LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 04-22-2012, 08:27 PM   #1
roopakl
Member
 
Registered: Sep 2011
Posts: 92

Rep: Reputation: Disabled
How to allow only particular browsers and deny all other browsers in squid3


Hi..All,
We have configured transparent squid3 proxy server on ubuntu 11.04 O/S and also blocked https://www.facebook.com using IPTables rules. Now none of the users are able to open https://www.facebook.com even after multiple tries.
But I heard that still users are browsing facebook site using aurora web browser!!!
So we don't want allow such browsers to access the internet and please help me in achieving to allow only mozilla firefox and internet explorer browsers and to deny all other browsers in squid.conf file.
Thanks in advance for your kind help.
 
Old 04-22-2012, 11:38 PM   #2
Satyaveer Arya
Senior Member
 
Registered: May 2010
Location: Dehradun, Uttarakhand, India
Distribution: RHEL, CentOS, Debian, Oracle Solaris 10
Posts: 1,413

Rep: Reputation: 303Reputation: 303Reputation: 303Reputation: 303
Quote:
We have configured transparent squid3 proxy server on ubuntu 11.04 O/S and also blocked https://www.facebook.com using IPTables rules. Now none of the users are able to open https://www.facebook.com even after multiple tries.
What policy you put to block facebook?

Quote:
But I heard that still users are browsing facebook site using aurora web browser!!!
How did you come to know that?
 
1 members found this post helpful.
Old 04-22-2012, 11:46 PM   #3
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
If you are using IPtables to block some sites, then why use squid in the first place? And how did you block the websites? What are the iptables rules? And if you have iptables rules, then it should not matter what browser the client is using, it should be blocked. Squid can know what browser client is using from the user agent of the browser. You can use this information to block the certain web browsers. But I am still not sure if the issue you think you have is genuine. You might be misinformed about the issue.
 
1 members found this post helpful.
Old 04-23-2012, 12:30 AM   #4
Satyaveer Arya
Senior Member
 
Registered: May 2010
Location: Dehradun, Uttarakhand, India
Distribution: RHEL, CentOS, Debian, Oracle Solaris 10
Posts: 1,413

Rep: Reputation: 303Reputation: 303Reputation: 303Reputation: 303
And why are you making it typical, blocking facebook using iptables rules. There is acl you can use to block facebook and some browsers also.
Like this, I have blocked facebook in my organisation-
Quote:
acl face dstdomain .facebook.com
acl mynet time MTWHF 8:30-17:30
http_access deny face mynet
It's quite simple and easy to use.
 
1 members found this post helpful.
Old 04-23-2012, 12:44 AM   #5
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
The issue with transparent proxy is blocking secure sites. It can not handle https properly as squid is a http proxy.
 
1 members found this post helpful.
Old 04-23-2012, 10:44 PM   #6
roopakl
Member
 
Registered: Sep 2011
Posts: 92

Original Poster
Rep: Reputation: Disabled
Hi..Satyaveer Arya and linuxlover.chaitanya.
in squid.conf file I had already added the entry as
Code:
acl deniedsites dstdomain "/etc/squid3/.denied_sites"
http_access deny deniedsites"
Code:
#cat /etc/squid3/.denied_sites
.facebook.com
#.some-other-sites.com
#and so on
This was blocking for only http sites not for https sites. So then I tried
Code:
acl facebook dstdomain .facebook.com
http_reply_access deny facebook   # for http
http_access deny CONNECT facebook # for https
Since my manager had told me to block facebook at all time I didn't mention that as from what time to what time it should be blocked. So I just added the entry to be blocked at all time. But found since squid is http proxy and since we are using transparent squid proxy, now also it was unable to block https://facebook.com and it was blocked for only http://facebook.com. So again people started with https://facebook.com.
At last I could achieve to block https://facebook.com using IPTables FORWARD rules. Then I found, none of the users were able to open https://facebook.com even after multiple tries and even if they try to access with different browser.

