How to Control Internet Access Using Squid
Free Web Proxy Server Software to Limit Employees' Web Surfing
A Linux server running Squid as a proxy server provides a reliable and stable environment to manage users' connectivity to the Internet. Squid is a free web proxy.
Squid can effectively control Internet access based on user name and password, or allow it only at certain times of the day. This gives managers the ability to control and monitor Internet usage within the company. Squid can also be used to block certain unsavory web sites. Many parents have used Squid to monitor and control their children's Internet access.

Once a Linux server with Squid has been set up, the next step is to customize it to suit the requirements of the company. The following is a guide to configuring Squid to allow access based on subnet, time, and user name and password.

Access only from LAN

For a simple rule that allows access to the Internet from a particular subnet on the LAN, continue as follows:

Step 1 - Find the “ACL” section of the “squid.conf” file. Scroll down to “recommended minimum configuration” and add the line (or whatever the subnet LAN address should be):
Note that the “24” represents the subnet mask, in this case 255.255.255.0.

Step 2 - Scroll down to the “http_access” section of the “squid.conf” file and find “http_access allow manager localhost”. Put a space between it and the one below and insert the following:
Notice that the part “lan_local” is the rule set up in Step 1.

Allowing Access at Certain Times of the Day:

The following is an example of how to restrict access to lunch time and block Internet access at all other times:

Step 1 - Add the following to the bottom of the ACL section of squid.conf:

    acl lunchtime time 12:00-13:00

Step 2 - Add the following to the top of the http_access section of squid.conf:

    http_access allow lunchtime

Access Controlled by Password:

The following is an example of how to restrict access by password using NCSA Password Authentication. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. The htpasswd2 program that comes installed with Apache2 can be used to create passwords. The following requires that Apache2 be installed. Adding user authentication can be accomplished in 6 easy steps.

Step 1: Create the password file. The name of the password file could be /etc/squid/squid_passwd. Make sure that it’s universally readable by typing the following at the command prompt:

    touch /etc/squid/squid_passwd
    chmod o+r /etc/squid/squid_passwd

Step 2: Use the “htpasswd2” program to add users to the password file. Type the following at the command prompt (the example shows the user fred being added):

    htpasswd2 /etc/squid/squid_passwd fred

Type in a password when prompted to do so.

Step 3: Find the location of the “ncsa_auth” file using the rpm command as follows:

    rpm -ql squid | grep ncsa

Take note of the path to that file.

Step 4: Edit “squid.conf” to define the authentication program, “ncsa_auth”. Add the following to the “auth_param” section of the “squid.conf” file:

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

Use the path noted earlier when finding the ncsa_auth file.

Step 5: Create an “ACL” named “ncsa_users” with the “REQUIRED” keyword that forces Squid to use the “NCSA auth_param”. Add the following to the bottom of the “ACL” section of the “squid.conf” file:

    acl ncsa_users proxy_auth REQUIRED

Step 6: Create an “http_access” entry that allows traffic that matches the “ncsa_users ACL” entry. Add the following to the top of the “http_access” section of the “squid.conf” file:

    http_access allow ncsa_users

After restarting Squid, users will be asked for a user name and password.

The web proxy server can be configured to use a number of rules at the same time. An example would be combining time with user name and password authentication.

Internet Access Control During Work Hours but Not During Lunch Breaks:

Combine the time control with password control as follows. Under “http_access”, put the “hours” access above the “password” access:

    http_access allow lunchtime
    http_access allow ncsa_users

With the above configuration the web proxy server will require a user name and password except during lunchtime, when anyone is allowed to access the Internet freely.

Some companies are very conscious of the amount of time their staff devote to surfing the Internet and prefer to block Internet access or limit usage to a certain amount of time and/or bandwidth per user. They would also like to block certain types of web sites with a view to limiting access to non-work-related web sites. The Squid proxy server can be configured to accomplish this as well.
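How the ordering rule above plays out, as an added example that is not part of the original article: a simplified Python model of Squid's top-down http_access evaluation, using the article's ACL names with constructed request data (the client address, the times, the trailing "deny all" line and the request dict layout are assumptions). It covers only the src, time and proxy_auth ACL types and treats any non-empty user as already accepted by the authentication helper.

```python
import ipaddress
from datetime import time

# Constructed sample: the ACL names are the article's, everything else is assumed.
ACLS = "acl lunchtime time 12:00-13:00\nacl ncsa_users proxy_auth REQUIRED\n"
ARTICLE_ORDER = ACLS + ("http_access allow lunchtime\n"
                        "http_access allow ncsa_users\n"
                        "http_access deny all\n")
SWAPPED_ORDER = ACLS + ("http_access allow ncsa_users\n"
                        "http_access allow lunchtime\n"
                        "http_access deny all\n")

def parse(conf):
    """Read the acl and http_access lines of a squid.conf fragment."""
    acls, rules = {"all": ("src", "0.0.0.0/0")}, []
    for words in (line.split() for line in conf.splitlines()):
        if words[:1] == ["acl"]:
            acls[words[1]] = (words[2], words[3])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, req):
    kind, arg = acl
    if kind == "src":
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(arg)
    if kind == "time":
        start, end = (time.fromisoformat(t) for t in arg.split("-"))
        return start <= req["now"] <= end
    if kind == "proxy_auth":      # REQUIRED: any user the auth helper accepted
        return req["user"] is not None
    raise ValueError(f"unsupported acl type: {kind}")

def decide(conf, req):
    """Walk http_access top-down; the first line whose ACLs all match wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], req) for n in names):
            return action
        if all(acl_matches(acls[n], req) for n in names
               if acls[n][0] != "proxy_auth"):
            return "challenge"    # only credentials are missing: 407 prompt
    # No line matched: Squid applies the opposite of the last line (deny if none).
    last = rules[-1][0] if rules else "allow"
    return "deny" if last == "allow" else "allow"

if __name__ == "__main__":
    anon = {"ip": "192.168.1.20", "now": time(12, 30), "user": None}
    print(decide(ARTICLE_ORDER, anon), decide(SWAPPED_ORDER, anon))
```

With the article's order an unauthenticated request at 12:30 is allowed, while the swapped order answers the same request with a password prompt.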
The copyright of the article How to Control Internet Access Using Squid in Internet is owned by Fleur Hupston. Permission to republish How to Control Internet Access Using Squid in print or online must be granted by the author in writing.