In most cases a company wants to use its bandwidth efficiently and get the most out of it. You probably already know that you can speed up page loading by using Squid as a web cache. I'm not going to explain how Squid does it or how to install it; for the details, refer to my old post on installing and monitoring Squid. The next case is this: your internet connection feels slow even though you are using Squid as a web cache.
After spending some time with the Squid log, you find that some of your colleagues are watching online video (YouTube, Metacafe, Google Video, Facebook and so on) while you are trying to get your work done. This is very annoying, and it also lowers the company's productivity, which, as you know, is a big loss for a company.
In this article I will show you how to solve that with Squid: you can block or filter certain websites, or even certain client IPs, during work hours. This increases productivity and makes your bandwidth use more efficient. Let's begin.
I will show you step by step how to make a filter in Squid; I assume you are familiar with the Linux shell.
Please follow these steps:
- Create a file in /etc/squid/ called denied_domains.acl with this command:
touch /etc/squid/denied_domains.acl
- Open denied_domains.acl with this command:
vim /etc/squid/denied_domains.acl
- Now put every website that you want to block in it, one per line. Mine looks like this:
.friendster.com
.metacafe.com
.myspace.com
.videos.google.com
.youtube.com
.facebook.com
Note: you can add as many as you like, and later you can add or remove entries just by editing this file.
- Now save and close the file.
- Open squid.conf, which is usually in the /etc/squid/ folder, or type this command:
vim /etc/squid/squid.conf
- Add these lines to your squid.conf:
acl workinghour time MTWHFA 09:00-16:59
acl restricted-domain dstdomain "/etc/squid/denied_domains.acl"
acl blacklist_ip src 172.16.144.11-172.16.144.100/32
Explanation: the first line creates your working-hour ACL. MTWHFA are the days (M Monday, T Tuesday, W Wednesday, H Thursday, F Friday, A Saturday, S Sunday) and the time range has the format h1:m1-h2:m2, where h1:m1 must be earlier than h2:m2. The second line creates an ACL of the domains that should be blocked, read from the file you just made. The third line defines which client IPs should be blocked from the restricted domains.
- Now add the filter action. Put it among your http_access rules, before any http_access allow line that would otherwise match those clients, because Squid uses the first rule that matches:
http_access deny restricted-domain workinghour blacklist_ip
- That's it; save and close squid.conf.
- Restart Squid with this command:
/etc/init.d/squid restart
Test it from one of the defined IPs against a restricted domain during working hours, and you will see the page saying “Access is denied”.
Easy, right? Leave a comment if you have any tips or tricks I missed, or just say hi if you liked this article. Thanks and have a nice day.
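To see how the three ACLs and the deny rule combine, here is an added Python model of Squid's http_access evaluation, written for this article's configuration (example code, not Squid's own code and not from the original post). It assumes Squid's documented semantics: every ACL named on one http_access line must match, the first matching line wins, and repeated acl lines with the same name are merged. The contents of denied_domains.acl and the sample requests are constructed. It goes a little beyond the text in two places: the SPLIT_HOURS_CONF variant shows working hours with a lunch break written as two acl lines, and the last sample shows the known gap of dstdomain, which compares the hostname in the URL and therefore does not catch a request made to a bare IP address (a dst ACL on the server's addresses is needed for that).

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed stand-in for /etc/squid/denied_domains.acl, read from this dict, not the disk.
FILES = {"/etc/squid/denied_domains.acl": ".youtube.com\n.facebook.com\n.metacafe.com\n"}

# The article's squid.conf lines plus the "allow all" that normally follows them.
SQUID_CONF = """
acl workinghour time MTWHFA 09:00-16:59
acl restricted-domain dstdomain "/etc/squid/denied_domains.acl"
acl blacklist_ip src 172.16.144.11-172.16.144.100/32
http_access deny restricted-domain workinghour blacklist_ip
http_access allow all
"""

# Variant with a lunch break: Squid merges repeated "acl workinghour" lines (OR).
SPLIT_HOURS_CONF = SQUID_CONF.replace(
    "acl workinghour time MTWHFA 09:00-16:59",
    "acl workinghour time MTWHF 08:00-12:00\nacl workinghour time MTWHF 13:00-17:00")

DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # datetime.weekday(): Mon == 0

def _time_spec(args):
    """'MTWHFA 09:00-16:59' -> (set of weekdays, [(start_minute, stop_minute), ...])."""
    days, ranges = set(range(7)), []  # no day letters means every day
    for tok in args:
        if "-" in tok:
            (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in tok.split("-"))
            ranges.append((h1 * 60 + m1, h2 * 60 + m2))
        else:  # "D" is Squid's shorthand for all weekdays
            days = {DAY_LETTERS[c] for c in tok if c != "D"} | (set(range(5)) if "D" in tok else set())
    return days, ranges

def parse_config(conf, files):
    """Return (acls: name -> (type, values), rules: ordered [(action, [(negated, name), ...])])."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            if kind == "time":
                values = [_time_spec(args)]
            else:  # a quoted "/path" argument contributes one value per line of that file
                values = [v for a in args
                          for v in (files[a.strip('"')].split() if a.startswith('"') else [a])]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules

def _in_src(addr, spec):
    """'a-b/32' is an inclusive address range; 'a' or 'a/len' is a network."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("/")[0].split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def acl_matches(kind, values, req):
    if kind == "time":
        minute = req["when"].hour * 60 + req["when"].minute
        return any(req["when"].weekday() in days
                   and (not ranges or any(lo <= minute <= hi for lo, hi in ranges))
                   for days, ranges in values)
    if kind == "dstdomain":  # host is None when the URL carried an IP literal: nothing to compare
        host = req["host"]
        return host is not None and any(
            host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    if kind == "src":
        return any(_in_src(ipaddress.ip_address(req["src"]), v) for v in values)
    raise ValueError(f"ACL type {kind!r} not modelled")

def decide(conf, files, req):
    """'allow' or 'deny': the first http_access line whose ACLs all match wins."""
    acls, rules = parse_config(conf, files)
    for action, terms in rules:
        if all(acl_matches(*acls[name], req) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid default: opposite of last line

def request(src, method, url, when):
    """CONNECT (HTTPS) carries host:port; GET carries the absolute URL sent to the proxy."""
    host = (url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname).lower()
    # A dotted-decimal IP literal gives dstdomain no name to match, so record None.
    return {"src": src, "host": None if host.replace(".", "").isdigit() else host, "when": when}

# Constructed requests; 2011-03-15 is a Tuesday and 2011-03-13 a Sunday.
TUE_10, TUE_12, SUN_10 = (datetime(2011, 3, d, h, 30) for d, h in ((15, 10), (15, 12), (13, 10)))
SAMPLES = {
    "listed ip, youtube, Tue 10:30": request("172.16.144.50", "GET", "http://www.youtube.com/watch?v=x", TUE_10),
    "listed ip, youtube, Sun 10:30": request("172.16.144.50", "GET", "http://www.youtube.com/watch?v=x", SUN_10),
    "other ip, youtube, Tue 10:30": request("172.16.144.5", "GET", "http://www.youtube.com/watch?v=x", TUE_10),
    "listed ip, https facebook, Tue 10:30": request("172.16.144.50", "CONNECT", "www.facebook.com:443", TUE_10),
    "listed ip, ip-literal url, Tue 10:30": request("172.16.144.50", "GET", "http://203.0.113.10/video", TUE_10),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{decide(SQUID_CONF, FILES, req):5}  {decide(SPLIT_HOURS_CONF, FILES, req):5}  {label}")
```

Run as a script it prints the verdict under both configurations for each sample. The model also makes clear why the deny line has to come before http_access allow all: swap the two lines and every request is allowed, because the allow line matches first.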
Does not work for me at localhost with Ubuntu 9.04. Any suggestions?
Hi Ivan,
How about a time ACL in between hours, say 08:00-12:00, 13:00-17:00? Is it possible in Squid?
Thanks.
Hi Jong
Yes it is possible 🙂
Hi
How can we block HTTPS Gmail and Yahoo mail?
Please suggest…..
I have tried, but for me it's not working. I have given all the things as you said but it's not blocking. Give me some snapshot procedure.
Thank you Ivan. I love your tutorials, they are very easy. Please can you guide me through how to configure authentication on an Ubuntu server for about 1000 internet users and give them a specific bandwidth? I want each user to only log on to the internet with a username and password. Thank you
Hi Ralphlinkus,
If you want to do such an advanced configuration, you can try Mikrotik instead of Ubuntu with Squid.
It may be a little pricey, but it is worth it. You can create a specific account for each user, with a specific MAC address too. Try it.
To learn more about Mikrotik, just google it 🙂
HI Ivan,
I'm new here and probably you can help me also with my problem in Squid. When other restricted accounts access the messenger in Yahoo, the logs say TCP_DENIED http://<IP address>/crossdomain.xml. Here the chat feature hangs on "Loading Chat…". By the way, I'm using Squid 3.0. How can I allow this for them, or how can I work around it so they can access the messenger in Yahoo Mail? Just let me know what logs you want and I'm happy to give them to you.
Thanks in Advance.
Hadjie
You can make a whitelist in squid.conf. Whitelisted IPs won't be filtered by Squid.
Hi Ivan, if I add this to the whitelist then they can access all the sites they want, which is not allowed in our environment. By the way, how can I allow them? Thanks
Hi Hadjie, I don't quite understand what you mean.
But you can filter some website from some ip range. For example:
from IP 192.168.1.100 – 192.168.1.200 (which may be assigned by DHCP) cannot access Facebook or Twitter.
So when you have a public access point, like in a school, which assigns IP addresses, it won't allow the students to access Facebook or Twitter, while admins or officers can access them.
Hi Ivan, sorry to bother you. Here it goes: we have different subnets per branch. Those branches are having problems accessing Yahoo Messenger. By the way, I have restricted users per group, so they cannot access YM even though I allowed it for them. Can I email you my squid.conf? Please advise. Thanks for your time.
Sure Hadjie,
Send to ivan[at]ivankristianto.com
I will try to help you.
Hi sir Ivan, I'm new to Squid proxy. I think the problem on the 3rd line is that, for example, Facebook uses a different NS record. Sir Ivan, is that 3rd line required? How about if I want to block the listed domains without listing the IP or DNS?
Hi Ivan…….
If a user uses, for example, https://www.facebook.com
then it's working……
How can I block this? Please suggest…..
Saju
try using an asterisk in your denied domain acl file.
sample:
*.facebook.com
I tried it. It works, but still some employees open it using the IP address. How can I prevent that?
2011/03/16 21:26:57| aclParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.5.101-192.168.5.120/24'
I got this message; I don't know if this is wrong input that I made.
it is /32 not /24
Hello!! Even though this is not about the content but about the template, I want to say that your site's look is excellent. I loved browsing it. There are many sites out there that, despite having great articles, are so annoying to navigate that we leave.
Good luck!
say given the following:
acl study_hours time MTWHF 07:30-12:00
acl restrict_clients src 192.168.254.x 192.168.254.y
acl restrict_domain dstdomain .youtube.com
I've set up basic authentication..
how do you set up the acl / http_access when what we want is the following:
– deny “restrict_clients” access to “restrict_domain” during “study_hours”
it should be like this, yeah?:
http_access deny restrict_clients restrict_domain study_hours
however, should the need arise that access to YouTube be given at any time (provided an elder is around to provide user credentials to the proxy), what should the config lines then be?