Solved

squid proxy

Posted on 2011-03-02
12
1,435 Views
Last Modified: 2012-05-11
i have a proxy server running on a fedora linux box running in a windows 2003 domain using squid and i use it to block everything but a few website for a few computers i take care of, but not all the computer i am responsible for. now managment wants to have all computers blocked for things like facebook - so this is the opposite of how my proxy is currently setup. it seemed easy to block everything  and have a list of accepted site - now i have to have a list of un-accepted site and allow everything else.
Any ideas on how to do this?
0
Comment
Question by:JeffBeall
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 12

Accepted Solution

by:
asidu earned 125 total points
ID: 35018083
You will need to modify the squid proxy conf.
Its easy to block sites based on IP or partial domain name.
The difficult part is that you will have to decide what sites you intent to block.

You could divert all the traffic via the squid proxy first, study the log files.
The unoffical traffic could slowly be tightened.

You could run a new proxy server for the new scenario and leave the old one
as its running.

User will try all sorts of means to by pass the proxy and fault rate will shoot up initially. It will make sense to let the users know that a filter has been incorporated and some sites are blocked.


0
 
LVL 2

Expert Comment

by:Xav720
ID: 35018094
use squid with shuidguard you can you pfsense you have some package for squid and squid guard

http://www.squidguard.org/
www.pfsense.org
0
 
LVL 2

Expert Comment

by:silvanx
ID: 35024766
SquidGuard is what you're looking for. It allows you set up some ACLs (Access Control Lists) to restrict access basing on destination, source host (or subnet) or even date and time.

Some configuration examples are located here:
http://www.squidguard.org/Doc/extended.html

Then, you'd want to put those hosts which are allowed to access only a few sites in one "group" and the rest in the other - this way you could handle them differently and even redirect people to website that says "Sorry, no facebook at work".
0
 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35024920
Hi

I agree with Xav720.
pfSense is the easiest way to do that.

The web GUI simplifies the whole thing.
Just install the following packages on pfSense:
Squid 3
SquidGuard
LightSquid - This is a brilliant web usage report for SquidGuard.

Then add the black list URL to SquidGuard - http://www.shallalist.de/Downloads/shallalist.tar.gz
That will add millions of URLs to groups, then you can give users or groups access to these URL groups.
The group that contains facebook is - blk_BL_socialnet which also includes twitter and other time wasters.

pfSense will run on any desktop computer with at least one network card installed, two preferred, but you can VLAN if you only have one.

The combination of packages will give you even more options. I am sure they will want to block Gambling and Pornography as well.

BitFreeze.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35028903
so is pfSense like a linux distro? or do i install it on my fedora box?
0
 
LVL 2

Assisted Solution

by:silvanx
silvanx earned 125 total points
ID: 35029070
It's a microdistribution based on FreeBSD, meant to serve primarily as a firewall.

I guess you could install it using VirtualBox or some other virtualization system but setting network configuration to reroute entire dataflow through it could be tricky (if possible at all).
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 1

Author Comment

by:JeffBeall
ID: 35029186
i didn't mean i wanted to install on my fedora box, i just was wondering what it is. it sounds something like ipcop. with ipcop, i downloaded it, burned the iso to a cd, booted to that cd and installed ipcop which was some form of linux so that after the install, when the computer boots, it goes right into ipcop.
0
 
LVL 2

Assisted Solution

by:Xav720
Xav720 earned 125 total points
ID: 35029503
PFsense is the best OS for firewalling , proxying you have . With the web based interface it's so easy to setup.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35030134
sounds good, I'll look into it. but i just thought of something else. can PFSense act as just a proxy? we currently have a firewall, and i would like to leave it as is.
0
 
LVL 2

Expert Comment

by:Xav720
ID: 35030175
yes ,only point your browser to it without no problem
0
 
LVL 11

Assisted Solution

by:Pieter Jordaan
Pieter Jordaan earned 125 total points
ID: 35030671
I have two installations of pfSense running at our head office.
my Firewall installation does multi-WAN with fail-over and traffic shaping, and another is only a proxy.

Version 1.2.3 has issues with multi-WAN and proxy on the same machine, which was solved on the new release as far as I know, but it makes sense to split the two, especially if you are not the only administrator.

It is better to keep the noobs away from the firewall rules. =)

I am the only firewall administrator, but I allow the other guys to fiddle with the proxy rules.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 35039188
thanks for the help
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now