Setting up a strict whitelist proxy server using Squid

Squid is an open source proxy server that comes preinstalled with many Linux distributions. The software can be used for a lot of neat stuff, but I came across a situation where I wanted to be able to lock down access to the whole web except for a few approved sites – kind of an information kiosk scenario.

Assumptions

I am using Ubuntu Server 9.04, which comes with Squid installed already. Apparently it is not automatically installed with Ubuntu Desktop, but it is available in the repositories and can be installed quite easily with:

sudo apt-get install squid

Configuration

Once you’re set with a standard installation, edit /etc/squid/squid.conf and locate the line starting with INSERT YOUR OWN... Now, add the following lines:

acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow whitelist

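You may want to comment out the line http_access allow localhost if you want the same rules to apply for localhost as well. The whitelist is only strict as long as the default http_access deny all line further down stays in place, since that is what rejects every request not matched by an allow rule.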

You can now edit /etc/squid/whitelist.txt and add domains using the following pattern:

  • example.com will add that domain
  • .example.com will add example.com and all subdomains.

It seems possible to be a lot more sophisticated with regular expressions and stuff, but this was good enough for me.
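The two whitelist patterns above, emulated in Python as an added example (not part of the original post and not Squid's own code); the sample entries and function names are constructed for illustration. It also flags leading-dot entries that consist of a bare TLD, since such an entry admits every site under that TLD.

```python
# Added example: emulates the two dstdomain patterns described above.
# Constructed sample whitelist; the domains are placeholders.
SAMPLE_WHITELIST = """\
example.com
.example.org
.xxx
WWW.Example.NET
"""

def parse_whitelist(text):
    """Return lower-cased entries, one per non-blank line."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]

def entry_matches(entry, host):
    """True if `host` is covered by a single whitelist entry."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        # ".example.com" covers example.com and every subdomain of it.
        return host == entry[1:] or host.endswith(entry)
    # "example.com" covers that exact host name only.
    return host == entry

def is_allowed(entries, host):
    """True if any whitelist entry covers `host`."""
    return any(entry_matches(e, host) for e in entries)

def overbroad(entries):
    """Leading-dot entries with a single label (".xxx", ".com"):
    they allow every site registered under that TLD."""
    return [e for e in entries if e.startswith(".") and "." not in e[1:]]

if __name__ == "__main__":
    entries = parse_whitelist(SAMPLE_WHITELIST)
    for host in ("example.com", "www.example.com", "mail.example.org",
                 "example.org", "badexample.org", "anything.xxx"):
        verdict = "allow" if is_allowed(entries, host) else "deny"
        print(f"{host:20} {verdict}")
    print("over-broad entries:", overbroad(entries))
```

Running it over a real whitelist.txt before reloading Squid shows which host names each entry actually admits and which entries are wider than intended.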

Reload the squid configuration:

sudo /etc/init.d/squid reload

Error pages are located in /usr/share/squid/errors and can be customized.

Finally, you’ll need to configure your browser to use the proxy server. If you are running Firefox, follow these steps:

  • From the Firefox menu, choose Edit > Preferences. Click “Advanced” and then “Network”.
  • Click “Settings” and select the “Manual Proxy Configuration” radio button.
  • In the “HTTP Proxy” field enter the name or IP address of the machine running your proxy.
  • In the “Port” field enter the value 3128 and check “Use this proxy server for all protocols”.

You should now be able to visit only the sites registered in the whitelist.

13 thoughts on “Setting up a strict whitelist proxy server using Squid”

    • These links might be helpful while configuring Squid.

      Your WordPress theme is a clean one. I also thought to use the same, but it does not have many widget options.

      Anyway, enjoy blogging

  1. Hey thanks.
    I’d like to ask. What about other websites that are not listed in the ‘whitelist’?
    Can ‘the other sites’ be accessed as well?
    Or will ‘the other sites’ be blocked?

  2. I’d suggest using a deny rule for anything not on the whitelist instead. You’ll end up allowing any request not already denied by any other rule if you aren’t careful.

    http_access deny !whitelist

    • That whitelist allows, amongst other things, the whole of the .xxx TLD. I’d be very surprised if there is no adult material available there.

  4. My question is, can you block subdirectories without blocking the entire domain; i.e. example.com/*** without blocking example.com?
