Solved

squid proxy

Posted on 2011-03-02
Last Modified: 2012-05-11
I have a proxy server running on a Fedora Linux box running in a Windows 2003 domain using Squid, and I use it to block everything but a few websites for a few computers I take care of, but not all the computers I am responsible for. Now management wants to have all computers blocked for things like Facebook, so this is the opposite of how my proxy is currently set up. It seemed easy to block everything and have a list of accepted sites; now I have to have a list of unaccepted sites and allow everything else.
Any ideas on how to do this?
Question by:JeffBeall
12 Comments
 
LVL 12

Accepted Solution

by:
asidu earned 125 total points
ID: 35018083
You will need to modify the Squid proxy conf.
It's easy to block sites based on IP or partial domain name.
The difficult part is that you will have to decide what sites you intend to block.

You could divert all the traffic via the Squid proxy first and study the log files.
The unofficial traffic could slowly be tightened.

You could run a new proxy server for the new scenario and leave the old one
as it's running.

Users will try all sorts of means to bypass the proxy, and the fault rate will shoot up initially. It will make sense to let the users know that a filter has been incorporated and some sites are blocked.


0
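The change the question asks for, sketched as a plain squid.conf fragment. This is an added example, not part of any post on this page; the addresses, file path, block-page URL and ACL names are assumptions.

```conf
# --- Before: allow-list only (everything else is denied) ---------------
# acl lan           src 192.168.1.0/24
# acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"
# http_access allow lan allowed_sites
# http_access deny all

# --- After: deny-list for everyone, allow-list kept for a few PCs ------
# Constructed values: replace the subnet, hosts and paths with your own.

# All clients on the LAN
acl lan src 192.168.1.0/24

# The few computers that stay on the old "only these sites" policy
acl restricted_pcs src 192.168.1.50 192.168.1.51
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Sites blocked for all computers.
# A leading dot matches the domain and every subdomain.
acl blocked_sites dstdomain .facebook.com

# Optional: send blocked requests to an internal notice page
deny_info http://intranet.example/blocked.html blocked_sites

# Keep the stock Safe_ports / SSL_ports rules from the default
# squid.conf above this point.

# http_access rules are evaluated top to bottom; the first match wins.
http_access deny blocked_sites                  # deny-list applies to everyone
http_access allow restricted_pcs allowed_sites  # restricted PCs: allow-list only
http_access deny restricted_pcs                 # ...and nothing else
http_access allow lan                           # everyone else: all other sites
http_access deny all                            # anything not from the LAN
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` loads it without restarting the proxy.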
 
LVL 2

Expert Comment

by:Xav720
ID: 35018094
Use Squid with SquidGuard. You can use pfSense; you have some packages for Squid and SquidGuard.

http://www.squidguard.org/
www.pfsense.org
0
 
LVL 2

Expert Comment

by:silvanx
ID: 35024766
SquidGuard is what you're looking for. It allows you to set up some ACLs (Access Control Lists) to restrict access based on destination, source host (or subnet) or even date and time.

Some configuration examples are located here:
http://www.squidguard.org/Doc/extended.html

Then, you'd want to put those hosts which are allowed to access only a few sites in one "group" and the rest in the other - this way you could handle them differently and even redirect people to a website that says "Sorry, no facebook at work".
0

 
LVL 11

Expert Comment

by:Pieter Jordaan
ID: 35024920
Hi

I agree with Xav720.
pfSense is the easiest way to do that.

The web GUI simplifies the whole thing.
Just install the following packages on pfSense:
Squid 3
SquidGuard
LightSquid - This is a brilliant web usage report for SquidGuard.

Then add the black list URL to SquidGuard - http://www.shallalist.de/Downloads/shallalist.tar.gz
That will add millions of URLs to groups, then you can give users or groups access to these URL groups.
The group that contains facebook is - blk_BL_socialnet which also includes twitter and other time wasters.

pfSense will run on any desktop computer with at least one network card installed, two preferred, but you can VLAN if you only have one.

The combination of packages will give you even more options. I am sure they will want to block Gambling and Pornography as well.

BitFreeze.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35028903
So is pfSense like a Linux distro? Or do I install it on my Fedora box?
0
 
LVL 2

Assisted Solution

by:silvanx
silvanx earned 125 total points
ID: 35029070
It's a microdistribution based on FreeBSD, meant to serve primarily as a firewall.

I guess you could install it using VirtualBox or some other virtualization system but setting network configuration to reroute entire dataflow through it could be tricky (if possible at all).
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35029186
I didn't mean I wanted to install on my Fedora box, I just was wondering what it is. It sounds something like IPCop. With IPCop, I downloaded it, burned the ISO to a CD, booted to that CD and installed IPCop, which was some form of Linux, so that after the install, when the computer boots, it goes right into IPCop.
0
 
LVL 2

Assisted Solution

by:Xav720
Xav720 earned 125 total points
ID: 35029503
pfSense is the best OS for firewalling and proxying you have. With the web-based interface it's so easy to set up.
0
 
LVL 1

Author Comment

by:JeffBeall
ID: 35030134
Sounds good, I'll look into it. But I just thought of something else. Can pfSense act as just a proxy? We currently have a firewall, and I would like to leave it as is.
0
 
LVL 2

Expert Comment

by:Xav720
ID: 35030175
Yes, only point your browser to it, without any problem.
0
 
LVL 11

Assisted Solution

by:Pieter Jordaan
Pieter Jordaan earned 125 total points
ID: 35030671
I have two installations of pfSense running at our head office.
My firewall installation does multi-WAN with fail-over and traffic shaping, and another is only a proxy.

Version 1.2.3 has issues with multi-WAN and proxy on the same machine, which was solved in the new release as far as I know, but it makes sense to split the two, especially if you are not the only administrator.

It is better to keep the noobs away from the firewall rules. =)

I am the only firewall administrator, but I allow the other guys to fiddle with the proxy rules.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 35039188
thanks for the help
0

Question has a verified solution.
