Squid whitelist and blacklist (controlled kid browsing)

A simple tutorial on setting up Squid so that several users authenticate to the proxy, with some of them (the kids) limited to a whitelist and the others given either full access or whatever limited access you want (a different whitelist, a blacklist, etc.). This is very simple stuff, but the order of acl and http_access lines in squid.conf can get confusing, and I could not find an existing "recipe" like this anywhere when I decided to set it up. Thus I figured this may be useful.

1. Get Squid and set it up in the default manner (RPMs work fine on distributions that use them). Edit the squid conf file "/etc/squid/squid.conf" and allow access to your local network. Configure a browser to use this "plain/default" squid and make sure things are working as desired before proceeding (make sure you can surf via squid, check the squid logs, optionally tweak the memory and cache sizes and so on; all of this is very well documented in the squid.conf file itself).

2. Create a "squid_passwd" NCSA auth file using the apache htpasswd program (this requires that you have htpasswd; it is distributed with the apache httpd server, most systems will have it, or you may have access to it on another machine). "htpasswd -c /etc/squid/squid_passwd adult" creates the file AND sets up the user "adult"; it will prompt for a password. Then add another user to that file (leave out the -c): "htpasswd /etc/squid/squid_passwd kid" creates the "kid" user.
Check the file "squid_passwd" with an editor and you should have two entries, adult and kid.

3. Create a squid whitelist file. Create "/etc/squid/whitelist" and put a few "kid" sites in it, one per line, for example ".pbskids.org". Squid reads this file through the "dstdomain" acl type, so each line is simply a domain or a host-and-domain name: an entry with a leading dot such as ".pbskids.org" matches that domain and all of its subdomains, while an entry without the leading dot matches only that exact host.

4. Edit squid.conf to use the new password file and the whitelist file.

First tell Squid which authentication helper to use. Without this line the proxy_auth acls below are silently ignored ("no authentication schemes are fully configured"); the helper path varies by distribution, /usr/lib/squid/ncsa_auth is a common location:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic realm Squid proxy

In the acl area of the squid.conf file create these entries:

acl ncsa_adult_users proxy_auth adult
acl ncsa_kid_users proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
#acl blacklist dstdomain "/etc/squid/blacklist"

Then in the http_access area of the squid.conf file create these entries. Put them ABOVE the http_access line that allows your local network from step 1: Squid stops at the first http_access line that matches, so a plain "allow" for the local network placed above these would let every client through without ever asking for a password.

http_access allow ncsa_adult_users
http_access allow ncsa_kid_users whitelist
http_access deny all

5. Go back to the browser (configured in the "normal" manner in step 1, meaning a manual proxy setup pointed at the squid server) and browse again. You should be prompted for a user/pass. If you log in as "kid" you will only be allowed access to the whitelist. If you log in as "adult" you have access to anything (optionally you could use the "blacklist", but it is commented out in this example).
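To check the rule ordering and the whitelist before restarting the proxy, here is an added Python model of how Squid walks the http_access lines from step 4 (first match wins, proxy_auth acls challenge for credentials, dstdomain entries with a leading dot cover subdomains). It is example code, not part of the original post or of Squid; the whitelist contents, the "localnet" acl name and the 192.168.10.0/24 network are constructed for the example.

```python
import ipaddress

# Constructed whitelist in /etc/squid/whitelist format. It deliberately has a
# duplicate and an entry covered by a broader one (Squid warns "is a subdomain of").
WHITELIST_FILE = """\
.pbskids.org
.nick.com
.dealer.nick.com
.nick.com
kids.example.org
"""
def parse_whitelist(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def dstdomain_match(entry, host):
    """'.example.com' matches example.com and all subdomains; no leading dot = exact host only."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def covers(broad, narrow):
    """True if every host matched by `narrow` is also matched by `broad`."""
    return broad == narrow or (broad.startswith(".") and dstdomain_match(broad, narrow.lstrip(".")))

def redundant_entries(entries):
    """Return (kept, redundant): redundant holds (entry, broader) pairs Squid warns about."""
    kept, redundant = [], []
    for e in entries:
        broader = next((k for k in kept if covers(k, e)), None)
        if broader is not None:
            redundant.append((e, broader))
            continue
        for k in [k for k in kept if covers(e, k)]:   # e is broader than an earlier entry
            kept.remove(k)
            redundant.append((k, e))
        kept.append(e)
    return kept, redundant

def evaluate(rules, acls, user, host, src):
    """First-match http_access walk: 'allow', 'deny', or 'auth' (407 challenge, no credentials yet)."""
    for action, names in rules:
        for name in names:
            kind, arg = acls[name]
            if kind == "proxy_auth":
                if user is None:
                    return "auth"
                ok = user == arg
            elif kind == "dstdomain":
                ok = any(dstdomain_match(e, host) for e in arg)
            elif kind == "src":
                ok = ipaddress.ip_address(src) in ipaddress.ip_network(arg)
            else:
                ok = kind == "all"
            if not ok:
                break
        else:
            return action          # every acl on the line matched
    return "deny"                  # Squid's implicit default

ACLS = {
    "ncsa_adult_users": ("proxy_auth", "adult"),
    "ncsa_kid_users": ("proxy_auth", "kid"),
    "whitelist": ("dstdomain", parse_whitelist(WHITELIST_FILE)),
    "localnet": ("src", "192.168.10.0/24"),   # the step 1 local-network acl (assumed name)
    "all": ("all", None),
}
TUTORIAL_ORDER = [("allow", ["ncsa_adult_users"]), ("allow", ["ncsa_kid_users", "whitelist"]),
                  ("deny", ["all"])]
LOCALNET_FIRST = [("allow", ["localnet"])] + TUTORIAL_ORDER   # misordering: no password ever asked
```

Running evaluate with LOCALNET_FIRST and no credentials returns "allow" for any host, which is the "no password request and all sites are available" symptom reported in the comments.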

This works well in my setup and the kids use it just fine. The "kid" user/pass is saved by the browser so the kids just click OK and roll to their sites and I know they will not be able to access anything outside of the whitelist. Other users can type in the "adult" user/pass.

This of course can be used with any acl mechanism, any list of users and with any squid setup (such as a transparent proxy) with some minimal changes.

Comments

RE: Squid whitelist and blacklist (controlled kid browsing)

Useful article!

RE: Squid whitelist and blacklist (controlled kid browsing)

I tried this and restarted squid and I got the following:
2006/03/24 08:17:15| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl ncsa_adult_users proxy_auth adult' because no authentication schemes are fully configured.
2006/03/24 08:17:15| aclParseAclLine: IGNORING invalid ACL: acl ncsa_adult_users proxy_auth adult
2006/03/24 08:17:15| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl ncsa_kid_users proxy_auth kid' because no authentication schemes are fully configured.
2006/03/24 08:17:15| aclParseAclLine: IGNORING invalid ACL: acl ncsa_kid_users proxy_auth kid
2006/03/24 08:17:15| squid.conf line 1928: http_access allow ncsa_adult_users
2006/03/24 08:17:15| aclParseAccessLine: ACL name 'ncsa_adult_users' not found.
2006/03/24 08:17:15| squid.conf line 1928: http_access allow ncsa_adult_users
2006/03/24 08:17:15| aclParseAccessLine: Access line contains no ACL's, skipping
2006/03/24 08:17:15| squid.conf line 1929: http_access allow ncsa_kid_users whitelist
2006/03/24 08:17:15| aclParseAccessLine: ACL name 'ncsa_kid_users' not found.

Any ideas?

Same problem here

I have the same problem.
I have an out-of-the-box configuration of squid, except the network is changed to work with my subnet.

I did your step-by-step config and I have the same error about unconfigured authentication.

Any step-by-step info on how to configure the authentication mechanism for this setup?

Please.

u4david@gmaildotcom

Same problem here

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

I added this line and the authentication error is gone.
Now I have this error:
* Restarting Squid HTTP proxy squid * Waiting... * ... * ... * ... * ... * ... * ... [ ok ]
2008/02/05 14:26:50| aclParseAclLine: WARNING: empty ACL: acl whitelist dstdomain "/etc/squid/whitelist"

Same problem here

OK, I had unsaved changes in the whitelist, so now I have:

created the users and passwords with htpasswd
(user and sfsadmin)
user is limited with the whitelist, sfsadmin is unlimited

#enabled:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#added this acl:

acl ncsa_sfsadmin_users proxy_auth sfsadmin
acl ncsa_user_users proxy_auth user
acl whitelist dstdomain "/etc/squid/whitelist"
#acl blacklist dstdomain "/etc/squid/blacklist"

#added this to rules:
http_access allow our_networks
http_access allow localhost
acl our_networks src 192.168.10.0/255.255.255.0

http_access allow ncsa_sfsadmin_users
http_access allow ncsa_user_users whitelist
http_access deny all

In /etc/squid/whitelist I have my list of sites (one per line).

And when I restart squid I get:

2008/02/05 17:22:53| WARNING: 'bransontractor.com' is a subdomain of '.bransontractor.com'
2008/02/05 17:22:53| WARNING: because of this '.bransontractor.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove 'bransontractor.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.caseih.com' is a subdomain of '.caseih.com'
2008/02/05 17:22:53| WARNING: because of this '.caseih.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.caseih.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.caseih.com' is a subdomain of '.caseih.com'
2008/02/05 17:22:53| WARNING: because of this '.caseih.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.caseih.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.doa.state.nc.us' is a subdomain of '.doa.state.nc.us'
2008/02/05 17:22:53| WARNING: because of this '.doa.state.nc.us' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.doa.state.nc.us' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.hotlineguides.com' is a subdomain of '.hotlineguides.com'
2008/02/05 17:22:53| WARNING: because of this '.hotlineguides.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.hotlineguides.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.hotlineguides.com' is a subdomain of '.hotlineguides.com'
2008/02/05 17:22:53| WARNING: because of this '.hotlineguides.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.hotlineguides.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.my.fastline.com' is a subdomain of '.fastline.com'
2008/02/05 17:22:53| WARNING: because of this '.fastline.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.my.fastline.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.bbispreaders.com' is a subdomain of '.bbispreaders.com'
2008/02/05 17:22:53| WARNING: because of this '.bbispreaders.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.bbispreaders.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.con-way.com' is a subdomain of '.con-way.com'
2008/02/05 17:22:53| WARNING: because of this '.con-way.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.con-way.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.rlcarriers.com' is a subdomain of '.rlcarriers.com'
2008/02/05 17:22:53| WARNING: because of this '.rlcarriers.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.rlcarriers.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.rlcarriers.com' is a subdomain of '.rlcarriers.com'
2008/02/05 17:22:53| WARNING: because of this '.rlcarriers.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.rlcarriers.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.wilsontrucking.com' is a subdomain of '.wilsontrucking.com'
2008/02/05 17:22:53| WARNING: because of this '.wilsontrucking.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.wilsontrucking.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.grasshoppermower.com' is a subdomain of '.grasshoppermower.com'
2008/02/05 17:22:53| WARNING: because of this '.grasshoppermower.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.grasshoppermower.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.dealer.grasshoppermower.com' is a subdomain of '.grasshoppermower.com'
2008/02/05 17:22:53| WARNING: because of this '.dealer.grasshoppermower.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.dealer.grasshoppermower.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.dealerportal.irco.com' is a subdomain of '.dealerportal.irco.com'
2008/02/05 17:22:53| WARNING: because of this '.dealerportal.irco.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.dealerportal.irco.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.dealerportal.irco.com' is a subdomain of '.dealerportal.irco.com'
2008/02/05 17:22:53| WARNING: because of this '.dealerportal.irco.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.dealerportal.irco.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.my.dlrportal.com' is a subdomain of '.my.dlrportal.com'
2008/02/05 17:22:53| WARNING: because of this '.my.dlrportal.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.my.dlrportal.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.my.dlrportal.com' is a subdomain of '.my.dlrportal.com'
2008/02/05 17:22:53| WARNING: because of this '.my.dlrportal.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.my.dlrportal.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.jdpc.deere.com' is a subdomain of '.deere.com'
2008/02/05 17:22:53| WARNING: because of this '.jdpc.deere.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.jdpc.deere.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.jdpc.deere.com' is a subdomain of '.deere.com'
2008/02/05 17:22:53| WARNING: because of this '.jdpc.deere.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.jdpc.deere.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.kubota.com' is a subdomain of '.kubota.com'
2008/02/05 17:22:53| WARNING: because of this '.kubota.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.kubota.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.traderonline.com' is a subdomain of '.traderonline.com'
2008/02/05 17:22:53| WARNING: because of this '.traderonline.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.traderonline.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.traderonline.com' is a subdomain of '.traderonline.com'
2008/02/05 17:22:53| WARNING: because of this '.traderonline.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.traderonline.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.servis-rhino.com' is a subdomain of '.servis-rhino.com'
2008/02/05 17:22:53| WARNING: because of this '.servis-rhino.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.servis-rhino.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.servis-rhino.com' is a subdomain of '.servis-rhino.com'
2008/02/05 17:22:53| WARNING: because of this '.servis-rhino.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.servis-rhino.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.ssconnect.sscoop.com' is a subdomain of '.ssconnect.sscoop.com'
2008/02/05 17:22:53| WARNING: because of this '.ssconnect.sscoop.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.ssconnect.sscoop.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.ssconnect.sscoop.com' is a subdomain of '.ssconnect.sscoop.com'
2008/02/05 17:22:53| WARNING: because of this '.ssconnect.sscoop.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.ssconnect.sscoop.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.hudsontrailers.com' is a subdomain of '.hudsontrailers.com'
2008/02/05 17:22:53| WARNING: because of this '.hudsontrailers.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.hudsontrailers.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.tractorhouse.com' is a subdomain of '.tractorhouse.com'
2008/02/05 17:22:53| WARNING: because of this '.tractorhouse.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.tractorhouse.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.wrlonginc.com' is a subdomain of '.wrlonginc.com'
2008/02/05 17:22:53| WARNING: because of this '.wrlonginc.com' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.wrlonginc.com' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.doa.state.nc.us' is a subdomain of '.doa.state.nc.us'
2008/02/05 17:22:53| WARNING: because of this '.doa.state.nc.us' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.doa.state.nc.us' from the ACL named 'whitelist'
2008/02/05 17:22:53| WARNING: '.doa.state.nc.us' is a subdomain of '.doa.state.nc.us'
2008/02/05 17:22:53| WARNING: because of this '.doa.state.nc.us' is ignored to keep splay tree searching predictable
2008/02/05 17:22:53| WARNING: You should probably remove '.doa.state.nc.us' from the ACL named 'whitelist'

And no password request and all sites are available.

Should I add some more authentication rules?

And what is up with the websites on the whitelist?

Same problem here

OK I GOT IT.

It did not take me long to figure out that the sub domain I allowed is bypassing the authentication and whitelist.

And I guess the error about the website domains is duplicates, but I will check into that next.

Another question I will have in the near future is multiple whitelist sets.
I guess just create whitelist1, whitelist2...

create user1, user2... and passwords

add this:
acl whitelist1 dstdomain "/etc/squid/whitelist1"
acl whitelist2 dstdomain "/etc/squid/whitelist2"
...
acl ncsa_user1_users proxy_auth user1
acl ncsa_user2_users proxy_auth user2
...

http_access allow ncsa_user1_users whitelist1
http_access allow ncsa_user2_users whitelist2

And it should have multiple whitelists, right?

Question 2
How can I block ports using a stand-alone proxy server?
Stand-alone means that it is on the LAN but it is not the gateway.

Thanks

RE: Squid whitelist and blacklist (controlled kid browsing)

I am not sure why you might be having issues with this, unless, just as it says, there is no auth mechanism configured. Are you using the ncsa_auth?

You may want to check out the Squid auth FAQ (and make sure your ACL definitions are in the file BEFORE you try to use them).

Also make sure to try turning up the debug level and looking around (sometimes file permissions can cause ACL issues) - http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#debug.

Also make sure your ncsa auth is working outside of squid, if need be, then go back to squid and make sure settings are correct (http://httpd.apache.org/docs/1.3/programs/htpasswd.html).

Update and clarification

I have read your how-to and have learned much, and have written one that should clear up sections in your how-to.
It is at http://mung.net/~dude/howto/squid_notes.html#id2451606

Does it work with more than 2 users?

Hello,
First, thank you for this work, it's almost what I need!
I would like to set up this kind of proxy in my company, but I would prefer more than 2 users:

I've read both this one and http://mung.net/howto/squid_notes.html#i__-1951947776_284.
But I still wonder how I can set up 2 different whitelists (using htpasswd to set up as many users as I want will not be a problem I guess :))
If some of you succeed in doing this, please let me know...

PS: sorry, as you can see I'm not a native English speaker...

Thank you
yohann

RE: Squid whitelist and blacklist (controlled kid browsing)

Thanks dude, that is a nice looking HOWTO and is much more in-depth than my "simple tutorial". Great resource there for folks working with squid and ACLs.

And I am amazed that more people don't do the "whitelist" type thing, regardless of which software they use and what the specific implementation is. I use the whitelist approach with my kids - with a little admin tool I created so that I or my wife can change the list easily - and it works great. The only way to really filter things is the whitelist; all that blacklist nonsense does not work reliably and consistently enough to use as a filter for kids.

RE: Squid whitelist and blacklist (controlled kid browsing)

I like the whitelist angle. Anyone know where I can get a whitelist of domains and urls for squid and/or squidguard specific? A free list, not those pay us to "protect" your kids list...
Thanks!

RE: Squid whitelist and blacklist (controlled kid browsing)

I am still searching without any luck to find a safe whitelist. Anyone got a list to share?

I have a whitelist

There are perl scripts out there that will parse the dmoz database from an RDF format. I configured the xml file to exclude/include categories at will. When done, I ended up with 1.262 million whitelist sites for our schools.

RE: Squid whitelist and blacklist (controlled kid browsing)

I have a very limited one - specifically for the kids - pbs, noggin, disney, their school, and so on - probably not what you want. Really the notion here was to create one yourself and then have an easy admin utility to add sites to the whitelist file (I have the file SMB mounted at home, so my wife or I can edit it to allow new sites).

RE: Squid whitelist and blacklist (controlled kid browsing)

For those interested in the tutorial written by "dude", it has moved and can be found here: http://mung.net/howto/squid_notes.html

RE: Squid whitelist and blacklist (controlled kid browsing)

I'll make a whitelist with a few catholic sites and other sites needed to keep computers working (like symantec, etc.). I think it's better to have a whitelist for a specific area (school, kids, art...), so you can use it if it fits what you want. If someone is interested, I can put it somewhere.
