Re: [squid-users] Content filtering, password-bypass & client configuration.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 04 Feb 2009 18:13:18 +1300

Stroller wrote:
> Hi there,
>
> I have a small office at which the bosses want to restrict access to
> certain sites. I'm new to Squid - if I understand correctly then Squid
> does the proxying stuff and then I add squidGuard on top to do the
> filtering?

SquidGuard is optional. People use it for speeding up extremely large
lists of tests or regex matches.
Squid provides a set of access controls perfectly capable of filtering
traffic in a fast way.

>
> I haven't even got as far as the proxying, yet, though, because I'm not
> sure the best way to get things up.
>
> The bosses want these sites blocked, but they also want to be able to
> log in & use a password to bypass the restriction themselves.
>
> Am I understanding correctly that they can't do this (proxy_auth?) if
> Squid is running in transparent / invisible mode?

Correct.

>
> Because transparent / invisible mode seems the ideal solution if you
> want to *force* employees to use the proxy. Without that option I'm in a
> bit of a muddle as to the best way to .... hmmmn.... well, configure the
> clients, I guess, basically.
>

I don't see this as a problem for your needs. You can run squid in both
modes at the same time.
Using the proxy properly and authenticating, they get past the
restrictions. If they try to avoid the proxy and get caught by the
interception they get blocked without the possibility of logging in to
get the site.

Hints for newbies trying interception:
  You might hit a rumour that sites are now "being blocked"; nip it
off early by making it clear that certain sites are still available, but
now by password access only.
  Getting the regular users to trust the proxy and not believe you're
watching everything is usually a bigger hassle than setting it up.
  Staying sane and not trying to filter content will get you a long way.

> With transparency, the machine has two NICs and everything goes through
> it, right?

Maybe no, maybe yes. Transparency, Interception, and NICs are not related.
http://wiki.squid-cache.org/ConfigExamples/Intercept

> But if it's not transparent then it's just another IP on the
> LAN (??) and that has to be entered into Internet Explorer's
> configuration options. I can block outgoing connections to port 80
> (except those made by the Squid box) at the ADSL router, and because all
> the PCs are in a Windows domain I can use Policies to set that on all
> clients. However this stitches up 2 or 3 laptop users - if I force them
> to proxy through 192.168.4.2 then they won't be able to surf the net
> when they take their laptops home (where there is no proxy at that
> address).

The solution is to do the above for permanent machines. And try WPAD for
the laptops and guest machines.
http://wiki.squid-cache.org/Technology/WPAD

>
> I can make the client proxy configuration a manual process - or allow
> certain users to override it - but that just seems clumsy to me, having
> these poor folks who don't know anything about computers messing around
> in Control Panel twice a day to tick & untick the proxy options. I find
> that kinda inelegant - the idea of it just bugs me.

With WPAD they get ticked to 'auto-detect' and then left.

>
> I'd prefer not to have the "bypassing" of the block list done by IP,
> mostly because the bosses have mentioned the use of passwords. They
> anticipate the work-related sites as being accessible without a
> password, and only to be prompted for one when they go to facebook or
> sports-scores.com. I'm not sure if this is possible with Squid(guard)? I
> get the impression it might be necessary to log on before browsing ANY
> site if authentication is enabled? Having to log on to use the internet
> at the beginning of the work day would be seen as a bit intrusive, I
> think - I think the bosses see the password thing as a disincentive to
> them themselves to slack off. And if they go through the proxy then the
> slacking off is logged and each boss can monitor the other's slacking.

With the Squid ACLs you can configure a very complex requirement, as
long as you can state it in logical form. This one luckily is quite simple.
  http://www.squid-cache.org/Doc/config/acl/

An example of what you need is:

   http_port 3128 # regular proxy access
   http_port 3129 transparent # caught users

   auth_param ... # auth config

   acl loggedIn proxy_auth REQUIRED
   acl blockedSites dstdomain .example.com

   # block certain sites unless login details are provided
   # (loggedIn is last on the line, so missing credentials get a 407 challenge)
   http_access deny blockedSites !loggedIn

   # otherwise allow the local network
   # (localnet is the "acl localnet src ..." entry from the default squid.conf)
   http_access allow localnet

   # but deny everything else.
   http_access deny all

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
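An added illustration, not from Amos's message or from the Squid project: a small Python model of how Squid walks the http_access lines in the reply above. It implements the rules that matter for this thread: the first matching line wins, a line only matches when every ACL on it matches, a dstdomain pattern with a leading dot covers the domain and its subdomains, and a proxy_auth ACL that finds no credentials as the last ACL on a line produces a 407 challenge instead of a plain deny. The localnet range 192.168.4.0/24 is assumed from the proxy address mentioned in the thread, and treating a challenge on the intercept port as a block is a simplification of what the browser actually does with an unanswerable proxy challenge.

```python
import ipaddress

AUTH_REQUIRED = "AUTH_REQUIRED"   # sentinel: proxy_auth ACL found no credentials
INTERCEPT_PORT = 3129             # the "http_port 3129 transparent" line


class Request:
    """One client request as the ACL evaluator sees it (constructed sample data)."""

    def __init__(self, host, src_ip, port, user=None):
        self.host = host.lower()
        self.src_ip = src_ip
        self.port = port      # which http_port the request arrived on
        self.user = user      # None when no Proxy-Authorization header was sent


def acl_dstdomain(*patterns):
    """'.example.com' matches example.com and every subdomain; a bare name matches exactly."""
    def match(req):
        for p in (x.lower() for x in patterns):
            if p.startswith("."):
                if req.host == p[1:] or req.host.endswith(p):
                    return True
            elif req.host == p:
                return True
        return False
    return match


def acl_src(*cidrs):
    """Match the client source address against one or more CIDR ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    def match(req):
        ip = ipaddress.ip_address(req.src_ip)
        return any(ip in n for n in nets)
    return match


def acl_proxy_auth_required(req):
    """proxy_auth REQUIRED: true with credentials, otherwise 'credentials needed'."""
    return True if req.user else AUTH_REQUIRED


ACLS = {
    "loggedIn": acl_proxy_auth_required,
    "blockedSites": acl_dstdomain(".example.com"),
    "localnet": acl_src("192.168.4.0/24"),   # assumption: office LAN of the 192.168.4.2 proxy
    "all": lambda req: True,
}

# The http_access lines from the reply, in order.
HTTP_ACCESS = [
    ("deny", ["blockedSites", "!loggedIn"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


def evaluate(req, rules=HTTP_ACCESS, acls=ACLS):
    """Walk the lines top to bottom; the first line whose ACLs all match decides."""
    for action, terms in rules:
        line_matches = True
        for i, term in enumerate(terms):
            negated = term.startswith("!")
            result = acls[term.lstrip("!")](req)
            if result == AUTH_REQUIRED:
                # No credentials yet. Only when the proxy_auth ACL is the last
                # one on the line does Squid answer with a 407 challenge;
                # otherwise the line simply fails to match.
                if i == len(terms) - 1:
                    return "challenge"
                line_matches = False
                break
            if bool(result) == negated:      # this ACL term did not match
                line_matches = False
                break
        if line_matches:
            return action
    # Nothing matched: Squid's default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def decide(req):
    """Final verdict, accounting for the intercept port, where no login is possible."""
    verdict = evaluate(req)
    if verdict == "challenge" and req.port == INTERCEPT_PORT:
        # An intercepted client never chose to talk to a proxy, so it cannot
        # answer a proxy-auth challenge; in practice the site is just blocked.
        return "deny"
    return verdict


if __name__ == "__main__":
    samples = [
        ("boss, no creds, blocked site, proxy port", Request("www.example.com", "192.168.4.10", 3128)),
        ("boss, logged in, blocked site", Request("www.example.com", "192.168.4.10", 3128, user="boss")),
        ("anyone, work site, proxy port", Request("intranet.local", "192.168.4.10", 3128)),
        ("dodging proxy, blocked site, intercepted", Request("www.example.com", "192.168.4.10", 3129)),
        ("outside localnet, even logged in", Request("intranet.local", "10.0.0.5", 3128, user="boss")),
    ]
    for label, req in samples:
        print(f"{label:45} -> {decide(req)}")
```

Running it prints one verdict per sample request: the blocked site without credentials gets a challenge on the regular port but a plain block on the intercept port, work sites pass without any login, and a client outside localnet is denied even with credentials, which is the behaviour the reply describes for bosses, staff and laptops respectively.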
Received on Wed Feb 04 2009 - 05:13:24 MST