LinuxQuestions.org


roopakl 04-22-2012 08:27 PM

How to allow only particular browsers and deny all other browsers in squid3
 
Hi..All,
We have configured transparent squid3 proxy server on ubuntu 11.04 O/S and also blocked https://www.facebook.com using IPTables rules. Now none of the users are able to open https://www.facebook.com even after multiple tries.
But I heard that still users are browsing facebook site using aurora web browser!!!:confused:
So we don't want to allow such browsers to access the internet. Please help me to allow only Mozilla Firefox and Internet Explorer browsers and to deny all other browsers in the squid.conf file.
Thanks in advance for your kind help.

Satyaveer Arya 04-22-2012 11:38 PM

Quote:

We have configured transparent squid3 proxy server on ubuntu 11.04 O/S and also blocked https://www.facebook.com using IPTables rules. Now none of the users are able to open https://www.facebook.com even after multiple tries.
What policy did you put in place to block facebook?

Quote:

But I heard that still users are browsing facebook site using aurora web browser!!!
How did you come to know that?

linuxlover.chaitanya 04-22-2012 11:46 PM

If you are using IPtables to block some sites, then why use squid in the first place? And how did you block the websites? What are the iptables rules? And if you have iptables rules, then it should not matter what browser the client is using, it should be blocked. Squid can know what browser the client is using from the user agent of the browser. You can use this information to block certain web browsers. But I am still not sure if the issue you think you have is genuine. You might be misinformed about the issue.

Satyaveer Arya 04-23-2012 12:30 AM

And why are you making it typical, blocking facebook using iptables rules? There is an acl you can use to block facebook and some browsers also.
Like this, I have blocked facebook in my organisation-
Quote:

acl face dstdomain .facebook.com
acl mynet time MTWHF 8:30-17:30
http_access deny face mynet
It's quite simple and easy to use.

linuxlover.chaitanya 04-23-2012 12:44 AM

The issue with transparent proxy is blocking secure sites. It can not handle https properly as squid is a http proxy.

roopakl 04-23-2012 10:44 PM

Hi..Satyaveer Arya and linuxlover.chaitanya.
in squid.conf file I had already added the entry as
Code:

acl deniedsites dstdomain "/etc/squid3/.denied_sites"
http_access deny deniedsites

Code:

#cat /etc/squid3/.denied_sites
.facebook.com
#.some-other-sites.com
#and so on

This was blocking for only http sites not for https sites. So then I tried
Code:

acl facebook dstdomain .facebook.com
http_reply_access deny facebook  # for http
http_access deny CONNECT facebook # for https

Since my manager had told me to block facebook at all time I didn't mention that as from what time to what time it should be blocked. So I just added the entry to be blocked at all time. But found since squid is http proxy and since we are using transparent squid proxy, now also it was unable to block https://facebook.com and it was blocked for only http://facebook.com. So again people started with https://facebook.com.
At last I could achieve to block https://facebook.com using IPTables FORWARD rules. Then I found, none of the users were able to open https://facebook.com even after multiple tries and even if they try to access with different browser.:cool:

Today I came to know that again they are using 3rd party software like ultrasurf on windows!!!:confused: and one more software (I forgot the name, I will let you know once I reach the office, and I also already checked with that software on linux and found both http://facebook.com & https://facebook.com are opening only if that software service is started and only with the aurora browser but not with any other browser.) on linux to bypass proxy/firewall!!!:confused:

I hope I can block this also using IPTables rules if I could not again I will come and request linuxquestions.org because this is the only one site that always you all are helping me in proper way.

So since I don't want to allow such browsers I found a link to allow only particular browsers in squid.conf, and that link says to set the rule as
Code:

acl firefox browser firefox
http_access deny !firefox

restarted the squid3 service and found it is not blocking other browsers. Then I also tried in squid.conf file as
Code:

acl aurora browser aurora
http_access deny aurora

restarted the service but still I can access the internet using aurora browser in my PC(client only) as well as clients PC.
So it would be appreciated if you could post the squid ACLs to block all browsers except mozilla firefox and internet explorer.
Thanks for your kind help.
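
Added example (not part of any post in this thread): a squid.conf sketch of the browser allow-list asked for above, next to the rule as it was tried. The ACL name `allowed_browsers` and the `lan` subnet are assumptions for illustration; the `browser` ACL type matches a regular expression against the User-Agent request header.

```conf
# As tried in the post above. 'browser' patterns are case-sensitive
# regular expressions, so lower-case "firefox" does not match a
# User-Agent header containing "Firefox/12.0".
#acl firefox browser firefox
#http_access deny !firefox

# Allow-list form: -i makes the patterns case-insensitive.
# "firefox" matches Mozilla Firefox, "msie" matches Internet Explorer.
acl allowed_browsers browser -i firefox msie

# http_access lines are checked top to bottom and the first match wins.
# The deny therefore has to sit above every "http_access allow" line,
# otherwise an earlier allow (for example for the LAN) ends the check first.
http_access deny !allowed_browsers

# Assumed LAN range, for illustration only.
acl lan src 192.168.2.0/24
http_access allow lan
http_access deny all
```

The User-Agent header is supplied by the client, and an intercepting HTTP proxy only sees port 80 traffic, so this rule does not cover HTTPS and has to be paired with the firewall rules discussed in the thread. Check the file with `squid3 -k parse` before restarting the service.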

ccnaraj 04-24-2012 07:01 AM

squid proxy setting
 
Quote:

Originally Posted by Satyaveer Arya (Post 4660372)
And why are you making it typical, blocking facebook using iptables rules. There is acl you can use to block facebook and some browsers also.
Like this, I have blocked facebook in my organisation-

It's quite simple and easy to use.

Can you please give me a transparent squid proxy configuration?
(I have done my squid configuration, but on the client side I manually give proxy settings 192.168.0.11 3128)

this is my configuration
Code:

dns_nameservers 121.242.190.180 121.242.190.211 192.168.2.11
#broken_vary_encoding allow apache
#extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#acl M1 arp 00:18:8B:28:DD:7F
#acl M2 arp 00:21:9b:d3:d8:de
#http_access allow M1
#http_access allow M2
#http_access deny all
#http_port 80
#httpd_accel_host 127.0.0.1
#http_accel_port 80
http_port 80 accel
forwarded_for on
#httpd_accel_single_host on
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header off
cache_mem 1024 MB
acl lan src 115.119.81.194 192.168.2.0/24
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

#cache_peer 127.0.0.1 parent 3128 0 no-query default

acl web_ports port 80
http_access allow web_ports
acl purge method PURGE
#http_access allow purge localhost
http_access deny purge
hierarchy_stoplist cgi-bin ?

memory_replacement_policy lru

linuxlover.chaitanya 04-24-2012 07:58 AM

And how about looking at google for help before? LQ also has a very good search functionality. Please search. It should have taken you less time to search google or LQ than write a post here.

Satyaveer Arya 04-24-2012 10:31 PM

ccnaraj,

Here is a quick search on Google Uncle :D for you, https://www.google.co.in/#hl=en&outp...w=1280&bih=831.
First go through some of the links, check what you need in your domain, apply the rules accordingly in your domain if those rules fit in there. And if you face any problem, again first search on google, if that also doesn't work for you then you can try here.
Good Luck!

