Squid proxy block all websites except white listed domains



  • Hi,

    I have around 5000 domains in a notepad. I only need to allow the website which is there in notepad and the rest all websites has to be blocked.

    Could you please advise how do we achieve this in pfsense which is hosted in AWS?



  • You could use the pfBlocker package or squid+squidguard packages. pfBlocker can block DNS for those domains, and squid+squidguard is an URL filter. They do the same job in a different way.



  • Thanks Kom for the response.

    What is required is: I want to allow custom domains which are there in notepad (around 5k websites) and rest of the domains should be blocked.

    I understand its a strange requirement. I have installed Squid and Squid Gaurd, However how do I create my own category of 5k domains and mention in Target categories and allow only that and rest of them are blocked?

    Is there anyway I can create a list in console as WebGUI may not handle the list as its huge.



  • Squidguard has no easy way to import 5000 URLs manually. pfBlocker may have a method but I don't know since I don't use it.

    It might be easier for you to fake a squidguard blacklist by packaging up your domain list the same way the blacklists are packaged. Then you could easily import it.

    For example, the Shallalist is a commonly-used blacklist which can be found here:

    http://www.shallalist.de/Downloads/shallalist.tar.gz

    It's a tar.gz file. Inside is a tar file. Inside the tar file is a folder structure with 'urls' and 'domains' files nested inside catagory folders under BL (for blacklist). You could create your own tar.gz file and then use the Blacklist page to import it.



  • Wow!! Awesome genius Idea... its working like a charm.

    Thank you so much!! KOM :-)



  • Glad it worked for you.



  • @kom can you make a step by step how to block all website except white listed domains



  • @lesther123 I don't really have time for that, and there are lots of tutorials online. The short version is:

    Install Squid & configure
    Install Squidguard & configure
    Configure WPAD
    Force users to use proxy by blocking tcp80,443
    In Squidguard, set default ACL to Deny
    In Squidguard, create Whitelist ACL group and then add your allowed domains to it.

    That's basically it.



  • @kom it is possible to block all https??


  • LAYER 8 Rebel Alliance

    Port 443/TCP is HTTPS.

    -Rico



  • @kom Force users to use proxy by blocking tcp80,443, blocking in firewall rule??



  • Yes. How do you expect to enforce your web-browing rules if anyone can just go around the proxy by not using it?? If you block all tcp80,443 traffic on LAN, then NOBODY will be able to use the web except via proxy.