Restrict access using squid proxy server
When running a proxy you need to think first and foremost about its security: there are plenty of people scanning for open proxies to use for their own purposes, good or bad. This isn't specific to Squid; any software, application or feature that is exposed publicly needs security measures in place, in case something bad happens to your system, or to other systems, because of it. In this article I'm going to show you some useful options for restricting access with the Squid proxy server.
Options for restricting access
To restrict access in Squid you write ACL rules that match specific patterns; these can be almost anything you can express logically.
There are different options of course: restricting specific destination domains or a pattern of destination domains, specific paths such as all .zip or .mp3 files, or blocking IP addresses or network blocks. But the main ones I've seen used to block access are the following three:
- by destination domain
- by IP address or network
- by matching a regex pattern
All of them can be combined, of course: you can use a regex on the destination domain, for example, to match specific words in domain names and block them, and so on. I find you can do almost anything to restrict access in Squid.
Blocking access by destination domain
This is the option I've found most practical: you can use a regex to match a pattern, or list specific domain names to block. An example ACL is below:
```
## block specific domain names (the ACL type is dstdomain; a leading dot also matches all subdomains)
acl block_destination_domain dstdomain .domain1.com .domain2.com .domain3.com
## block a pattern in the domain name using regex
acl block_pattern_destination_domain dstdom_regex mp3 adult txt
## block domains from a file, one domain per line
acl block_destination_domain dstdomain "/etc/squid/var/blocked_domains.txt"
```
I have added comments to show how to create the ACLs for each of the domain options. The next step is to deny access to those ACL rules, which is done by adding:
```
## several ACLs on one http_access line must all match (logical AND),
## so each ACL goes on its own line to deny when either one matches
http_access deny block_destination_domain
http_access deny block_pattern_destination_domain
```
Blocking access by IP address or network
This is normally used to block individual IP addresses, but in some cases you can also block a whole network. This is easily done by creating the ACLs below:
```
## Block an individual IP address
acl banned_clients src 192.168.1.2
## Block a whole network, e.g. a /24
acl banned_clients_network src 192.168.1.0/255.255.255.0
```
Then you can easily deny access as before:
```
## one ACL per deny line (ACLs on the same line are ANDed)
http_access deny banned_clients
http_access deny banned_clients_network
```
Easy, simple and powerful, that’s how I see this.
Blocking access by matching a regex
I've personally used this one for bandwidth control. A lot of users believe that unmetered bandwidth means unlimited usage; that's not really the case. Bandwidth is cheap if you don't use much, and some datacenters let you pay for what you use, so that's alright I guess. Anyway, this ACL matches specific patterns in the URL so that those requests are blocked directly in the proxy. To do this we create a similar ACL:
```
## -i makes the match case-insensitive; the dots are escaped so ".exe"
## matches the literal extension rather than any character followed by "exe"
acl blocked_words url_regex -i ftp \.exe \.mp3 \.vqf \.tar\.gz \.gz \.zip
```
This matches the patterns anywhere in the URL so you can control access to it; then you just deny access as before:
```
http_access deny blocked_words
```
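To show how Squid evaluates the rules from the three sections above, here is an added example (my own, not from the article or the Squid project): a small Python model of Squid's http_access evaluation for the src, dstdomain, dstdom_regex and url_regex ACL types, run over a constructed config. The config, client IPs and URLs are constructed for illustration, and the model covers only those four ACL types.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed squid.conf, not the article's. One deny per http_access line:
# ACLs on the same line are ANDed, so only separate lines give an OR.
SQUID_CONF = """
acl all src 0.0.0.0/0
acl localnet src 192.168.1.0/255.255.255.0
acl banned_clients src 192.168.1.2
acl block_destination_domain dstdomain .domain1.com .domain2.com
acl block_pattern_destination_domain dstdom_regex mp3 adult
acl blocked_words url_regex -i \\.exe$ \\.zip$
http_access deny banned_clients
http_access deny block_destination_domain
http_access deny block_pattern_destination_domain
http_access deny blocked_words
http_access allow localnet
http_access deny all
"""
def parse_conf(text):  # same-name acl lines merge; http_access keeps its order
    acls, rules = {}, []
    for parts in (line.split() for line in text.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            entry = acls.setdefault(parts[1], (parts[2], "-i" in parts, []))
            entry[2].extend(a for a in parts[3:] if not a.startswith("-"))
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def acl_matches(acl, client_ip, url):
    kind, icase, values = acl
    host, ip = (urlsplit(url).hostname or "").lower(), ipaddress.ip_address(client_ip)
    if kind == "src":
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # a leading dot also matches every subdomain
        return any(host == v.lstrip(".") or v[0] == "." and host.endswith(v) for v in values)
    if kind in ("dstdom_regex", "url_regex"):
        subject = host if kind == "dstdom_regex" else url
        return any(re.search(v, subject, re.I if icase else 0) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(text, client_ip, url):
    # first line whose ACLs all match wins; none matching -> opposite of last action
    acls, rules = parse_conf(text)
    for allow, names in rules:
        if all(acl_matches(acls[n], client_ip, url) for n in names):
            return allow
    return not rules[-1][0]
```

Joining the two domain deny lines into a single http_access line makes the model let www.domain1.com through from the local network, because both ACLs would then have to match the same request.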
So that wasn't so hard, was it? Squid lets you create lots of rules to match whatever patterns you wish to block; it is very versatile. If you have any questions please comment below.