There are many free and paid internet filter programs available. However, advanced and complex features may cost more. In this post, we will look at how a powerful internet filter can be built for free using Squid Proxy and Windows Firewall. This post is not intended to be a one-stop solution but a kick-start guide for parents who want a powerful solution using Squid.
Advantages of Squid+Windows Firewall
One of the key advantages of using Squid is that it allows very complex rules:
- Allow a website and/or subdomains.
- Block certain pages from allowed websites
- Allow any website when it is reached by clicking a link on a listed website, while blocking the same website if browsed directly.
- Allow embedded YouTube from allowed websites but block YouTube itself.
- Allow a list of websites only during a certain time.
- Have authenticated users with different roles/options for each user.
- Block websites based on keywords
- And many more …
The explanation and required configuration are provided below. The steps below may not make sense if you don’t watch the video.
- Squid 3.5.28
- Windows 10 build 1909
- Win64 OpenSSL v1.1.1g Light
- Microsoft Visual C++ 2015-2019 Redistributable (x64) – 14.25.28508
Step 1: Squid Installation
The first step is to download Squid Proxy server from the below location.
Once downloaded, install the software into its default location.
Step 2: Child Account Creation
The child account must be created before modifying the firewall rules, because every time a new account is created, Windows automatically adds new firewall rules.
Step 3: Configure Windows Firewall
A simple but effective internet filter forces Windows to reach the internet only through the Squid proxy. This lets a parent configure the proxy to block websites or to whitelist the ones that are allowed.
Step 4: Configure Child Account
In this step, the child account must be configured to point to the proxy. Without the proxy, the child will not be able to connect to the internet.
Step 5: Configure SSL Decryption
In this step, we need OpenSSL to create a private key and a self-signed CA certificate.
- VC++ Runtime Download: https://aka.ms/vs/16/release/vc_redist.x64.exe (Required for OpenSSL)
- OpenSSL download: https://slproweb.com/products/Win32OpenSSL.html
Command to create key/cert (Assuming Squid is installed in C:\Squid):
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -keyout C:\Squid\etc\squid\myCA.pem -out C:\Squid\etc\squid\myCA.pem
Modify the squid configuration file to add the key and certificate.
http_port 3128 ssl-bump cert=C:\Squid\etc\squid\myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all
sslcrtd_program C:\Squid\lib\squid\ssl_crtd.exe -s C:\Squid\var\cache\squid_ssldb -M 4MB
sslcrtd_children 5
Step 6: Simple Whitelisting
Below is a simple configuration for C:\Squid\etc\squid\squid.conf
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_port 3128 ssl-bump cert=C:\Squid\etc\squid\myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all
sslcrtd_program C:\Squid\lib\squid\ssl_crtd.exe -s C:\Squid\var\cache\squid_ssldb -M 4MB
sslcrtd_children 5
acl AllowedSites dstdomain "C:\Squid\etc\squid\allowed-sites.txt"
http_access allow AllowedSites
http_access deny !Safe_ports
http_access deny all
dns_nameservers 22.214.171.124 126.96.36.199
Below are the contents of the file: C:\Squid\etc\squid\allowed-sites.txt
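Change the permissions on the folder C:\Squid\etc to remove Authenticated Users. This stops the child from modifying the configuration folder. The same folder holds myCA.pem, which contains the CA private key unencrypted (because of the -nodes option), so it should not be accessible to the child account either.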
Step 7: Block Specific Pages
Add the following to file: allowed-sites.txt
Add the following to the Squid configuration file C:\Squid\etc\squid\squid.conf:
acl BlockZoomSignUp url_regex -i ^https:\/\/zoom\.us\/signup
http_access deny BlockZoomSignUp
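Squid evaluates http_access lines top to bottom and applies the first one that matches, so where the Step 7 deny line sits relative to http_access allow AllowedSites decides whether it has any effect. The Python model below is an added example, not part of the original post or of Squid itself; the allowlist entries and helper names are constructed for illustration, and it models only the decrypted (bumped) request.

```python
import re
from urllib.parse import urlsplit

# Constructed sample allowlist; the page's allowed-sites.txt contents are not shown.
ALLOWED_SITES = [".zoom.us", "example.org"]
BLOCK_ZOOM_SIGNUP = re.compile(r"^https://zoom\.us/signup", re.IGNORECASE)


def dstdomain(host, entries):
    """Squid dstdomain: '.d' matches d and its subdomains, 'd' matches d only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


# Hypothetical stand-ins for the ACLs named in the Step 6 and Step 7 configuration.
ACLS = {
    "AllowedSites": lambda url: dstdomain(urlsplit(url).hostname or "", ALLOWED_SITES),
    "BlockZoomSignUp": lambda url: bool(BLOCK_ZOOM_SIGNUP.search(url)),
    "all": lambda url: True,
}


def http_access(rules, url):
    """Return the action of the first rule whose ACL matches (first match wins)."""
    for action, acl in rules:
        if ACLS[acl](url):
            return action
    return "deny"  # assumption: the list ends in "deny all", as in the Step 6 config


# Deny placed after the allow line: the allow matches first, so the deny is never reached.
DENY_AFTER_ALLOW = [("allow", "AllowedSites"), ("deny", "BlockZoomSignUp"), ("deny", "all")]
# Deny placed before the allow line: the sign-up page is blocked, the rest of the site works.
DENY_BEFORE_ALLOW = [("deny", "BlockZoomSignUp"), ("allow", "AllowedSites"), ("deny", "all")]

if __name__ == "__main__":
    for url in ("https://zoom.us/signup", "https://zoom.us/join", "https://other.test/"):
        print(url, http_access(DENY_AFTER_ALLOW, url), http_access(DENY_BEFORE_ALLOW, url))
```

The url_regex ACL can only see the /signup path because ssl_bump bump all decrypts the connection; without bumping, Squid sees only the CONNECT host and port for HTTPS traffic.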
Step 8: Undo Firewall and Proxy
If something went wrong or you want to revert the changes:
- Reset the network firewall
- Remove the proxy