How do I install and configure SquidGuard – a web filter plugin for Squid to restrict access to domains/URLs based upon access control lists? How do I block porn, gambling, and other web-sites using squid proxy server version 3.x under Debian or Ubuntu Linux server for my school?

Tutorial details
Difficulty level Intermediate
Root privileges Yes
Requirements squid/squidGurd
Est. reading time 20 minutes
squidGuard is flexible and ultra fast filter, redirector and access controller plugin for squid proxy server (it works with both squid version 2.x and 3.x). It lets you define multiple access rules with different restrictions for different user groups on a squid cache. squidGuard uses squid’s standard redirector interface.

Step #1: Install squidguard

Open a terminal and type the following command as root on the server:
# apt-get install squidguard

Step #2: Install Blacklist

The blacklists are the heart of every URL filter. Squidgurd supports both free and commercial distributions of blacklists on the net or create and use your own (or any combination of them). List of free databases:

  1. MESD blacklists (free).
  2. Shalla’s Blacklists (free for non commercial/private use).
  3. Urlblacklist (commercial)

Use wget command to download blacklists from as follows:
# cd /tmp
# wget -c

Sample outputs:

--2012-08-22 00:34:16--
Connecting to||:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 9935263 (9.5M), 7448411 (7.1M) remaining [application/x-tar]
Saving to: `shallalist.tar.gz'
100%[++++++++++++++============================================>] 99,35,263    475K/s   in 16s     
2012-08-22 00:34:33 (459 KB/s) - `shallalist.tar.gz' saved [9935263/9935263]

Untar tar ball, enter:
# tar -zxvf shallalist.tar.gz
Sample outputs:



In this example, install porn blacklist as follows using the cp command:
# cp -avr BL/porn/ /var/lib/squidguard/db/
Sample outputs:

`BL/porn/' -> `/var/lib/squidguard/db/porn'
`BL/porn/domains' -> `/var/lib/squidguard/db/porn/domains'
`BL/porn/urls' -> `/var/lib/squidguard/db/porn/urls'

Finally, create the database from text files as follows:
# cd /var/lib/squidguard/db/porn
# squidGuard -b -C domains
# squidGuard -b -C urls

Sample outputs:

Processing file and database /var/lib/squidguard/db/porn/domains
    [==================================================] 100 % done
Processing file and database /var/lib/squidguard/db/porn/urls
    [==================================================] 100 % done


  • -b : Show on progress bar when updating the blacklists.
  • -C fileName : Create new .db files from urls/domain files, which are specified in “fileName”.

Set permissions so that squid can read the files using chown command:
# chown proxy:proxy -R /var/lib/squidguard/db/

Step #3: Configure Squid 3

I’m assuming that Squid 3 is installed and configured properly. Edit /etc/squid3/squid.conf, enter:
# vi /etc/squid3/squid.conf
You need to specify the location of the executable for the URL rewriter using url_rewrite_program as follows:

url_rewrite_program /usr/bin/squidGuard

Save and close the file.

Step #4: Configure SquidGuard

Finally edit /etc/squid/squidGuard.conf, enter:
# vi /etc/squid/squidGuard.conf
Add the following directives:

## Block adult/porn sites for school  ##
dest porn {
        domainlist      porn/domains
        urllist         porn/urls

Edit / update acl as follows:

acl {
        default {
                pass  !porn all

Save and close the file. Create a blocked.html on web server:

		<title>URL Blocked</title>
		<h1>URL Blocked</h1>
		<p>Access to this site / url has been blocked.</p>
		<p>If you think this is an error, please contact the help-desk:</p>
		<p>Call us - 123-456-789 (ext. 333)</p>
		<p>Email us -</p>

Finally, reload the squid 2/3 proxy server:
# /usr/sbin/squid3 -k reconfigure
Verify that both squid and squidguard working properly, run:
# tail -f /var/log/squid3/cache.log
Sample outputs:

2012/08/22 01:23:40| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2012/08/22 01:23:40| Squid modules loaded: 0
2012/08/22 01:23:40| Adaptation support is off.
2012/08/22 01:23:40| Store logging disabled
2012/08/22 01:23:40| DNS Socket created at [::], FD 8
2012/08/22 01:23:40| DNS Socket created at, FD 9
2012/08/22 01:23:40| Adding nameserver from /etc/resolv.conf
2012/08/22 01:23:40| helperOpenServers: Starting 5/5 'squidGuard' processes
2012/08/22 01:23:40| Accepting  HTTP connections at [::]:3128, FD 30.
2012/08/22 01:23:40| HTCP Disabled.
2012/08/22 01:23:40| Loaded Icons.
2012/08/22 01:23:40| Ready to serve requests.

