[HowTo] Filter Some Websites During Work Hours With Squid

In most cases, a company wants to use its bandwidth efficiently. As you may know, you can speed up page loading when browsing by using Squid as a web cache. I'm not going to explain how Squid does it or how to install it; for more details about Squid, refer to my old post about how to install Squid and monitor it. The next case is that your internet connection still feels slow, even though you are using Squid as a web cache.

After spending some time in the Squid log, you find that some of your friends are watching online video on sites like YouTube, Metacafe, Google Video, Facebook, etc., while you want to finish your work on time. This is very annoying. It also lowers the company's productivity, and I'm sure you know that this is a great loss for a company.

In this article I will show you how to solve that with Squid. You can block/filter some websites, or even IPs, during work hours. This will increase productivity and make your bandwidth use more efficient. Let's begin.

I will now show you, step by step, how to make a filter in Squid. I assume you are familiar with shell commands in Linux.

Please follow these steps:

  1. Make a file in /etc/squid/ called denied_domains.acl with this command:
    touch /etc/squid/denied_domains.acl
  2. Open denied_domains.acl with this command:
    vim /etc/squid/denied_domains.acl
  3. Now add every website that you want to block (one per line). Mine looks like this:

    Note: you can add as many as you like, and later you can add or remove entries just by editing this file.

  4. Now save and close that file.
  5. Open squid.conf, which is usually in the /etc/squid/ folder, with this command:
    vim /etc/squid/squid.conf
  6. Add these lines to your squid.conf:
    acl workinghour time MTWHFA 09:00-16:59
    acl restricted-domain dstdomain "/etc/squid/denied_domains.acl"
    acl blacklist_ip src

    Explanation: The first line creates your working-hour variable. MTWHFA is the list of days (M-Monday, T-Tuesday, W-Wednesday, H-Thursday, F-Friday, A-Saturday, S-Sunday), followed by the working time in the format h1:m1-h2:m2, where h1:m1 must be earlier than h2:m2. The second line creates a variable holding the domains that should be blocked. The third line defines which IPs should be blocked from the restricted domains.

  7. Now add the filter action. Put this in the rules section:
    http_access deny restricted-domain workinghour blacklist_ip
  8. OK, now it's finished. Save and close the squid.conf file.
  9. Restart your squid with this command:
    /etc/init.d/squid restart

Test it from one of the defined IPs against a restricted domain during working hours. You will see the page show “Access is denied”.
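The rule from steps 6 and 7, modelled as an added Python example (not part of the original post and not Squid's own code): it shows that the deny line applies only when the domain, time and source ACLs all match. The domain list and client network are constructed sample values, since the post does not list its own.

```python
# Added example: a simplified model of how the deny rule is matched.
from datetime import datetime
from ipaddress import ip_address, ip_network

DAY_CODES = "MTWHFAS"  # index = datetime.weekday(): 0=Monday ... 6=Sunday

def parse_time_acl(spec):
    """'MTWHFA 09:00-16:59' -> (weekday numbers, start minute, end minute)."""
    days, span = spec.split()
    def to_min(hm):
        h, m = hm.split(":")  # a '.' separator raises ValueError here
        return int(h) * 60 + int(m)
    start, end = (to_min(p) for p in span.split("-"))
    if start >= end:
        raise ValueError("h1:m1 must be earlier than h2:m2")
    return {DAY_CODES.index(d) for d in days}, start, end

def time_matches(spec, now):
    days, start, end = parse_time_acl(spec)
    return now.weekday() in days and start <= now.hour * 60 + now.minute <= end

def dstdomain_matches(entries, host):
    """'.example.com' covers the domain and its subdomains; 'example.com' is exact."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def src_matches(networks, client):
    return any(ip_address(client) in ip_network(n) for n in networks)

def is_denied(host, client, now, domains, time_spec, networks):
    """'http_access deny A B C' applies only when every ACL on the line matches."""
    return (dstdomain_matches(domains, host) and time_matches(time_spec, now)
            and src_matches(networks, client))

# Constructed sample values: the post does not list its own domains or IPs.
DOMAINS = [".youtube.com", ".facebook.com"]
NETWORKS = ["192.168.1.0/24"]
WORKINGHOUR = "MTWHFA 09:00-16:59"

if __name__ == "__main__":
    monday_1030 = datetime(2024, 3, 4, 10, 30)
    print(is_denied("www.youtube.com", "192.168.1.20", monday_1030, DOMAINS, WORKINGHOUR, NETWORKS))
    print(is_denied("www.youtube.com", "192.168.1.20", datetime(2024, 3, 3, 10, 30), DOMAINS, WORKINGHOUR, NETWORKS))
```

Run against your own domain list and client range, it gives a quick way to check which requests the rule should catch before you test through the proxy.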

It's easy, right? Leave a comment if you have any tips or tricks that I missed, or just say hi if you liked this article. Thanks and have a nice day.


  1. Vojtech Vyslouzil says:

    Does not work for me at localhost with Ubuntu 9.04. Any suggestions?


  3. Ralphlinkus says:

    Thank you Ivan. I love your tutorials; they are very easy. Please can you guide me through how to configure authentication on Ubuntu server for internet users of about 1000 and give them a specific bandwidth? I want each user to only log on to the internet with a username and password. Thank you.

  4. Hi Ralphlinkus,
    if you want to do such an advanced configuration, you can try Mikrotik instead of Ubuntu with Squid.
    It may be a little pricey, but it is worth it. And you can create a specific account for each user, with a specific MAC address too. Try it.
    To know more about Mikrotik, just google it 🙂

  5. Hadjie says:

    HI Ivan,

    I'm new here and probably you can help me also with my problem in Squid. When other restricted accounts access the messenger in Yahoo, the logs say TCP_DENIED http://<IP address>/crossdomain.xml. The chat feature then hangs on Loading Chat…. By the way, I'm using Squid 3.0. How can I allow this for them, or how can I trick this so that they can access the messenger in Yahoo Mail? Just let me know what logs you want and I'm happy to give them to you.

    Thanks in Advance.


  6. You can make a whitelist in squid.conf. The whitelisted IPs won't be filtered by Squid.

    • Hadjie says:

      Hi Ivan, if I add this to the whitelist then they can access all the sites they want, which is not allowed in our environment. By the way, how can I allow them? Thanks.

      • Hi Hadjie, I don't quite understand what you mean.
        But you can filter some websites for some IP range. For example:
        from ip – (that may be assigned by DHCP) cannot access Facebook or Twitter.
        So when you have a public access point, like in a school, which assigns IPs by IP address, it won't allow the students to access Facebook or Twitter, while an admin or officer can access them.

        • Hadjie says:

          Hi Ivan, sorry to bother you. Here it goes: we have different subnets per branch. Those branches are having problems accessing Yahoo Messenger. By the way, I have restricted users per group. So from here they cannot access YM even though I allowed it for them. Can I email you my squid.conf? Please advise. Thanks for your time.

  7. Gubsrey says:

    Hi sir Ivan, I'm new to Squid Proxy. I think the problem on the 3rd line is, for example, Facebook using a different NS record. Sir Ivan, is that 3rd line required? What if I want to block the following domain without using or listing the IP or DNS?

  8. Sajumply says:

    Hi Ivan…….
    If a user uses, e.g., https://www.facebook.com
    then it's working……
    How can I block this? Please suggest…..


  9. jong says:

    Hi Ivan,

    How about a time ACL in between hours, say 08:00-12:00, 13:00-17:00? Is it possible in Squid?


  10. Manoj919319 says:

    I tried it. It works, but some employees still open it using the IP address. How can I prevent it?


  11. Jonasolavidez says:

    2011/03/16 21:26:57| aclParseIpData: WARNING: Netmask masks away part of the specified IP in ''

    I came up with this message. I don't know if this is a wrong input that I made.

  12. Hello!! Although this is not about the content but rather the template, I want to comment that your
    design is excellent. I loved browsing it. There are many sites out there that, despite having
    great articles, are so tedious to navigate that we leave.
    Success!

  13. Wowie Sy says:

    say given the following:

    acl study_hours time MTWHF 07:30-12:00
    acl restrict_clients src 192.168.254.x,192.168.254.y
    acl restrict_domain dstdomain .youtube.com

    I’ve set up basic authentication..

    how do you setup the acl / http_access when what we want is the following:

    – deny “restrict_clients” access to “restrict_domain” during “study_hours”

    this should be like this, ya?:

    http_access deny restrict_clients restrict_domain study_hours

    however, should the need arise that indeed, access to youtube be given at any instance (provided an elder is around to provide user credentials to the proxy), what should the config lines then be?
