LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-25-2013, 08:48 AM   #1
swaggerlee
Member
 
Registered: Jul 2012
Location: India,Kolkata
Distribution: fedora,ubuntu
Posts: 35

Rep: Reputation: Disabled
squid proxy queries


Hi All
I am using a squid proxy on a desktop with Fedora 14, through which all users access the internet.
I want to block some sites. For that I have declared some ACLs, as follows:
Quote:
======================================================

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl morning_hours time M T W H F 9:00-12:59
acl evening_hours time M T W H F 14:00-18:45
acl deniedDomains url_regex "/usr/local/etc/deniedDomains"
acl blacklistIP src "/usr/local/etc/blacklistIP"
http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP
acl myNetwork src "/usr/local/etc/whitelistIP"
http_access allow myNetwork
================================================================
*[deniedDomains list is as follows]
.facebook.com
.server14.kproxy.com
.kproxy.com
.myspace.com
.metacafe.com
.kproxyfree.com
.orkut.com
.jabong.com
.snapdeal.com
================================================================
*[blacklistIP list is as follows]
192.168.100.10
192.168.100.12
192.168.100.15
etc., etc., and so on
================================================================
*[whitelistIP list is as follows]
192.168.100.100
192.168.100.120
192.168.100.150
======================================================
NOTE: we have DHCP configured on another machine, by which wi-fi users access the internet using an automatically assigned IP, i.e. DHCP.

NOW my questions are:

1> How do I block or define the DHCP IPs in blacklistIP so that DHCP users also cannot browse the deniedDomains? By default DHCP users can access facebook, orkut, etc. I don't know how they can access them!!

2> How do I block gmail browser chat (not Gtalk) and yahoo chat for all users?

3> Since all my users are connected to the internet through my proxy machine, how do I know which user IP address is using heavy internet resources, i.e. downloading stuff or streaming live videos, which may cause slow internet connectivity for the rest of the users?
Can I view/detect the particular IP address?

Hope I have been brief enough in explaining my problems.

Awaiting your answer ....
 
Old 10-25-2013, 10:20 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,331

Rep: Reputation: 8089
Quote:
Originally Posted by swaggerlee View Post
Hi All
I am using a squid proxy on a desktop with Fedora 14, through which all users access the internet. I want to block some sites. For that I have declared some ACLs, as follows

NOTE: we have DHCP configured on another machine, by which wi-fi users access the internet using an automatically assigned IP, i.e. DHCP. NOW my questions are:

1> How do I block or define the DHCP IPs in blacklistIP so that DHCP users also cannot browse the deniedDomains? By default DHCP users can access facebook, orkut, etc. I don't know how they can access them!!
They can access those sites, because you probably don't have them in the ACL. You're not posting all of your squid configurations, but chances are you're only applying the deny ACL to 'known' users...however they're 'known'. If you're identifying them by IP address, then there's your answer...the DHCP users don't HAVE static addresses, so the DENY,ALLOW takes effect, letting them out. So modify your ACL to deny those sites to ANYONE, on ANY address, or add the DHCP address range to the deny ACL.
Quote:
2> How do I block gmail browser chat (not Gtalk) and yahoo chat for all users?
You don't, at least not with Squid...this has been asked and answered on here MANY times.
Quote:
3> Since all my users are connected to the internet through my proxy machine, how do I know which user IP address is using heavy internet resources, i.e. downloading stuff or streaming live videos, which may cause slow internet connectivity for the rest of the users? Can I view/detect the particular IP address?
You go to the Squid website, and look up one of the VERY easily-found Squid reporting tools, install them, and run them. Find out which one fits your needs best.
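Question 3 asks which client is eating the bandwidth. As an added example, not code from the thread or from any Squid reporting tool, the script below does the per-client byte tally such a tool produces, run over a few constructed squid native-format access.log lines (the default log format on squid 3.x); all IPs and URLs in the sample are made up.

```python
from collections import defaultdict

# Constructed squid native access.log lines (not from the thread). Field order is:
# timestamp elapsed_ms client_ip result/status bytes method url ident hierarchy/peer content_type
SAMPLE_LOG = """\
1382940000.101 120 192.168.100.100 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/198.51.100.7 text/html
1382940001.220 8450 192.168.100.200 TCP_MISS/200 15728640 GET http://video.example.net/live.flv - DIRECT/198.51.100.8 video/x-flv
1382940002.330 95 192.168.100.120 TCP_HIT/200 2048 GET http://www.example.org/logo.png - NONE/- image/png
1382940003.440 30210 192.168.100.200 TCP_MISS/200 52428800 GET http://dl.example.com/big.iso - DIRECT/198.51.100.9 application/octet-stream
1382940004.550 140 192.168.100.150 TCP_DENIED/403 1230 GET http://www.facebook.com/ - NONE/- text/html
1382940005.660 610 192.168.100.120 TCP_MISS/200 1048576 GET http://cdn.example.com/app.js - DIRECT/198.51.100.7 application/javascript
this line is truncated garbage and must be skipped
"""

def bytes_per_client(log_text):
    """Sum bytes served and count requests per client IP; flag video/audio responses.
    Lines with too few fields or a non-numeric size are skipped rather than fatal."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "streaming": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[4].isdigit():
            continue
        client, size, ctype = fields[2], int(fields[4]), fields[9]
        totals[client]["bytes"] += size
        totals[client]["requests"] += 1
        if ctype.startswith(("video/", "audio/")):
            totals[client]["streaming"] += 1
    return dict(totals)

def top_talkers(log_text, n=3):
    """Client IPs ranked by bytes served, heaviest first, as (ip, stats) pairs."""
    stats = bytes_per_client(log_text)
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]
```

On a real box, read /var/log/squid/access.log into log_text; the "streaming" counter is what separates a large one-off download from someone watching live video.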
 
Old 10-28-2013, 12:19 AM   #3
swaggerlee
Member
 
Registered: Jul 2012
Location: India,Kolkata
Distribution: fedora,ubuntu
Posts: 35

Original Poster
Rep: Reputation: Disabled
OKAY, here is my complete squid config file for you ... can you tell me what I am doing wrong?

Quote:
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines


acl SSL_ports port 443 8100
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8100 #java socket
acl CONNECT method CONNECT
acl ftp proto FTP #(Creating a new acl for ftp protocol)

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
#http_access allow Safe_ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
http_access allow ftp


# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl morning_hours time M T W H F 9:00-12:59
acl evening_hours time M T W H F 14:00-18:45
acl deniedDomains url_regex "/usr/local/etc/deniedDomains"
acl blacklistIP src "/usr/local/etc/blacklistIP"
http_access deny deniedDomains morning_hours blacklistIP
http_access deny deniedDomains evening_hours blacklistIP
acl myNetwork src "/usr/local/etc/whitelistIP"
http_access allow myNetwork


# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Notify me if I missed something to post ..
 
Old 10-28-2013, 10:28 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,331

Rep: Reputation: 8089
Quote:
Originally Posted by swaggerlee View Post
OKAY, here is my complete squid config file for you ... can you tell me what I am doing wrong?

Notify me if I missed something to post ..
From my first post, I told you what the problem was and how to correct it. Did you read/understand it?

You're still allowing access from that network range somehow. You mention the 'whitelistIP' range, but you don't give any details about what range/network your DHCP server is on. Again...create an ACL with the address range of your DHCP server, and apply your rules to it.
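As an added example, not code from the thread or from Squid itself, the script below replays squid's first-match http_access evaluation in Python over the ACLs and rule order posted in the full config, then over the reordered rules TB0ne describes (deny the domains for every source before any allow line). It models only the src, url_regex and time ACL types this config uses; the client address 192.168.100.200 used in the comments and tests is a constructed stand-in for a DHCP lease that appears in neither IP list.

```python
import ipaddress
import re
from datetime import datetime

DAY_LETTERS = "MTWHFAS"  # squid time-ACL day letters indexed by datetime.weekday(): Mon..Sun

def match_acl(kind, values, req):
    """Match one ACL of type src, url_regex or time against a request dict."""
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    if kind == "time":  # values is the config text, e.g. "M T W H F 9:00-12:59"
        *days, span = values.split()
        start, end = (datetime.strptime(t, "%H:%M").time() for t in span.split("-"))
        when = req["when"]
        return DAY_LETTERS[when.weekday()] in days and start <= when.time() <= end
    raise ValueError(f"unsupported acl type {kind}")

def http_access(acls, rules, req):
    """First-match evaluation as squid does it: all ACLs on a line must match (AND),
    '!' negates one ACL, and if no line matches the opposite of the last action applies."""
    for action, names in rules:
        if all(match_acl(*acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACL table modelled on the thread's squid.conf (the url_regex entries are from the posted list).
ACLS = {
    "blacklistIP": ("src", ["192.168.100.10", "192.168.100.12", "192.168.100.15"]),
    "myNetwork": ("src", ["192.168.100.100", "192.168.100.120", "192.168.100.150"]),
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "deniedDomains": ("url_regex", [".facebook.com", ".kproxy.com", ".orkut.com"]),
    "morning_hours": ("time", "M T W H F 9:00-12:59"),
    "evening_hours": ("time", "M T W H F 14:00-18:45"),
    "all": ("src", ["0.0.0.0/0"]),
}
# Order as posted: each deny line also requires blacklistIP, so the constructed DHCP client 192.168.100.200 falls through to "allow localnet".
POSTED = [("deny", ["deniedDomains", "morning_hours", "blacklistIP"]),
          ("deny", ["deniedDomains", "evening_hours", "blacklistIP"]),
          ("allow", ["myNetwork"]), ("allow", ["localnet"]), ("deny", ["all"])]
# The fix suggested in the thread: deny the domains for every source, then allow.
FIXED = [("deny", ["deniedDomains", "morning_hours"]),
         ("deny", ["deniedDomains", "evening_hours"]),
         ("allow", ["myNetwork"]), ("allow", ["localnet"]), ("deny", ["all"])]

def decide(rules, src, url, when_iso):  # when_iso is a local timestamp like "2013-10-28 10:00"
    return http_access(ACLS, rules, {"src": src, "url": url, "when": datetime.fromisoformat(when_iso)})
```

Note that even with the fix the two time windows leave 13:00-13:59 and weekends open, because a time ACL only matches inside its range; that gap is in the posted config, not in the reorder.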
 