Showing posts with label Squid Proxy. Show all posts

Squid Time Based Restrictions

FREQUENTLY ASKED QUESTIONS (Linux)
Q: How to enable time based access restrictions in squid proxy server?


    Sometimes you need time-based access restrictions on your Squid server. Squid does this with the "time" access list (ACL) type: create a "time" ACL with the required hours and days of the week, then combine it with your other ACLs in an http_access rule. Remember that Squid uses the first matching http_access line, so the time-based rule has to sit above the general allow rule for your network.



Creating time ACL
[root@server ~]# vi /etc/squid/squid.conf
#Configure the time based restrictions like below
acl james src 192.168.10.66/32
acl officehours time MTWHFA 14:00-17:00
http_access deny james officehours

# Now save the squid.conf file

Where.....
MTWHFA is the days Monday to Saturday. The day letters are S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday, F Friday, A Saturday, and D is shorthand for Monday to Friday.
14:00-17:00 is the time range in 24hr format (inclusive). Squid compares it against the proxy server's own clock, so keep the server's time and timezone correct.

Important: Squid evaluates http_access lines from the top and the first line whose ACLs all match decides, so put this deny line above the general "http_access allow localnet" line; placed below it, the deny never fires. Note that "http_access allow james officehours" would do the opposite: together with the usual "http_access deny all" at the end, it lets james browse only during those hours.

Reload/restart the squid service
[root@server ~]# service squid reload

Now the user james with ip address 192.168.10.66 cannot access the internet from 14:00 to 17:00 Monday to Saturday. You can combine the time ACL with any other ACLs to restrict access within the time range.

Change Default Squid Proxy Listening Port

FREQUENTLY ASKED QUESTIONS (Squid Proxy)
Q: How to change the Squid server default listening port?

Every network service listens on a particular port number; the Squid proxy listens on port 3128/TCP by default. You can change the listening port by editing the squid.conf file. Open the same port in the Squid server's host firewall and on any packet-forwarding device in between if required, but only towards your clients: a Squid that is reachable from the Internet with a permissive http_access ruleset is an open proxy. Below is the way to change the Squid listen port number.


Change Squid port number
[root@server ~]# vi /etc/squid/squid.conf
#Go to the http_port line (around line 64 if you are using squid version 3.0 or above).
Here the port is changed from 3128 to 8080 (see below)
# Squid normally listens to port 3128
http_port 8080
#Now save the squid.conf file and restart squid server
#If the server also has an Internet-facing interface, write the port as address:port (the LAN address followed by :8080) so Squid only listens on the LAN side.

Squid server listen on multiple ports
Squid can listen on several ports at the same time, but each port needs its own http_port line. Writing "http_port 8080 9090" on one line is not valid: Squid reads the second word as an http_port option and refuses to start.
http_port 8080
http_port 9090
#Now squid will listen on both 8080 and 9090.

Restart Squid server to apply the new configuration (running "squid -k parse" first reports syntax errors before you take the proxy down)
[root@server ~]# service squid restart
Stopping squid: ................                           [  OK  ]

Redirect URL In Squid Proxy Server

FREQUENTLY ASKED QUESTIONS (Squid Proxy)
Q: How to redirect a url in squid proxy?



The proper tool for URL redirection is "SquidGuard" (a URL rewriter), which I will explain in a coming post.
Here is a small solution for redirecting a URL to another URL within Squid itself.
The logic is simple: it is a deny ACL. Squid denies access to the specified website and, instead of its normal error page, uses "deny_info" to send the client a redirect to a predefined URL.
So this 


Edit the Squid configuration
[root@server ~]# vi /etc/squid/squid.conf
acl lan src 192.168.10.0/24                        #client acl for the lan
acl badsites dstdomain .bing.com                   #to deny "bing.com"
deny_info http://www.google.com/ badsites          #Redirect to google.com instead of the error page
http_access deny lan badsites                      # Deny badsites to lan
#Add the 4 lines to squid.conf above the "http_access allow localnet" line, save and exit.

Notes: deny_info is looked up by the last ACL on the deny line that matched, so name that ACL (here badsites, listed last) in the deny_info line. A dstdomain ACL is known from the request, so deny it in http_access; a deny in http_reply_access is only checked after Squid has already fetched the page from the site. The redirect only works for plain http: for https://www.bing.com the browser sends a CONNECT request, and a denied CONNECT shows a connection error, not the redirect.


Reload Squid Server with new configuration
[root@server ~]# service squid reload


As a result, when a proxy client browses to "bing.com" over plain http, the Squid server denies the request and answers with an HTTP redirect (302) to google.com in place of the error page.

[SOLVED] Blocking utorrent Application in Squid

FREQUENTLY ASKED QUESTIONS (Squid proxy)
Q: How to block utorrent application and torrent large file downloading in squid?



The uTorrent application picks its tracker and peer ports from the unregistered range 1025-65535 at random. Blocking that whole port range through the proxy therefore stops bulk file downloading with uTorrent via Squid. Two caveats: this only affects traffic that actually goes through the proxy, so a client that can reach the Internet directly is unaffected (pair it with egress firewall rules that only let the proxy out), and it also blocks legitimate web servers on ports such as 8080 or 8443, which you must then allow individually.


Edit the Squid.conf configuration file
[root@server ~]# vi /etc/squid/squid.conf


By default all the port numbers from 1025-65535 are configured as "Safe_ports" and allowed for browsing; the default rule "http_access deny !Safe_ports" only blocks ports outside that list.
So disable that ACL by adding a "#" in front of the line (see below)
#acl Safe_ports port 1025-65535          # unregistered ports


And create a new ACL for the same port range just below the above line (with a different acl name, like below)
acl Denied_ports port 1025-65535


And deny browsing to the websites with denied port numbers (both normal and secure). Put these two lines above the "http_access allow localnet" line: Squid uses the first matching http_access line, so a deny placed below the allow never fires.
http_access deny Denied_ports
http_access deny CONNECT Denied_ports
# now save the squid.conf file


Reload Squid server with new configuration.
[root@server ~]# service squid reload


Verify Denying
Verify the denials in the squid access.log file. Denied requests are logged with the result code TCP_DENIED, so filter for that instead of opening the whole log in an editor
[root@server ~]# grep TCP_DENIED /var/log/squid/access.log
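Grepping for TCP_DENIED shows that something was denied, not that the Denied_ports rule is effective. The script below is an added example (not from the original post, not part of Squid) that parses native-format access.log lines and audits the rule: it counts TCP_DENIED results per client and destination port inside the 1025-65535 range and lists any request in that range that was not denied, which is the usual symptom of the deny line sitting below "http_access allow localnet". The log lines are constructed samples, not real traffic, and the format assumed is Squid's default native one (timestamp, elapsed, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type).

```python
from collections import Counter
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Constructed sample lines in Squid's native access.log format (not real traffic).
# The last line is a deliberate "leak": a high-port request that was served.
SAMPLE_LOG = """\
1329399421.522    123 192.168.10.66 TCP_DENIED/403 3894 CONNECT tracker.example.org:6881 - HIER_NONE/- text/html
1329399425.010     15 192.168.10.66 TCP_DENIED/403 3901 GET http://tracker.example.org:2710/announce?info_hash=abc - HIER_NONE/- text/html
1329399430.301    210 192.168.10.23 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1329399431.777    900 192.168.10.23 TCP_MISS/200 16384 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1329399440.003    120 192.168.10.40 TCP_MISS/200 2048 GET http://intranet.example.com:8080/status - DIRECT/10.0.0.5 text/html
"""


def dest_port(method, url):
    """Destination TCP port of a logged request. CONNECT logs host:port (443 when
    absent); other methods log a full URL, so use its explicit port or the scheme default."""
    if method == "CONNECT":
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    parts = urlsplit(url)
    try:
        explicit = parts.port
    except ValueError:          # malformed port in a hostile URL: treat as unknown
        explicit = None
    return explicit if explicit else DEFAULT_PORTS.get(parts.scheme, 80)


def parse_line(line):
    """Split one native-format line into the fields the audit needs (None if malformed)."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {"client": fields[2], "result": fields[3].split("/", 1)[0],
            "method": fields[5], "url": fields[6],
            "port": dest_port(fields[5], fields[6])}


def audit_high_ports(log_text, lo=1025, hi=65535):
    """Count TCP_DENIED hits per (client, port) in the range and collect every
    request in the range that was NOT denied: those are the rule's failures."""
    denied, leaked = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not lo <= rec["port"] <= hi:
            continue                      # ports 80/443 etc. are outside the policy
        if rec["result"] == "TCP_DENIED":
            denied[(rec["client"], rec["port"])] += 1
        else:
            leaked.append((rec["client"], rec["method"], rec["url"]))
    return denied, leaked


if __name__ == "__main__":
    denied, leaked = audit_high_ports(SAMPLE_LOG)
    for (client, port), n in sorted(denied.items()):
        print(f"denied {n}x  {client} -> port {port}")
    for client, method, url in leaked:
        print(f"LEAK       {client} {method} {url}")
```

Run it against a real log with `audit_high_ports(open("/var/log/squid/access.log").read())`; an empty leak list after some browsing means the rule is in the right place. The constructed sample reports two denials for 192.168.10.66 and one leak for the request to port 8080.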

Extra Tip: You can also block downloading of all ".torrent" files in squid; see the post on blocking file types like mp3, exe and zip on this page.
  

Squid limit web connections using maxconn acl

FREQUENTLY ASKED QUESTIONS (Squid proxy)
Q: How to limit the number of simultaneous web connections in squid proxy?



Use the "maxconn" ACL to limit the number of simultaneous TCP connections Squid accepts from one client address. The ACL matches when the client's number of established connections to the proxy exceeds the configured value, so with maxconn 5 the client can hold at most 5 connections at a time. Note that this counts connections, not browser windows: a modern browser opens several connections per page, so 5 is a very tight limit. Squid needs "client_db on" (the default) to keep the per-client count.

Edit the squid proxy configuration file and create a maxconn acl
[root@server ~]# vi /etc/squid/squid.conf
acl accounts src 192.168.10.66/32                     #create a user acl to apply maxconn
acl limit5conn maxconn 5                              # create maxconn acl (matches once the client has more than 5 connections)
http_access deny accounts limit5conn                  #apply maxconn acl to user acl; place above "http_access allow localnet"
#Now save the squid.conf configuration file

Reload or restart squid
[root@server ~]# service squid reload
                  OR
[root@server ~]# service squid restart

Block a domain name in squid linux

FREQUENTLY ASKED QUESTIONS (Squid proxy)
Q: How to block a website (domain) in squid proxy server?


Squid can deny users access to a specific website with an access denied error message. It is done with the Squid "dstdomain" access list (ACL) type, which matches the hostname in the request.

Edit the squid.conf configuration file
[root@server ~]# vi /etc/squid/squid.conf

acl lan src 192.168.10.0/24                         # client ip range to block web sites
acl bad_sites dstdomain .foo.com .fooo.com          #Block two domains in single acl
http_access deny lan bad_sites
#Add the above three lines above the "http_access allow localnet" line and save the squid.conf file

Why http_access rather than http_reply_access: the destination domain is known from the request, so Squid can refuse it before contacting the site, and the same rule also blocks https, because the browser's CONNECT request carries the hostname. A deny in http_reply_access is only checked once the reply arrives, wastes the upstream fetch, and never sees https traffic.


Now the squid server will deny browsing if anyone from the acl "lan" accesses the domain foo.com or fooo.com.
Note: With the leading dot, a dstdomain ACL matches the domain and all of its subdomains. For example ".google.com" blocks google.com and also news.google.com, maps.google.com, etc. Without the dot ("google.com") only that exact hostname matches.

Restart or reload squid with the configuration changes
[root@server ~]# service squid restart
                or
[root@server ~]# service squid reload

[SOLVED] How to open a port in squid server

FREQUENTLY ASKED QUESTIONS (Squid Proxy)
Q: How to open/allow a particular port number in squid proxy?


By default the following TCP port numbers are listed in the "Safe_ports" ACL of the squid proxy server, and the rule "http_access deny !Safe_ports" refuses requests to any port not in the list.

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http


If a web server listens on a custom port such as 81/TCP, squid will refuse to browse to that server, because 81/TCP is not listed in Safe_ports and the default "http_access deny !Safe_ports" rule blocks everything outside the list.
Follow the steps to enable a port in squid server

[root@server ~]# vi /etc/squid/squid.conf
acl Safe_ports port 81                          # Add this line with the default port acls
# That is all: the existing "http_access deny !Safe_ports" rule now lets port 81 through to the normal allow/deny rules below it.

Do not add an "http_access allow Safe_ports" line. Placed above the source-address checks, it allows any client, Internet hosts included, to use the proxy for every safe port, which turns Squid into an open proxy. If the server on port 81 is reached over https, also add the port to the SSL_ports ACL ("acl SSL_ports port 81"), because the default "http_access deny CONNECT !SSL_ports" rule blocks CONNECT tunnels to other ports.

Restart or reload squid server with changes
[root@server ~]# service squid reload
                or
[root@server ~]# service squid restart

How to block ports in squid proxy

FREQUENTLY ASKED QUESTIONS (Squid Proxy)
Q: How to block a particular port number in squid proxy?

You can block a specific port number (port filtering) in the squid proxy server. By blocking particular ports, you can restrict the use of some protocols/services/websites/applications through the proxy.

For example, to block ftp traffic through the proxy, block port 21/TCP. The same way you can block all https sites by blocking port 443/TCP, and so on.
Log in as superuser (root), edit squid's configuration file and block ports via ACLs.
This configuration works in all Linux distros like Fedora, Red Hat, CentOS, Ubuntu and Debian; only the service management command differs.


ACL based port blocking in squid
For example to block port number 443/tcp (all "https" sites will be blocked)
[root@server ~]# vi /etc/squid/squid.conf

acl Bad_ports port 443           #(create acl for port 443/tcp)
http_access deny Bad_ports       #(block port 443/tcp; a port acl also matches the target port of a CONNECT request)
#put the deny line above "http_access allow localnet" (first matching line wins) and save the squid.conf file


Restart or reload squid with new configurations
[root@server ~]# service squid reload
                or
[root@server ~]# service squid restart


Test: through the proxy, try an https site, eg: https://www.google.com (the request should be denied, and access.log shows a TCP_DENIED entry for the CONNECT)


Important: By default the following port numbers are listed in the "Safe_ports" ACL and open for browsing; the rule "http_access deny !Safe_ports" blocks every port not listed below.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
Commenting out any of the lines above blocks the corresponding port. For example to block port 777/tcp, add a "#" in front of that line (see below)
#acl Safe_ports port 777         # multiling http
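The rules in this post, the time-based restriction post, the domain-blocking post and the open-port post all hinge on the same thing: Squid evaluates http_access lines from the top and the first line whose ACLs all match decides. The script below is an added example, not part of these posts or of Squid itself: a small Python model of that evaluation for the src, dstdomain, port, method and time ACL types. It assumes Squid's documented semantics (a leading dot on dstdomain covers subdomains, time ranges are inclusive and use the proxy's clock, a second acl line with the same name adds values, and when no line matches the result is the opposite of the last line's action). The ruleset, addresses and dates are constructed for the demonstration; the BROKEN ruleset contains the "http_access allow Safe_ports" line from the open-port post to show why it must not be there.

```python
import ipaddress
from datetime import datetime

# "time" ACL day letters: S Sunday, M Monday, T Tuesday, W Wednesday, H Thursday,
# F Friday, A Saturday; D is shorthand for Monday to Friday.
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


class Request:
    """One proxied request as the ACLs see it (constructed test input)."""
    def __init__(self, src, host, port, method="GET", when=None):
        self.src, self.port, self.method = ipaddress.ip_address(src), port, method.upper()
        self.host = host.lower().rstrip(".")
        self.when = when or datetime.now()   # Squid checks time ACLs on its own clock


def parse_acl(line):
    """'acl NAME TYPE value...' -> (NAME, predicate) for the src, dstdomain, port,
    method and time ACL types used on this page."""
    _, name, kind, *values = line.split()
    if kind == "src":
        nets = [ipaddress.ip_network(v, strict=False) for v in values]
        return name, lambda r: any(r.src in n for n in nets)
    if kind == "dstdomain":   # ".foo.com" = foo.com plus subdomains; "foo.com" = exact host
        doms = [v.lower() for v in values]
        return name, lambda r: any(r.host == d.lstrip(".") or
                                   (d.startswith(".") and r.host.endswith(d)) for d in doms)
    if kind == "port":        # "80" or "1025-65535"
        spans = [(int(v.partition("-")[0]), int(v.partition("-")[2] or v)) for v in values]
        return name, lambda r: any(lo <= r.port <= hi for lo, hi in spans)
    if kind == "method":
        return name, lambda r: r.method in {v.upper() for v in values}
    if kind == "time":        # [day letters] [HH:MM-HH:MM], range inclusive
        days, span = set(), None
        for v in values:
            if ":" in v:
                span = v
            else:
                for ch in v.upper():
                    days |= set(range(5)) if ch == "D" else {DAY_LETTERS[ch]}
        if span:
            (h1, m1), (h2, m2) = [map(int, t.split(":")) for t in span.split("-")]
            lo, hi = h1 * 60 + m1, h2 * 60 + m2
        return name, lambda r: ((not days or r.when.weekday() in days) and
                                (span is None or lo <= r.when.hour * 60 + r.when.minute <= hi))
    raise ValueError("unsupported acl type: " + kind)


def parse_config(text):
    """ACL predicates and http_access lines in order; a repeated acl name adds values (OR)."""
    acls, rules = {"all": lambda r: True}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("acl "):
            name, pred = parse_acl(line)
            prev = acls.get(name)
            acls[name] = (lambda p, q: lambda r: p(r) or q(r))(prev, pred) if prev else pred
        elif line.startswith("http_access "):
            _, action, *names = line.split()
            rules.append((action, names))
    return acls, rules


def http_access(config_text, req):
    """First-match evaluation as Squid applies http_access: a line matches when every
    ACL on it matches ('!' negates one), the first matching line decides, and with
    no match the result is the opposite of the last line's action."""
    acls, rules = parse_config(config_text)
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


# Constructed ruleset carrying the mistake from the open-port post: "http_access allow
# Safe_ports" above the source checks serves ANY client (an open proxy) and, matching
# first, also swallows every deny line under it.
BROKEN = """
acl Safe_ports port 80 443
acl Safe_ports port 81
acl SSL_ports port 443
acl CONNECT method CONNECT
acl lan src 192.168.10.0/24
acl james src 192.168.10.66/32
acl officehours time MTWHFA 14:00-17:00
acl bad_sites dstdomain .foo.com
http_access allow Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny lan bad_sites
http_access deny james officehours
http_access allow lan
http_access deny all
"""
FIXED = BROKEN.replace("http_access allow Safe_ports\n", "")   # deny lines now reachable

TUE_15 = datetime(2024, 3, 12, 15, 0)   # Tuesday, inside 14:00-17:00
TUE_18 = datetime(2024, 3, 12, 18, 0)   # Tuesday, after hours
SUN_15 = datetime(2024, 3, 17, 15, 0)   # Sunday, not in MTWHFA


def decide(config, src, host, port, method="GET", when=TUE_15):
    return http_access(config, Request(src, host, port, method, when))


if __name__ == "__main__":
    for label, *args in [("internet host -> example.org:80", "203.0.113.9", "example.org", 80),
                         ("james Tue 15:00 -> example.org:80", "192.168.10.66", "example.org", 80),
                         ("lan CONNECT example.org:81", "192.168.10.23", "example.org", 81, "CONNECT")]:
        print(f"{label:36} broken={decide(BROKEN, *args):5} fixed={decide(FIXED, *args)}")
```

With the stray allow line, an Internet host (203.0.113.9) is served and james's office-hours deny never fires because the allow matched first; without it, the outside host is denied, james is denied on Tuesday at 15:00 but allowed at 18:00 and on Sunday, .foo.com covers www.foo.com but not notfoo.com, and a CONNECT to port 81 is refused by "deny CONNECT !SSL_ports" even though 81 is a safe port. Use the same approach to sanity-check your own rule order before reloading; on the live proxy, run "squid -k parse" and then test with curl through the proxy.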


Mac address based filtering in squid proxy

FREQUENTLY ASKED QUESTIONS (Squid proxy)
Q: How to filter mac address in squid server?
Q: How to configure a mac address based squid server?


Squid can filter on the MAC (hardware) address of its clients with the "arp" ACL type: it matches the client's MAC address against the ACL and allows or denies browsing. Two caveats before relying on it. The arp ACL only works for clients on the same Ethernet segment as the proxy, because Squid reads the system ARP table, so any client behind a router shows up with the router's MAC. And a MAC address is trivially changed by the user, so treat this as a convenience filter, not authentication. Squid must also be built with ARP ACL support (--enable-arp-acl, or --enable-eui on Squid 3.2 and later).

Create a MAC based ACL
[root@server ~]# vi /etc/squid/squid.conf
acl mac1 arp 00:e0:4d:9f:55:7d               #(Mac address of client)
http_access allow mac1                       #(allow browsing to above created mac acl; place it above "http_access deny all")
#Add the above two lines to squid.conf and save the file

Restart or reload squid service
[root@server ~]# service squid restart
                or
[root@server ~]# service squid reload

Important: Always separate the MAC address bytes with colons (:). Windows shows MAC addresses hyphen (-) separated, so convert them before adding them to the ACL.

[SOLVED] Block Downloading File Types Like mp3, exe, zip, etc In Squid

FREQUENTLY ASKED QUESTIONS (Squid proxy)
Q: How to block particular file types or file extensions in squid proxy ?


Squid can block/deny downloading of particular file types like pictures, music, videos, executable files etc. This filtering in squid is based on the file extension that appears in the URL path, like .exe, .mp3, .avi, .jpeg, .torrent, .zip etc., not on the actual content of the file.


Blocking file types in squid
First of all, create an ACL file that lists the file types to block, one regular expression per line. Keep comments on their own lines starting with "#": depending on the Squid version, a comment after a pattern is either read as part of the pattern or silently dropped, so do not rely on it. The "$" anchors the extension at the end of the URL path, so do not leave a space before it.
[root@server ~]# vi /etc/squid/bad_files.acl
# exe executables, mp3 music, zip archives, jpeg pictures, avi video, torrent files
\.[Ee][Xx][Ee]$
\.[Mm][Pp]3$
\.[Zz][Ii][Pp]$
\.[Jj][Pp][Ee][Gg]$
\.[Aa][Vv][Ii]$
\.[Tt][Oo][Rr][Rr][Ee][Nn][Tt]$
#(Add the required file extension types and save the file)

Then, edit the squid configuration file and add an ACL for the above created acl file.

[root@server ~]# vi /etc/squid/squid.conf
acl lan src 192.168.10.0/24                                   #(specify address range to deny downloading files)
acl badfiles urlpath_regex "/etc/squid/bad_files.acl"         #(ACL for blocked file types)
http_access deny lan badfiles                                 #(Deny the file types to lan; place above "http_access allow localnet")
#(Add the above three lines and save the squid.conf file)

Notes: "urlpath_regex -i" makes the patterns case-insensitive, so the [Ee][Xx][Ee] spelling can be written as plain "exe". The patterns only see the URL path, so a download such as /setup.exe?mirror=3 slips past a "$"-anchored pattern unless the pattern allows an optional query string, and nothing inside an https (CONNECT) tunnel is visible to this filter at all. A server can also serve an executable from a URL without any extension, so treat this as a convenience filter rather than malware protection.


Restart or reload squid server 
[root@server ~]# service squid reload
                       OR
[root@server ~]# service squid restart


#Verify the file type filtering/blocking by downloading any files from the Internet
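To see what the patterns in bad_files.acl do and do not catch before deploying them, the script below, an added example that is not part of the original post, loads the list the way Squid reads a quoted ACL file and tests it against sample URLs. It shows the original bracket patterns, the stray-space typo that can never match, the query-string bypass, and a hardened pattern set written for "urlpath_regex -i". It assumes, as Squid does, that urlpath_regex is matched against the URL path including the query string; the URLs are constructed samples.

```python
import re

# The post's bad_files.acl as Squid expects it: one regex per line, comments only
# on their own lines starting with "#" (constructed copy of the list in the post).
BAD_FILES_ACL = r"""
# exe, mp3, zip, jpeg, avi and torrent downloads
\.[Ee][Xx][Ee]$
\.[Mm][Pp]3$
\.[Zz][Ii][Pp]$
\.[Jj][Pp][Ee][Gg]$
\.[Aa][Vv][Ii]$
\.[Tt][Oo][Rr][Rr][Ee][Nn][Tt]$
"""

# The typo to avoid: a space before "$" demands a literal space at the very end of
# the path, so this pattern never matches a real download URL.
TYPO_PATTERN = r"\.[Mm][Pp]3 $"

# Same policy written for "urlpath_regex -i": the flag handles case, and the optional
# "(\?.*)?" keeps the end anchor working when a query string follows the file name.
HARDENED_EXTS = ["exe", "mp3", "zip", "jpeg", "jpg", "avi", "torrent"]


def load_acl_file(text, ignore_case=False):
    """Read a quoted ACL file the way Squid does: blank lines and '#' lines are
    skipped, every other line is one pattern."""
    flags = re.IGNORECASE if ignore_case else 0
    lines = (ln.strip() for ln in text.splitlines())
    return [re.compile(ln, flags) for ln in lines if ln and not ln.startswith("#")]


def hardened_patterns(exts):
    """One case-insensitive pattern per extension, tolerant of a trailing query string."""
    return [re.compile(r"\." + re.escape(e) + r"(\?.*)?$", re.IGNORECASE) for e in exts]


def url_path(url):
    """What urlpath_regex is matched against: the path from the first '/' after the
    host, query string included (assumption: mirrors Squid's request urlpath)."""
    after_scheme = url.find("://")
    slash = url.find("/", after_scheme + 3 if after_scheme >= 0 else 0)
    return url[slash:] if slash >= 0 else "/"


def is_blocked(patterns, url):
    """True when any pattern matches the URL path, i.e. the http_access deny would fire."""
    path = url_path(url)
    return any(p.search(path) for p in patterns)


ORIGINAL = load_acl_file(BAD_FILES_ACL)
HARDENED = hardened_patterns(HARDENED_EXTS)

if __name__ == "__main__":
    for url in ["http://dl.example.com/setup.exe",
                "http://dl.example.com/setup.exe?mirror=3",
                "http://media.example.com/Song.MP3",
                "http://files.example.com/notes.exe.txt"]:
        print(f"{url:45} original={is_blocked(ORIGINAL, url)!s:5} hardened={is_blocked(HARDENED, url)}")
```

The second URL is the one to watch: the original list lets it through, the hardened list blocks it, and neither list wrongly blocks notes.exe.txt. Point `load_acl_file` at your real /etc/squid/bad_files.acl and a handful of URLs from access.log to check a list before reloading Squid.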


Block Flash Ads In Squid

FREQUENTLY ASKED QUESTIONS (Squid Proxy)
Q: How to block flash ads in squid proxy server?

Configure your Squid proxy server to block Flash ads (advertisements) on websites by filtering replies whose content type is the Flash MIME type. Note that this blocks every Flash object, not only ads, and only over plain http: Squid cannot see the content type inside https tunnels.


Steps to block all flash ads in squid proxy server.
Edit squid configuration file and add the below configurations to squid.conf file.


[root@server ~]# vi /etc/squid/squid.conf

#1: Create an acl for ads content type
acl flash_ads rep_mime_type application/x-shockwave-flash

#2: Deny flash ads by denying the above acl (combine it with a src acl to limit it to particular clients). The content type is only known from the reply, so this must be an http_reply_access rule, not http_access.
http_reply_access deny flash_ads
#Now Save the squid.conf file

#3: Reload squid service to take effect changes

[root@server ~]# service squid reload
                          or
[root@server ~]# service squid restart

Important: Sometimes clearing the client browser's cache is required, because objects the browser cached earlier are served locally and never pass through the proxy again.

Block Youtube flash videos in Squid

FREQUENTLY ASKED QUESTIONS  (Squid proxy)
Q: How to block Youtube flash videos in squid proxy server?


Steps to block all youtube flash videos in Squid proxy server
Add the below configurations to squid.conf file. 
[root@server ~]# vi /etc/squid/squid.conf


#1: Create an acl for flash video contents
acl flash rep_mime_type video/x-flv


#2: Deny flash videos by denying the above acl
http_reply_access deny flash
#Save the squid.conf file

#3: Reload squid service to take effect changes
[root@server ~]# service squid reload

[SOLVED] Block https Facebook in Squid proxy server


FREQUENTLY ASKED QUESTIONS (Linux)
Q: How to block Facebook in squid proxy? (any secure https sites)


This post shows how to block both "http" and "https" Facebook access during office hours on your Squid proxy server. Create an ac with the facebook domain (dstdomain) and deny both http and https access. Https is the part people miss: the browser sends a CONNECT request naming the host, which a dstdomain ACL in http_access matches, whereas http_reply_access never sees https at all.

Add the Configurations to squid.conf
[root@server ~]# vi /etc/squid/squid.conf

#1: Create an acl for proxy clients.
acl accountant src 192.168.10.50/32


#2: Create an acl for facebook domain  (any required sites)
acl fb dstdomain .facebook.com

#3: Create an acl office time for Mon-Sat, 10:00 to 17:00 (24hrs)
acl officetime time MTWHFA 10:00-17:00

#4: Deny access to "http" facebook to accountant only in office times (checked when the reply arrives, so plain http only)
http_reply_access deny  fb accountant officetime

#5: The line below denies "https" Facebook to the proxy user "accountant" in office times. Https requests reach Squid as CONNECT to facebook.com:443, which http_reply_access never sees, so they need an http_access rule placed above "http_access allow localnet". (A single "http_access deny accountant officetime fb" line in that position would cover both http and https at once.)
http_access deny CONNECT fb accountant officetime
#(save the squid.conf configuration file)

#6: And finally reload squid service to take effect changes
[root@server ~]# service squid reload

Tips: The way to include multiple sites in one ACL
acl badsites dstdomain .facebook.com .twitter.com .blogger.com

Note: Tested in squid-3.1       (tested using squid-3.1.16-1.fc15.x86_64   in CentOS 6)


How to Limit download size in Squid

FREQUENTLY ASKED QUESTIONS  (Squid Proxy)
Q: How to limit download size in squid proxy ?


  By setting a maximum allowed size with "reply_body_max_size", Squid can prevent users downloading large files, for example anything larger than 50MB.

When a reply arrives, Squid compares its Content-Length with the limit and refuses replies larger than 50MB with an error page; a reply without a Content-Length header is cut off once the transferred size passes the limit. The limit applies to HTTP reply bodies only, not to data inside https (CONNECT) tunnels.


Add the below acl configurations to squid configuration file
[root@server ~]# vi /etc/squid/squid.conf


#First create an acl
acl limited_users src 192.168.0.0/24

#Deny downloading larger than 50MB for above acl
reply_body_max_size 50 MB limited_users


Reload squid service
[root@server ~]# service squid reload

How to block a Web Browser in Squid proxy

FREQUENTLY ASKED QUESTIONS  (Linux)
Q: How to block a browser in squid proxy?


   Blocking some web browsers is possible in Squid. The "browser" ACL type matches a regular expression against the User-Agent request header, so Squid can block requests from web browsers like Internet Explorer, Chrome, Firefox, etc. Keep in mind that the User-Agent header is set by the client and trivially changed, so this enforces a policy against careless users, not against a determined one.


Create an "acl" with the unwanted web browser types and finally deny the access. Add the configuration below to the Squid server configuration file "/etc/squid/squid.conf".
[root@server ~]# vim /etc/squid/squid.conf


#Block Chrome in squid proxy (Chrome's User-Agent also contains "Safari", and Edge's contains "Chrome")
acl bad_browser browser Chrome
#Deny the requests from chrome
http_access deny bad_browser all

#Block Mozilla Firefox in squid proxy
acl bad_browser browser Firefox
#Deny the requests from firefox
http_access deny bad_browser all


#Block Opera in squid proxy
acl bad_browser browser Opera
#Deny the requests from Opera
http_access deny bad_browser all



#Block Internet Explorer in squid proxy (older versions send "MSIE", which this pattern matches; IE11 sends "Trident" instead, so add that as a second pattern if needed)
acl bad_browser browser IE
#Deny the requests from Internet explorer
http_access deny bad_browser all

#Note: acl lines with the same name add patterns to one acl, so a single "http_access deny bad_browser all" line placed above "http_access allow localnet" is enough; keep only the acl lines for the browsers you want blocked.

[SOLVED] How to enable ftp access through squid

FREQUENTLY ASKED QUESTIONS  (Squid proxy)
Q: How to enable ftp access through squid proxy server?


 Squid is primarily an http proxy, but it also acts as an FTP gateway for ftp:// URLs requested by browsers. If ftp requests from clients are being refused, allow them explicitly by editing the "squid.conf" configuration file in the "/etc/squid/" directory.
Follow the steps below..

[root@server ~]# vi /etc/squid/squid.conf
acl Safe_ports port 21                    #(ftp; already present in the default config, keep it)
acl ftp proto FTP                         #(Create a new acl for ftp protocol)
http_access allow localnet ftp            #(Allow ftp for your clients only; localnet is the client acl of the default squid.conf)
#save the squid.conf file

Do not add port 21 to the SSL_ports acl: that list only governs which ports clients may open CONNECT tunnels to, Squid's FTP gateway does not use CONNECT, and opening it lets clients relay arbitrary TCP to port 21. Likewise a bare "http_access allow ftp" placed above the source checks serves ftp to any source address, which makes the proxy an open ftp relay.


Reload squid service with changes
[root@server ~]# service squid reload

Using Internet Explorer for ftp upload and download: in the browser's proxy settings, set the FTP proxy to the Squid server's address and port.


Squid Advanced configurations manual

Advanced Squid configuration manual
              This post includes blocking https Facebook, download size limiting, ftp access and some more advanced configuration for building a solid Squid proxy server. It assumes you have read my previous post on basic Squid configuration.
Note:Add the following lines to /etc/squid/squid.conf

To allow FTP traffic through squid
Step1: First of all, make sure the ftp port number is in squid's Safe_ports list (default ftp port: 21/tcp; the default config already has it)
acl Safe_ports port 21          # ftp
(Do not add 21 to SSL_ports: that list only governs CONNECT tunnels, which the FTP gateway does not use, and opening it lets clients tunnel arbitrary TCP to port 21.)
Step2:Add an "ACL" (access control list) with your normal ACLs
#Add the below line as a new acl   (add in /etc/squid/squid.conf )
acl ftp proto FTP
Step3:And finally allow the above ftp acl for your clients (localnet is the client acl of the default squid.conf; "http_access allow ftp" on its own would allow ftp for any source)
http_access allow localnet ftp
#to access a ftp server use this way     ftp://username:password@ipaddress:port     (press enter)
#Note: plain FTP sends the username and password in clear text over the network; use it only for anonymous or non-sensitive accounts.


Block WEBSITES (Block only Monday to Saturday 10:00 to 18:00)
Step1: First of all create two ACLs with your requirements (eg: to block facebook and orkut)
acl badsites dstdomain .facebook.com .orkut.com
acl officetime time MTWHFA 10:00-18:00
Step2: And deny the badsites ACL
http_reply_access deny badsites officetime
Note: The website blocking method using "http_reply_access deny badsites" above is only checked when the reply arrives, so it does not work for https connections: http://www.facebook.com will be blocked while https://www.facebook.com will work fine. Denying the same ACLs in http_access instead (above the "http_access allow localnet" line) refuses the request before it is sent and covers https too, because the CONNECT request names the host.


Block https sites in squid (eg: block  https://www.facebook.com)
Step1: Create a new acl with facebook.com (Dont forget to add a dot (".") before facebook.com)
acl badsites dstdomain .facebook.com
Step2: Deny the above domain to connect via ssl connection (https)
http_access deny CONNECT badsites


Limit maximum download file size
This example shows How to limit the maximum file size to 100MB. So users cannot download the files greater than 100MB
Add the below line to the bottom of squid.conf
reply_body_max_size 100 MB


Change visible hostname
Add the below line to the bottom of squid.conf
visible_hostname servercomputing


Change Listening port number
Edit the 62nd line of squid.conf as below(default will be 3128)
http_port 8080


Block Flash Videos (eg: Youtube.com)
Step1: Add a new ACL as below
acl flash rep_mime_type video/x-flv
Step2: And finaly deny the newly created mime type
http_reply_access deny flash
(Tip: other MIME types can be blocked the same way, eg: application/pdf for pdf files, application/msword for doc files; match on the Content-Type the server sends, not on the file extension)


