15.5. Using Squid for Restricting Access

Squid is commonly used to block access to certain web content. Typically, either specific destination ports or particular web sites are blocked.

15.5.1. Restricting Access by Blocking a Port

This method, also called port filtering, blocks a specific destination port number in the Squid proxy server. It restricts the protocols, services, web sites, and applications that clients can reach through the proxy. For example, to block FTP traffic through the proxy, block port 21/TCP. In the same way you can block all HTTPS sites by blocking port 443/TCP, because HTTPS clients ask the proxy for a CONNECT tunnel to destination port 443. Note that port filtering only affects traffic that passes through Squid; clients that can reach the Internet directly are not restricted by it.

Procedure 15.5. Blocking Port Numbers

  1. Log in as the root user and open the Squid configuration file:
    ~]# vi /etc/squid/squid.conf
  2. Define an ACL for the port and deny it. An acl line by itself blocks nothing; the http_access deny rule enforces it and must be placed before any http_access allow rule that would otherwise match the same clients:
    acl Bad_ports port 443           # ACL for destination port 443/tcp
    http_access deny Bad_ports
  3. Save the changes.
  4. Reload Squid to apply the new configuration:
    ~]# systemctl reload squid
The default Squid configuration file contains a set of acl Safe_ports port lines. The ports listed there are the only destination ports open for browsing, because the default rule http_access deny !Safe_ports rejects requests to any other port.
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
Commenting out one of these lines in /etc/squid/squid.conf removes that port from Safe_ports, so the http_access deny !Safe_ports rule blocks requests to it.

Example 15.7. Blocking port 777/tcp

To block port 777/tcp, add a hash sign in front of the respective line as follows:
#acl Safe_ports port 777         # multiling http

15.5.2. Restricting Access by Blocking Specific Sites or Addresses

Configure Squid for your network to disable access to specific sites.

Procedure 15.6. Blocking a Specific Website

  1. Enable access to Squid from your network. Open the /etc/squid/squid.conf file and search for "Access Controls". Scroll down to INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS. Adapt the list to the internal IP networks from which browsing should be allowed. In this example, the ACL allows access from the local networks 192.168.1.0/24 and 192.168.2.0/24.
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    acl our_networks src 192.168.1.0/24 192.168.2.0/24
    http_access allow our_networks
  2. Create one file listing the sites you want to allow and one listing the sites you want to block. Name them, for example, /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid. Each file holds one domain per line. A dstdomain entry without a leading dot matches only that exact host name, so illegal.com does not match www.illegal.com; write .illegal.com to match the domain and all of its subdomains.
    ~]# cat /usr/local/etc/allowed-sites.squid
    www.redhat.com
    fedoraproject.org
    ~]# cat /usr/local/etc/restricted-sites.squid
    www.badsites.com
    illegal.com
    These ACLs can then be used to block the restricted sites. Squid evaluates http_access lines from top to bottom and stops at the first match, so the deny rule must come before the allow rule for your networks; placed after it, the deny rule would never be reached. Every ACL referenced by an http_access line must be defined, otherwise Squid refuses to start.
    ~]# vi /etc/squid/squid.conf
    acl our_networks src 192.168.1.0/24 192.168.2.0/24
    acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
    acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
    
    http_access deny BadSites
    http_access allow our_networks
    To allow only the listed sites instead, replace the last line with http_access allow our_networks GoodSites, so that every other request from your networks falls through to the http_access deny all rule at the end of the default configuration.
    Save and close the file.
  3. Check the configuration syntax and restart the Squid proxy server:
    ~]# squid -k parse
    ~]# systemctl restart squid
  4. Configure your web browser to use the DNS name or IP address of your Squid server and the port Squid listens on (3128 by default, set by the http_port directive in /etc/squid/squid.conf).
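Both procedures in this section depend on how Squid evaluates its ACLs: http_access lines are tried from top to bottom and the first matching line wins, a port ACL matches the destination port (for HTTPS that is the port of the CONNECT tunnel), and a dstdomain entry matches subdomains only when it starts with a dot. The following Python script is an added example, not Squid's own code and not part of the Red Hat documentation: it models just that subset of Squid's behaviour so that a rule set like the ones above can be checked offline before it is deployed. The configuration fragment, the domain list, the client addresses and the requests in it are constructed for the example, and the domain list is inlined instead of being read from /usr/local/etc/*.squid files.

```python
"""Model of how Squid evaluates http_access rules.
Added example, not Squid's own code: it re-implements only the ACL types this
section uses (src, port, dstdomain, method and the built-in 'all') and the
first-match http_access evaluation, so rule order and dstdomain matching can
be checked offline. The configuration and requests below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed fragment in the style of Procedures 15.5 and 15.6. The domain
# list is inline rather than in a "/usr/local/etc/*.squid" file (same format,
# one entry per line). Note ".illegal.com" (leading dot) vs "www.badsites.com".
SQUID_CONF = """
acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl Bad_ports port 21
acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl BadSites dstdomain www.badsites.com .illegal.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny Bad_ports
http_access deny BadSites
http_access allow our_networks
http_access deny all
"""
# Same rules with allow before deny: the deny line is never reached for
# our_networks clients, because the first matching http_access line wins.
MISORDERED_CONF = SQUID_CONF.replace(
    "http_access deny BadSites\nhttp_access allow our_networks",
    "http_access allow our_networks\nhttp_access deny BadSites")

def parse_conf(text):
    """Collect acl lines (repeated names merge) and the ordered http_access
    list. A '#' starts a comment, also after a directive on the same line."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    acls.setdefault("all", ("src", ["0.0.0.0/0"]))  # Squid's built-in 'all'
    return acls, rules

def domain_matches(values, host):
    """dstdomain: a leading dot matches the domain and every subdomain;
    without it only that exact host name matches."""
    host = host.lower().rstrip(".")
    return any(host == v.lower().lstrip(".")
               or (v.startswith(".") and host.endswith(v.lower()))
               for v in values)

def port_matches(values, port):
    """port: single numbers or lo-hi ranges such as 1025-65535."""
    for value in values:
        lo, _, hi = value.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def acl_matches(acls, name, req):
    kind, values = acls[name]  # KeyError: ACL used in http_access but undefined
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return port_matches(values, req["port"])
    if kind == "dstdomain":
        return domain_matches(values, req["host"])
    if kind == "method":
        return req["method"] in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type {kind}")

def http_access(acls, rules, req):
    """Every ACL on a line must match (AND); the first matching line wins.
    If no line matches, Squid applies the opposite of the last line."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(src, method, target):
    """CONNECT targets are host:port; other methods carry a full URL."""
    method = method.upper()
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"src": src, "method": method, "host": host, "port": int(port)}
    url = urlsplit(target)
    port = url.port or {"http": 80, "https": 443, "ftp": 21}[url.scheme]
    return {"src": src, "method": method, "host": url.hostname, "port": port}

def check(src, method, target, conf=SQUID_CONF):
    """Return 'allow' or 'deny' for one request against a config text."""
    acls, rules = parse_conf(conf)
    return http_access(acls, rules, request(src, method, target))
```

check("192.168.1.10", "GET", "http://badsites.com/") returns "allow" although www.badsites.com is listed, because an entry without a leading dot matches only that exact host name, while mirror.illegal.com is denied through the .illegal.com entry. The same www.badsites.com request against MISORDERED_CONF is allowed, since the allow line for our_networks is matched first and the deny line below it is never consulted. An FTP URL is denied by Bad_ports, and a CONNECT to port 8443 is denied by the default CONNECT !SSL_ports rule even though the port is in Safe_ports. The model covers only the ACL types used on this page; confirm the behaviour of the real server with squid -k parse and its access log.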