Old 03-06-2008, 08:20 AM   #1
interele
LQ Newbie
 
Registered: Feb 2004
Posts: 13

Rep: Reputation: 0
http proxy or not depending on who logs in


I want to set up my Fedora machines so that
when a student logs in ALL http/s requests go
thru the proxy whereas when a staff member
logs in they don't.

I want this to be machine wide and not just a
specific browser otherwise I am going to have to
purge the machine of anything browser like
( or they might just bring a browser in on
a memory stick )

All staff members have a username that starts st
and all students have a user name that starts
with the last 2 digits of their year of intake

Both get their authentication and users information
from an OpenLDAP server

Any ideas ??

ta

Mal
 
Old 03-06-2008, 08:26 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well i would say that that's a bad design. why wouldn't a student simply remove the proxy?? all requests should hit the proxy, it should be impossible to reach the internet without doing that. you yourself point to their ability to use a usb stick, and if it's *their* software, it's *their* call if they use a proxy or not.

you do have issues in terms of what will and will not pay attention to a shell level proxy detail. there's a firefox plugin which will utilize http_proxy - https://addons.mozilla.org/en-US/firefox/addon/3896 and if that's cool by you then it's just a modified /etc/profile that you need really:

whoami | grep -q '^st' || export http_proxy=http://my.proxy.server:8080

should do the trick i'd say.

Last edited by acid_kewpie; 03-06-2008 at 08:28 AM.
 
Old 03-06-2008, 08:33 AM   #3
interele
LQ Newbie
 
Registered: Feb 2004
Posts: 13

Original Poster
Rep: Reputation: 0
proxy stuff

I am open to better solutions ...

the rules are:

Students MUST use the proxy
Staff members may choose to bypass it

In XP we use group policies so it's easy

Mal
 
Old 03-06-2008, 08:37 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
well i think your rules are wrong.

rules should be

Students and staff MUST use the proxy
Students must be filtered to proxy policy 1
Staff must adhere to proxy policy 2
Mal and dave/matt/pete/mike in IT can do whatever they want

is it easy in XP? unless you're making deep down firewall system level changes, a browser like firefox needn't pay any attention to group policy at all.
 
Old 03-06-2008, 08:52 AM   #5
interele
LQ Newbie
 
Registered: Feb 2004
Posts: 13

Original Poster
Rep: Reputation: 0
proxy stuff

OK, how do I do that?

In firefox we play with prefs.js etc

The reason for Fedora is exactly what we are talking about
We have to nail XP machines down so much to prevent
the students doing anything that the parents/governors/LEA/government
may object to it is pretty much useless - then on top of that
we have to 'try' and stop them messing with the machine itself
- we even have to stop right click.

Interestingly having become experts in locking down Windows
machines, XP and group policies will fail in a 'non-safe' way
if you try hard enough.

Linux offers the chance to improve the computing experience
without the massive restrictions that a dog like XP forces upon us
We have a competition running to see if the students can break
Fedora and as yet no one has ...but the first thing they did was
launch everything to see if they could get to facebook/myspace etc

regards

Mal


PS we have Dansguardian at the moment
 
Old 03-06-2008, 09:40 AM   #6
mahmoud
Member
 
Registered: Apr 2006
Location: UK
Distribution: Mandriva, Debian, Redhat, Fedora, Ubuntu, FreeBSD
Posts: 269

Rep: Reputation: 30
well as acid_kewpie said the best way is to set up two policies
one for the students and one for the teachers
squid also has an authentication method where you can put all the teachers' usernames and passwords so that way they can log on with no problems
Also you can use ip addresses to restrict who browses and who can't. also you can state what websites they can go to, and most important you can deny them viewing or downloading pictures, music and anything you want. you could have some fun with that, i used to
without pictures, believe me, students won't enjoy browsing if they actually get through to the internet
also you can put your policies in a file and refer to it in squid
But unfortunately i don't have any link to help you configure squid
if you search you should get some

Last edited by mahmoud; 03-06-2008 at 09:42 AM.
 
Old 03-06-2008, 11:16 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
here's a thought, if you *really* wanted to do so, you could actually use the owner module in iptables to check the gid of the owner of the process wanting the connection. assuming you had separate groups for staff and students then it would be feasible for the firewall settings on the system (which *couldn't* be bypassed by the user without root perms) to actually do what you want directly, assuming that a transparent proxy would be sufficient (i.e. no authentication / user name tracking) without direct login sessions.
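
Added example, not part of any post in this thread: a sketch of the owner-module approach from post #7, which enforces the proxy in the host firewall rather than in an environment variable a user can unset. The group name `students` and the proxy address 192.0.2.10 are assumptions; port 8080 is the one used in post #2, and the proxy is assumed to accept intercepted (transparent) HTTP.

```shell
#!/bin/sh
# Added example: per-group proxy enforcement with the iptables owner match.
# Assumptions (not from the thread): group "students", proxy IP 192.0.2.10.

# Print the iptables commands for one group; changes nothing by itself.
proxy_rules() {
    group=$1
    proxy_ip=$2
    proxy_port=$3
    # Accept only a plain group name, IPv4 address and numeric port,
    # because apply_rules hands this output to a root shell.
    case $group in ''|*[!A-Za-z0-9_-]*) echo "bad group" >&2; return 1 ;; esac
    case $proxy_ip in ''|*[!0-9.]*) echo "bad proxy IP" >&2; return 1 ;; esac
    case $proxy_port in ''|*[!0-9]*) echo "bad proxy port" >&2; return 1 ;; esac

    # The owner match only sees locally generated packets (OUTPUT chain).
    # Plain HTTP from the group's processes is rewritten to the proxy.
    echo "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $group -j DNAT --to-destination $proxy_ip:$proxy_port"
    # HTTPS is not intercepted; direct connections are refused, so it only
    # works through an explicitly configured proxy (CONNECT to the proxy port).
    echo "iptables -A OUTPUT -p tcp --dport 443 -m owner --gid-owner $group -j REJECT --reject-with tcp-reset"
}

# Load the rules (needs root). The group must resolve at load time, so on
# LDAP-backed machines run this after the name service is available.
apply_rules() {
    rules=$(proxy_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Usage: script --apply students 192.0.2.10 8080
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
fi
```

These two rules cover only ports 80 and 443 over IPv4, and `--gid-owner` matches the process's effective group; a stricter policy would reject all other outbound traffic from the group and repeat the rules in ip6tables.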
 
  

