Squid "Anti-Ad" Server Blocker

---

The proxy server Squid (Squid Web Proxy Cache) has the ability to read a list of ips from a text file and block those ips from clients using the proxy. This is perfect for blocking ad servers for your internal clients. Your clients in turn will not have to be bothered with ads, they will save bandwidth and you wont have to worry as much about that user that will click on any shiny animated object in front of them. This script works similarly to SafeSquid, but gives you full control of the list and allows for increased flexability.

Getting Started

The following three(3) lines need to be added anywhere in your squid.conf file. We are going to assume your squid.conf file is in /etc/squid/ and you will be putting your list of ad servers called ad_block.txt in the same directory.

NOTE: If you need assistance with Squid check out the Calomel.org Squid proxy "how to". You can also setup a proxy auto configuration (PAC) file in the browser using our Proxy Auto Config for Firefox (PAC) "how to".

The first line below is a comment and reminder where you are getting your list from. The second line is the regular expression that reads the "/etc/squid/ad_block.txt" file when the squid daemon loads or when you reconfigure the daemon with "squid -k reconfigure". The next line instructs squid to deny access to those ips in the list from clients using the squid proxy. The last line (deny_info) is optional, it just sends back a tcp rest to the client instead of sending an infomational error page. You may want this option if you do not want clients provided with any ifo about your proxy or why the error was triggered.

## disable ads ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/ad_block.txt"
http_access deny ads
#deny_info TCP_RESET ads

Fetching the list of ad servers

The next step is to fetch the list of known advertising hostnames and save them to a file so squid can read it. The following script uses curl to download the list from pgl.yoyo.org and save the list to a file in /etc/squid/ad_block.txt. The last line in the script tells squid to re-read the ad_block.txt list after the file is downloaded to load in any new ad servers.

#### Calomel.org  ad_servers_newlist.sh 
#
## get new ad server list
curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" > /etc/squid/ad_block.txt 

## refresh squid
/usr/local/sbin/squid -k reconfigure

Automating with cron

Lastly, you may want to setup and cron job to get the latest list every few days. The site you get the ad list from (pgl.yoyo.org) updates their ips every 3 days or so on average. With a cron job running you can make sure you have the latest list. Below is a cron job line to get the ad servers list every 3 days at 5:35am (0535).

#minute (0-59)
#|   hour (0-23)
#|   |    day of the month (1-31)
#|   |    |   month of the year (1-12 or Jan-Dec)
#|   |    |   |   day of the week (0-6 with 0=Sun or Sun-Sat)
#|   |    |   |   |   commands
#|   |    |   |   |   |
#### refresh squid's anti-ad server list
35   5    *   *   */3 /scripts_dir/ad_servers_newlist.sh >> /dev/null 2>&1

Distribute Certificates to Client Computers by Using Group Policy

You can use the following procedure to push down the appropriate Secure Sockets Layer (SSL) certificates (or equivalent certificates that chain to a trusted root) for account federation servers, resource federation servers, and Web servers to each client computer in the account partner forest by using Group Policy.

Membership in Domain Admins or Enterprise Admins, or equivalent, in Active Directory Domain Services (AD DS) is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To distribute certificates to client computers by using Group Policy

1. On a domain controller in the forest of the account partner organization, start the Group Policy Management snap-in.
2. Find an existing Group Policy Object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
3. Right-click the GPO, and then click Edit.
4. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the File to Import page, type the path to the appropriate certificate files (for example, \\fs1\c$\fs1.cer), and then click Next.
7. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
8. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
9. Repeat steps 2 through 6 to add additional certificates for each of the federation servers in the farm.

Squid web proxy with cache for windows

第一步: https://blog.csdn.net/qy20115549/article/details/83375817#squid_87

第二步: https proxy https://docs.diladele.com/faq/squid/sslbump_squid_windows.html

第三步: gen tructed root ca: https://docs.diladele.com/administrator_guide_5_2/https_filtering/generate_certificates/manually.html