Solved

squid proxy

Posted on 2011-03-02
12
1,454 Views
Last Modified: 2012-05-11
i have a proxy server running on a fedora linux box running in a windows 2003 domain using squid and i use it to block everything but a few website for a few computers i take care of, but not all the computer i am responsible for. now managment wants to have all computers blocked for things like facebook - so this is the opposite of how my proxy is currently setup. it seemed easy to block everything  and have a list of accepted site - now i have to have a list of un-accepted site and allow everything else.
Any ideas on how to do this?
0
Comment
Question by:JeffBeall
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 12

Accepted Solution

by:
asidu earned 125 total points
ID: 35018083
You will need to modify the squid proxy conf.
Its easy to block sites based on IP or partial domain name.
The difficult part is that you will have to decide what sites you intent to block.

You could divert all the traffic via the squid proxy first, study the log files.
The unoffical traffic could slowly be tightened.

You could run a new proxy server for the new scenario and leave the old one
as its running.

User will try all sorts of means to by pass the proxy and fault rate will shoot up initially. It will make sense to let the users know that a filter has been incorporated and some sites are blocked.


0
 
LVL 2

Expert Comment

by:Xav720
ID: 35018094
use squid with shuidguard you can you pfsense you have some package for squid and squid guard

http://www.squidguard.org/
www.pfsense.org
0
 
LVL 2

Expert Comment

by:silvanx
ID: 35024766
SquidGuard is what you're looking for. It allows you set up some ACLs (Access Control Lists) to restrict access basing on destination, source host (or subnet) or even date and time.

Some configuration examples are located here:
http://www.squidguard.org/Doc/extended.html

Then, you'd want to put those hosts which are allowed to access only a few sites in one "group" and the rest in the other - this way you could handle them differently and even redirect people to website that says "Sorry, no facebook at work".
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35024920
Hi

I agree with Xav720.
pfSense is the easiest way to do that.

The web GUI simplifies the whole thing.
Just install the following packages on pfSense:
Squid 3
SquidGuard
LightSquid - This is a brilliant web usage report for SquidGuard.

Then add the black list URL to SquidGuard - http://www.shallalist.de/Downloads/shallalist.tar.gz
That will add millions of URLs to groups, then you can give users or groups access to these URL groups.
The group that contains facebook is - blk_BL_socialnet which also includes twitter and other time wasters.

pfSense will run on any desktop computer with at least one network card installed, two preferred, but you can VLAN if you only have one.

The combination of packages will give you even more options. I am sure they will want to block Gambling and Pornography as well.

BitFreeze.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35028903
so is pfSense like a linux distro? or do i install it on my fedora box?
0
 
LVL 2

Assisted Solution

by:silvanx
silvanx earned 125 total points
ID: 35029070
It's a microdistribution based on FreeBSD, meant to serve primarily as a firewall.

I guess you could install it using VirtualBox or some other virtualization system but setting network configuration to reroute entire dataflow through it could be tricky (if possible at all).
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35029186
i didn't mean i wanted to install on my fedora box, i just was wondering what it is. it sounds something like ipcop. with ipcop, i downloaded it, burned the iso to a cd, booted to that cd and installed ipcop which was some form of linux so that after the install, when the computer boots, it goes right into ipcop.
0
 
LVL 2

Assisted Solution

by:Xav720
Xav720 earned 125 total points
ID: 35029503
PFsense is the best OS for firewalling , proxying you have . With the web based interface it's so easy to setup.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35030134
sounds good, I'll look into it. but i just thought of something else. can PFSense act as just a proxy? we currently have a firewall, and i would like to leave it as is.
0
 
LVL 2

Expert Comment

by:Xav720
ID: 35030175
yes ,only point your browser to it without no problem
0
 
LVL 11

Assisted Solution

by:Pieter Jordaan
Pieter Jordaan earned 125 total points
ID: 35030671
I have two installations of pfSense running at our head office.
my Firewall installation does multi-WAN with fail-over and traffic shaping, and another is only a proxy.

Version 1.2.3 has issues with multi-WAN and proxy on the same machine, which was solved on the new release as far as I know, but it makes sense to split the two, especially if you are not the only administrator.

It is better to keep the noobs away from the firewall rules. =)

I am the only firewall administrator, but I allow the other guys to fiddle with the proxy rules.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 35039188
thanks for the help
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Edit file on Ubuntu as root 23 140
How to Edit Files in Linux 6 132
Linux Login using LDAP or Active Directory 4 159
Automate the blocking off IP's from a list file in Ubuntu 9 83
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Fine Tune your automatic Updates for Ubuntu / Debian
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question