Many organizations face the dilemma of balancing productivity and reasonable internet access. After successfully implementing Facebook blocking through Squid proxy with basic authentication on our Ubuntu server, management requested a more nuanced solution - allowing access only during designated lunch hours.
Squid's flexible ACL system allows time-based restrictions through the time ACL type. The syntax follows:
acl LUNCHTIME time MTWHF 12:00-13:00
acl FACEBOOK dstdomain .facebook.com
http_access deny FACEBOOK !LUNCHTIME
Here's a complete implementation for a Monday-to-Friday lunch break policy:
# Define time windows: working hours (Mon-Fri 8AM-6PM) and lunch (Mon-Fri 12PM-1PM)
acl WORKDAYS time MTWHF 08:00-18:00
acl LUNCHBREAK time MTWHF 12:00-13:00
# Define social media domains
acl SOCIAL_MEDIA dstdomain .facebook.com .fb.com
# Allow access only during lunch
http_access allow SOCIAL_MEDIA LUNCHBREAK
http_access deny SOCIAL_MEDIA WORKDAYS
http_access deny SOCIAL_MEDIA
For more complex scenarios with multiple allowed periods:
acl MORNING_BREAK time MTWHF 10:30-10:45
acl LUNCH_BREAK time MTWHF 12:00-13:00
acl AFTERNOON_BREAK time MTWHF 15:00-15:15
http_access allow SOCIAL_MEDIA MORNING_BREAK
http_access allow SOCIAL_MEDIA LUNCH_BREAK
http_access allow SOCIAL_MEDIA AFTERNOON_BREAK
http_access deny SOCIAL_MEDIA
After modifying squid.conf, always check the syntax and then reload the configuration:
sudo squid -k parse
sudo squid -k reconfigure
Verify the restrictions using Squid's access.log:
tail -f /var/log/squid/access.log | grep facebook
For environments needing different policies per user group:
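# "ldap_group" must already be defined with an external_acl_type directive
acl MARKETING_GROUP external ldap_group Marketing
acl ENGINEERING_GROUP external ldap_group Engineering
# http_access accepts only ACL names, so define each time window as its own ACL
acl MARKETING_LUNCH time MTWHF 12:00-14:00
acl ENGINEERING_LUNCH time MTWHF 12:00-13:00
# Marketing gets 2-hour lunch access
http_access allow SOCIAL_MEDIA MARKETING_GROUP MARKETING_LUNCH
# Engineering gets standard 1-hour
http_access allow SOCIAL_MEDIA ENGINEERING_GROUP ENGINEERING_LUNCH
# All other users and all other times stay blocked
http_access deny SOCIAL_MEDIA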
Recently, I configured Squid proxy on an Ubuntu server with basic authentication to manage web access for our office network. Initially, we blocked Facebook entirely using ACL rules, but now there's a new requirement: allow access only during lunchtime (e.g., 12:00 PM to 2:00 PM). Here's how to implement this time-based filtering.
Squid's time ACL type is perfect for this scenario. The syntax follows:
acl ACL_NAME time [day-abbrevs] [start_hour:min-end_hour:min]
Key components:
- day-abbrevs: SMTWHFA (Sunday-Saturday; H is Thursday, A is Saturday)
- time range: 24-hour format
Here's the complete configuration to allow Facebook only during lunch hours:
# Define lunchtime period (weekdays only)
acl LUNCH_TIME time MTWHF 12:00-14:00
# Facebook domains (keep this updated)
acl FACEBOOK dstdomain .facebook.com
acl FACEBOOK dstdomain .fbcdn.net
acl FACEBOOK dstdomain .fb.com
# Apply restrictions
http_access deny FACEBOOK !LUNCH_TIME
http_access allow FACEBOOK LUNCH_TIME
For more granular control, consider these enhancements:
1. Multiple Time Windows
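# Place this allow line before "http_access deny FACEBOOK !LUNCH_TIME";
# Squid stops at the first http_access line that matches
acl BREAK_TIME time MTWHF 10:00-10:15
http_access allow FACEBOOK BREAK_TIME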
2. Weekend Exception
acl WEEKEND time AS
http_access deny FACEBOOK WEEKEND
3. Logging for Monitoring
acl FACEBOOK_ATTEMPT dstdomain .facebook.com
# A logformat name (here the built-in "squid") must come before the ACL list
access_log daemon:/var/log/squid/facebook.log squid FACEBOOK_ATTEMPT
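Whether an extra window such as BREAK_TIME works depends on where its http_access line sits, because Squid stops at the first line whose ACLs all match. The following Python model is an added example, not part of the original article and not Squid code; its function names and the sample requests are constructed, and it only models the time and dstdomain ACL types used above.

```python
from datetime import datetime

DAYS = "MTWHFAS"  # Squid day letters in datetime.weekday() order: M=0 ... A=5 (Sat), S=6 (Sun)

def time_acl(days, span):
    """Model of 'acl NAME time <days> <hh:mm-hh:mm>' (end minute inclusive in this model)."""
    start, end = span.split("-")
    wanted = {DAYS.index(d) for d in days}
    return lambda req: (req["when"].weekday() in wanted
                        and start <= req["when"].strftime("%H:%M") <= end)

def dstdomain_acl(*domains):
    """Model of 'acl NAME dstdomain .example.com': a leading dot also matches subdomains."""
    def match(req):
        host = req["host"].lower()
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in domains)
    return match

def http_access(rules, acls, req):
    """First matching line wins; with no match, Squid applies the opposite of the last line."""
    for action, names in rules:
        # A line matches when every ACL on it matches ('!' negates a single ACL)
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACLs and rules copied from the configuration above
ACLS = {
    "FACEBOOK": dstdomain_acl(".facebook.com", ".fbcdn.net", ".fb.com"),
    "LUNCH_TIME": time_acl("MTWHF", "12:00-14:00"),
    "BREAK_TIME": time_acl("MTWHF", "10:00-10:15"),
}
BASE = [("deny", ["FACEBOOK", "!LUNCH_TIME"]), ("allow", ["FACEBOOK", "LUNCH_TIME"])]
BREAK = ("allow", ["FACEBOOK", "BREAK_TIME"])
APPENDED = BASE + [BREAK]   # break rule after the deny: never reached
PREPENDED = [BREAK] + BASE  # break rule before the deny: takes effect

def decide(rules, host, when):
    """Return 'allow' or 'deny' for a request to host at ISO time 'when'."""
    return http_access(rules, ACLS, {"host": host, "when": datetime.fromisoformat(when)})

if __name__ == "__main__":
    # Constructed sample requests; 2024-03-04 is a Monday, 2024-03-09 a Saturday
    for when in ("2024-03-04T10:05", "2024-03-04T12:30", "2024-03-04T15:00", "2024-03-09T12:30"):
        print(when, decide(APPENDED, "www.facebook.com", when),
              decide(PREPENDED, "www.facebook.com", when))
```

Only the 10:05 request differs between the two orderings: the appended rule is shadowed by the earlier deny, so the morning break is silently never granted.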
Facebook uses multiple domains and CDNs. Regularly update your ACL list with:
nslookup facebook.com
dig +short facebook.com
For automated updates, create a cron job that refreshes the Squid configuration when new domains are detected.
If the time restrictions aren't working:
- Verify system time: date
- Check timezone: timedatectl
- Check that the ACL definitions parse without errors: squid -k parse
- Monitor real-time access: tail -f /var/log/squid/access.log
Remember to reload Squid after changes: systemctl reload squid