in cereal packets. Given this trend, it seems clear that I won't be catching my kids hiding under their blankets reading a book with a flashlight; instead, they'll be surfing the web or playing online games.
To restrict web access on weekdays and leave it more open on weekends, you can use rules such as:
acl basic time MTWHF 18:00-20:00 acl basic time SA 9:00-20:00
These lines would set an ACL that allows traffic Monday through Friday from 6pm until 8pm, and on Saturday and Sunday from 9am until 8pm.
ACLs – URL Based
Squid really shines in the variety of ways it allows you to filter. For example, you can filter access based on source and destination IP, on the domain of the client, the destination domain of the request, regular expression versions of these domains, the URL, the URL excluding the protocol and hostname, and the HTTP method (GET, PUT, POST), just to name a few. One way to make all this more manageable is to use include files:
acl good_domains dstdomain "/etc/squid/good_domains.acl"
The named file would then contain entries such as
and so on. Basically, for any ACL type, you can use an external file. I strongly recommend doing so, because it makes things much more manageable.
Restricting by File Type and Mime Type
Some things never get old, and apparently serving malware in the form of hostile executables or files such as PDFs is still a popular and effective way to attack users. You can block files based on the
urlpath_regex, usually by blocking the file extension. However, some operating systems and applications will still load content, even if the file extensions are "wrong," so you should also block by mime type, just to be on the safe side. To block Flash videos, for example, you can do:
acl flashvideo rep_mime_type video/flv video/x-flv acl flashvideo urlpath_regex \.flv(\?.*)?$
Using Squid ACLs does have some down sides, however. For one thing, you'll need to maintain files manually and reload Squid every time you update them. To deal with this, you can use the ICAP protocol.
Buy this article as PDF
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.
3ROS attack tool lowers the technical bar so anyone can be an intruder.
Mozilla's latest browser offers powerful new privacy feature
If attackers are on your system, saving your passwords in a password vault is no protection.
Faulty hash algorithm persists, despite efforts by experts to raise awareness.
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm