Linux - Newbie (LinuxQuestions.org): This Linux forum is for members that are new to Linux.
Hi everybody,
I am running squid-3.1.11 on Ubuntu 11.04 as a transparent proxy. I need rules in which there are no size restrictions for some authorized PCs, even during office hours, and no size restrictions for anyone after office hours. First I tried
Code:
reply_body_max_size 100 MB
This also restricts the authorized IPs while downloading, even though they are already able to access restricted sites. Then I commented out the above rule and tried
Code:
acl officehours time 09:00-18:00
reply_body_max_size 104857600 allow officehours
Now none of the sites (even Google) open from the clients. So please help me add rules that restrict downloads larger than 100 MB for everyone apart from some authorized IPs.
Last edited by mandyapenguin; 12-06-2011 at 07:11 AM.
Reason: correction
acl official_hours time 09:00-18:00
reply_body_max_size none
http_access allow official_hours
If I put the above rule, everyone is able to download even large files and there is no limitation for any user.
I don't want this; I want 2 rules:
1) I want to allow downloads of only up to 100 MB for everyone from 9AM to 6PM. From 6PM to 9AM everyone should be able to download large files, even more than 100MB in size.
2) There should not be any download limitation for some authorized PCs, even during office hours, and these authorized PCs should be able to download files of more than 100MB at any time.
If I try this below
Now the time and auth_IP rules are not applied, and everyone, including auth_IP, is able to download only up to 100 MB at any time.
So please help me add the 2 rules that I requested in the beginning.
The above rules are not applying and I am getting the error below
Code:
#service squid3 restart
* Restarting Squid HTTP Proxy 3.x squid3
2011/12/08 20:42:55| aclIpParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.0.1/24'
2011/12/08 20:42:55| aclParseAclList: ACL name 'allow' not found.
FATAL: Bungled squid.conf line 1062: reply_body_max_size 0 allow imp_users
Squid Cache (Version 3.1.11): Terminated abnormally.
CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
Maximum Resident Size: 16544 KB
Page faults with physical i/o: 0 [fail]
The problem is that none of the rules apply with the reply_body_max_size line. If we add only
Code:
reply_body_max_size 100 MB
then the rule applies, but it affects everyone, including important users, at all times.
So I also tried putting "!imp_users", 100 MB instead of 104857600, and 0 instead of none, but none of the rules apply. I request you to check it once with squid-3.1.11 and please let me know if those two rules apply on your machine.
Last edited by mandyapenguin; 12-08-2011 at 09:30 AM.
acl non_official_hours time 18:00-23:59
acl non_official_hours time 00:01-09:00
http_access allow non_official_hours
reply_body_max_size none non_official_hours
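Putting the thread's pieces together, here is an added example (not posted by anyone in the thread) of a complete squid.conf fragment for Squid 3.1 that implements the two requested rules. It relies on reply_body_max_size being evaluated first-match, and on the 3.x syntax in which the directive takes a size (or none) followed directly by ACL names with no allow/deny keyword, which is why the earlier attempt produced "ACL name 'allow' not found". The file path /etc/squid3/imp_users and the LAN range 192.168.0.0/24 are assumptions for illustration.

```squid
# Added example for Squid 3.1, not from the thread's posts.

# Authorized clients, one IP or CIDR per line in the quoted file (path is an assumption).
acl imp_users src "/etc/squid3/imp_users"

# Office hours. A time ACL without day letters matches every day;
# add day codes (e.g. MTWHF) in front of the range to limit it to weekdays.
acl officehours time 09:00-18:00

# reply_body_max_size is first-match: the first line whose ACLs all match wins,
# so the exceptions go first and the general cap goes last.
# "none" means no limit. Squid 3.x takes no allow/deny keyword on this directive.
reply_body_max_size none imp_users       # authorized PCs are never capped
reply_body_max_size none !officehours    # everyone else is uncapped outside office hours
reply_body_max_size 100 MB               # default: 100 MB cap during office hours

# Access control is separate from the size cap; no time ACL is needed here,
# because only the cap, not access itself, changes with the clock.
# Use the network address: 192.168.0.1/24 triggers the "Netmask masks away
# part of the specified IP" warning shown earlier in the thread.
acl my_lan src 192.168.0.0/24            # constructed example LAN
http_access allow my_lan
http_access deny all

# Caveat for transparent (intercept) mode: only port 80 is redirected to Squid,
# so HTTPS traffic never passes through it and this cap cannot apply to it.
```

Check the result with `squid3 -k parse` before restarting, since a malformed line (as in the "Bungled squid.conf" error above) stops Squid from starting at all. Note that the cap applies to the reply body size Squid sees; an authorized IP listed in the file is matched by source address only, so anyone able to use that address inherits the exemption.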
Hi Deepak,
Thanks a lot. The above rules are working fine. I also tried with a file listing the imp_users IPs. Now those imp_users IPs listed in the /etc/squid3/.imp_users file can download unlimited sizes at any time, while others can download only up to 100 MB during office hours. After office hours the others can also download unlimited sizes. This is what I had expected from Linux gurus. Thanks Deepak.
But others can still download using https while getting an error for http with the same URL, even if it is more than 100 MB, and even though I have blocked some suffixes in a file like this in squid.conf.
and so on
For example others are prevented from download with "http://ftp-stud.hs-esslingen.de/pub/Mirrors/ftp.openoffice.org/stable/3.3.0/OOo_3.3.0_Linux_x86_install-rpm-wJRE_en-US.tar.gz"
but they can download with "https://ftp-stud.hs-esslingen.de/pub/Mirrors/ftp.openoffice.org/stable/3.3.0/OOo_3.3.0_Linux_x86_install-rpm-wJRE_en-US.tar.gz"
So it would be much better if you could post a rule to prevent downloads over https that are more than 100 MB during office hours.
I will be waiting for your kind reply.
Once again thank you very much.
Last edited by mandyapenguin; 12-13-2011 at 08:48 PM.
Hi, thank you very much linuxmen.
This site is very useful. I could block YouTube videos for unauthorized users during office hours, but not metacafe.com. Could you please guide me or send me a URL by which I will be able to block other sites' flash videos.
I was also new to this problem you mentioned.
I never noticed that squid was only blocking http and allowing https.
I don't know if this will be helpful, but it works on my machine:
you can block access to port 443, which is for SSL, during office hours,
i.e. give access to http and https only to important users and deny all others; after office hours everyone will have full access.
Code:
acl bad_port port 443
acl no_block_port_ip src 192.168.0.100
http_access deny bad_port !no_block_port_ip
http_access allow all
Don't forget to comment out this line in squid.conf
Code:
#acl Safe_ports port 443 # https
To block downloads with the following extensions you can also try this
Now the above rules are working fine and no one apart from imp_users can download a file larger than 100 MB, but only if the users go through browser settings, and none of the https sites will open with browser settings under the above rule. Fine, but I am using transparent mode with squid3.*, so the users can still download files using https. Anyway, at last you helped me with those two rules that I had requested in the beginning. Thank you very much Deepak.
Last edited by mandyapenguin; 12-16-2011 at 11:05 AM.
Hi Deepak, me too, glad to help.
I followed this link. I just copied the script and executed it.
Here is my configuration
Code:
eth0(internet)
IP 192.168.1.2/24
g/w 192.168.1.1
eth1(LAN)
IP 192.168.0.1/24
cat /etc/resolv.conf
search mydomain.com
nameserver 192.168.0.1
dhcp server 192.168.0.1 for the clients
dhcp range 192.168.0.200 192.168.0.253
pdns 192.168.0.254(again this will forward to 192.168.0.1 only)
sdns 192.168.0.1
I hope I don't need to explain the configuration files under the /etc/bind directory, because I know that you are already an expert in DNS configuration.
I just changed the server IP in the script to 192.168.0.1 because I have given acl my_lan src 192.168.0.1/24 in the squid.conf file. I executed the script and now everything, ftp, mail clients and all, is working fine. I went for transparent mode because I struggled a lot to enable mail client access with IPTable rules. If the mail clients are working fine for you, please help me with the IPTable rules in non-transparent mode.
In RedHat-based O/S, for transparent mode you have to put these 4 lines
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
I have tried in ubuntu-11.04/11.10 without the above 4 lines, and the users are able to access the internet without browser settings. I think in CentOS 6 the above 4 lines are also not required, but I am not sure about this. In any case make sure the line below is in the squid.conf file
Code:
http_port 3128 transparent
Please find my squid.conf file in the attachment; it is working fine including mail client and ftp access. This attachment is from ubuntu-11.10. And please let me know if it is possible to enable access for mail clients in non-transparent mode.
Last edited by mandyapenguin; 12-19-2011 at 09:47 AM.
Reason: correction
Thanks for your help. I will try your suggestion; as this is for my personal practice, once I am through with my work I'll give an update.
I am quite confused with the term mail client+squid.
By mail client do you mean Outlook or Thunderbird?
Do you face problems using these mail clients with non-transparent squid?
If you can tell me where you face errors, or what sort of errors: I had connected Thunderbird to my sendmail and it was working fine, but I have no idea about using squid with mail clients.
If you can be little more specific I might help:)
Yes, by mail client I mean nothing but Thunderbird and Outlook. This works fine because of the NAT configuration for transparent mode. For example, if I configure my Gmail account in Thunderbird/Outlook while I am in transparent mode, I am able to send/receive mails.
But I am not able to send/receive while I am in non-transparent mode. Just think: for non-transparent mode I'll just install squid and configure the squid.conf file, doing nothing with IPTable rules, and the client machines can access the internet only if they configure browser settings. But in this condition the mail client does not work. I request you to check it once by configuring your Gmail/Yahoo mail account in Thunderbird/Outlook without transparent mode. If you are able to send/receive mails then please let me know how you could do it.
As I found in a Google search, there is nothing to do in squid.conf for mail client access, since squid does not proxy pop3, imap and smtp. So I think these protocols should be masqueraded in the nat table. But I don't have much experience with IPTable rules. I need a setup where the client machines can access the internet only if they configure browser settings, and the mail client also works fine. I will be waiting for your kind reply.