I would be so glad to do that, but you see, I am not an expert in Linux. I was introduced to SafeSquid by a colleague, who also set it up for me at our office, and is now managed by me. It helped solve a lot of issues that were bugging us. It made me realize that you do not have to be an expert in Linux to make use of it's immense powers. There are so many other poor guys like me, with limited knowledge of Linux, looking for similar solution? Can I, in some way, help them with my experience? That's my only intention. I would seriously like to apologize, if in doing so, I have harmed anyone's feelings.

Regards

Ok so the you used it in you example to block users from connecting to other https ports and only allow 443 to be access by the network... so i guess this can also be used on other ports?

how come i cant find this technique on all Squid tutorials that i found on the internet...

Sort of. When we implement this ACL we are saying "deny the CONNECT method to anything that isn't going to port 443". That's what the exclamation mark means, it inverts the match. We do this because we know we don't need CONNECT used for HTTP, only for HTTPS.

Yes, if you wanted clients to tunnel through to other ports you could use this. Notice how in a default Squid configuration you have an ACL called "SSL_ports" which lists other ports beside 443 that would need to use CONNECT, such as port 563 (NNTP over SSL) for example.

Not sure, but the CONNECT ACL and the rule are part of the default Squid configuration.

I find this on 1 website can this also be possible

Sure, but that's a default-allow (blacklist) approach, which in the long run is much less practical and effective than a default-deny (whitelist) approach.

Speaking of whitelist, in our Squid.conf all sites are whitelisted and i used txt file to store sites that can be accessed. i use this approach:

but what about in port how do you whitelist them and allow only those you want. can they be the same approach?

When you specify a port for each rule you are already whitelisting. Like in my example:That's basically whitelisting HTTPS_port and HTTP_port, because a connection to any other port would not match either of the allow rules and would therefore run into the deny one. Squid confs should always be whitelist-based IMHO.

oh ok...

but when you whitelist ports how do you specify a port where squid will listen? in my squid.conf i used 8080 so if i will whitelist ports do i still have to place it in the squid.conf or not?

ex.

The port Squid listens on doesn't need to be in an ACL. The port ACLs only refer to ports on the destination server. The http_port directive shouldn't be confused with the HTTP_port ACL name I used in my example. If you wish to control who can connect to the port Squid is listening on you'd need to use iptables.

ok now everything is clear... i have also checked dansguardian and it seems that some of its capabilites are the same with squid. correct me if im wrong but isnt it that squid can also block sites if its contents contains word like porn, sex...etc..

Squid is limited to looking for those words in the URL. DansGuardian can look for them anywhere on the web page itself, the actual "content".

Ok....

Just one quick question on dansguardian... can it detect file download and deny it if the user or ip is restricted on downloading file? or will it just block the entire site where the file can be downloaded.

Yes.

No, if you tell DansGuardian to filter .zip files (for example) then http://www.example.net/file.zip would be filtered, while http://www.example.net/ and everything within it will still be accessible, unless they get filtered by another match, such as pornographic content, etc. Oh, and yes, you can specify which IPs the restrictions apply to. Sorry I can't be more specific, it's been a while since I've configured a DansGuardian install.

Wow thats cool. do you know any other documentation of dansguardian aside from those doc in the dansguardian website

Not really, although I would imagine there's several howtos on the web.