[Tutorial] Custom squid ACL (user based filtering)

Started by Amr, March 07, 2020, 02:56:54 PM

Disclaimer:
You proceed at your own risk and I'm not responsible if you break anything attempting these changes.

Explanation:
-The idea is to drop your custom ACL file in the pre-auth directory, which gets evaluated before the rules in squid.conf.
-You can also drop them in auth and post-auth (read "/usr/local/etc/squid/squid.conf" to see the order in which the rules are evaluated).
-FTP is preferred since you can easily push and fetch the configurations to/from OPNsense for backup reasons, as simply taking an OPNsense backup from the GUI won't back up your pre-auth data.

Prerequisites:
-This guide assumes you can write custom squid ACLs.
-FTP server (preferred; just google it, it's pretty easy).
-Alternatively, you can use SSH or the CLI to create and edit the ACLs directly; in that case you'll need to install your favorite editor (nano, vim, etc.).
-Knowing FreeBSD CLI commands is a plus (stuff like "ls" to list directory contents, "cd .." to go up a directory, "ctrl+c" to stop the current command, "rm" to remove files, etc.).

Steps:
1-Create your custom ACL.
2-Log in to the CLI and go to Shell (option 8).
3-Install the wget package by typing pkg install wget (or use the built-in ftp command).
4-Navigate to /usr/local/etc/squid/pre-auth by typing: cd /usr/local/etc/squid/pre-auth
5-Download the file from the FTP server by typing: wget ftp://[ip address or FQDN]/[filename.conf] --user=[username] --password=[password]
ex: wget ftp://192.168.1.100/kids.conf --user=dad --password=U$h411N0tP4ss
6-Reload squid from the GUI or the CLI, whichever suits you.
7-Magic


Extra (simple ACL):
Let's say you want to block your kids from accessing pedobear.com.
The approach would be to create an alias for the blocked sites and one for the kids' IPs or MACs:

#   alias                     sites   
acl badsites dstdomain .pedobear.com
acl badsites dstdomain .bearpedo.com

#   alias      their IP
acl kids src 192.168.1.200
acl kids src 192.168.1.201

http_access deny kids badsites

PS: Refer to the squid user forums on how to write ACLs. Keeping src IP ranges and whitelisted/denied domains in separate files and referring to those files from the ACL is preferable and easier to maintain.
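As an added example (not part of the original post), the steps above and the kids/badsites ACL can be wrapped in a small sh script for the OPNsense shell: it lints the fragment for http_access lines that reference an ACL name no "acl" line declares (the most common way a hand-written file breaks the whole proxy config), fetches it over FTP the same way as step 5, and runs squid's own parse check before reloading. The FTP host, user and file name are placeholders; the pre-auth path and the *.conf include are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: check a squid pre-auth fragment
# before it goes live. OPNsense includes /usr/local/etc/squid/pre-auth/*.conf
# into squid.conf, so an http_access line naming an ACL that no "acl" line
# declares makes the whole proxy config invalid. Plain awk, so it runs on
# the OPNsense shell without extra packages.

# Print every ACL name used by an http_access line that is neither declared
# in the file nor one of squid's predefined ACLs. Returns 0 if clean, 1 if not.
lint_squid_acl() {
  awk '
    BEGIN { builtin["all"] = 1; builtin["localhost"] = 1
            builtin["manager"] = 1; builtin["to_localhost"] = 1 }
    /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
    $1 == "acl" { declared[$2] = 1; next }  # acl <name> <type> <value>...
    $1 == "http_access" {                   # http_access allow|deny [!]name...
      for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); used[n] = 1 }
      next
    }
    END {
      bad = 0
      for (n in used)
        if (!(n in declared) && !(n in builtin)) { print "undefined acl: " n; bad = 1 }
      exit bad
    }' "$1"
}

# Fetch a fragment the way the post does (wget over FTP), lint it, let squid
# parse the full config, and only then reload. Host, user and file name are
# placeholders for your own values; the password is prompted for instead of
# landing in the shell history. Assumed path: /usr/local/etc/squid/pre-auth.
deploy_acl() {   # usage: deploy_acl <ftp-host> <user> <file.conf>
  dest="/usr/local/etc/squid/pre-auth/$3"
  wget -O "$dest.new" --user="$2" --ask-password "ftp://$1/$3" || return 1
  lint_squid_acl "$dest.new" || { rm -f "$dest.new"; return 1; }
  [ -f "$dest" ] && cp "$dest" "$dest.bak"   # keep the previous version
  mv "$dest.new" "$dest"
  if ! squid -k parse; then                  # validates the generated squid.conf
    [ -f "$dest.bak" ] && mv "$dest.bak" "$dest"
    return 1
  fi
  squid -k reconfigure                       # same effect as reloading from the GUI
}
```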
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.