[SOLVED] Block https Facebook in Squid proxy server


FREQUENTLY ASKED QUESTIONS (Linux)
Q: How to block Facebook in squid proxy? (any secure https sites)


This post shows how to block all "http" and "https" access to Facebook during office hours on your Squid proxy server. Create an ACL for the Facebook domain (dstdomain) and deny both HTTP and HTTPS access.

Add the configuration to squid.conf
[root@server ~]# vi /etc/squid/squid.conf

#1: Create an acl for proxy clients.
acl accountant src 192.168.10.50/32


#2: Create an acl for facebook domain  (any required sites)
acl fb dstdomain .facebook.com

#3: Create an acl office time for Mon-Sat, 10:00 to 17:00 (24hrs)
acl officetime time MTWHFA 10:00-17:00

#4: Deny access to "http" facebook to accountant only in office times
http_reply_access deny  fb accountant officetime

#5: Deny access to "https" secured facebook to the proxy user "accountant" in office times. A browser reaches an https site through the proxy with a CONNECT request, so this rule matches on the "CONNECT" acl. The default squid.conf already defines it; if yours does not, add "acl CONNECT method CONNECT" above this line.
http_access deny CONNECT fb accountant officetime
#(save the squid.conf configuration file)

#6: Finally, reload the squid service for the changes to take effect
[root@server ~]# service squid reload
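
A check to run after the reload, as an added example that is not part of the original post: it reads Squid's native-format access.log and counts CONNECT requests from one client to a blocked domain, split into denied and tunnelled. The function names `connect_audit` and `sample_log` are hypothetical, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes Squid's default native access.log layout:
#   time elapsed client action/status bytes method URL ident hier/peer type

# connect_audit CLIENT_IP DOMAIN < access.log   ->  "denied=N allowed=M"
connect_audit() {
    awk -v client="$1" -v dom="$2" '
        BEGIN { denied = 0; allowed = 0 }
        $3 == client && $6 == "CONNECT" {
            host = tolower($7)
            sub(/:[0-9]+$/, "", host)        # CONNECT target is host:port
            # Same idea as dstdomain ".facebook.com": the domain itself or
            # any subdomain, but not a lookalike such as notfacebook.com.
            n = length(host) - length(dom)
            if (host == dom || (n > 0 && substr(host, n) == ("." dom))) {
                if ($4 ~ /^TCP_DENIED\//) denied++; else allowed++
            }
        }
        END { printf "denied=%d allowed=%d\n", denied, allowed }
    '
}

# Constructed sample log (not real traffic): two denied requests, one
# tunnelled request to the blocked domain, plus unrelated entries.
sample_log() {
cat <<'EOF'
1335246320.101      0 192.168.10.50 TCP_DENIED/403 3632 CONNECT www.facebook.com:443 - NONE/- text/html
1335246325.440      1 192.168.10.50 TCP_DENIED/403 3640 CONNECT facebook.com:443 - NONE/- text/html
1335246331.902  15234 192.168.10.50 TCP_MISS/200 48211 CONNECT mail.example.com:443 - DIRECT/203.0.113.10 -
1335277201.377  60120 192.168.10.50 TCP_MISS/200 90133 CONNECT www.facebook.com:443 - DIRECT/198.51.100.7 -
1335246340.018      0 192.168.10.51 TCP_MISS/200 5120 CONNECT www.facebook.com:443 - DIRECT/198.51.100.7 -
1335246350.500      2 192.168.10.50 TCP_MISS/200 2100 CONNECT notfacebook.com:443 - DIRECT/203.0.113.20 -
EOF
}

sample_log | connect_audit 192.168.10.50 facebook.com
```

On a live proxy, redirect the real access.log into `connect_audit` instead of the sample. An "allowed" count above zero for requests made inside the office-time window means the deny rule is not being reached, for example because an allow rule sits above it.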

Tips: The way to include multiple sites in one ACL
acl badsites dstdomain .facebook.com .twitter.com .blogger.com

Note: Tested in squid-3.1 (tested using squid-3.1.16-1.fc15.x86_64 in CentOS 6)
Post your comments.

36 comments:

Anonymous said...

Hi, does the line:

#3: Create an acl office time for Mon-Sat, 10:00 to 17:00 (24hrs)
acl officetime time MTWHFA 10:00-17:00

Use the system time?

Thanks.
Leo

Author said...

@Leo,
Yes, the ACL uses the system time of the Squid server.

rizaaal said...

Hope this is working. I want to try it, thanks for sharing :)

Poon said...

It works on squid 3.1.10
Thanks for sharing too :)

Author said...

@rizaal,
Always place the facebook deny ACLs above all other browse-allowing ACLs,
like below
http_reply_access deny fb accountant
http_reply_access allow lan

Author said...

@Poon, Thanks..

Anonymous said...

Thanks, it's working in my Fedora squid 3.1

Unknown said...

I'm new to squid operation. May I know how to create an acl with the facebook domain?

Author said...

@Unknown, As mentioned in this post, add the following
3 lines to squid.conf (simplest solution)
acl fb dstdomain .facebook.com
http_access deny CONNECT fb
http_reply_access deny fb

Done, now restart the squid daemon
#service squid restart

rajasekaran said...

service squid reload
2012/04/24 05:45:20| aclParseAclList: ACL name 'CONNECT' not found.
FATAL: Bungled squid.conf line 65: http_access deny CONNECT fb accountant officetime
Squid Cache (Version 3.1.4): Terminated abnormally.
CPU Usage: 0.013 seconds = 0.004 user + 0.009 sys
Maximum Resident Size: 21968 KB
Page faults with physical i/o: 0

Author said...

@rajasekaran, thanks for feedback.
Add the below "CONNECT" acl to your squid.conf file
acl CONNECT method CONNECT

#then try restarting squid

Aneesh said...

What if the user/client uses an anonymous proxy like kproxy.com? There are 1000's of free proxies available. What can we do?

Csaba said...

Is this working in transparent mode?
I have ipcop v2 with squid 3.1.19 and can not block https facebook.

acl szamtec-termek src 10.205.206.150
acl facebook dstdomain .facebook.com
http_reply_access deny facebook szamtec-termek
http_access deny CONNECT facebook szamtec-termek

What could be wrong?

crystal kate Raymundo said...

It doesn't work for squid 2.6 :( any ideas?

sofallo bile said...

Thumbs up guys, you're doing a really good job.
Unblock Facebook

Chirwa Aubre said...

I am using CentOS 5.6 and squid 2.6, what should I do in order to set up a transparent proxy?

Auronrev said...

Thanks, very nice info!! ;)

But I have a little problem. When squid blocks any https site, the squid error page isn't shown; a browser error is shown instead. The http blocked page works fine, it shows the squid error page. Any idea how to solve this?

Next Gen Robotic Car said...

I have tested it on squid 3.2.7 and it's not working ...

Driv3n 817 said...

Does this work by blocking all https sites except those IP Address that I place in the bypass proxy server list?

blocker25 said...

It is not working on my transparent setup!

Vinicius Pessotti said...

Me only works when the page is closed https and try to open in time OfficeTime. If you are released and remain with the window open, entering the OfficeTime it does not block. This only happens to me? I am redirected to the https port 3128 by iptables. I'm using Squid 3.1.19 on ubuntu. I appreciate the help.


  Sorry my english. I am Brazilian and I'm using google translate. rs

Knev said...

Hi

Which version of squid, blocks https?

Thanks
knev
Tech blog

Sensei Grant said...

On Squid 2.7
Just after safe ports and just before http access.

I am blocking specific https sites with the following

acl stop_https_sites dstdomain .facebook.com
acl stop_https_sites dstdomain .myspace.com
acl stop_https_sites dstdomain .google.com
acl stop_https_sites dstdomain .tagged.com
acl stop_https_sites dstdomain .badoo.com
acl stop_https_sites dstdomain .flickr.com
acl stop_https_sites dstdomain .twitter.com
acl stop_https_sites dstdomain .halowaypoint.com

http_access deny CONNECT stop_https_sites

Adriaan van Blerk said...

create script
vi facebookblock.sh

add this to the script

# Facebook Block------
for ip in `whois -h whois.radb.net '!gAS32934' | grep /`
do
iptables -A FORWARD -p all -d $ip -j REJECT
done
#End Facebook Block-----

save and run it.
It will update the latest IP blocks used by facebook.

venky said...

Using the file blocksite.acl, facebook is not getting blocked.

Is this syntax wrong?

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl morning_hours time SMTWHFA 09:45-12:45
acl afternoon_hours time SMTWHFA 14:15-18:15
acl blocksite dstdomain "/etc/squid/blocksite.acl"
http_reply_access deny morning_hours blocksite Ittechsolution
http_access deny CONNECT morning_hours blocksite Ittechsolution
http_reply_access deny afternoon_hours blocksite Ittechsolution
http_access deny CONNECT afternoon_hours blocksite Ittechsolution

oya asr said...

The https site facebook is not blocked using the squid proxy server. I tried the above and http://www.facebook.com got blocked, but https://www.facebook.com also needs to be blocked using the squid proxy server. Please update with a reply.

Unknown said...

Check Artica Proxy, it is a frontend GUI for squid and an open source project...

Angel Abiha said...

How To Use Block Sites On Google Chrome?
http://unitedhackingarticle.blogspot.com/2014/08/how-to-use-block-sites-on-google-chrome.html
How To Use Block Websites On Mozilla Firefox?
http://unitedhackingarticle.blogspot.com/2014/08/how-to-use-block-websites-on-mozilla-firefox.html

Pramudika Harshanath said...

Add these two access control lists

acl badport port 443
acl fb dstdomain .facebook.com
http_reply_access deny badport fb

runa laila said...

Hay Dear, Do you find to web proxy free,proxy web free,unblock web proxy,secure proxy,unblock website proxy. I suggest you to visit this site. There are a lot of web proxy . For details: unblock website proxy

Squidblacklist said...

Squidblacklist.org is the worlds leading publisher of native acl
blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as
many other filtering platforms. Including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

There is room for better blacklists, we intend to fill that gap.


It would be our pleasure to serve you.

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org

Sylvester Stallone said...

That is really nice and easy! My son would enjoy this!
Mp3Raid UK proxy

Naikwadi Arvind said...

Simply, save this to your firewall

iptables -t filter -I FORWARD -s x.x.x.x/32 -m layer7 --l7proto youtube -j DROP

x.x.x.x=Static lease of your DHCP/IP

Naikwadi Arvind said...

iptables -t filter -I FORWARD -s x.x.x.x/32 -m layer7 --l7proto facebook -j DROP

niaziakmal khan said...

Blogging is incredible and every blogger playing a great role to introduce new things in blogging. I always like to fly on different blogs and read the strategies of different blogger to understand the blogging in more depth. Being a bloggers I really appreciate your works and no doubt your blog is awesome.
Love from Asad Niazi
