Squid: Restrict access to websites

If you have followed my guidelines on how to install Squid, you might have noticed the assumption that your home-user base would not abuse the net.

Add a ten-year-old on school holidays and YouTube to the mix and you will realise that spending 2GB on YouTube in a few hours is nothing … eeek.

I needed a quick fix, without denying the young padawan access to the internet. After some research, I found that I could implement access controls on a source-IP basis via Squid, resulting in the following page:

The implementation is really simple and sufficient for my means – read the details after the jump.

If you are setting up Squid from scratch, go back to my original post as I have adjusted the squid.conf and then come back here to understand what it does.

  1. Edit squid.conf (on the Synology it will be in /opt/etc/squid/squid.conf).
  2. In the ACL settings, as the last line, add the following:
        acl nonblockedip src 172.16.0.3 172.16.0.5
     Specify the IPs which should have access to the restricted sites (why should you deny yourself access to YouTube???).
  3. Below it, add the ACL for the blocked sites:
        acl blocksites dstdomain "/opt/etc/squid/restricted-sites.squid"
     Note that you have to specify the correct location of the restricted-sites.squid file, which is a simple text file containing a list of domain names to be blocked (one domain per line). Use plain straight quotes around the path.
  4. Add the following before all http_access entries:
        http_access deny blocksites !nonblockedip all
     This will in essence block all of the listed websites for all IP addresses other than the ones in the nonblockedip ACL.
  5. You might want to adjust Squid's boring default error pages. In this case I modified the access-denied page located at /opt/share/squid/errors/English/ERR_ACCESS_DENIED to look the way you see it above.
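
The following Python sketch is an added example (not part of the original post, and not Squid's own code) that models how the rule from step 4 decides a request, so you can check a restricted-sites list before relying on it. The site list and the client 172.16.0.7 are constructed sample values, and the final "allow" is an assumed stand-in for whatever http_access rules follow in your squid.conf. The matching follows Squid's dstdomain behaviour: an entry with a leading dot covers the domain and its subdomains, while an entry without one matches only that exact host name.

```python
import ipaddress

# Constructed sample list (one domain per line, as in restricted-sites.squid).
RESTRICTED_SITES = """\
.youtube.com
googlevideo.com
"""
NONBLOCKED_IPS = ["172.16.0.3", "172.16.0.5"]  # the addresses used in step 2


def load_sites(text):
    """Return the non-empty lines of a restricted-sites file."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def dstdomain_match(host, entries):
    """Squid dstdomain matching: '.d' covers d and its subdomains, 'd' only d."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def http_access(client_ip, host, sites=None, allowed=NONBLOCKED_IPS):
    """Decide a request the way the step 4 rule would (first match wins)."""
    sites = load_sites(RESTRICTED_SITES) if sites is None else sites
    client = ipaddress.ip_address(client_ip)
    blocksites = dstdomain_match(host, sites)
    nonblockedip = client in {ipaddress.ip_address(a) for a in allowed}
    # http_access deny blocksites !nonblockedip all
    if blocksites and not nonblockedip:
        return "deny"
    # Assumption: the remaining http_access rules allow this LAN client.
    return "allow"


if __name__ == "__main__":
    checks = [("172.16.0.7", "www.youtube.com"), ("172.16.0.3", "www.youtube.com"),
              ("172.16.0.7", "googlevideo.com"), ("172.16.0.7", "r1.googlevideo.com")]
    for ip, host in checks:
        print(f"{ip:12} {host:22} {http_access(ip, host)}")
```

The last check comes back "allow" because googlevideo.com is listed without a leading dot, so its subdomains are not covered; write such entries as .googlevideo.com if the whole domain should be blocked.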