Banned sites with Squid proxy
A common problem at companies is Internet access.
Many employees spend their working time on social networking sites (Facebook, YouTube, ...).
Today I will explain the “solution” we used three years ago in a medium-sized company (400 employees).
The idea was to allow Internet surfing only to the sites we thought employees needed for their work. This was done by denying every site by default and keeping a list of allowed sites (you can also do it the other way around: allow everything and keep a list of banned sites).
This example was implemented on a Pentium III 800 MHz with 196 MB of RAM, a 20 GB hard disk and one Ethernet card, running Debian as a server. As far as I know it still works perfectly.
Of course, first we need a fully working system.
After that we install squid (the proxy) and iptables (for port redirection):
apt-get install squid iptables
Now we configure squid:
vi /etc/squid/squid.conf
And inside, something like this (one directive per line; the comments are mine):
http_port 8080
cache_mem 16 MB                              # memory for the cache
cache_dir ufs /var/spool/squid 100 16 256    # here is the cache (100 MB on disk)
# Transparent (intercepting) mode in Squid 2.5 syntax. Squid 2.6 and later dropped the
# httpd_accel_* directives; the equivalent there is "http_port 8080 transparent"
# (Squid 3.1 and later: "http_port 8080 intercept").
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
offline_mode on
ie_refresh on
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl redlocal src 172.16.0.0/255.255.255.0
acl allowed_sites url_regex "/etc/squid/allowed_sites"
# Both ACLs on one line must match: the listed sites are served only to clients on the
# local network. Without "redlocal" the proxy would answer any source address that can
# reach port 8080, i.e. it would be an open proxy for the allowed sites.
http_access allow redlocal allowed_sites
http_access allow localhost
http_access deny all
Of course, you need to replace the IPs with your own.
Now we need to allow some sites. You can be very specific here or allow more; for example:
vi /etc/squid/allowed_sites
Each line of this file is a regular expression (url_regex) that is matched against the whole URL, so inside you can use:
google – allows any URL containing the word google anywhere in it, including the path and query string, so it is trivially bypassed by putting “google” in a URL on another site.
google.com – matches google.com and all its subdomains, but also any other URL that contains that string (the dot is a regex wildcard, so it matches any character). If you only want to match the host, escape the dot and anchor the pattern to the host part of the URL, or use a dstdomain ACL instead of url_regex.
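As an added example (not part of the original post), the following POSIX shell helper turns bare domain names into url_regex patterns anchored to the host part of the URL, writes them in the form the allowed_sites file expects, and checks candidate URLs against a pattern so you can see which bypasses an unanchored entry allows. The domain list is constructed for the example; only the file name /etc/squid/allowed_sites comes from the post.

```shell
#!/bin/sh
# Added example, not the post's own code. Squid's url_regex ACL matches anywhere in
# the full URL, so an unanchored "google.com" also matches
# http://other.example/google.com and http://googleXcom/ (the dot is a wildcard).

# site_regex DOMAIN
# Prints an extended regex that matches http(s)://[sub.]DOMAIN[:port]/... only.
# The optional subdomain prefix excludes "/" and "@" so that a userinfo trick such as
# http://www.google.com@other.example/ does not match.
site_regex() {
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')   # escape the dots
    printf '^https?://([^/@]+\\.)?%s(:[0-9]+)?(/|$)' "$esc"
}

# url_allowed URL REGEX
# Returns 0 when URL matches REGEX, the same test Squid applies for url_regex
# (case-sensitive, as Squid is unless the ACL is declared with "url_regex -i").
url_allowed() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Constructed sample list of domains an admin would maintain (one per line).
SITES="google.com
example.org"

# Prints the lines that would go into /etc/squid/allowed_sites.
allowed_sites_file() {
    printf '%s\n' "$SITES" | while read -r d; do
        [ -n "$d" ] && printf '%s\n' "$(site_regex "$d")"
    done
}

# Usage: allowed_sites_file > /etc/squid/allowed_sites
#        url_allowed 'http://www.google.com/search' "$(site_regex google.com)" && echo ok
```

If you only care about the host, a dstdomain ACL is simpler and harder to get wrong (acl allowed_sites dstdomain .google.com matches the domain and all subdomains); the regex form is useful when you also want to restrict paths.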
Now we restart squid so it reads the new configuration and the list:
/etc/init.d/squid restart
Something important is to configure iptables to redirect the web traffic to the proxy port; this way the proxy is transparent to the clients. Put the rule in a script:
vi /etc/init.d/squid_redirect.sh
#!/bin/sh
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Note that this only catches plain HTTP on port 80: HTTPS (port 443) is not redirected, so the allowed-sites list does not apply to it.
And make it run as a service at boot (the script must be executable, and the name must match the file you created):
update-rc.d squid_redirect.sh defaults
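The post's one-line script leaves out what the single-NIC gateway setup described below needs: IP forwarding, a source restriction so that only LAN clients are intercepted and can reach the proxy port, and NAT for the traffic that is not HTTP and simply passes through the box on its way to the router. The following init-style script is an added example, not the post's own code, and assumes the LAN is 172.16.0.0/24 on eth0 (the post's redlocal network), Squid listens on 8080, the box is the clients' default gateway, and the upstream router sits on the same LAN. The rules are generated as text so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumed values (not from the post):
# LAN 172.16.0.0/24 on eth0, Squid on 8080, this box is the default gateway and the
# real router is on the same LAN. Run as root: sh /etc/init.d/squid_redirect.sh start
LAN_NET="${LAN_NET:-172.16.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-8080}"

# squid_redirect_rules NET IFACE PORT
# Prints the rules as iptables commands, one per line, without touching the kernel.
squid_redirect_rules() {
    net="$1"; iface="$2"; port="$3"
    # Intercept plain HTTP from LAN clients only. HTTPS (443) is deliberately not
    # matched here: it is forwarded unfiltered unless handled separately.
    echo "iptables -t nat -A PREROUTING -i $iface -s $net -p tcp --dport 80 -j REDIRECT --to-port $port"
    # The proxy port is reachable from the LAN only, so the box is not an open proxy.
    echo "iptables -A INPUT -i $iface -s $net -p tcp --dport $port -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    # Everything else the clients send to this gateway goes on to the router out of the
    # same interface; masquerade it so the router's replies come back through here.
    echo "iptables -t nat -A POSTROUTING -s $net -o $iface -j MASQUERADE"
    # Forwarded traffic never passes through Squid; say explicitly what is let through.
    echo "iptables -A FORWARD -i $iface -s $net -j ACCEPT"
}

# apply_rules: turn the box into a forwarding gateway and load the rules above.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    # With one NIC the kernel would send ICMP redirects telling clients to talk to the
    # router directly for forwarded traffic; keep them coming through this box instead.
    sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
    squid_redirect_rules "$LAN_NET" "$LAN_IF" "$SQUID_PORT" | sh -e
}

case "${1:-}" in
    start) apply_rules ;;
    show)  squid_redirect_rules "$LAN_NET" "$LAN_IF" "$SQUID_PORT" ;;
    *)     ;;   # no argument: do nothing, so the file is safe to source or test
esac
```

Run it with "show" to print the rules and "start" (as root) to apply them; the "show" output is what you would compare against the live tables with iptables -t nat -L -n. The MASQUERADE rule also touches Squid's own outbound connections, whose source is already the eth0 address, so for them it is a no-op.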
Once all of this is done, there are two ways to make the users go through the proxy:
- Change the browser's connection settings to use the proxy. Problem: users can disable it.
- Set the proxy machine as the default gateway in the computer's connection properties. This one is my favourite, since if you disable the other gateway they have no other option ;)
I hope this manual is useful. Regards
If the machine only has one network card, how do you disable the second gateway? I imagine that is the router that provides the Internet connection, and if the machine only has one network card I imagine everything is on the same network. Some kind of filter on the router?
I recently had to set up something similar, but for caching instead of filtering; instead of changing the configuration of every machine, we modified the DHCP server so that it hands out the machine running squid as the gateway.
We only had one network... it was a botch job, so what we did was simply set the squid box as the gateway on the computers and that was it (we also configured the router so it could only be used from the squid box :P).
The best thing is to have 2 cards in the machine; then you create two networks, one with the connection and the other for the rest of the machines ;)