Internet Filter for Parents

There is a lot of free and paid internet filter software available. However, advanced and complex features may cost more. In this post, we will look at how a powerful internet filter can be built for free using Squid Proxy and Windows Firewall. This post is not intended to be a one-stop solution but a kick-start guide for parents who want a powerful solution based on Squid.

Advantages of Squid+Windows Firewall

One of the key advantages of using Squid is that it allows very complex rules.

  • Allow a website and/or subdomains.
  • Block certain pages from allowed websites
  • Allow any website when it is reached by a link from a listed website, but block the same website if it is browsed directly.
  • Allow embedded YouTube from allowed websites but block YouTube itself.
  • Allow a list of websites only during a certain time.
  • Have authenticated users with different roles/options for each user.
  • Block websites based on keywords
  • And many more …

Video

The explanation and required configuration are provided below. The steps below may not make sense if you don’t watch the video.

Software/Versions

Step 1: Squid Installation

The first step is to download Squid Proxy server from the below location.

Once downloaded, install the software into its default location.

Step 2: Child Account Creation

The child account must be created before modifying the firewall rules. This is because every time a new account is created, Windows automatically adds new firewall rules.

Step 3: Configure Windows Firewall

A simple but effective internet filter is to force Windows to reach the internet only through the Squid proxy. This lets a parent configure in the proxy which websites are blocked and which are allowed (whitelisted).

Step 4: Configure Child Account

In this step, the child account must be configured to point to the proxy. Without the proxy, the child will not be able to connect to the internet.

Step 5: Configure SSL Decryption

In this step, we require OpenSSL to create a private key and a self-signed CA certificate.

Command to create key/cert (Assuming Squid is installed in C:\Squid):

openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout C:\Squid\etc\squid\myCA.pem -out C:\Squid\etc\squid\myCA.pem

squid.conf

Modify the squid configuration file to add the key and certificate.

http_port 3128 ssl-bump cert=C:\Squid\etc\squid\myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

ssl_bump bump all

sslcrtd_program C:\Squid\lib\squid\ssl_crtd.exe -s C:\Squid\var\cache\squid_ssldb -M 4MB

sslcrtd_children 5

Step 6: Simple Whitelisting

Below is a simple configuration for C:\Squid\etc\squid\squid.conf

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_port 3128 ssl-bump cert=C:\Squid\etc\squid\myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all
sslcrtd_program C:\Squid\lib\squid\ssl_crtd.exe -s C:\Squid\var\cache\squid_ssldb -M 4MB
sslcrtd_children 5

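# Refuse unsafe ports and CONNECT to non-TLS ports before any allow rule is evaluated
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Whitelist: only destinations listed in allowed-sites.txt are allowed
acl AllowedSites dstdomain "C:\Squid\etc\squid\allowed-sites.txt"
http_access allow AllowedSites

# Everything else is refused
http_access deny all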

dns_nameservers 208.67.222.222 208.67.220.220

Allowed Sites

Below are the contents of the file: C:\Squid\etc\squid\allowed-sites.txt

.superbook.tv
.cbn.com

Change permissions to remove Authenticated Users from folder C:\Squid\etc. This stops the child from modifying the configuration folder.

Step 7: Block Specific Pages

Add the following to file: allowed-sites.txt

.zoom.us

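Add to the Squid configuration file C:\Squid\etc\squid\squid.conf, above the http_access allow AllowedSites line. Squid applies the first http_access rule that matches, so a deny rule placed after that line is never reached for zoom.us URLs.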

acl BlockZoomSignUp url_regex -i ^https:\/\/zoom\.us\/signup
http_access deny BlockZoomSignUp
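
Squid applies the first http_access rule that matches, so the position of the BlockZoomSignUp rule relative to http_access allow AllowedSites decides whether it has any effect. The following is an added example, not part of the original post: a simplified Python model of dstdomain and url_regex matching (not Squid's own code, port rules omitted) that evaluates constructed test URLs against both rule orders.

```python
import re
from urllib.parse import urlsplit

# allowed-sites.txt entries from Steps 6 and 7 of the post.
ALLOWED_SITES = [".superbook.tv", ".cbn.com", ".zoom.us"]
# Step 7 pattern; the dots are escaped so they match only a literal ".".
BLOCK_ZOOM_SIGNUP = re.compile(r"^https://zoom\.us/signup", re.IGNORECASE)


def dstdomain_match(host, entries):
    """Simplified dstdomain: ".example.com" matches the domain and any subdomain."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def evaluate(url, rules):
    """Return the action of the first rule whose ACL matches (first match wins)."""
    acls = {
        "AllowedSites": dstdomain_match(urlsplit(url).hostname or "", ALLOWED_SITES),
        "BlockZoomSignUp": bool(BLOCK_ZOOM_SIGNUP.search(url)),
        "all": True,
    }
    for action, acl in rules:
        if acls[acl]:
            return action
    return "deny"  # assumption for this model: nothing matched, so refuse


# Step 7 rule appended to the end of squid.conf: the allow rule matches first.
APPENDED = [("allow", "AllowedSites"), ("deny", "all"), ("deny", "BlockZoomSignUp")]
# Step 7 rule placed above the allow rule.
ORDERED = [("deny", "BlockZoomSignUp"), ("allow", "AllowedSites"), ("deny", "all")]

# Constructed test URLs.
SAMPLES = ["https://zoom.us/signup", "https://zoom.us/j/123", "https://www.cbn.com/",
           "https://notcbn.com/", "https://example.org/"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:26} appended={evaluate(url, APPENDED):5} ordered={evaluate(url, ORDERED)}")
```

Running the same kind of check against the live proxy from the child account after every change to squid.conf confirms that the deployed rule order behaves as modelled.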

Step 8: Undo Firewall and Proxy

If something went wrong or you want to revert:

  • Reset Network firewall
  • Remove Proxy