Block Facebook using Squid at office


Many weeks ago, almost everyone working at the office with me got stuck on Facebook! They were working on it for hours every day. I do not understand that at all (I don’t see anything attractive in Facebook, and I don’t have a Facebook account yet!). We tried everything to change this bad habit, with no luck.

Because I am the Technical Manager at my company, I have access to all computers and equipment. So I used the extreme solution and blocked Facebook! I searched the Internet for about 2 days for an easy solution or a free firewall to block websites, but I found nothing. So I decided to do it my way. If you have a hopeless case at your work like me, here is how I blocked Facebook:

ADSL Router Configuration

In our office we have an ADSL router which is our connection to the Internet. This router and all our computers are connected through a switch. Our ISP already has a proxy, and all requests on port 80 are redirected to it. Fortunately, Facebook is forbidden at this proxy! So how can my employees open it? I discovered that all my employees were using proxies on different ports, so they could bypass the ISP proxy, which filters port 80 only (no proxy requests).

Now my first challenge is: how can I stop all these proxies and force everyone to use the ISP proxy? The easy way is to close the other proxy ports (normally 3128, 8080). But there are some proxies working on other ports like 808, so you must block all possible ports.

From the web interface of my router I added some rules to block all ports above 80 for all computers (except SQL port and Remote Access port).

Squid Proxy

I thought that my problem was solved, because now my employees couldn’t open Facebook, but that was wrong! My problem had just begun: unfortunately our ISP proxy blocks many websites, not only Facebook. So how can we open these websites now?

The only way to do that is to allow people to connect through a proxy other than the ISP one. But I must block Facebook at that proxy too!

So I decided to make my own proxy and install it on the domain controller at my office! I chose the Squid proxy because I am familiar with it and it can work under Windows or Linux.

The first step is installing Squid on the domain controller on some port (the default port is 3128, but I used 55555) and changing the ADSL router configuration to exclude the domain controller from its rules, so it can connect to any IP on any port. To make Squid listen on port 55555 you must add this configuration to squid.conf (you can find it under c:\squid\etc):

http_port 55555

Redirect Squid Proxy

Now we have a proxy installed on the domain controller at my office and employees can connect through it. But it is useless now! When someone connects through this proxy, Squid will do nothing with the request, so it will go through the ISP proxy, and that is not what we want.

The solution is to redirect the Squid proxy to any other free proxy on any port other than 80 (a proxy that my employees were using). To do that you must add this configuration to squid.conf:

cache_peer proxy parent port 0 no-query
acl all src 0.0.0.0/0.0.0.0
http_access allow all
never_direct allow all

Just replace "proxy" and "port" with any proxy at any port (other than 80) you want to redirect the Squid proxy to. To make sure it works, open http://www.whatismyproxy.com/. You must see 2 proxies: the first one is Squid and the other is the proxy you redirected it to.

Block Facebook on Squid

All we need now is to block facebook.com on the Squid proxy. To do this we can define these rules in squid.conf:

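acl denyThis dstdomain "c:/squid/acl.txt"
acl our_networks src 192.168.1.0/24
# http_access lines are checked in order and the first matching line decides
http_access deny denyThis
http_access allow our_networks
# remove the "http_access allow all" added in the previous step: it accepts any source
http_access deny all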

With these lines we allow all requests from any IP that belongs to network 192.168.1.0 with mask 255.255.255.0, except requests whose destination domain is listed in the file c:/squid/acl.txt.

Now create file "c:/squid/acl.txt" and put this line in it:

.facebook.com

You are done! Every time you try to open www.facebook.com (or any subdomain of it) through the Squid proxy you will get a forbidden message from Squid.

FTP and Squid

Again I thought that everything was OK, but I discovered that my employees couldn’t use FTP any more! I tried this myself using FileZilla. When I used the no-proxy option, FileZilla could log in but couldn’t retrieve the directory list (that is because the FTP protocol uses a random port larger than 1024 to transfer data, and all these ports are closed by my ADSL router). And when I used the Squid proxy as an HTTP proxy for FileZilla, I got a forbidden reply from Squid and FileZilla couldn’t log in at all!

To solve this I googled the Internet for about 3 hours and found that Squid is not an FTP proxy, so I can’t use it to filter FTP connections. But I can use it as an HTTP proxy for FileZilla. To do so I must allow the CONNECT method on Squid. All you need is to add these 2 lines to your squid.conf:

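# CONNECT is the method ACL from the default squid.conf (acl CONNECT method CONNECT)
# this permits CONNECT tunnels to any destination port, which is what lets FTP through
http_access allow CONNECT
always_direct allow CONNECT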

The first rule allows the CONNECT method and the second one tells Squid not to redirect FTP connections to any other proxy (that is, to let FTP clients connect directly to FTP servers).

Deny UltraSurf

Now everything is fine, but my employees are not that simple. They tried to bypass my Squid proxy using different methods. One successful method they used was UltraSurf. So I blocked UltraSurf too!

To block UltraSurf you need to block the SSL port, which is 443, but this will stop you from logging in to your email, because almost every mail website uses SSL (HTTPS) for login. You can simply solve that by allowing connections on 443 to each mail website separately, like Gmail, Hotmail and Yahoo. But this is not practical.

I found another solution, which is to deny the CONNECT method to IP addresses (I think this will affect FTP connections, so if you do this make sure that you can still connect using an FTP client) using this rule in squid.conf (let this rule be the first rule in your squid.conf):

acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ 
http_access deny CONNECT numeric_IPs all
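
How Squid's first-match evaluation plays out for the rules in this post, as an added example (a simplified Python model written for this page, not Squid's code and not the author's): it compares a rule list with a blanket "http_access allow all" ahead of the network rule against one that ends in "http_access deny all". The client addresses and hostnames are constructed samples.

```python
import ipaddress
import re

def dstdomain(pattern, host):
    # A leading dot matches the domain itself and every subdomain.
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def url_of(req):
    # CONNECT requests carry "host:port"; other methods carry a full URL.
    if req["method"] == "CONNECT":
        return "%s:%d" % (req["host"], req["port"])
    return "http://%s/" % req["host"]

LAN = ipaddress.ip_network("192.168.1.0/24")
NUMERIC = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
ACLS = {
    "all": lambda r: True,
    "our_networks": lambda r: ipaddress.ip_address(r["src"]) in LAN,
    "denyThis": lambda r: dstdomain(".facebook.com", r["host"]),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "numeric_IPs": lambda r: NUMERIC.search(url_of(r)) is not None,
}

def http_access(rules, src, method, host, port=80):
    # Lines are checked top to bottom; every ACL on a line must match (AND),
    # and the first matching line decides. With no match, the result is the
    # opposite of the last line's action.
    req = {"src": src, "method": method, "host": host, "port": port}
    for action, *names in rules:
        if all(ACLS[name](req) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

COMMON = [("deny", "CONNECT", "numeric_IPs", "all"), ("deny", "denyThis")]
# "allow all" ahead of the network rule: the network rule is never reached.
OPEN = COMMON + [("allow", "all"), ("allow", "our_networks")]
# Network rule first, then an explicit final deny.
RESTRICTED = COMMON + [("allow", "our_networks"), ("deny", "all")]

if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    for args in [("192.168.1.20", "GET", "www.facebook.com"),
                 ("203.0.113.9", "GET", "example.org"),
                 ("192.168.1.20", "CONNECT", "198.51.100.7", 443)]:
        print(args, http_access(OPEN, *args), http_access(RESTRICTED, *args))
```
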

Conclusion

Finally my employees gave up, and I am satisfied with that. Now I can leave my company and be sure that everything is going well. There are still many ways to bypass my proxy and open Facebook using tons of anonymous browsing websites, but I hope that my employees will not hear about them!


16 Responses to “Block Facebook using Squid at office”

  1. don't click here Says:

    This software program http://www.timedoctor.com/1 is better than blocking Facebook because it just monitors Facebook in working hours. Team members can always use Facebook during lunch breaks. Plus some people must use Facebook for work purposes so it’s not good to just block it.

  2. ladyontime Says:

    I’ve been using http://bit.ly/bJwmma . It uses a better method than blocking social media sites because it only monitors sites like Facebook in working hours. People/Employees still have the option to use it for a breather or during breaks so it’s really unnecessary to block it. Sometimes they use it for work too in helping reach decisions.

  3. Ajith Says:

    thanks

    very useful information

  4. Zchelter Says:

    Working like a Charm, nice, thanks!!

  5. Dinesh P Says:

    Thanks Dear Its working well….
    :))

    • mr.dookie Says:

      Block https://www.facebook.com
      vi /etc/hosts
      add 127.0.0.1 facebook.com
      or
      iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 66.220.144.0-66.220.159.255 --dport 443 -j DROP
      iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 69.63.176.0-69.63.191.255 --dport 443 -j DROP
      iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 69.171.220.0-69.171.234.255 --dport 443 -j DROP
      iptables -t filter -I FORWARD -s 192.168.0.0/24 -p tcp -m iprange --dst-range 204.15.20.0-204.15.23.255 --dport 443 -j DROP

  6. http://tinyurl.com/socifido30109 Says:

    “Block Facebook using Squid at office Madhat Alsoos”
    was indeed genuinely engaging and informative! In modern world honestly, that is very difficult to accomplish.

    Thx, Ute

  7. Renovation Singapore Says:

    My spouse and I stumbled over here different website and thought
    I might check things out. I like what I see so now i am
    following you. Look forward to exploring your web page for a second time.

  8. Martin Crumlish & Greg Jacobs Emperor Social Says:

    Everyone loves it when people come together and share opinions.
    Great website, continue the good work!

  9. hidemyass Says:

    Hello, i think that i saw you visited my website so i came to “return the favor”.
    I’m trying to find things to enhance my web site!I suppose its ok to use some of your ideas!!

  10. phat azz white Says:

    Way cool! Some very valid points!I appreciate you writing this article and
    also the rest of the site is very good.

  11. The website Says:

    I have read so many posts concerning the blogger lovers except this post is genuinely a nice post, keep
    it up.

  12. Louise Says:

    Do you have some video? I would like to find out some more information.

