LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-30-2014, 06:26 AM   #1
mat1_8
LQ Newbie
 
Registered: Apr 2013
Posts: 10

Rep: Reputation: Disabled
Proxy Server


Hi,

Lately I was configuring Squid + SquidGuard and I noticed that there is a particular limitation. Unfortunately having multiple groups with multiple filters does not work as it should. Reason being is that if a certain condition is met (web filtering), the other rules are ignored. For example:

Filter 1 - allow social; Filter 2 - allow downloads; Filter 3 - allow music.

If I have Group 1 and I assign them Filter 1 + 2, SquidGuard will only take care of the first condition, ie, Filter 1. Filter 2 is completely ignored and therefore Group 1 will not be able to access download sites. Having just three filters is not a big deal, but imagine having multiple and multiple combinations.

I have tried using Dansguardian but it seems that it does not allow this function either. Is there a specific Web Filter for use with Linux that allows such function please? Thanks
 
Old 06-01-2014, 04:53 PM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Filter 1 - allow social; Filter 2 - allow downloads; Filter 3 - allow music.
Did you try:

Groups:
social_allow
social_deny
download_allow
download_deny
music_allow
music_deny

and do your filtering by groups?

It would make your filters look more like this:
Quote:
Filter 1 -allow social: social_allow Filter 2 -deny social: social_deny ...ect,etc

Last edited by dijetlo; 06-01-2014 at 04:59 PM.
 
Old 06-02-2014, 01:21 AM   #3
mat1_8
LQ Newbie
 
Registered: Apr 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for your response. I have tried the following scenario:

Users - User1, User2, User3, User4
Groups - G_Social, G_Downloads, G_Music
Filters - F_Social, F_Downloads, F_Music

User1 is a member of G_Social having F_Social filter and therefore social networking websites are allowed

User2 is a member of G_Downloads and having F_Downloads filter and therefore download websites are allowed

So far so good...

User3 is a member of G_Social + G_Downloads having F_Social and F_Downloads filters respectively. However if the F_Social filter is the FIRST filter that its conditions are being met, User3 will not be able to access download websites. In order for User3 to access download websites, F_Social and F_Downloads need to be combined into one filter such as F_Social_Downloads. In that way, there is only one filter that its conditions need to be met.

The problem here is that you end up with multiple filter combinations. Because if User4 needs to access Social + Downloads + Music these need to be combined too. Imagine having User5 that only wants Music + Social or having User6 that only wants Downloads + Music. The way I see it is that these filters need to be combined into one. Don't know if I have explained better? Thanks
 
Old 06-02-2014, 04:27 AM   #4
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Code:
logdir /usr/local/squidGuard/log
dbhome /usr/local/squidGuard/db 

     src  nomusic{ user0 user1 user2 user3 user4}
     src  nosocial{ user4 user5 user6 user7 user8}
     src  noftp{ user8 user9 user10 user11 user12}

     dest music {
	 domainlist music/domains
	 urllist    music/urls
     }
    dest ftp {
	 domainlist ftp/domains
	 urllist    ftp/urls
     }
    dest social{
	 domainlist social/domains
	 urllist    social/urls
     }

     acl {
	  {
	     pass !nomusic music
             #redirector
	     redirect http://localhost/cgi/blocked_music?
             pass !noftp ftp
	     #redirector
             redirect http://localhost/cgi/blocked_ftp?
             pass !nosocial music
             #redirector
	     redirect http://localhost/cgi/blocked+social?
 
	 }
     }
Make sure you're putting the redirectors in or SuidGaurd locks on the first "!" in the ACL

Last edited by dijetlo; 06-02-2014 at 04:32 AM.
 
