15.5. Using Squid for Restricting Access
Squid is mostly used to block access to certain web content, typically by blocking either particular ports or particular web sites.
15.5.1. Restricting Access by Blocking a Port
With this method, also called port filtering, you block a specific port number on the Squid proxy server and thereby restrict the use of particular protocols, services, websites and applications. For example, to block FTP traffic it is enough to block port 21/TCP; in the same way you can block all HTTPS sites by blocking port 443/TCP.
Procedure 15.5. Blocking Port Numbers
- Log in as the root user and open the Squid configuration file:
  ~]# vi /etc/squid/squid.conf
- Block ports using ACLs. Defining the ACL alone blocks nothing; it must be referenced by an http_access deny rule placed before the rules that allow your clients:
  acl Bad_ports port 443 # create an ACL for port 443/tcp
  http_access deny Bad_ports
- Save the changes.
- Restart Squid to apply the new configuration:
  ~]# service squid reload
The Squid configuration file contains lines starting with acl Safe_ports port. By default, these port numbers are added as "Safe_ports" and are open for browsing; the default configuration's http_access deny !Safe_ports rule refuses any destination port that is not in this list.
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
You can disable any of these lines in /etc/squid/squid.conf to block the corresponding port.
Example 15.7. Blocking port 777/tcp
To block port 777/tcp, add a hash sign in front of the respective line as follows:
#acl Safe_ports port 777 # multiling http
15.5.2. Restricting Access by Blocking Specific Sites or Addresses
Configure Squid for your network to disable access to specific sites.
Procedure 15.6. Blocking a Specific Website
- Enable access to Squid on your network. Open the /etc/squid/squid.conf file and search for "Access Controls". Scroll down to INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS. Make sure you adapt the list to the internal IP networks from which browsing should be allowed. In this example, the ACL allows access from the local networks 192.168.1.0/24 and 192.168.2.0/24.
  # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
  acl our_networks src 192.168.1.0/24 192.168.2.0/24
  http_access allow our_networks
- Create files containing the lists of sites you want to allow and to block. Name the files, for example, /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.
  ~]# cat /usr/local/etc/allowed-sites.squid
  www.redhat.com
  fedoraproject.org
  ~]# cat /usr/local/etc/restricted-sites.squid
  www.badsites.com
  illegal.com
  These can then be used to block the restricted sites. Squid applies the first http_access rule that matches, so the deny rule must come before the rule that allows the local networks; otherwise clients from those networks are never checked against BadSites.
  ~]# vi /etc/squid/squid.conf
  acl our_networks src 192.168.1.0/24 192.168.2.0/24
  acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
  acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
  http_access deny BadSites
  http_access allow our_networks
  # home_network and business_hours are not defined in this example; Squid refuses to start
  # when http_access references an undefined ACL, so define them before enabling this rule
  #http_access allow home_network business_hours GoodSites
  Save and close the file.
- Restart the Squid proxy server:
  ~]# systemctl restart squid
- Configure your web browser to use the DNS name or IP address of your Squid server and the port Squid listens on.
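As an added example (not part of the Red Hat documentation or of Squid itself), the following Python script simulates Squid's first-match http_access evaluation for src, dstdomain and port ACLs, covering both the port-blocking and site-blocking procedures above. It shows why rule order matters: with the allow rule first, a client on a local network still reaches a listed bad site. The configurations, addresses and host names are constructed, and the lists the page reads from files are written inline.

```python
import ipaddress

def parse_squid_conf(conf):
    """Collect 'acl' definitions and 'http_access' rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()        # drop trailing comments
        if tokens and tokens[0] == "acl":            # repeating a name appends values
            acls.setdefault(tokens[1], (tokens[2], []))[1].extend(tokens[3:])
        elif tokens and tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":                          # ".example.com" also matches subdomains
        host = req["host"].lower()
        return any(host == v or (v.startswith(".") and host.endswith(v)) for v in values)
    if kind == "port":
        ranges = [v.partition("-") for v in values]  # "443" or "1025-65535"
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in ranges)
    raise ValueError(f"unsupported acl type {kind}")

def decide(conf, req):
    """Return 'allow' or 'deny' using Squid's first-match http_access semantics."""
    acls, rules = parse_squid_conf(conf)
    for _, names in rules:                           # Squid refuses to start on an undefined ACL
        for name in names:
            if name.lstrip("!") not in acls:
                raise ValueError(f"ACL '{name.lstrip('!')}' used but never defined")
    for action, names in rules:                      # several names on one line are AND-ed
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    # nothing matched: Squid applies the opposite of the last rule's action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

# Constructed configurations: the rule order from the page, and the order that actually blocks.
PAGE_ORDER = """acl our_networks src 192.168.1.0/24 192.168.2.0/24
acl BadSites dstdomain www.badsites.com illegal.com
http_access allow our_networks
http_access deny BadSites"""
FIXED_ORDER = PAGE_ORDER.replace(
    "http_access allow our_networks\nhttp_access deny BadSites",
    "http_access deny BadSites\nhttp_access allow our_networks")
REQ = {"src": "192.168.1.10", "host": "www.badsites.com", "port": 80}  # constructed request
```

decide(PAGE_ORDER, REQ) returns "allow" while decide(FIXED_ORDER, REQ) returns "deny"; a request from an address outside our_networks is denied by the opposite-of-last-rule default.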