Setting Squid to filter web content based on authentication credentials on Ubuntu and Fedora.

Apr 19, 2007 10:23 GMT

A proxy server allows computers to make indirect connections to other network services through the machine running the proxy. The most stable and commonly available proxy server for Linux is Squid: a proxy caching server for HTTP/FTP requests. Squid caches data from the Internet on your local network, so the next time the same data is accessed, whether it's a web page or an image file, it gets served up from the local server rather than over the Internet. This will save you significant bandwidth but can also provide a few other advantages. For example, if you're at school and certain websites you'd like to visit are blocked, you can use your proxy server to access them. Another common use of Squid is setting up web filtering for kids. Whenever the browser is used, you will be prompted to enter a username and password, based on which the proxy will determine whether to filter the request or not.

Let's start by installing Squid. On Debian-based systems (Ubuntu), type the following command in a terminal (press Alt+F2, type gnome-terminal and press Enter):

code
$ sudo apt-get install squid

On systems running Fedora, type:

code
$ sudo yum install squid

Configure Squid by opening /etc/squid/squid.conf in your favorite text editor. In the configuration file, search for the following directives and modify them (or add them, if they don't exist) as follows:

http_port 3128 - The port on which Squid listens for connections. If your system has two or more interfaces, you can specify which IP address to use, e.g. http_port 192.168.0.1:3128

http_access deny all - Search for it in the config file, uncomment it (remove the # in front), and replace deny with allow so it becomes http_access allow all. With allow all, any client that can reach the port can use the proxy, so keep the port reachable only from your own network.

Restart the Squid proxy with:

code
$ sudo /etc/init.d/squid restart

Now you should have a fully functional HTTP proxy. To try it out, open a browser, open its preferences dialog and go to proxy settings. Here, enter the IP address of the machine running Squid and the port set in squid.conf. Now load a webpage.

SETTING UP SQUID AUTHENTICATION AND WEB FILTERING

This section shows how to set up a web site filter for kids. The first time an address is entered in the browser's address bar, an authentication dialog will pop up, prompting for a username and password. We will set up two usernames, one with full and another with restricted access.

First, open /etc/squid/squid.conf and add the following line in the auth_param section:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

Now create the user accounts using htpasswd (use -c only for the first user):

code
$ sudo htpasswd -c /etc/squid/passwd dad
Enter a password for user 'dad':
Again:

$ sudo htpasswd /etc/squid/passwd kid
Another password:
Again:

Create the ACLs by adding the following lines in the ACCESS CONTROLS (acl) section of squid.conf:

code
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist

Create the whitelist by opening a text editor and adding the allowed domains, one per line (the leading dot makes an entry match the domain and all of its subdomains), like this:

.google.com
.kids-play.com
.yahoo.com
.msn.com

and save it as /etc/squid/whitelist.

Finally, search for http_access allow all in the Squid config file and modify it so it looks like this: http_access deny all

This is what my Squid config sections look like:

code
# NETWORK OPTIONS
# Squid normally listens to port 3128
http_port 192.168.0.1:3128

# TAG: auth_param
#Recommended minimum configuration per scheme:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd

# ACCESS CONTROLS
# TAG: acl
acl dadUser proxy_auth dad
acl kidUser proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow dadUser
http_access allow kidUser whitelist

# TAG: http_access
# And finally deny all other access to this proxy
http_access deny all

Use deny all for Squid with authentication and allow all for the basic Squid configuration.
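
To see how the http_access rules and the whitelist above combine, here is a small model of the decision logic. It is an added example, not code from the original article or from Squid itself, and it is simplified: the password check done by ncsa_auth is not modelled, so `user` stands for an already verified username, and the function names are made up for illustration.

```python
# Simplified model of the ACL logic above (added example, not Squid's own code).
# Constructed sample data: the whitelist entries and rule order from this article.
WHITELIST = [".google.com", ".kids-play.com", ".yahoo.com", ".msn.com"]

def dstdomain_match(host, entries):
    """Squid dstdomain semantics: '.example.com' matches example.com and
    any subdomain; an entry without the leading dot matches that host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

# http_access rules in file order: (action, [acl names that must all match]).
RULES = [
    ("allow", ["dadUser"]),
    ("allow", ["kidUser", "whitelist"]),
    ("deny", ["all"]),
]
PROXY_AUTH = {"dadUser": "dad", "kidUser": "kid"}  # acl name -> user

def decide(user, host):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for a request.
    `user` is the name the auth helper verified, or None when the request
    carried no valid credentials (hypothetical interface for this model)."""
    for action, acls in RULES:
        matched = True
        for acl in acls:
            if acl in PROXY_AUTH:
                if user is None:
                    return "challenge"  # a proxy_auth ACL needs credentials
                ok = (user == PROXY_AUTH[acl])
            elif acl == "whitelist":
                ok = dstdomain_match(host, WHITELIST)
            else:
                ok = (acl == "all")
            if not ok:
                matched = False
                break  # ACLs on one line are ANDed; stop at first miss
        if matched:
            return action  # first matching rule wins
    return "deny"
```

Because the first matching rule wins, moving http_access deny all above the two allow lines would block both users, and a whitelist entry written without the leading dot would no longer cover subdomains such as mail.google.com.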