
Squid whitelist and blacklist (controlled kid browsing)

This is a simple recipe for setting up Squid with multiple users behind an auth mechanism, where some users (kids) are limited to a whitelist and others have either full access or whatever limited access you want (a different whitelist, a blacklist, etc.). This is very simple stuff, but the order of ACLs in Squid can get confusing, and I could not find an existing "recipe" like this anywhere when I decided to set this up, so I figured it may be useful.

1. Get Squid and set it up in the default manner (RPMs work great on distros that use them). Edit the Squid conf file "/etc/squid/squid.conf" and allow access to your local network. Configure a browser to use this "plain/default" Squid and make sure things are working as desired before proceeding: make sure you can surf via Squid, check the Squid logs, and optionally tweak the memory and cache sizes and so on (all very well documented in the squid.conf file).

2. Create a "squid_passwd" NCSA auth file using the Apache htpasswd program. This requires htpasswd, which is distributed with the Apache httpd server; most systems will have it, or you may have access to it on another machine. "htpasswd -c /etc/squid/squid_passwd adult" creates the file AND sets up the user "adult". It will prompt for a password. Then add another user to that file, leaving out the -c: "htpasswd /etc/squid/squid_passwd kid" creates the "kid" user.
Check the file "squid_passwd" with an editor and you should have two entries, adult and kid.

3. Create a Squid whitelist file. Create "/etc/squid/whitelist" and put a few "kid" sites in it, one per line (for example ".pbskids.org"). Squid will read this file using the "dstdomain" parameter to its acl mechanism, so each line is simply the name of a domain, or a host and domain.

4. Edit the squid.conf to use the new passwd file and whitelist file.

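In the acl area of the squid.conf file create these entries (the auth_param line is what points Squid at the password file from step 2):

# Replace /path/to/ncsa_auth with the NCSA auth helper shipped with your Squid
# (placeholder path; the helper's name and location depend on Squid version and distro).
auth_param basic program /path/to/ncsa_auth /etc/squid/squid_passwd
acl ncsa_adult_users proxy_auth adult
acl ncsa_kid_users proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
#acl blacklist dstdomain "/etc/squid/blacklist"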

Then in the http_access area of the squid.conf file create these entries:

http_access allow ncsa_adult_users
http_access allow ncsa_kid_users whitelist
http_access deny all

5. Go back to the browser (configured in the "normal" manner in step 1, meaning manual proxy setup pointed at the Squid server) and browse again. You should be prompted for a user/pass. If you log in as "kid" you will only be allowed access to the whitelist. If you log in as "adult" you have access to anything (optionally you could use the "blacklist", but it's commented out in this example).
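
Since the order of the http_access lines is the confusing part, here is a small model of how Squid evaluates them (an added example, not part of the original recipe and not Squid code). It uses the rules from step 4 with a constructed whitelist and a constructed misordered variant; the names WHITELIST, RULES, BAD_RULES, dstdomain_match and decide are made up for this sketch, and the 407 authentication challenge itself is not modelled.

```python
# Added example: simplified model of Squid's http_access evaluation (not Squid code).
# Lines are checked top to bottom; all ACLs on a line must match; first match decides.

WHITELIST = [".pbskids.org"]  # constructed contents of /etc/squid/whitelist


def dstdomain_match(host, entries):
    """dstdomain semantics: '.example.org' matches the domain and all of its
    subdomains; 'www.example.org' (no leading dot) matches that host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


ACLS = {
    "ncsa_adult_users": lambda user, host: user == "adult",
    "ncsa_kid_users": lambda user, host: user == "kid",
    "whitelist": lambda user, host: dstdomain_match(host, WHITELIST),
    "all": lambda user, host: True,
}

# The http_access lines from step 4, in the same order.
RULES = [
    ("allow", ["ncsa_adult_users"]),
    ("allow", ["ncsa_kid_users", "whitelist"]),
    ("deny", ["all"]),
]

# A misordered variant (constructed): a broad allow placed first wins for
# every request, so the kid restriction below it is never reached.
BAD_RULES = [("allow", ["all"])] + RULES


def decide(rules, user, host):
    for action, acl_names in rules:
        if all(ACLS[name](user, host) for name in acl_names):
            return action
    return "deny"  # not reached here: both rule sets contain an 'all' line


if __name__ == "__main__":
    for user, host in [("kid", "www.pbskids.org"), ("kid", "example.com")]:
        print(user, host, decide(RULES, user, host), decide(BAD_RULES, user, host))
```

Any allow line that matches more broadly than intended and sits above the "kid" line has the same effect as BAD_RULES, so keep the specific allows first and "deny all" last.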

This works well in my setup and the kids use it just fine. The "kid" user/pass is saved by the browser so the kids just click OK and roll to their sites and I know they will not be able to access anything outside of the whitelist. Other users can type in the "adult" user/pass.

This of course can be used with any acl mechanism, any list of users and with any squid setup (such as a transparent proxy) with some minimal changes.
