Banned sites with Squid proxy

A common problem at companies is Internet access.

Many employees spend their working time on social networking sites (Facebook, YouTube...).

Today I will explain the "solution" we used 3 years ago in a medium-sized company (400 employees).

The idea was to allow Internet surfing only to the sites we thought people needed for their work. This was done by blocking every site and keeping a list of allowed sites (you can do it the other way around: allow everything and keep a list of blocked sites).

This example was implemented on a Pentium III 800 MHz, 196 MB RAM, 20 GB HD and 1 Ethernet card running Debian. As far as I know it still works perfectly.

Of course, first we need a fully working system.

After that we install squid (the proxy) and iptables (for port redirection):

apt-get install squid iptables

Now we configure squid:

vi /etc/squid/squid.conf

And inside, something like this:

http_port 8080
# memory for the cache
cache_mem 16 MB
# here is the cache: 100 MB, 16 first-level and 256 second-level directories
cache_dir ufs /var/spool/squid 100 16 256

# transparent proxy settings (Squid 2.5 syntax)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
offline_mode on
ie_refresh on

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl redlocal src 172.16.0.0/255.255.255.0
acl allowed_sites url_regex "/etc/squid/allowed_sites"

# only clients on the local network may reach the allowed sites;
# everything else is denied (the original rule did not use redlocal,
# so any source address could use the proxy for the allowed sites)
http_access allow redlocal allowed_sites
http_access allow localhost
http_access deny all

Of course you need to replace the IPs with yours. Note that the httpd_accel_* directives are the Squid 2.5 syntax; in Squid 2.6 and later they are gone and transparent interception is configured on the http_port line instead (http_port 8080 transparent, renamed intercept in Squid 3.1 and later).

Now we need to allow some sites. You can be very specific here or allow more. Example:

vi /etc/squid/allowed_sites

Each line is a regular expression that Squid tests against the whole request URL (scheme, host, path and query string), not only the host name, so keep that in mind when you write it:
google – allows any URL with the word google anywhere in it, including something like http://other-site.example/?google, so a user only has to add the keyword to a URL to get through
google.com – allows any URL that contains google.com anywhere (and the unescaped dot matches any character, so googleXcom too); if you want google.com and its subdomains only, anchor the expression to the start of the URL and escape the dot, or use a dstdomain ACL with the entry .google.com instead of url_regex
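The following script is an added example, not code from the original post. It emulates how Squid's url_regex ACL evaluates /etc/squid/allowed_sites, running the list as written above next to an anchored version, so you can see which URLs each really lets through. It assumes that a url_regex line is an extended POSIX regex tested against the complete request URL (case-sensitively unless the ACL uses -i), which is what grep -E does here; the URLs and the file names under the temporary directory are constructed test inputs.

```shell
#!/bin/sh
# Added example, not from the original post: emulate Squid's url_regex ACL
# over an allowed_sites file. Assumption: each line is an extended POSIX
# regex matched against the whole URL, exactly what grep -E -f does.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# The list exactly as the post suggests: bare, unanchored keywords.
cat > "$TMP/allowed_sites.naive" <<'EOF'
google
google.com
EOF

# A tightened list: anchored at the start of the URL, the dot escaped,
# any depth of subdomain allowed, an optional port, then "/" or end of URL.
cat > "$TMP/allowed_sites.strict" <<'EOF'
^http://([a-z0-9-]+\.)*google\.com(:[0-9]+)?(/|$)
EOF

# url_allowed LISTFILE URL: exit 0 if any line of LISTFILE matches URL,
# which is how Squid decides whether the ACL applies to a request.
url_allowed() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

naive_allows()  { url_allowed "$TMP/allowed_sites.naive"  "$1"; }
strict_allows() { url_allowed "$TMP/allowed_sites.strict" "$1"; }

# Constructed requests: one legitimate, three that abuse the keyword list.
for url in \
    "http://www.google.com/search?q=squid" \
    "http://evil.example/?google" \
    "http://google.com.evil.example/" \
    "http://googlexcom.example/"
do
    naive=deny;  naive_allows  "$url" && naive=allow
    strict=deny; strict_allows "$url" && strict=allow
    printf '%-40s naive=%-5s strict=%s\n' "$url" "$naive" "$strict"
done
```

The naive list lets all four requests through, the anchored one only the first. If you do not want to maintain regular expressions at all, the cleaner Squid option is a dstdomain ACL (acl allowed_sites dstdomain "/etc/squid/allowed_sites") with entries such as .google.com, which Squid matches against the host name only.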

Now we restart squid:

/etc/init.d/squid restart

Something important is to configure iptables to redirect the traffic to the proxy port, so that the proxy is transparent. Keep in mind that only TCP port 80 is redirected: HTTPS (443) and HTTP on other ports never reach Squid and bypass the filter unless the gateway also drops them.

vi /etc/init.d/squid_redirect.sh

#!/bin/sh
# send HTTP traffic arriving on eth0 to the local Squid port
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Make it executable (chmod +x) and register it as a service:

update-rc.d squid_redirect.sh defaults

Once all of this is done, there are two ways to point the users at it.

  • Change the browser's connection settings to use the proxy. Problem: they can disable it.
  • Set the machine as the default gateway in the clients' network settings (the box must then have IP forwarding enabled, net.ipv4.ip_forward = 1). This one is my favourite: if the other gateway is disabled for them, for example the router only accepts traffic from the Squid box, they have no other option ;) Without that restriction on the router, a user with admin rights on their PC can simply put the router back as gateway.

Hope this manual is useful. Regards.


2 Comments

  1. Nenillo says:

    If the machine only has one network card, how do you disable the second gateway? I imagine that is the router that provides the Internet connection, and if the machine only has one network card I imagine everything is on the same network. Some kind of filter on the router?

    Recently I had to set up something similar, but for caching instead of filtering. Instead of changing the configuration of every machine, we modified the DHCP server so that it hands out the machine running squid as the gateway.

  2. Chema says:

    We only had one network... it was a quick hack, so what we did was simply set the squid box as the gateway on the PCs and off we went (we also configured the router so that it could only be used from the squid box :P).

    The best thing is to have 2 cards in the machine; then you create two networks, one with the connection and the other for the rest of the machines ;)
