Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

squid proxy

Posted on 2011-03-02
12
Medium Priority
?
1,484 Views
Last Modified: 2012-05-11
i have a proxy server running on a fedora linux box running in a windows 2003 domain using squid and i use it to block everything but a few website for a few computers i take care of, but not all the computer i am responsible for. now managment wants to have all computers blocked for things like facebook - so this is the opposite of how my proxy is currently setup. it seemed easy to block everything  and have a list of accepted site - now i have to have a list of un-accepted site and allow everything else.
Any ideas on how to do this?
0
Comment
Question by:JeffBeall
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 12

Accepted Solution

by:
asidu earned 500 total points
ID: 35018083
You will need to modify the squid proxy conf.
Its easy to block sites based on IP or partial domain name.
The difficult part is that you will have to decide what sites you intent to block.

You could divert all the traffic via the squid proxy first, study the log files.
The unoffical traffic could slowly be tightened.

You could run a new proxy server for the new scenario and leave the old one
as its running.

User will try all sorts of means to by pass the proxy and fault rate will shoot up initially. It will make sense to let the users know that a filter has been incorporated and some sites are blocked.


0
 
LVL 2

Expert Comment

by:Xav720
ID: 35018094
use squid with shuidguard you can you pfsense you have some package for squid and squid guard

http://www.squidguard.org/
www.pfsense.org
0
 
LVL 2

Expert Comment

by:silvanx
ID: 35024766
SquidGuard is what you're looking for. It allows you set up some ACLs (Access Control Lists) to restrict access basing on destination, source host (or subnet) or even date and time.

Some configuration examples are located here:
http://www.squidguard.org/Doc/extended.html

Then, you'd want to put those hosts which are allowed to access only a few sites in one "group" and the rest in the other - this way you could handle them differently and even redirect people to website that says "Sorry, no facebook at work".
0
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35024920
Hi

I agree with Xav720.
pfSense is the easiest way to do that.

The web GUI simplifies the whole thing.
Just install the following packages on pfSense:
Squid 3
SquidGuard
LightSquid - This is a brilliant web usage report for SquidGuard.

Then add the black list URL to SquidGuard - http://www.shallalist.de/Downloads/shallalist.tar.gz
That will add millions of URLs to groups, then you can give users or groups access to these URL groups.
The group that contains facebook is - blk_BL_socialnet which also includes twitter and other time wasters.

pfSense will run on any desktop computer with at least one network card installed, two preferred, but you can VLAN if you only have one.

The combination of packages will give you even more options. I am sure they will want to block Gambling and Pornography as well.

BitFreeze.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35028903
so is pfSense like a linux distro? or do i install it on my fedora box?
0
 
LVL 2

Assisted Solution

by:silvanx
silvanx earned 500 total points
ID: 35029070
It's a microdistribution based on FreeBSD, meant to serve primarily as a firewall.

I guess you could install it using VirtualBox or some other virtualization system but setting network configuration to reroute entire dataflow through it could be tricky (if possible at all).
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35029186
i didn't mean i wanted to install on my fedora box, i just was wondering what it is. it sounds something like ipcop. with ipcop, i downloaded it, burned the iso to a cd, booted to that cd and installed ipcop which was some form of linux so that after the install, when the computer boots, it goes right into ipcop.
0
 
LVL 2

Assisted Solution

by:Xav720
Xav720 earned 500 total points
ID: 35029503
PFsense is the best OS for firewalling , proxying you have . With the web based interface it's so easy to setup.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35030134
sounds good, I'll look into it. but i just thought of something else. can PFSense act as just a proxy? we currently have a firewall, and i would like to leave it as is.
0
 
LVL 2

Expert Comment

by:Xav720
ID: 35030175
yes ,only point your browser to it without no problem
0
 
LVL 11

Assisted Solution

by:Pieter Jordaan
Pieter Jordaan earned 500 total points
ID: 35030671
I have two installations of pfSense running at our head office.
my Firewall installation does multi-WAN with fail-over and traffic shaping, and another is only a proxy.

Version 1.2.3 has issues with multi-WAN and proxy on the same machine, which was solved on the new release as far as I know, but it makes sense to split the two, especially if you are not the only administrator.

It is better to keep the noobs away from the firewall rules. =)

I am the only firewall administrator, but I allow the other guys to fiddle with the proxy rules.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 35039188
thanks for the help
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Fine Tune your automatic Updates for Ubuntu / Debian
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Loops Section Overview
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question