Complete Advanced Configuration
Here’s the recommended complete configuration with all advanced rules:
squid.conf
Allow Rule for Essential Domains
Purpose
Use allowdomains.txt to exempt essential domains or subdomains that BlackWeb might otherwise block but that legitimate services depend on.
Configuration
Why This Matters
According to Squid’s documentation, subdomains like accounts.google.com and accounts.youtube.com may be used by Google for authentication within its ecosystem. Blocking them could disrupt access to services like Gmail, Drive, Docs, and others.
Example allowdomains.txt
allowdomains.txt
Block Rule for Additional Domains
Purpose
Use blockdomains.txt to block domains not included in blackweb.txt, such as organization-specific blocked sites.
Configuration
Example blockdomains.txt
blockdomains.txt
Block Rule for Top-Level Domains
Purpose
Use blocktlds.txt to block entire top-level domains (gTLD, sTLD, ccTLD, etc.) that are commonly associated with spam, malware, or unwanted content.
Configuration
How It Works
Input domains: .xxx, .adult, .porn, and .ru domains are blocked based on their TLD, while .com remains accessible.
Example blocktlds.txt
blocktlds.txt
Punycode Protection (IDN Homograph Attack)
Purpose
Block Punycode (RFC 3492) encoded internationalized domain names (IDN) to prevent IDN homograph attacks, in which attackers use look-alike characters to create fake domains.
Configuration
How It Works
Input domains: hostnames carrying the xn-- Punycode prefix are blocked to prevent homograph attacks.
For more information, visit welivesecurity: Homograph attacks.
Block Rule for Patterns (Words)
Purpose
Block URLs containing specific keywords or patterns in the URL path.
Configuration
How It Works
Input URLs:
Streaming Control (Optional)
Purpose
Use streaming.txt to block streaming domains not included in blackweb.txt, such as YouTube, Facebook Live, or other video platforms.
Configuration
Important Considerations
This list may contain overlapping domains. It’s important to manually clean it according to your objective:
Option 1: Block entire platform (e.g., Facebook)
streaming.txt
This blocks Facebook entirely.
Option 2: Block specific features (e.g., Facebook streaming only)
streaming.txt
This blocks streaming content while allowing general Facebook access.
Example streaming.txt
streaming.txt
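The allow, block, TLD and Punycode rules above, together with the overlap check the streaming section recommends, as an added Python example that is not BlackWeb's or Squid's own code. It reimplements Squid's dstdomain matching (a leading dot matches the domain and all its subdomains) and assumes the rule order allowlist first, then the block rules, because the page's squid.conf is not reproduced here; the sample lists are constructed.

```python
def dom_match(host, entry):
    """Squid dstdomain semantics: '.example.com' matches example.com and
    every subdomain; a bare 'example.com' matches only that exact host."""
    host = host.lower().rstrip(".")
    entry = entry.lower().strip()
    if entry.startswith("."):
        base = entry[1:]
        return host == base or host.endswith("." + base)
    return host == entry


def has_punycode(host):
    """True if any DNS label carries the RFC 3492 ACE prefix 'xn--'."""
    return any(label.lower().startswith("xn--") for label in host.split("."))


def decide(host, allow, block, tlds, block_punycode=True):
    """Assumed rule order (the page's squid.conf is not reproduced here):
    allowdomains first, then punycode, blocktlds and blockdomains.
    Returns (verdict, matching rule)."""
    if any(dom_match(host, e) for e in allow):
        return ("ALLOW", "allowdomains.txt")
    if block_punycode and has_punycode(host):
        return ("DENY", "punycode")
    if any(dom_match(host, e) for e in tlds):
        return ("DENY", "blocktlds.txt")
    if any(dom_match(host, e) for e in block):
        return ("DENY", "blockdomains.txt")
    return ("ALLOW", "default")


def shadowed(entries):
    """Entries already covered by a broader '.domain' entry in the same
    list, e.g. 'live.facebook.com' when '.facebook.com' is present too."""
    return [e for e in entries
            if any(o != e and o.startswith(".") and dom_match(e.lstrip("."), o)
                   for o in entries)]


# Constructed sample lists; not the project's shipped files.
ALLOW = [".accounts.google.com", ".accounts.youtube.com"]
BLOCK = [".example-blocked.test"]
TLDS = [".xxx", ".adult", ".porn", ".ru"]

if __name__ == "__main__":
    for h in ["accounts.google.com", "shop.example.ru",
              "xn--test.example.com", "www.example-blocked.test"]:
        print(h, decide(h, ALLOW, BLOCK, TLDS))
    print("redundant:", shadowed([".facebook.com", "live.facebook.com"]))
```

Run shadowed() over your cleaned streaming.txt to find entries that a broader wildcard entry already covers, which is the overlap the considerations above warn about.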
Testing Your Advanced Rules
After configuring advanced rules:
Best Practices
Start with allowlists
Before deploying BlackWeb broadly, create a comprehensive allowdomains.txt with all essential business and authentication domains.
Test in stages
Implement rules gradually:
- Start with basic BlackWeb blocking
- Add allowlists
- Enable punycode protection
- Add TLD blocking
- Finally, add pattern matching and streaming controls
Document your customizations
Keep detailed notes on which domains you’ve added to custom lists and why, especially for allowdomains.txt.
Regular review
Periodically review your custom lists and remove entries that are no longer needed.
