Using Squid to make a Black List Proxy


Using Squid to make a Black List Proxy

To block undesired web sites you will do these things:

  1. Define the hosts permitted to use the cache
  2. Define the filter lists (black-lists, plus a white-list of exceptions to them)
  3. Apply the filter lists
  4. Define the error message files that appear when a given filter is triggered

Define the black-list

Place your black-list files in a location of your choosing (e.g., /etc/squid/), define an ACL for each of them, then apply those ACLs roughly as shown below. If you intend to use my sample files, you can copy-and-paste the following into your squid.conf file at the spot marked by the comment “INSERT YOUR OWN RULE(S) HERE”.

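#______[ Black List ]_____________________________________________________
#
# Every ACL name used in an http_access line further down must be defined
# here (or earlier in squid.conf): Squid treats a reference to an undefined
# ACL as a fatal configuration error and will not start.
# Naming convention used below: *dom = dstdomain list, *exp = url_regex list.

acl advdom      dstdomain       "/etc/squid/ad.domains"
acl adv0exp     url_regex -i    "/etc/squid/ad0.exp"
acl adv1exp     url_regex -i    "/etc/squid/ad1.exp"

# Two files under one ACL name: Squid appends, so 'baddom' matches both lists.
acl baddom      dstdomain       "/etc/squid/bad.domains"
acl baddom      dstdomain       "/etc/squid/proxy.domains"
acl badexp      url_regex -i    "/etc/squid/bad.exp"

acl violentdom  dstdomain       "/etc/ffilter/violent.domains"
acl hardblock   url_regex -i    "/etc/squid/hardblock.exp"
acl drugdomains dstdomain       "/etc/ffilter/drug.domains"
acl gambledom   dstdomain       "/etc/ffilter/gambling.domains"
acl offensive   dstdomain       "/etc/ffilter/offensive.domains"
acl offendexp   url_regex -i    "/etc/ffilter/offensive.exp"
acl deceptive   dstdomain       "/etc/ffilter/deceptive.domains"
acl illegal     dstdomain       "/etc/ffilter/illegal.domains"

# If you have children who have their own computers and for whom
# you want extra protection, then try this idea:
#
# 'children' is a src (client address) ACL, so it identifies a machine only
# by its IP address: give those machines fixed addresses, otherwise a DHCP
# change silently moves a host in or out of the list.  'curfewOK' is consulted
# before every deny rule except hardblock, so only fully trusted sites belong
# in curfew_ok.domains.

acl children    src             "/etc/ffilter/kids.IPs"
acl curfewOK    dstdomain       "/etc/ffilter/curfew_ok.domains"
#
# On week-days the kids need to stop using the Internet at 10pm,
# but on Friday and Saturday we let them go until midnight.
# Squid day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat.
# First range: Sunday-Thursday evenings from 22:00.  Second range: the early
# hours of every day (Saturday, 'A', was missing from it, which left the night
# after Friday unrestricted from midnight to 07:00).
#
acl curfew time SMTWH   22:00-23:59
acl curfew time SMTWHFA 00:00-7:00

#______[ White List ]_____________________________________________________
#
# Exceptions to the black-lists.  A domain listed here is allowed before the
# domain black-lists are consulted, and a regex here is allowed before the
# regex black-lists, so review these files as carefully as the block lists.

acl safedom     dstdomain       "/etc/ffilter/safe.domains"
acl safeexp     url_regex -i    "/etc/ffilter/safe.exp"
acl christdom   dstdomain       "/etc/ffilter/christian.domains"
acl christexp   url_regex -i    "/etc/ffilter/christian.exp"
acl schooldom   dstdomain       "/etc/ffilter/school.domains"
acl employdom   dstdomain       "/etc/ffilter/employ.domains"


#______[ Rules ]__________________________________________________________
#
# http_access lines are evaluated top to bottom and the first match wins,
# so the order below IS the policy.  Lines that referred to ACLs which are
# not defined above are commented out (Squid would otherwise refuse to
# start); define the ACL, then re-enable the line.

# 0. Only the permitted hosts may use the proxy at all.
#    The allow rules below (curfewOK, safedom, ...) test the destination
#    only, so without this guard any client able to reach the proxy could
#    relay through it to those domains regardless of the final
#    'allow AllowedHosts' line.  AllowedHosts is the src ACL from step 1,
#    the same name the final allow rule uses.
#
http_access deny !AllowedHosts

# 1. 'hardblock' regex matches: unconditional, ahead of every white-list hole
#
http_access deny hardblock

# 2. Children's curfew
#
http_access allow curfewOK
http_access deny children curfew
# gamedom is not defined above
#http_access deny children gamedom

# 3. Stage-zero regex blocks, placed before the safe regex holes so that part
#    of a site can be blocked while safe.exp (for example) lets the rest
#    through -- e.g. a "safe site" that carries ads we want to block.
#
http_access deny adv0exp
# bad0exp is not defined above (badexp, used in rule 7, is); add a url_regex
# ACL named bad0exp if a stage-zero bad list is wanted
#http_access deny bad0exp
http_access deny offendexp

# 4. Let through safe domains, but not regex
#
http_access allow christdom
http_access allow safedom
http_access allow schooldom
http_access allow employdom

# 5. Block bad domains, but not regex.
#       Thus, the domain files should only contain domains which are TOTALLY bad.
#   If a domain is only mostly bad, it should go in the regex file instead so
#   that white-list rules can be applied.
#       Put another way, any domain in a domain blacklist NEVER gets through, even if
#   a white-list contains a regex pattern match.
#
http_access deny baddom
# violentIPs and p2p are not defined above
#http_access deny violentIPs
http_access deny violentdom
http_access deny drugdomains
http_access deny gambledom
http_access deny deceptive
http_access deny offensive
http_access deny illegal
#http_access deny p2p

# Ads and spam are last because I'd first want to tell people if the domain
#   were bad for some other reason, and only as a last resort block it merely
#   because it was spam.
#
http_access deny advdom
# spamdom is not defined above
#http_access deny spamdom

# 6. Let through safe regex
#
http_access allow christexp
http_access allow safeexp

# 7. Block bad regex
#
http_access deny badexp
# violentexp, drugexp, gambleexp and deceptexp are not defined above
#http_access deny violentexp
#http_access deny drugexp
#http_access deny gambleexp
#http_access deny deceptexp

# Ads and spam expressions are the last to be blocked.
#
http_access deny adv1exp

# 8. Everything else is permitted for those hosts that are allowed.
#
http_access allow AllowedHosts
http_access deny all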

FIXME Finish this.