Today I came to know that again they are using 3rd party softwares like ultrasurf on windows!!! and one more software(I forgot the name, I will let you know once I reached to office, and I also already checked with that software on linux and found both http://facebook.com & https://facebook.com is opening only if that software service is started and only with aurora broweser but not with any other browser.) on linux to bypass proxy/firewall!!!

I hope I can block this also using IPTables rules if I could not again I will come and request linuxquestions.org because this is the only one site that always you all are helping me in proper way.

So since I don't want allow such browser I found a link to allow only particular browsers in squid.conf in which that link says to set the rule as
Code:
acl firefox browser firefox
http_access deny !firefox
restared squid3 service and found it is not blocking other browsers. Then I also tried in squid.conf file as
Code:
acl aurora browser aurora
http_access deny aurora
restarted the service but still I can access the internet using aurora browser in my PC(client only) as well as clients PC.
So it would be appreciated if you could post the squid ACLs to block all browsers except mozilla firefox and internet explorer.
Thanks for your kind help.

Last edited by roopakl; 04-23-2012 at 11:34 PM.
 
Old 04-24-2012, 07:01 AM   #7
ccnaraj
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Rep: Reputation: Disabled
squid proxy setting

Quote:
Originally Posted by Satyaveer Arya View Post
And why are you making it typical, blocking facebook using iptables rules. There is acl you can use to block facebook and some browsers also.
Like this, I have blocked facebook in my organisation-

It's quite simple and easy to use.
can you please give me squid proxy transparent configuration.
(i done my squid configurataion, but client site manually give proxy settings 192.168.0.11 3128)

this is my configuration



dns_nameservers 121.242.190.180 121.242.190.211 192.168.2.11
#broken_vary_encoding allow apache
#extension_methods REPORT MERGE MKACTIVITY CHECKOUT
#acl M1 arp 00:18:8B:28D:7F
#acl M2 arp 00:21:9b:d3:d8:de
#http_access allow M1
#http_access allow M2
#http_access deny all
#http_port 80
#httpd_accel_host 127.0.0.1
#http_accel_port 80
http_port 80 accel
forwarded_for on
#httpd_accel_single_host on
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header off
cache_mem 1024 MB
acl lan src 115.119.81.194 192.168.2.0/24
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid





#cache_peer 127.0.0.1 parent 3128 0 no-query default

acl web_ports port 80
http_access allow web_ports
acl purge method PURGE
#http_access allow purge localhost
http_access deny purge
hierarchy_stoplist cgi-bin ?





memory_replacement_policy lru
1,1 Top
 
Old 04-24-2012, 07:58 AM   #8
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
And how about looking at google for help before? LQ also has a very good search functionality. Please search. It should have taken you less time to search google or LQ than write a post here.
 
Old 04-24-2012, 10:31 PM   #9
Satyaveer Arya
Senior Member
 
Registered: May 2010
Location: Dehradun, Uttarakhand, India
Distribution: RHEL, CentOS, Debian, Oracle Solaris 10
Posts: 1,413

Rep: Reputation: 303Reputation: 303Reputation: 303Reputation: 303
ccnaraj,

Here is a quick search on Google Uncle for you, https://www.google.co.in/#hl=en&outp...w=1280&bih=831.
First go through some of the links, check what you need in your domain, apply the rules accordingly in your domain if those rules fit in there. And if you face any problem, again first search on google, if that also doesn't work for you then you can try here.
Good Luck!

Last edited by Satyaveer Arya; 04-24-2012 at 10:34 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to allow only particular browsers in squid3 and IPTables forward rules roopakl Linux - Newbie 1 04-21-2012 10:59 AM
[SOLVED] Squid3 Deny all traffic (Ignoring ACL) pliqui Linux - Server 3 02-18-2010 02:24 PM
LXer: Proprietary browsers built on proprietary browsers: the blind leading the blind LXer Syndicated Linux News 0 09-15-2009 12:20 AM
LXer: Comparison Between Linux Web Browsers - Review of 5 Linux Browsers LXer Syndicated Linux News 0 05-17-2008 01:21 PM
Browsers? Winux Linux - Newbie 2 04-09-2003 06:46 AM


All times are GMT -5. The time now is 02:04 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration