Solved

squid proxy

Posted on 2011-03-02
12
1,431 Views
Last Modified: 2012-05-11
i have a proxy server running on a fedora linux box running in a windows 2003 domain using squid and i use it to block everything but a few website for a few computers i take care of, but not all the computer i am responsible for. now managment wants to have all computers blocked for things like facebook - so this is the opposite of how my proxy is currently setup. it seemed easy to block everything  and have a list of accepted site - now i have to have a list of un-accepted site and allow everything else.
Any ideas on how to do this?
0
Comment
Question by:JeffBeall
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 12

Accepted Solution

by:
asidu earned 125 total points
ID: 35018083
You will need to modify the squid proxy conf.
Its easy to block sites based on IP or partial domain name.
The difficult part is that you will have to decide what sites you intent to block.

You could divert all the traffic via the squid proxy first, study the log files.
The unoffical traffic could slowly be tightened.

You could run a new proxy server for the new scenario and leave the old one
as its running.

User will try all sorts of means to by pass the proxy and fault rate will shoot up initially. It will make sense to let the users know that a filter has been incorporated and some sites are blocked.


0
 
LVL 2

Expert Comment

by:Xav720
ID: 35018094
use squid with shuidguard you can you pfsense you have some package for squid and squid guard

http://www.squidguard.org/
www.pfsense.org
0
 
LVL 2

Expert Comment

by:silvanx
ID: 35024766
SquidGuard is what you're looking for. It allows you set up some ACLs (Access Control Lists) to restrict access basing on destination, source host (or subnet) or even date and time.

Some configuration examples are located here:
http://www.squidguard.org/Doc/extended.html

Then, you'd want to put those hosts which are allowed to access only a few sites in one "group" and the rest in the other - this way you could handle them differently and even redirect people to website that says "Sorry, no facebook at work".
0
 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35024920
Hi

I agree with Xav720.
pfSense is the easiest way to do that.

The web GUI simplifies the whole thing.
Just install the following packages on pfSense:
Squid 3
SquidGuard
LightSquid - This is a brilliant web usage report for SquidGuard.

Then add the black list URL to SquidGuard - http://www.shallalist.de/Downloads/shallalist.tar.gz
That will add millions of URLs to groups, then you can give users or groups access to these URL groups.
The group that contains facebook is - blk_BL_socialnet which also includes twitter and other time wasters.

pfSense will run on any desktop computer with at least one network card installed, two preferred, but you can VLAN if you only have one.

The combination of packages will give you even more options. I am sure they will want to block Gambling and Pornography as well.

BitFreeze.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35028903
so is pfSense like a linux distro? or do i install it on my fedora box?
0
 
LVL 2

Assisted Solution

by:silvanx
silvanx earned 125 total points
ID: 35029070
It's a microdistribution based on FreeBSD, meant to serve primarily as a firewall.

I guess you could install it using VirtualBox or some other virtualization system but setting network configuration to reroute entire dataflow through it could be tricky (if possible at all).
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Author Comment

by:JeffBeall
ID: 35029186
i didn't mean i wanted to install on my fedora box, i just was wondering what it is. it sounds something like ipcop. with ipcop, i downloaded it, burned the iso to a cd, booted to that cd and installed ipcop which was some form of linux so that after the install, when the computer boots, it goes right into ipcop.
0
 
LVL 2

Assisted Solution

by:Xav720
Xav720 earned 125 total points
ID: 35029503
PFsense is the best OS for firewalling , proxying you have . With the web based interface it's so easy to setup.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35030134
sounds good, I'll look into it. but i just thought of something else. can PFSense act as just a proxy? we currently have a firewall, and i would like to leave it as is.
0
 
LVL 2

Expert Comment

by:Xav720
ID: 35030175
yes ,only point your browser to it without no problem
0
 
LVL 11

Assisted Solution

by:Pieter Jordaan
Pieter Jordaan earned 125 total points
ID: 35030671
I have two installations of pfSense running at our head office.
my Firewall installation does multi-WAN with fail-over and traffic shaping, and another is only a proxy.

Version 1.2.3 has issues with multi-WAN and proxy on the same machine, which was solved on the new release as far as I know, but it makes sense to split the two, especially if you are not the only administrator.

It is better to keep the noobs away from the firewall rules. =)

I am the only firewall administrator, but I allow the other guys to fiddle with the proxy rules.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 35039188
thanks for the help
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now