Old 06-03-2014, 01:56 AM   #5
mat1_8
LQ Newbie
 
Registered: Apr 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi,

I have the following basic configuration:

Code:
dbhome /var/lib/squidguard/db
logdir /var/log/squid

src nosocialnet {
	user0
}
src nodownloads {
	user0
}
dest downloads {
    domainlist     downloads/domains
    urllist        downloads/urls
    logfile        downloads.log
}

dest socialnet {
    domainlist     socialnet/domains
    urllist        socialnet/urls
    logfile        socialnet.log
}

acl {
     default {
	pass !nosocialnet socialnet
	#redirector
	redirect http://www.google.com
	pass !nodownloads downloads
	#redirector
	redirect http://www.google.com
      }
}
I had to put in the word default since it gives me an error in that line. I think reason being is that without having a word before "{" this cannot be done. Secondly, when I put the word default, I was given an error that "ACL destination nosocialnet is not defined in configfile....." since in this case squidGuard looks for the ACL's. The "nosocialnet" is actually a group not an ACL and therefore gives such error. Am I doing something wrong please? Thanks

Last edited by mat1_8; 06-03-2014 at 02:39 AM.
 
Old 06-03-2014, 07:57 AM   #6
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
ACL destination nosocialnet is not defined in configfile
Looking at the example I pulled from your manual and tweaked. It's pointing to pages on the localhost (actually cgi scripts, but I'd think it would work with pages as well) The ACLs aren't going to wait for a dns lookup, if you want to redirect your users to google instead of a page you've written and placed in your web server, redirect them in the cgi directory of the web server, not in the ACL.
 
Old 06-03-2014, 08:18 AM   #7
mat1_8
LQ Newbie
 
Registered: Apr 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi,

I have tried using the local web server but still same problems.

Code:
acl {
	    {
	     pass !nomusic music
             #redirector
	     redirect http://localhost/cgi/blocked_music?
             pass !noftp ftp
	     #redirector
             redirect http://localhost/cgi/blocked_ftp?
             pass !nosocial music
             #redirector
	     redirect http://localhost/cgi/blocked+social?
 
	   }
     }
The code which you gave me I think has bad syntax because there is no name after the ACL such as:

Code:
acl {
      userlist {
	     pass !nomusic music
             #redirector
	     redirect http://localhost/cgi/blocked_music?
             pass !noftp ftp
	     #redirector
             redirect http://localhost/cgi/blocked_ftp?
             pass !nosocial music
             #redirector
	     redirect http://localhost/cgi/blocked+social?
 
	 }
     }
After reading squidGuard manual it appears that at the end you need to have a DEFAULT ACL set too.
 
Old 06-03-2014, 11:17 AM   #8
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
After reading squidGuard manual it appears that at the end you need to have a DEFAULT ACL set too.
Did it work when you did that?
Quote:
blocked+social?
heads up, you got a + here instead of a _
Are these real cgi scripts your pointing to? I thought you probably just make a simple page to test.

Last edited by dijetlo; 06-03-2014 at 11:19 AM.
 
Old 06-05-2014, 12:02 AM   #9
mat1_8
LQ Newbie
 
Registered: Apr 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hi,

Yes I have set the DEFAULT option but that did not work too. Also I have pointed the redirect rule to http://localhost and it just displays "hello world" text message but did not make any difference.

Kindly may I ask you if you have tried the code yourself please (the one which you gave me)? Thanks
 
Old 06-05-2014, 12:12 AM   #10
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
No, I pulled those from your manual, I've never used squid or squid-guard however I've admin'd a lot of usergroup based software. Go back to post #2 and you'll see why I first responded.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
hi i am new to proxy server concept please tell me the code how to make proxy server anilchowdary Linux - Newbie 2 05-28-2013 12:48 PM
Unable to connect to proxy server though wi fi connection active proxy settings ok ncpanicker Linux - Wireless Networking 3 04-11-2011 03:27 AM
Squid Proxy Server on Ubuntu and WPAD - Proxy Auto Detection cheesewizz Linux - Networking 1 12-10-2010 02:49 AM
proxy server that accepts PARENT PROXY as a SOCKS PROXY shadyabhi Linux - Server 1 08-10-2010 03:09 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 05:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration