Author Topic: [Tutorial] Custom squid ACL (user based filtering)  (Read 5863 times)

Amr

[Tutorial] Custom squid ACL (user based filtering)
« on: March 07, 2020, 02:56:54 pm »
Disclaimer:
You proceed at your own risk and I'm not responsible if you break anything attempting these changes.

Explanation:
-The idea is to drop your custom ACL in pre-auth which gets evaluated before the squid.conf rules.
-You can also drop them in auth and post-auth (read the "/usr/local/etc/squid/squid.conf" to see how rules are evaluated).
-FTP is preferred since you can easily push and fetch the configurations to/from OPNsense for backup reasons, as simply taking an OPNsense backup from the GUI won't back up your pre-auth data.

Prerequisites:
-This guide assumes you can write custom squid ACLs.
-FTP server (preferred, just google it, it's pretty easy).
-Alternatively, you can use ssh or the CLI to directly create and edit the ACLs; in that case you'll need to install your favorite editor (nano, vim, etc).
-Knowing FreeBSD CLI commands is a plus (stuff like "ls" to list directory contents, "cd .." to go up a directory, "ctrl+c" to stop the current command from executing, "rm" to remove files, etc.)

Steps:
1-Create your custom ACL.
2-Log in to the CLI and go to Shell (option 8).
3-Install the wget package by typing (or use the built-in ftp command):
Code:
pkg install wget
4-Navigate to /usr/local/etc/squid/pre-auth by typing:
Code:
cd /usr/local/etc/squid/pre-auth
5-Download the file from the FTP server by typing:
Code:
wget ftp://[ip address or FQDN]/[filename.conf] --user=[username] --password=[password]
ex:
Code:
wget ftp://192.168.1.100/kids.conf --user=dad --password='U$h411N0tP4ss'
6-Reload squid from GUI or CLI, whatever suits you.
7-Magic


Extra (simple ACL):
Let's say you want to block your kids from accessing pedobear.com.
The approach would be to create an alias for blocked sites and one for the kids' IPs or MACs:

#   alias                     sites   
acl badsites dstdomain .pedobear.com
acl badsites dstdomain .bearpedo.com

#   alias      their IP
acl kids src 192.168.1.200
acl kids src 192.168.1.201

http_access deny kids badsites

PS: Refer to squid user forms on how to write ACLs. Separating src IP ranges and whitelisted/denied domains into separate files and referring to the files is preferable and easier to maintain.
« Last Edit: August 17, 2021, 09:38:10 am by Amr »
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.
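
The postscript's advice to keep source addresses and domains in separate files, as an added example that is not part of the original post: the script checks both list files and only then writes a kids.conf that references them by quoted path. The list file names (badsites.txt, kids_src.txt), the directory arguments and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: file-based version of the "kids" ACL with a check that runs
# before squid is reloaded. File names and directories are assumptions.

# Print invalid lines of list file $1 to stderr and return 1 if any exist.
# $2 is the extended regex a valid entry must match. Blank lines and
# "#" comment lines are skipped.
check_list() {
    bad=$(grep -v -E '^[[:space:]]*(#.*)?$' "$1" | grep -v -E "$2" || true)
    if [ -n "$bad" ]; then
        printf 'invalid entry in %s: %s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# dstdomain entries: host names with an optional leading dot, no scheme or path.
check_domains() {
    check_list "$1" '^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# src entries: IPv4 address with optional /prefix. A trailing carriage return
# left by a Windows editor also fails this match.
check_srcs() {
    check_list "$1" '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Write kids.conf into $1; the lists in $2 are read one value per line.
write_acl() {
    cat > "$1/kids.conf" <<EOF
acl badsites dstdomain "$2/badsites.txt"
acl kids src "$2/kids_src.txt"
http_access deny kids badsites
EOF
}

# Refuse to write the ACL unless both lists are clean.
build() {
    check_domains "$2/badsites.txt" && check_srcs "$2/kids_src.txt" && write_acl "$1" "$2"
}

# Usage: sh script.sh <conf-dir> <list-dir>
if [ "$#" -eq 2 ]; then build "$1" "$2"; fi
```

The list files must be readable by the user squid runs as, and squid has to be reloaded after a list changes.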
