Squid: Configuring Whitelisted URLs

PROBLEM

To configure a proxy server that only allows whitelisted URLs through.

SOLUTION

Install Squid… in this case, on Ubuntu.

sudo apt install -y squid

Ensure the service is running.

my@shittycode:/etc/squid$ sudo systemctl status squid
● squid.service - Squid Web Proxy Server
Loaded: loaded (/lib/systemd/system/squid.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-04-21 17:20:54 CDT; 3min 3s ago
Docs: man:squid(8)
Process: 9008 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
Process: 9012 ExecStart=/usr/sbin/squid -sYC (code=exited, status=0/SUCCESS)
Main PID: 9013 (squid)
Tasks: 4 (limit: 44379)
Memory: 16.1M
CGroup: /system.slice/squid.service
├─9013 /usr/sbin/squid -sYC
├─9015 (squid-1) --kid squid-1 -sYC
├─9016 (logfile-daemon) /var/log/squid/access.log
└─9017 (pinger)

Apr 21 17:20:54 shittycode squid[9015]: Max Swap size: 0 KB
Apr 21 17:20:54 shittycode squid[9015]: Using Least Load store dir selection
Apr 21 17:20:54 shittycode squid[9015]: Set Current Directory to /var/spool/squid
Apr 21 17:20:54 shittycode squid[9015]: Finished loading MIME types and icons.
Apr 21 17:20:54 shittycode squid[9015]: HTCP Disabled.
Apr 21 17:20:54 shittycode squid[9015]: Pinger socket opened on FD 14
Apr 21 17:20:54 shittycode squid[9015]: Squid plugin modules loaded: 0
Apr 21 17:20:54 shittycode squid[9015]: Adaptation support is off.
Apr 21 17:20:54 shittycode squid[9015]: Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
Apr 21 17:20:55 shittycode squid[9015]: storeLateRelease: released 0 objects

Create a file (/etc/squid/whitelist.txt) containing the whitelisted destinations, one host name per line; the dstdomain ACL used below matches on the host name, not the full URL. In this example, only one host is whitelisted.

my@shittycode:/etc/squid$ cat whitelist.txt
www.google.com

To keep the configuration simple, back up /etc/squid/squid.conf and replace it with this minimal configuration.

my@shittycode:/etc/squid$ cat squid.conf

# An ACL named 'whitelist'
acl whitelist dstdomain '/etc/squid/whitelist.txt'

# Allow whitelisted URLs through
http_access allow whitelist

# Block the rest
http_access deny all

# Default port
http_port 3128

Restart the service to pick up the change.

sudo systemctl restart squid

To test the configuration, request a non-whitelisted URL through the proxy; it should return 403.

my@shittycode:/etc/squid$ curl -x localhost:3128 -I -L yahoo.com
HTTP/1.1 403 Forbidden
Server: squid/4.10
Mime-Version: 1.0
Date: Wed, 21 Apr 2021 22:22:02 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3507
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from shittycode
X-Cache-Lookup: NONE from shittycode:3128
Via: 1.1 shittycode (squid/4.10)
Connection: keep-alive

Requesting a whitelisted URL through the proxy should return 200.

my@shittycode:/etc/squid$ curl -x localhost:3128 -I -L www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Wed, 21 Apr 2021 22:21:03 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Wed, 21 Apr 2021 22:21:03 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-04-21-22; expires=Fri, 21-May-2021 22:21:03 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=214=AAK1Z6cV4cXlOGLIdHrKhiyzW2iBKpkN5-3OXvVrxEGrw-VekbvM1uFMMUAGubhAciT8NcyCVto2fpDPHJXRBECcqJRFTsUDNb3WBUNIgvK0zWpyxz8bl1aSqB22nQhf2fEwfDM9nAkVZyQG8rst054qOfAHO9kDvkrZRWn9HyM; expires=Thu, 21-Oct-2021 22:21:03 GMT; path=/; domain=.google.com; HttpOnly
X-Cache: MISS from shittycode
X-Cache-Lookup: MISS from shittycode:3128
Via: 1.1 shittycode (squid/4.10)
Connection: keep-alive
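The whitelist above is exact-match: a dstdomain entry without a leading dot matches only that host, so google.com or mail.google.com would still get a 403 from this configuration. The following Python model of the dstdomain ACL and the allow/deny rule order is an added example, not part of the original post or of Squid; the whitelist text and request lines it uses are constructed to mirror the curl tests.

```python
"""Model of the dstdomain whitelist evaluation above (added example, not Squid's
code): an entry without a leading dot matches only that exact host, while a
dotted entry such as '.example.org' matches the domain and every subdomain."""
from typing import List
from urllib.parse import urlsplit
# Constructed whitelist in the format Squid reads from the quoted file (one entry
# per line, '#' lines ignored). The post's file holds only www.google.com; the
# dotted entry is added here to show the subdomain rule.
WHITELIST_TXT = """\
# allowed destinations
www.google.com
.example.org
"""

def parse_whitelist(text: str) -> List[str]:
    """Return the dstdomain entries, lower-cased, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line.split()[0].lower())  # first token only, as Squid does
    return entries

def dstdomain_matches(entry: str, host: str) -> bool:
    """One ACL entry against one host, per Squid's matchDomainName rules."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def request_host(request_line: str) -> str:
    """Host the proxy decides on: the CONNECT target for HTTPS, else the URL host."""
    method, target = request_line.split()[:2]
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]  # drop the port
    return urlsplit(target).hostname or ""

def http_access(entries: List[str], request_line: str) -> str:
    """The post's rule order: 'allow whitelist' then 'deny all'; first match wins."""
    host = request_host(request_line)
    if any(dstdomain_matches(e, host) for e in entries):
        return "allow"  # origin answers, e.g. the 200 from www.google.com
    return "deny"       # 403 with X-Squid-Error: ERR_ACCESS_DENIED, as for yahoo.com

if __name__ == "__main__":
    wl = parse_whitelist(WHITELIST_TXT)
    for req in ("GET http://google.com/ HTTP/1.1", "CONNECT mail.example.org:443 HTTP/1.1"):
        print(http_access(wl, req), req)
```

Note that the minimal squid.conf has no src ACL, so every client that can reach port 3128 gets the same decisions for these destinations; add a src rule or a firewall rule if the proxy is not meant to be reachable by arbitrary clients.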