Time quota based access control to specific websites
UPDATED: you can read my original post below
As I couldn't find any program that did what I wanted, I set out to write my own. My chosen language was C++ because this URL re-writer needs to be FAST (faster than Python or Perl anyway) and because C++ is a language I am familiar with.
First things first, I chose my method of squid integration. Initially I was using the ACL (access control lists) and ensuring that every request pass an external ACL check to be allowed, but I found this to be problematic. I'm not sure exactly why, but I think it has something to do with the way squid optimises ACL performance. Using url_rewriter_program alleviated this issue.
As per the requirements from my original post I came up with the design below (in flow chart form): http://www.edspcs.com.au/faceblock.png
The database to fulfill this design has three tables that I set up like this:
Code:
blacklist: Code:
using namespace std;
Well, it could be that I am at the wrong place for this kind of help, but:
A: As I said, this code needs to be fast; could I get some feedback on my design? One thing of concern to me is that atm all requests to a banned site are logged. This could be a LOT of requests, and while this table is emptied every day it could still get way too big. Maybe a solution that used update instead of insert and just updated the request time?
B: Code quality: have I made any mistakes with memory management etc.?
C: [most important] How could I share this code with other people? I only wrote this because I couldn't find free software which did it for me. What is the best way to get this into a form that other net admins can use? I'll need a lot of help with this, I think, as I have never used autoconfig before or anything like that.
-----------------------------------------------------
ORIGINAL POST:
I'm the network administrator of a fairly small network (<100 stations) and my work is generally just doing tech support for the staff here and managing services like samba, mail etc. My boss recently approached me with a more difficult task, however: she would like to limit the amount of time each staff member can access certain websites, allocating them a quota. For example: Bob can only view facebook for 10 minutes before 12:00, between 12:00 and 13:00 he gets another 30 minutes of quota, and then after 13:00 he gets another 10 minutes of quota. Ideally this quota would be consumed only when a staff member was viewing a page, but I don't think this is entirely possible; perhaps the quota would simply start counting down once the page is first accessed?
This system must be implemented for $0 using entirely free software and hardware we have sitting around the office. Now, I understand how to implement more basic filtering: I could set up a transparent proxy using squid, which already supports user authentication, and then use something like Dansguardian for URL blacklisting.
My question is: is there free software which can handle this kind of time quota based control? If there is not, what would be the best DIY approach? I was thinking I could write a simple squid log parser of my own (in C or python or whatever) but this may be more work than is necessary. Is there perhaps a generic squid parsing tool which supports scripting that could do some of the work for me? I could be totally off the mark and perhaps a proxy is not the best approach at all? I could add special logging rules to iptables and go from there, but it seems to me that would be a lot more work.
Thanks in advance, capo. |
Well, given that web pages are downloaded to your wkstn browser, not streamed live (although some content may be), I think(?) maybe you'd just have to count num of accesses, rather than amt of 'time' spent reading a page (can't see how you'd do that).
A simpler soln would be to have access time-bands eg only access non-work sites eg gmail between 1200-1300. Of course, I could be completely wrong.. ;) |
Quote:
|
Would it help if you explained (in a simple manner) how webpages work, ie they are just simple downloads, so time quotas don't really make sense, eg if someone surfs to a new page every 60 secs, when would the countdown start/stop??
Would it (time out) renew for each page?? You'd also need a 'global' reset for each user, otherwise they could download 1 page at 9am, which would timeout, then they'd be locked out of the web for the rest of the day. Could get very messy. |
Quote:
|
Quote:
How does the '10 mins' fit in with that method? Note the 'unlimited requests' in the quote. |
Quote:
For those on the list, they get say 3 periods of access per day. These periods of access start from the first request to that domain and they are allowed unlimited requests until their time is up. So if I access facebook.com at 11:05 I can then browse facebook until 11:15, at which point requests will be denied until 12:00 when I am allotted a new period of access, but it does not start at 12:00; it starts when I first make a request to facebook.com after 12:00 and then ends 10 minutes after that first request. |
OK, that's a bit clearer.
What happens to time overlaps eg taking your example above, suppose the user logs into facebook at 11:58. How does that affect the 'after 12:00' rule? Would you have a flag that can tell when someone's 'first' access is and then allows them to 'access' facebook from 11:59-12:09, then immediately start (aka continue) a new 10 mins 12:10-12:20 ? Just trying to clarify here. What happens if they don't login to facebook at all until eg 4:30pm: do they get 3 x 10 mins periods or only one? It's the corner cases that make programming interesting ;) |
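
The access-period rule discussed in the posts above, with the two corner cases raised (a first request at 11:58, and no request until 4:30pm), as an added example that is not any poster's code. The period boundaries and quotas come from the original post; the in-memory state, the `rewrite` helper, the block-page URL, the fallback to client IP, and the choice that unused time does not carry across a period boundary are assumptions. The request line follows the classic squid `url_rewrite_program` layout (URL, client_ip/fqdn, user, method), where an empty reply means "no change".

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Periods from the original post: (start hour, end hour, quota minutes).
PERIODS = [(0, 12, 10), (12, 13, 30), (13, 24, 10)]
BLOCK_URL = "http://proxy.example.invalid/quota.html"  # hypothetical block page


class QuotaTracker:
    """One window start per (user, site, day, period), held in memory."""

    def __init__(self, periods=PERIODS):
        self.periods = periods
        self.window_start = {}

    def allow(self, user, site, now):
        """True if the request at `now` falls inside the user's window."""
        for index, (start_h, end_h, minutes) in enumerate(self.periods):
            if start_h <= now.hour < end_h:
                break
        else:
            raise ValueError("periods do not cover this time of day")
        # Assumption: the key includes the period, so a window opened at
        # 11:58 is not consulted after 12:00; the first request in the new
        # period opens that period's own window.
        key = (user, site, now.date(), index)
        start = self.window_start.setdefault(key, now)
        return now < start + timedelta(minutes=minutes)


def rewrite(tracker, blacklist, line, now):
    """Answer one rewriter request line; "" leaves the URL unchanged."""
    fields = line.split()
    if len(fields) < 3:
        return ""
    url, client, user = fields[:3]
    host = urlsplit(url).hostname or ""
    site = next((s for s in blacklist if host == s or host.endswith("." + s)), None)
    if site is None:
        return ""
    # Assumption: unauthenticated requests ("-") are tracked by client IP.
    who = user if user != "-" else client.split("/")[0]
    return "" if tracker.allow(who, site, now) else BLOCK_URL
```

Only the first request in a period writes state, so the store holds one entry per user, site and period. CONNECT requests carry `host:port` instead of a URL and are not matched by this sketch.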
Quote:
|
I admit I've never tried to do this. I'm kind of surprised no-one else has jumped in by now.
Have you had a look at things like netnanny, websense etc? Theoretically, for a DIY approach, Squid / dansguardian and some Perl is where I'd start looking. I'll be interested to know the answer myself. |
Ok, so I started working on a solution using squid and python but I'm having some issues wiring up a simple python script to a squid ACL. My python script is:
Code:
import sys
My relevant squid config looks like:
Code:
With my debug mode set to:
Code:
debug_options ALL,1 33,2 28,9
Code:
2009/12/23 13:09:22| aclCheckFast: list: 0x7fc3db15abb8
Any ideas? |
updated original post considerably.
|