CREATING ACL CONTENT
To start, you’re going to create a few files that will hold certain pieces of information. These files will later be referenced by Squid when you create the actual acls. The files you’re going to create are:
* A list of domains to block
* A list of file types to block
* A list of ads to block
* A list of your internal subnets
All of these are just basic text files that can be created with your favorite editor, however the author recommends Vim. Start with the list of blocked domains. This will be a list, one per line, of sites that you want to deny your users access to. Create a file like the following and save it as /etc/squid/denied_domains.acl.
Listing 1. Blocked domain list: /etc/squid/denied_domains.acl
.sex.com
.hackers.com
.xemacs.org
Next up is the list of file types to block. Create a file called /etc/squid/denied_filetypes.acl and add the following to it.
Listing 2. Blocked file type list: /etc/squid/denied_filetypes.acl
\.(exe)$
\.(zip)$
\.(mp3)$
Now for a little ad blocking. I don’t like those pesky advertisements. This won’t block everything, but it makes a good bit of difference. An excerpt from my file is below, but you can find an entire copy of my ad block list here.
Listing 3. Excerpt from /etc/squid/denied_ads.acl
/adv/.*\.gif$
/[Aa]ds/.*\.gif$
/[Aa]d[Pp]ix/
/[Aa]d[Ss]erver
/[Aa][Dd]/.*\.[GgJj][IiPp][FfGg]$
/[Bb]annerads/
Finally, you need a list of all your internal subnets. Here’s how that one should look.
Listing 4. Internal subnet list: /etc/squid/student_subnets.acl
192.168.10.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24
CREATING USER NOTIFICATION SCREENS
The user notification screens are what will tell a user that they have tried to access a forbidden website, attempted to download an unauthorized file type, or are having advertisements filtered from the page they are viewing. They aren’t strictly necessary, as Squid comes with acceptable defaults, but they help make an impression on the users. You’ll need three files, one each for denied sites, files, and ads.
The screens I use are simple modified versions of the defaults supplied with a little more color to make them a bit more recognizable. When a user attempts to access a site that is forbidden, they are presented a red screen. After seeing this screen once, users know immediately what it means.
Listing 5. Site Access Denied User Screen
Attempting to access a denied file type displays a similar screen, only this one is yellow.
Listing 6. File Access Denied User Screen
The screen used to replace blocked advertisements is a little different. It’s a solid white page and the only text is “Ad filtered!”. However, you never actually see the page. The header of the page contains a meta tag that redirects the user immediately when that page loads to a 4 pixel by 4 pixel transparent GIF hosted directly on the proxy.
These files need to be saved in your Squid errors directory. In Gentoo this can be reached at /etc/squid/errors, but it may be different for Red Hat and others. Download the following files and place them in that directory. Remove the “.txt” extension once they’re there.
* Denied site
* Denied file
* Denied ad
And here’s a 4×4 transparent GIF if you need one.
* 4×4.gif
PUTTING IT ALL TOGETHER
First add the directives for the user error screens since they are the easiest. This is done by adding a couple of deny_info lines to your Squid config.
Listing 7. Excerpt From File: /etc/squid/squid.conf
deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes
There’s no need to directly reference the ERR_ACCESS_DENIED file since all you’ve really done is tweak an already existing file.
It’s finally time to add your acls that you built content for at the beginning. In the acl block in your configuration, add the following lines.
Listing 8. Excerpt From File: /etc/squid/squid.conf
acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
acl url_ads url_regex "/etc/squid/denied_ads.acl"
acl students src "/etc/squid/student_subnets.acl"
Now that Squid knows what types of information you want to control and what to do when accessed by a user, you need to tell Squid how to tie the pieces of information together. This is easily done with a few http_access rules.
Listing 9. Excerpt From File: /etc/squid/squid.conf
http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains
It’s important to order your http_access lines correctly, or your users may not get the access you’re expecting to give them! A final version of the config you’ve been working on can be found here so you can see a good order to place them in.
Config example:
#http_port 3128
cache_mgr you@yourdomain.com
log_fqdn on
ftp_user anonymous@yourdomain.com
log_icp_queries off
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
visible_hostname hostname
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 19638 # Battletechuniverse.org https webmail
acl purge method PURGE
acl CONNECT method CONNECT
acl denied_domains dstdomain "/etc/squid/denied_domains.acl"
acl students src "/etc/squid/student_subnets.acl"
acl filetypes urlpath_regex -i "/etc/squid/denied_filetypes.acl"
acl url_ads url_regex "/etc/squid/denied_ads.acl"
deny_info NOTE_ADS_FILTERED url_ads
deny_info NOTE_FILETYPES_FILTERED filetypes
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny url_ads
http_access deny students filetypes
http_access deny denied_domains
http_access allow all
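To see why the order of the http_access lines matters, here is an added Python model (not part of the original article or of Squid) of the first-match evaluation Squid applies to the rules above, using constructed copies of the list files and the page's deny_info mapping; it assumes the localhost, ads, student/filetype and domain rules in the order given in the final config.

```python
import ipaddress
import re

# Constructed stand-ins for the page's list files (Squid reads them from /etc/squid/*.acl).
DENIED_DOMAINS = [".sex.com", ".hackers.com", ".xemacs.org"]
DENIED_FILETYPES = [r"\.(exe)$", r"\.(zip)$", r"\.(mp3)$"]
DENIED_ADS = [r"/adv/.*\.gif$", r"/[Aa]ds/.*\.gif$", r"/[Aa]d[Ss]erver"]
STUDENT_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24"]
# deny_info mapping from the page; anything else falls back to ERR_ACCESS_DENIED.
DENY_INFO = {"url_ads": "NOTE_ADS_FILTERED", "filetypes": "NOTE_FILETYPES_FILTERED"}

def dstdomain(host, patterns):
    # dstdomain: a leading dot matches the domain itself and every subdomain;
    # an entry without the dot matches that exact host only.
    host = host.lower()
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in (x.lower() for x in patterns))

def regex_acl(subject, patterns, ignore_case=False):
    # urlpath_regex / url_regex: any pattern matching anywhere in the subject.
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, subject, flags) for p in patterns)

def src(client_ip, subnets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(s) for s in subnets)

def http_access(client_ip, host, path):
    """First-match evaluation of the page's http_access order.
    Returns (action, matched acls, error page shown on deny or None)."""
    url = "http://" + host + path
    rules = [  # (action, acl names, predicate) in the order the page gives
        ("allow", ["localhost"], lambda: client_ip == "127.0.0.1"),
        ("deny", ["url_ads"], lambda: regex_acl(url, DENIED_ADS)),
        ("deny", ["students", "filetypes"],
         lambda: src(client_ip, STUDENT_SUBNETS)
         and regex_acl(path, DENIED_FILETYPES, ignore_case=True)),
        ("deny", ["denied_domains"], lambda: dstdomain(host, DENIED_DOMAINS)),
        ("allow", ["all"], lambda: True),
    ]
    for action, acls, matches in rules:
        if matches():  # earlier rules win; later ones are never consulted
            page = None if action == "allow" else DENY_INFO.get(acls[-1], "ERR_ACCESS_DENIED")
            return action, " ".join(acls), page
    return "deny", "(implicit)", "ERR_ACCESS_DENIED"
```

Note that a student fetching an .mp3 from a denied domain is caught by the filetype rule first and sees the yellow page, not the red one, and that the trailing allow all also admits any client outside the student subnets.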