Step #5: Verify the configuration

Type the following command to verify that squidguard is working and blocking the urls:

echo "http://DOMAIN-NAME-HERE / - - GET" | squidGuard -d 
echo " / - - GET" | squidGuard -d

Sample outputs:

2012-08-22 01:26:05 [3365] New setting: dbhome: /var/lib/squidguard/db
2012-08-22 01:26:05 [3365] New setting: logdir: /var/log/squid3
2012-08-22 01:26:05 [3365] destblock good missing active content, set inactive
2012-08-22 01:26:05 [3365] destblock local missing active content, set inactive
2012-08-22 01:26:05 [3365] init domainlist /var/lib/squidguard/db/porn/domains
2012-08-22 01:26:05 [3365] loading dbfile /var/lib/squidguard/db/porn/domains.db
2012-08-22 01:26:05 [3365] init urllist /var/lib/squidguard/db/porn/urls
2012-08-22 01:26:05 [3365] loading dbfile /var/lib/squidguard/db/porn/urls.db
2012-08-22 01:26:05 [3365] squidGuard 1.4 started (1345578965.473)
2012-08-22 01:26:05 [3365] Info: recalculating alarm in 23635 seconds
2012-08-22 01:26:05 [3365] squidGuard ready for requests (1345578965.476)
2012-08-22 01:26:05 [3365] source not found
2012-08-22 01:26:05 [3365] no ACL matching source, using default /- - -
2012-08-22 01:26:05 [3365] squidGuard stopped (1345578965.477)

Or you can see the following in browser:

This URL Has Been Blocked - Opera Browser - SquidGuard with Squid 3 Proxy Server

Fig.01: SquidGuard in action

How do I block other categories?

Update /etc/squid/squidGuard.conf as follows. Define your categories. Just like you did above for porn:

dest gamble {
        domainlist      gamble/domains
        urllist         gamble/urls
dest alcohol {
        domainlist      alcohol/domains
        urllist         alcohol/urls

Update acl entry as follows:

acl {
        default {
                pass  !porn !gamble !alcohol all

You also need to install database in /var/lib/squidguard/db/ directory:
# cd /tmp
# cp -avr BL/alcohol/ /var/lib/squidguard/db/
# cp -avr BL/gamble/ /var/lib/squidguard/db/

To initializing the blacklists, run:
# squidGuard -C all
Or just initializing newly created categories:
# squidGuard -C /var/lib/squidguard/db/alcohol/domains
squidGuard -C /var/lib/squidguard/db/alcohol/urls

Finally, set permissions:
# chown proxy:proxy -R /var/lib/squidguard/db/
Reload the squid 3:
# /usr/sbin/squid3 -k reconfigure

Do not allow URL filter bypass by the IP addresses

To make sure that users don’t bypass the URL filter by simply using the IP addresses instead of the FQDNs, edit acl entry as follows with !in-addr directive:

acl {
        default {
                pass  !porn !gamble !alcohol !in-addr all

Reload the squid as follows:
# /usr/sbin/squid3 -k reconfigure

  • man pages – squidGuard(1)
  • For more information see squidguard website.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 33 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
33 comments… add one
  • muzzo Aug 22, 2012 @ 2:34

    Does it block ultrasurf? How do i blok unwanted or timely block certain http.sites..or httpa site?

  • CTime Aug 22, 2012 @ 5:56

    Very good tutorial. Thank you very much!

    Seems really useful to me!

  • Astax Aug 22, 2012 @ 6:25

    Is it possible to block https websites?

    • milano94 Sep 3, 2012 @ 13:57

      I don’t think squidguard capable to blocking https website,but you could consider using iptables as an alternative

      • diego Jul 13, 2013 @ 12:58

        you should block from squid.conf

        Look for

        acl Safe_ports port 443 # https

        and comment the line, then reload squid.

  • bords300 Aug 23, 2012 @ 1:41

    Can you put the server inline (between the router and cable modem) to filter the URL of the all PC’s behind the router?

    • iAppleFanBoie Aug 23, 2012 @ 14:00

      Yes, just put squid proxy in transparent mode and users won’t notice it at all.

  • Ugyen Nov 19, 2012 @ 4:50

    i was just confused, i did everything as show here, but the main problem is that all sites are getting blocked?
    i m not sure, maybe i lacked somewhere in the configuration?
    need some help pls…Thanks

  • mmajor Dec 19, 2012 @ 14:41

    Very good tutorial. Thank you very much!

  • Anish Jan 29, 2013 @ 14:21

    Yes, we block the porn sites. Is it possible to block particular URL- ??

  • Pitto Mar 25, 2013 @ 14:54

    Lovely tutorial but my squid will not start if I add “url_rewrite_program /usr/bin/squidGuard” to my squid.conf

    If I do a test with “echo “ / – – GET” | squidGuard -d” it works perfectly…

    What is wrong?

    • ukfromit Mar 7, 2014 @ 11:42

      Attention Pitto.

      You have to check our squidGuard.conf file

      sudo vi /etc/squid/squidGuard.conf

  • Andrew Apr 30, 2013 @ 4:26

    I do not understand the line:

    Save and close the file. Create a blocked.html on web server:

    what web server? I made the blocked.html file but where do I put it?

  • sanny May 1, 2013 @ 14:33


    I am also confused about this line:
    Create a blocked.html on web server:

    what is the location to save this file?

    • 🐧 nixCraft Jun 11, 2013 @ 13:18

      @ Andrew / sanny,

      You need to install Apache2 and put file in /var/www/ directory.


