Hello.
I am running OpenWrt 22.03 on a router.
This router is configured as WireGuard server for 4 routers configured as WireGuard clients that implement Policy Based Routing on URL (i.e. these clients route only www.example.com over the VPN).
I would like to add a second level of "filtering" on the server by blocking every URL except www.example.com.
I cannot use DNS filtering because it would be bypassed if the WireGuard clients use their own DNS, and they need to resolve the URL to achieve the Policy Based (on URL) Routing.
For this reason I was thinking about Squid on the server, but I did not manage to filter URLs with Squid (v4.17).
My final need would be to configure Squid as a transparent proxy that ONLY filters URLs other than www.example.com coming from the WireGuard (wg0) interface (by redirecting all traffic coming in on wg0 port 80 to 3128).
Anyway, to start with something much simpler, I tried to launch it on port 3128 and to configure my PC browser to use the proxy 192.168.3.1:3128 (192.168.3.1 is the IP of the OpenWrt router in my LAN).
This is my Squid configuration (in this example I tried to allow navigation only to google.com while blocking all the rest, but I can navigate with no limitation):
http_port 3128
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl misc dstdomain google.com
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow misc
# And finally deny all other access to this proxy
http_access deny all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
#cache_dir ufs /etc/squid/squid_cache 100 16 256
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Squid user
cache_effective_user squid
#
# Logs, best to use only for debugging as they can become very large
#
access_log none # daemon:/tmp/squid_access.log
cache_log /dev/null # /tmp/squid_cache.log
Any idea of what I could be doing wrong?
Any suggestions?
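The reason the posted config lets everything through is the order of the http_access lines: Squid evaluates them first-match, and "http_access allow localnet" sits above "http_access allow misc", so any LAN client is allowed before the domain ACL is ever consulted. The fix is to AND the source ACL with the destination ACL on one line. The script below is an added example, not code from the original post or from the Squid or OpenWrt projects: it prints a corrected squid.conf for an allow-only-www.example.com policy and the OpenWrt 22.03 (fw4) uci commands that steer TCP/80 arriving from the WireGuard zone into a separate Squid intercept port. Everything in it is an assumption to adapt: the LAN 192.168.3.0/24, the tunnel network 10.8.0.0/24, a firewall zone named "wg" holding wg0, intercept port 3129, the function names squid_conf, http_access_rule_index and wg0_redirect_uci, and that the OpenWrt squid package was built with netfilter intercept support.

```shell
#!/bin/sh
# Added example, not from the original post: corrected squid.conf plus the fw4
# redirect that feeds WireGuard HTTP traffic into Squid's intercept port.
# Hypothetical values, adjust to your setup:
ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-www.example.com}"   # host to allow
WG_NET="${WG_NET:-10.8.0.0/24}"                       # WireGuard tunnel range
WG_ZONE="${WG_ZONE:-wg}"                              # firewall zone holding wg0

# Print the corrected squid.conf. http_access is first-match, so a bare
# "allow localnet" above the domain rule admits every LAN client; ANDing the
# source ACL with the destination ACL on one line is what enforces the filter.
squid_conf() {
  cat <<EOF
# explicit proxy port (browser configured for 192.168.3.1:3128)
http_port 3128
# intercept port fed by the fw4 redirect; must differ from the explicit port
http_port 3129 intercept

acl localnet src 192.168.3.0/24
acl wgnet src $WG_NET
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
# matches this exact host only; use ".example.com" to also match subdomains
acl allowed_sites dstdomain $ALLOWED_DOMAIN

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# first match wins: source AND destination must both match to be allowed
http_access allow localnet allowed_sites
http_access allow wgnet allowed_sites
http_access deny all

cache deny all
cache_effective_user squid
# keep a log while testing so denied requests (TCP_DENIED/403) are visible
access_log daemon:/tmp/squid_access.log
cache_log /tmp/squid_cache.log
EOF
}

# Line number of the first http_access rule containing $1, empty if absent.
# Lets you check that the allow rules really sit above "deny all".
http_access_rule_index() {
  squid_conf | grep -n "^http_access" | grep -m1 "$1" | cut -d: -f1
}

# Print the uci commands that redirect TCP/80 from the wg zone to the
# intercept port and accept that input. Pipe into sh on the router to apply.
wg0_redirect_uci() {
  cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='wg-http-to-squid'
uci set firewall.@redirect[-1].src='$WG_ZONE'
uci set firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='80'
uci set firewall.@redirect[-1].dest_port='3129'
uci set firewall.@redirect[-1].target='DNAT'
uci add firewall rule
uci set firewall.@rule[-1].name='wg-to-squid-intercept'
uci set firewall.@rule[-1].src='$WG_ZONE'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='3129'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# usage: sh squid-wg.sh conf > /etc/squid/squid.conf ; sh squid-wg.sh redirect | sh
case "${1:-}" in
  conf) squid_conf ;;
  redirect) wg0_redirect_uci ;;
esac
```

Two caveats worth keeping in mind. Through the explicit proxy, HTTPS is still filtered because the CONNECT request carries the destination host, so dstdomain applies to it; through the redirect, only TCP/80 reaches Squid, so HTTPS from the wg0 clients bypasses the proxy entirely unless port 443 is also intercepted with ssl_bump (which needs a Squid build with OpenSSL support and can only peek at the SNI without decrypting). And because this config turns logging on, check /tmp/squid_access.log for TCP_DENIED lines while testing; the original config's "access_log none" hides exactly the evidence you need to see whether a rule matched.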