Squid.conf

From LQWiki

To set up squid to block ads, cookies and referers (sic), and so get a lot more privacy when browsing, you can do the following:

Note: You may want to do all of this as root, to stop users from editing these files. The following commands are run from a command shell. Also, this setup is for a single user running squid on their local machine; to set up squid for more users a few lines will have to be amended (for example, the ones blocking access from all other machines).

Create config files

cd /etc/squid
  • blacklist: any sites we want to block.
touch blacklist
  • cookie_allow: sites we want cookies on (like linuxquestions.org!) so you can log on.
touch cookie_allow
  • referer_allow: sites that require the Referer header. The word is spelt "referrer", but the original HTTP spec typoed it as "referer" and the header name has kept that spelling.
touch referer_allow
  • user_agent_allow: sites that require a real user agent (as opposed to the spoofed one we are going to use).
touch user_agent_allow

Change the config file

Edit /etc/squid/squid.conf. There are lots of things to change here in many places, so listed below are the lines to search for and the lines to add in after them. In each block, the commented-out lines (starting with #) are the existing squid.conf lines to search for, and the uncommented lines are the ones to add. The paragraphs between the blocks are explanations.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl blacklist dstdomain "/etc/squid/blacklist"
http_access deny blacklist

This tells squid to block any domain listed in the file blacklist. If you want to block an entire website (linuxquestions.org, say, although why you would want to block that!) you can simply edit the blacklist file and add the line .linuxquestions.org, which blocks www.linuxquestions.org, wiki.linuxquestions.org and so on. Putting wiki.linuxquestions.org (no leading dot) would block just the wiki.

#visible_hostname
visible_hostname proxy

This tells squid to tell everyone it is called 'proxy'. It defaults to your machine's hostname, which could potentially be a security risk.

# forwarded_for on
forwarded_for off

This tells squid not to tell anyone it is a proxy (it stops squid filling in the X-Forwarded-For header). Depending on your setup you may not want this one.

# By default, all headers are allowed (no anonymizing is
#	performed).
#
#Default:
# none
header_access From deny all
header_access Server deny all
header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
acl referer_allow dstdomain "/etc/squid/referer_allow"
header_access Referer allow referer_allow
header_access Referer deny all
acl cookie_allow dstdomain "/etc/squid/cookie_allow"
header_access Cookie allow cookie_allow
header_access Cookie deny all
acl user_agent_allow dstdomain "/etc/squid/user_agent_allow"
header_access User-Agent allow user_agent_allow
header_access User-Agent deny all

These lines do several things. They stop websites from reading the Referer, cookies and User-Agent, except for the domains listed in the corresponding allow files. They block the 'forwarded for' header lines (which again could be a potential security risk, as they give away real machine names / IPs). They also block connections to the squid proxy from all machines except local (see the note at the beginning of this page).
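To make the matching rules concrete, here is an added Python simulation of the blacklist ACL and the header_access policy above. It is not part of the original page and is not Squid's own code; the file contents in it are constructed samples. The domain rule it implements is Squid's dstdomain semantics: an entry with a leading dot matches that domain and every subdomain, an entry without one matches only that exact host. Note that in Squid 3 and later header_access was split into request_header_access and reply_header_access; the simulation models the request side, which is the one the Referer, Cookie and User-Agent rules act on.

```python
"""Simulation of the squid.conf policy above (added example, not Squid code).

dstdomain ACL matching:
  * ".example.org"  matches example.org and every *.example.org host;
  * "wiki.example.org" matches that one host only.
header_access lines are evaluated in order, first match wins, so
"allow <acl>" followed by "deny all" means: keep the header only for
destinations in the allow file.
"""

# Constructed stand-ins for /etc/squid/blacklist and the three *_allow files.
BLACKLIST = [".adserver.example", "tracker.example.net"]
COOKIE_ALLOW = [".linuxquestions.org"]
REFERER_ALLOW = [".linuxquestions.org"]
USER_AGENT_ALLOW = ["wiki.linuxquestions.org"]

# Headers denied for every destination ("header_access <name> deny all").
DENY_ALWAYS = {
    "From", "Server", "WWW-Authenticate", "Link", "Cache-Control",
    "Proxy-Connection", "X-Cache", "X-Cache-Lookup", "Via",
    "Forwarded-For", "X-Forwarded-For", "Pragma", "Keep-Alive",
}

# Headers denied unless the destination is in the matching allow file.
ALLOW_LISTED = {
    "Referer": REFERER_ALLOW,
    "Cookie": COOKIE_ALLOW,
    "User-Agent": USER_AGENT_ALLOW,
}


def dstdomain_match(host: str, entries) -> bool:
    """Return True if *host* matches any dstdomain entry (Squid semantics)."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.strip().lower()
        if not entry:
            continue  # blank lines in the file match nothing
        if entry.startswith("."):
            # ".example.org" matches example.org itself and any subdomain
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def is_blocked(host: str) -> bool:
    """http_access deny blacklist: the request never leaves the proxy."""
    return dstdomain_match(host, BLACKLIST)


def filter_headers(host: str, headers: dict) -> dict:
    """Apply the header_access rules to one request's headers.

    Header names are compared case-insensitively, as Squid does; any
    header not named in the policy passes through unchanged.
    """
    policy = {name.lower(): name for name in DENY_ALWAYS | set(ALLOW_LISTED)}
    kept = {}
    for name, value in headers.items():
        canon = policy.get(name.lower())
        if canon is None:
            kept[name] = value  # not mentioned in any rule: allowed by default
        elif canon in ALLOW_LISTED and dstdomain_match(host, ALLOW_LISTED[canon]):
            kept[name] = value  # the "allow <acl>" line matched first
        # otherwise the trailing "deny all" drops the header
    return kept


if __name__ == "__main__":
    # Constructed request to a site in the cookie and referer allow files.
    req = {"Host": "www.linuxquestions.org", "Cookie": "sid=abc",
           "Referer": "https://www.linuxquestions.org/", "User-Agent": "Firefox",
           "Via": "1.1 proxy", "Accept": "text/html"}
    print("ads.adserver.example blocked:", is_blocked("ads.adserver.example"))
    print("headers forwarded:", sorted(filter_headers("www.linuxquestions.org", req)))
```

Run it as a script to see which headers survive for a given destination; changing the destination to wiki.linuxquestions.org shows the User-Agent exception kicking in, and an unlisted site loses all three headers.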

#header_replace User-Agent
header_replace User-Agent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; YPC 3.0.1; .NET CLR 1.1.4322; .NET CLR

This line tells websites that you are running IE7 on Windows XP. Some bad websites have been known to look at your user agent and try browser-specific exploits, which should fail against this user agent.

# TAG: deny_info

(many more lines until end of section)

# by specifying TCP_RESET.
deny_info http://localhost/blacklist.gif blacklist

This line makes squid serve blacklist.gif in place of any website in the blacklist. You can create that file as a small transparent gif to replace each ad with. You will need to make this file yourself (and, since the URL points at http://localhost/, something on your machine has to serve it), otherwise you will get a file not found error. If you don't want to replace the ads, you can skip this line; you will then see 'access denied' instead of the ads.

Now save the squid.conf file. If you want to block almost all the ads on the internet you can download a hosts file (for example from here) and save it. Unfortunately it is in the wrong format, but running the file through the following pipeline fixes that:

# strip comments, drop the 127.0.0.1 prefix, delete the localhost entries, trim trailing blanks, drop empty lines
sed -e 's/#.*//' -e 's/^[[:space:]]*127\.0\.0\.1[[:space:]]*//' \
    -e '/^localhost\([[:space:].].*\)*$/d' -e 's/[[:space:]]*$//' -e '/^$/d' hosts.txt > blacklist

This pretty much sorts the file out. It might leave some blank lines at the front, so open blacklist and check. You can remove the hosts.txt file now if you wish. Copy the blacklist file into /etc/squid.
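The sed pipeline assumes a hosts file that uses 127.0.0.1 and has nothing but ad hosts in it. As an added example (not part of the original page), here is a Python converter that does the same job but also copes with the 0.0.0.0 form many hosts lists use, the localhost entries at the top of a hosts file, lines that list several names, whitespace-only lines and duplicates. The sample hosts file embedded in it is constructed; the output is one hostname per line, ready for acl blacklist dstdomain "/etc/squid/blacklist".

```python
"""Convert a hosts-format blocklist into Squid dstdomain lines (added example)."""
import sys

# Addresses a hosts-format blocklist points ad hosts at; a line with any
# other address (e.g. a real LAN entry) is not a blocking entry.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that refer to the local machine, not to an ad server.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def hosts_to_blacklist(hosts_text: str) -> list:
    """Return the unique hostnames to block, lower-cased, in first-seen order."""
    seen = set()
    out = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue  # empty or whitespace-only line
        fields = line.split()
        if fields[0] not in SINK_ADDRESSES:
            continue  # not a blocking entry
        for name in fields[1:]:  # one hosts line may carry several names
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or name in seen:
                continue
            seen.add(name)
            out.append(name)
    return out


# Constructed sample in the format of a downloaded hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1  localhost
::1        localhost ip6-localhost
127.0.0.1  ads.example.com        # trailing comment
0.0.0.0    tracker.example.net    Tracker.Example.Net
   
127.0.0.1  ads.example.com
192.168.1.10  fileserver.lan
"""

if __name__ == "__main__":
    # Usage: python hosts_to_blacklist.py hosts.txt > blacklist
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    sys.stdout.write("\n".join(hosts_to_blacklist(text)) + "\n")
```

Without an argument the script converts the embedded sample, which yields just ads.example.com and tracker.example.net: the localhost lines, the duplicate, the differently-cased repeat and the LAN entry are all left out.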

Edit /etc/squid/cookie_allow and add all sites you want to allow cookies for, e.g. .linuxquestions.org

Do the same with referer and user agent.

Make squid reload its configuration with: squid -k reconfigure

Set your browser to use the squid port and check it all works!