      • Harkirat Behl Dec 5, 2014 @ 10:51

        Enter the IP address of your new Proxy server
        what does this mean?

  • Charles Jun 10, 2013 @ 20:51


    I’ve put together a little script that will update that blacklists. Basically it will download, extract, move the files into place, rebuild the squidGuard databases, and reload the squidGuard processes. Will also send email notifying of success or failure.

    With minor modifications it should work on any system. Tested on Ubuntu 10.04 with distro squid3, and squidGuard 1.6 compiled from

    Feel free to download at hopefully it will be of use to someone.

  • SAMEE ULLAH Dec 14, 2013 @ 3:17

    Dear Tutor,

    Please help us in blocking facebook with I have tried it using Squid on CentOS and DansGuardian for url filtering. But all in vain because users are successful in wasting their time by using fb all day long.

    Please provide UNIX based perfect and industry standard solution to block specifically fb with HTTPS.

    Best Regards,
    Virtual University of Pakistan

  • Prosper Mar 20, 2014 @ 14:24


    I tried to follow through with the tutorial, but the thing is, I’m new and a novice, so I will just describe my situation and you guys should help me through it pls.

    I have a simple network with about 20 users, A Cisco 1940 Series router with IOS 15.01, which is connected to the ISP modem on port g0/1.

    The router’s g0/0 interface is connected to a switch where all the hosts are connected. the Router’s g0/0 interface is, cos I’m using a network

    I also have a Linux Server with Ubuntu 12.04LTS installed which will act my my Transparent Proxy server to block all unwanted websites (facebook, politics, porn, https) and manage bandwidth, I have installed Squid on the Linux Server. The Linux server IP is

    Can anyone please help me with the configuration (on squid, linux and router) required to achieve this?


  • Vasanth Aug 26, 2014 @ 18:29

    please let me know is there have any possibilities to unblock sites by domain names using wiildcard *.ph

  • mrd3 Nov 16, 2014 @ 7:02

    Having error i this part sir. What seems to be the error? I already chown to proxy:proxy
    Finally, create the database from text files as follows:
    # cd /var/lib/squidguard/db/porn
    # squidGuard -b -C domains
    # squidGuard -b -C urls

  • mrd3 Nov 16, 2014 @ 7:04

    Having error i this part sir. What seems to be the error? I already chown to proxy:proxy.

    Finally, create the database from text files as follows:
    # cd /var/lib/squidguard/db/porn
    # squidGuard -b -C domains
    # squidGuard -b -C urls

    Nothing happens when I typed these commands.

  • Muhammad anis Nov 19, 2014 @ 7:15

    Please provide UNIX based perfect and industry standard solution to block specifically facebook with HTTPS

  • Harkirat Behl Dec 2, 2014 @ 7:53

    Squidguard works fine with the echo command but
    Squidguard is not blocking via browser

  • mohit Dec 31, 2014 @ 5:01

    is there any process to unblock the proxy site…

  • Jose Fuentes Mar 11, 2015 @ 21:56

    Only works witch echo blocking websites but is not working via broser, what can i do?

  • Justin Apr 22, 2015 @ 14:26

    The echo command works fine, howerver when I try through a web browser it fails

    Through echo
    2015-04-22 15:24:50 [3339] INFO: squidGuard ready for requests (1429712690.990)
    2015-04-22 15:24:50 [3339] source not found
    2015-04-22 15:24:50 [3339] no ACL matching source, using default
    http// -/- – GET
    2015-04-22 15:24:50 [3339] INFO: squidGuard stopped (1429712690.990)

    Through browser (line from /var/log/squid3/cache.log)

    2015/04/22 15:25:17| ERROR: URL-rewrite produces invalid request: GET http// HTTP1.1

  • Gowtham Saran D Jul 1, 2015 @ 11:51

    squidGuard -b -C domains command not working. Says unable to do and booting in emergency mode

    Please help me

  • thusitha Nov 27, 2015 @ 6:54

    hey ,
    After copy porn folder to “/var/lib/squidguard/db/”
    and “cd porn/”
    then “squidguard -b -C domains”
    when I add this it gives an error,says that “squidguard: command not found”.How to correct that?Give some help.

  • thusitha Nov 27, 2015 @ 7:15

    My mistake,
    command “squidguard” typo must be “squidGuard”

  • Ricardo Nov 3, 2016 @ 8:24

    Found this link by chance. Is this still valid today or is there a better service?

  • Ioannis Jan 17, 2017 @ 8:59

    Hello,I was stuck on step #2 at
    # cd /var/lib/squidguard/db/porn
    # squidGuard -b -C domains
    # squidGuard -b -C urls

    i go to the directory with the first command, i run either the first or the second command and after pressing enter, the following message comes out:
    “BDB1565 DB->put: method not permitted before handle’s open method”
    if i continue with the following steps,squidguard goes to emergency mode..So,any help please?

  • Sanzaru Jan 18, 2017 @ 16:41

    I have an issue while i try to compile the backlist with
    # sudo squidGuard -C all
    Nothing happens…
    I’ve tested it with just 2 or 3 domians and it works fine but with Shalla’s Blacklist it does nothing.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum