Restrict access using squid proxy server

When using a proxy you need to think first and foremost about its security; there are plenty of bad guys out there who are just looking for new proxy sites to use for their own purposes, good or bad. This is not specific to squid proxy: for any software, application or feature that is meant to be public, you need to apply security measures in case something bad happens to your system, or to other systems, because of your application. In this article I’m going to show you some nice options you can use when restricting access using squid proxy.

Options for restricting access

To restrict access in squid you use ACL rules to match specific patterns; these can be almost anything you can logically think of.

There are different options you can use of course, some include restricting specific destination domains or a pattern on destination domains, specific paths like all .zip files or .mp3 files, or blocking IP addresses or network blocks. But the main ones I’ve seen used are the following 3 specific options that are used to block access:

  • by destination domain
  • by IP address or network
  • by matching a regex pattern

All of them can be combined, of course: you can use a regex in a destination domain ACL, for example, to match specific words in your domains and block them, and so on. I find that you can do almost anything to restrict access in squid proxy.

Blocking access by destination domain

I found this option the most feasible: you can use a regex to match a pattern or use specific domain names for blocking. An example ACL is below:

I have added comments to show you how you can create the ACLs for each of the options you want for domains. The other step is to block access for those ACL rules, which is done by adding:

Blocking access by IP address or network

This is normally used to block only IP addresses, but in some cases you could also block a network class. This is easily done by creating the below ACL:

Then you can easily deny access as before:

Easy, simple and powerful, that’s how I see this.

Blocking access by matching a regex

I personally used this one for bandwidth shaping. There are a lot of users who believe that unmetered bandwidth gets them unlimited usage; well, that’s not really the case. Bandwidth is cheap if you don’t use much, and some datacenters allow you to pay for as much as you use, so it’s alright I guess. Anyway, this can be used to match specific patterns in URLs so that these are blocked directly in the proxy. To do this we can create a similar ACL:

This will match the words in the URL so that you can control access to it; then you just need to deny access like before:
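
The three options above, written out as one squid.conf fragment. This is an added example, not the article’s original listings: the ACL names, domains, addresses and patterns are constructed placeholders, and reading “block by IP address” as covering both client (src) and destination (dst) addresses is an assumption.

```conf
# Added example: every name, domain, address and pattern is a constructed placeholder.

# Clients allowed to use the proxy at all (assumed internal range).
acl localnet src 10.0.0.0/8

# 1) By destination domain. A leading dot also matches every subdomain.
acl blocked_domains dstdomain .example.com files.example.net
# Regex on the destination host name; -i makes it case-insensitive.
acl blocked_domain_words dstdom_regex -i (^|\.)ads[0-9]*\.

# 2) By IP address or network.
# src matches the client address, dst the resolved destination address.
acl blocked_clients src 192.0.2.15 198.51.100.0/24
acl blocked_destinations dst 203.0.113.0/24

# 3) By regex.
# urlpath_regex sees only the path and query; url_regex sees the whole URL.
acl blocked_files urlpath_regex -i \.(zip|mp3)(\?.*)?$
acl blocked_words url_regex -i torrent

# http_access lines are checked top to bottom and the first match wins,
# so every deny has to come before the allow for localnet.
http_access deny blocked_domains
http_access deny blocked_domain_words
http_access deny blocked_clients
http_access deny blocked_destinations
http_access deny blocked_files
http_access deny blocked_words
http_access allow localnet
# Anything not explicitly allowed is refused, so the proxy is not open.
http_access deny all
```

Validate the file with `squid -k parse` before reloading with `squid -k reconfigure`. For HTTPS traffic Squid only sees the CONNECT host and port unless it decrypts the connection, so the two URL regex ACLs do not see paths there while the domain and address ACLs still apply.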

So that wasn’t that hard, was it? Squid proxy allows you to create lots of rules to match specific patterns you wish to block; it is very versatile. If you have any questions please comment below.
