Monday, 25 June 2012

Configure SQUID Proxy Server to BLOCK HTTP Request to specific Web Site.

Open and edit the configuration file of Squid proxy server that usually located under /etc/squid/squid.conf

#vi /etc/squid/squid.conf 

1.  Find and edit ACCESS CONTROL part and put in the ( acl bad_url dstdomain "/etc/squid/bad-sites.squid" ) as shown in example below.
 
# ACCESS CONTROLS
# ---------------------------
----------- **** +++++
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 2083 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 2083 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl FTP proto FTP
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
 
2.  Then put the (http_access deny bad_url) on http_access part.
 
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access deny bad_url
 
3.  Then save and exit the Squid configuration file.
 
4.  Create file new file called bad-sites.squid and then enter sites URI that clients not suppose to access, save and exit the file:.
 
# cat /etc/squid/bad-sites.squid

facebook.com
youtube.com
yahoo.com
orkut.com

5.  Restart or reload the Squid proxy server to make sure the new configuration apply.
 
RESTART:
# /sbin/service squid stop
# /sbin/service squid start
 
RELOAD:
# /sbin/service squid reload
 
6.  Then point the browser URL adrress to the site that you put in the bad site list to verify the changes that you made, if nothing goes wrong you should see the ERROR page that say "The requested URL could not be retrived".

Squid Proxy Server Configuration

Sure Squid Server is a popular open source Proxy and Web Cache Server. It has a variety of uses, from speeding up a Web Server by caching repeated requests, to caching Web, name server query , and other network lookups for a group of people sharing network resources. It is primarily designed to run on Linux / Unix-like systems. Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. 

Install Squid on CentOS / REDHAT

 # yum install squid

Squid Configuration

Squid configuration file located at /etc/squid/squid.conf. Open file using a text editor:

# vi /etc/squid/squid.conf

At least you need to define ACL (access control list) to work with squid. The defaults port is TCP 3128. Following example ACL allowing access from your local networks 192.168.1.0/24 and 192.168.2.0/24. Make sure you adapt to list your internal IP networks from where browsing should be allowed:

acl our_networks src 192.168.1.0/24 192.168.2.0/24

http_access allow our_networks

Save and close the file. Start squid proxy server:

# chkconfig squid on

# /etc/init.d/squid start

Output:
init_cache_dir /var/spool/squid... Starting squid: . [ OK ]
Verify port 3128 is open:

# netstat -tulpn | grep 3128

Output:
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 20653/(squid)
Open TCP port 3128
Finally make sure iptables is allowing to access squid proxy server. Just open /etc/sysconfig/iptables file:

# vi /etc/sysconfig/iptables

Append configuration:

-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 3128 -j ACCEPT

Restart iptables based firewall:

# /etc/init.d/iptables restart

Output:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n [ OK ]