PROBLEM
To configure a proxy server that only allows whitelisted URLs through.
SOLUTION
Install Squid… in this case, on Ubuntu.
sudo apt install -y squid
Ensure the service is running.
my@shittycode:/etc/squid$ sudo systemctl status squid
● squid.service - Squid Web Proxy Server
     Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-04-21 17:20:54 CDT; 3min 3s ago
       Docs: man:squid(8)
    Process: 9008 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
    Process: 9012 ExecStart=/usr/sbin/squid -sYC (code=exited, status=0/SUCCESS)
   Main PID: 9013 (squid)
      Tasks: 4 (limit: 44379)
     Memory: 16.1M
     CGroup: /system.slice/squid.service
             ├─9013 /usr/sbin/squid -sYC
             ├─9015 (squid-1) --kid squid-1 -sYC
             ├─9016 (logfile-daemon) /var/log/squid/access.log
             └─9017 (pinger)

Apr 21 17:20:54 shittycode squid[9015]: Max Swap size: 0 KB
Apr 21 17:20:54 shittycode squid[9015]: Using Least Load store dir selection
Apr 21 17:20:54 shittycode squid[9015]: Set Current Directory to /var/spool/squid
Apr 21 17:20:54 shittycode squid[9015]: Finished loading MIME types and icons.
Apr 21 17:20:54 shittycode squid[9015]: HTCP Disabled.
Apr 21 17:20:54 shittycode squid[9015]: Pinger socket opened on FD 14
Apr 21 17:20:54 shittycode squid[9015]: Squid plugin modules loaded: 0
Apr 21 17:20:54 shittycode squid[9015]: Adaptation support is off.
Apr 21 17:20:54 shittycode squid[9015]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Apr 21 17:20:55 shittycode squid[9015]: storeLateRelease: released 0 objects
Create a file (/etc/squid/whitelist.txt) containing the whitelisted URLs, one per line. In this example, only one URL is whitelisted.
my@shittycode:/etc/squid$ cat whitelist.txt
www.google.com
To simplify the configuration, back up /etc/squid/squid.conf and recreate the file with this minimal configuration.
my@shittycode:/etc/squid$ cat squid.conf
# An ACL named 'whitelist'
acl whitelist dstdomain '/etc/squid/whitelist.txt'
# Allow whitelisted URLs through
http_access allow whitelist
# Block the rest
http_access deny all
# Default port
http_port 3128
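A dstdomain ACL matches the request's host name, not the full URL, and the matching rule depends on the entry's form: an entry without a leading dot (www.google.com, as above) matches only that exact host, while an entry with a leading dot (.google.com) matches the domain itself and every subdomain. The script below is an added example, not part of the original post or of Squid; it emulates that matching in POSIX sh against a constructed whitelist so you can see, before restarting the proxy, which hosts a given file will let through. The sample file, the hosts checked and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example: emulate Squid's dstdomain ACL matching against a whitelist
# file. Not Squid's code; it reproduces the documented matching rules only.
#
#   www.google.com  -> matches only that exact host
#   .google.com     -> matches google.com and any subdomain of it
#
# Host names are compared case-insensitively; blank lines and lines
# starting with '#' in the whitelist file are ignored, as Squid does.

# dstdomain_match HOST WHITELIST_FILE -> prints "allow" or "deny"
dstdomain_match() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    file=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in
            .*)
                # leading dot: the bare domain itself, or anything ending in ".domain"
                bare=${entry#.}
                if [ "$host" = "$bare" ]; then echo allow; return 0; fi
                case "$host" in *"$entry") echo allow; return 0 ;; esac
                ;;
            *)
                # no leading dot: exact host name only
                if [ "$host" = "$entry" ]; then echo allow; return 0; fi
                ;;
        esac
    done < "$file"
    echo deny
    return 0
}

# make_sample_whitelist -> prints the path of a constructed whitelist file
# (the post's single entry plus one leading-dot entry for contrast)
make_sample_whitelist() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample whitelist (not the post's real file)
www.google.com
.example.net
EOF
    echo "$f"
}

# check_hosts: print the verdict for a set of constructed host names
check_hosts() {
    wl=$(make_sample_whitelist)
    for h in www.google.com google.com mail.google.com WWW.GOOGLE.COM \
             example.net docs.example.net notexample.net; do
        printf '%-18s %s\n' "$h" "$(dstdomain_match "$h" "$wl")"
    done
    rm -f "$wl"
}

check_hosts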
Restart the service to pick up the change.
sudo systemctl restart squid
To test the configuration, request a non-whitelisted URL through the proxy; it should return 403.
my@shittycode:/etc/squid$ curl -x localhost:3128 -I -L yahoo.com
HTTP/1.1 403 Forbidden
Server: squid/4.10
Mime-Version: 1.0
Date: Wed, 21 Apr 2021 22:22:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3507
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from shittycode
X-Cache-Lookup: NONE from shittycode:3128
Via: 1.1 shittycode (squid/4.10)
Connection: keep-alive
Requesting a whitelisted URL should return 200.
my@shittycode:/etc/squid$ curl -x localhost:3128 -I -L www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Wed, 21 Apr 2021 22:21:03 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Wed, 21 Apr 2021 22:21:03 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-04-21-22; expires=Fri, 21-May-2021 22:21:03 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=214=AAK1Z6cV4cXlOGLIdHrKhiyzW2iBKpkN5-3OXvVrxEGrw-VekbvM1uFMMUAGubhAciT8NcyCVto2fpDPHJXRBECcqJRFTsUDNb3WBUNIgvK0zWpyxz8bl1aSqB22nQhf2fEwfDM9nAkVZyQG8rst054qOfAHO9kDvkrZRWn9HyM; expires=Thu, 21-Oct-2021 22:21:03 GMT; path=/; domain=.google.com; HttpOnly
X-Cache: MISS from shittycode
X-Cache-Lookup: MISS from shittycode:3128
Via: 1.1 shittycode (squid/4.10)
Connection: keep-alive