Thursday, September 07, 2006

Configuring a Whitelist Proxy for Kid-safe Internet Access

I want my children to have access to the internet, but I also know there is a lot of stuff out there I don't want them to have access to. For me, I only want to let them visit web sites that I have reviewed and approved for their consumption. This list, known as a whitelist, is something I want to be able to easily control, update, and adapt for use over time, and I want to be able to have them use it from any of multiple computers.

This article offered a good start to getting a squid server up and running to do just this. As an added bonus, this is a caching server, so once they load things once they can access them quickly from server cache. I had a headstart on the process since I already had a box running Fedora Core 3, and it already had squid rpm installed, but not configured or activated. Let me summarize exactly what I did to get squid configured.

  1. Installed squid (already done) via rpm (rpm -Uvh packagename) on Fedora Core 3.

  2. Edit /full/path/squid.conf starting with the default configuration file. My changes / additions are marked below:

    #CHANGE: Use a more standard proxy port

    http_port 8080

    #CHANGE: Set my cache directory onto my local raid

    cache_dir ufs /raid/squid 100 16 256

    #CHANGE: Set the ftp user as my email address
    #(not included here)


    #ADD: Setup the authentication as ncsa through
    # the files we will set up in the next step

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

    #CHANGE: Set up visible hostname since squid seemed to need it

  3. Create a "squid_passwd" ncsa auth file:

    htpasswd -c /etc/squid/squid_passwd adult
    htpasswd /etc/squid/squid_passwd kid

  4. Create a whitelist file /full/path/squid/whitelist. It is simply a flat file with one host/domain or domain per list. I started with a simple one:

  5. Edit /full/path/suid.conf to use these files:

    In the acl area of the squid.conf file create these entries:

    acl ncsa_adult_users proxy_auth adult
    acl ncsa_kid_users proxy_auth kid
    acl whitelist dstdomain "/etc/squid/whitelist"

    Then in the http_access area of the squid.conf file create these entries:

    http_access allow ncsa_adult_users
    http_access allow ncsa_kid_users whitelist
    http_access deny all

  6. Activate squid by adding it to the boot process and then starting it.

    chkconfig squid on
    /etc/init.d/squid start

  7. Configure my test browser to use hostname:8080 as its proxy for all protocols. When trying to get to a website, it now asks for a username /password. If you enter the kid password, all non-whitelisted sites should be block. If the adult password is entered, you have full access.

  8. To ensure that there is no way around the proxy, I block access to the internet from all machines but the proxy machine, or atleast all machines that I want on the proxy. This avoids the kids from just bypassing the proxy.


Bryan Chung said...


Do you have a website where I can grab a list of whitelisted domains for kids? Preferably one that is updated often.

Bryan Chung said...

Oh you can e-mail me at mail[at] if you can reply. Thanks!