Squid.conf
To set up squid to block ads, cookies and the referer (sic) header, and so get a lot more privacy when browsing, do the following:
- Install squid as described under installing software
Note: You may want to do all of this as root so that ordinary users cannot edit these files. The following commands are run from a command shell. This setup is for a single user running squid on their local machine; to set up squid for more users a few lines will have to be amended (for example the rule that blocks access from all other machines).
Create config files
- Change to the configuration directory
cd /etc/squid
- This is going to be any sites we want to block
touch blacklist
- Sites we want to allow cookies for (like linuxquestions.org!) so you can log on.
touch cookie_allow
- Sites that require the referer header. The word is spelt "referrer", but the original HTTP spec misspelt it as "referer" and that spelling stuck.
touch referer_allow
- Sites that require a real user agent (as opposed to the spoof one we are going to use)
touch user_agent_allow
Change the config file
Edit /etc/squid/squid.conf. There are lots of things to change here in many places, so listed below are the lines to search for and the lines to add in after them. Bulleted lines in italic (the ones starting with #) are the original lines; bulleted lines not in italic are the lines to add. Unbulleted lines are explanations.
- # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
- acl blacklist dstdomain "/etc/squid/blacklist"
- http_access deny blacklist
This tells squid to block any domain listed in the file blacklist. If you want to block an entire website (linuxquestions.org, say, although why would you want to block that!) you can simply edit the blacklist file and put: .linuxquestions.org which blocks www.linuxquestions.org, wiki.linuxquestions.org etc. Putting: wiki.linuxquestions.org (no leading dot) would block just the wiki.
- #visible_hostname
- visible_hostname proxy
This tells squid to announce itself as 'proxy'. It defaults to your machine's hostname, which could potentially be a security risk.
- # forwarded_for on
- forwarded_for off
This tells squid not to tell anyone it is a proxy. Depending on your setup you may not want this one.
- # By default, all headers are allowed (no anonymizing is
- # performed).
- #
- #Default:
- # none
- header_access From deny all
- header_access Server deny all
- header_access WWW-Authenticate deny all
- header_access Link deny all
- header_access Cache-Control deny all
- header_access Proxy-Connection deny all
- header_access X-Cache deny all
- header_access X-Cache-Lookup deny all
- header_access Via deny all
- header_access Forwarded-For deny all
- header_access X-Forwarded-For deny all
- header_access Pragma deny all
- header_access Keep-Alive deny all
- acl referer_allow dstdomain "/etc/squid/referer_allow"
- header_access Referer allow referer_allow
- header_access Referer deny all
- acl cookie_allow dstdomain "/etc/squid/cookie_allow"
- header_access Cookie allow cookie_allow
- header_access Cookie deny all
- acl user_agent_allow dstdomain "/etc/squid/user_agent_allow"
- header_access User-Agent allow user_agent_allow
- header_access User-Agent deny all
These lines do several things. They stop websites from seeing the referer, cookie and user agent headers, except for the domains listed in the corresponding allow files. They drop the 'forwarded for' header lines (which again could be a potential security risk, giving away real machine names / IPs). They also block connections to the squid proxy from all machines except the local one (see the note at the beginning of this page).
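The matching and filtering behaviour described above, as an added example that is not part of the original page: a small Python model of Squid's dstdomain matching and of the header_access / header_replace rules, with constructed allow-file contents (assumed, not the page's) so it runs offline.

```python
# Added example, not from the original page: a model of how Squid's dstdomain
# ACLs and the header_access / header_replace lines decide what leaves the proxy.
BLACKLIST = [".doubleclick.net", "ads.example.com"]   # /etc/squid/blacklist (constructed)
COOKIE_ALLOW = [".linuxquestions.org"]                 # /etc/squid/cookie_allow (constructed)
REFERER_ALLOW = [".linuxquestions.org"]                # /etc/squid/referer_allow (constructed)
USER_AGENT_ALLOW = ["www.example.org"]                 # /etc/squid/user_agent_allow (constructed)

# Headers the page denies for every destination ("header_access X deny all").
ALWAYS_DENIED = {"from", "server", "www-authenticate", "link", "cache-control",
                 "proxy-connection", "x-cache", "x-cache-lookup", "via",
                 "forwarded-for", "x-forwarded-for", "pragma", "keep-alive"}
# Headers allowed only when the destination matches the named ACL file.
PER_DOMAIN = {"referer": REFERER_ALLOW, "cookie": COOKIE_ALLOW,
              "user-agent": USER_AGENT_ALLOW}
# Shortened stand-in for the header_replace value on the page.
SPOOFED_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"


def dstdomain_match(host, entries):
    """Squid dstdomain semantics: '.example.com' matches the domain and every
    subdomain; a bare 'www.example.com' matches that exact host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def is_blacklisted(host):
    """http_access deny blacklist: the request is refused (with deny_info,
    answered by a redirect to blacklist.gif) when the destination matches."""
    return dstdomain_match(host, BLACKLIST)


def outgoing_headers(host, headers):
    """Return the request headers Squid would forward to `host`: denied headers
    are dropped, and a denied User-Agent is replaced via header_replace."""
    kept = {}
    for name, value in headers.items():
        key = name.lower()
        if key in ALWAYS_DENIED:
            continue
        if key in PER_DOMAIN and not dstdomain_match(host, PER_DOMAIN[key]):
            if key == "user-agent":
                kept[name] = SPOOFED_UA
            continue
        kept[name] = value
    return kept
```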
- #header_replace User-Agent
- header_replace User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.0.1; .NET CLR 1.1.4322; .NET CLR
This line tells websites that you are running IE7 on Windows XP. Some bad websites have been known to look at your user agent and try browser-specific exploits, which should fail against this spoofed user agent.
- # TAG: deny_info
(many more lines until end of section)
- # by specifying TCP_RESET.
- deny_info http://localhost/blacklist.gif blacklist
This line makes any request to a website in the blacklist return blacklist.gif instead. You can create that file as a small transparent gif to replace any ad with; it must be served at http://localhost/blacklist.gif. You will need to make this file yourself, otherwise you will get a file not found error. If you don't want to replace the ads you can skip this line, but you will then see 'access denied' instead of the ads.
Now save the squid.conf file. If you want to block almost all the ads on the internet you can download a hosts file (for example from here) and save it. Unfortunately it is in the wrong format; however, running the file through:
sed -e 's/\r$//' -e 's/#.*//' -e 's/^[[:space:]]*\(127\.0\.0\.1\|0\.0\.0\.0\)[[:space:]]*//' -e '/^localhost\(\.localdomain\)\{0,1\}$/d' -e 's/[[:space:]]*$//' -e '/^$/d' hosts.txt | sort -u > blacklist
will pretty much sort the file out (it strips comments, the leading 127.0.0.1 or 0.0.0.0 address and the localhost entries, and drops blank lines). Open blacklist afterwards to check that no blank or stray lines are left. You can remove the hosts.txt file now if you wish. Copy the blacklist file into /etc/squid.
Edit /etc/squid/cookie_allow and add all sites you want to allow cookies for, e.g. .linuxquestions.org
Do the same with referer_allow and user_agent_allow.
Restart squid using: squid -k reconfigure
Set your browser to use the squid port and check that it all works!