topic Re: Controling interenet access with Squid proxy in Operating System - Linux

Controling interenet access with Squid proxy

mvr — Mon, 23 May 2005 09:44:22 GMT

I would like to know if it is possible to control user access to internet with Squid proxy. I would like to be able to restrict some users to use just a few websites (like lookup for UPS or FedEx) and the rest should be unavailable for them.
Do I need to user RADIUS server for authentication, or Squid proxy can authenticate them?

Miro

Re: Controling interenet access with Squid proxy

Ian Meyer_2 — Mon, 23 May 2005 10:21:46 GMT

You can control access through squid using ACL's in the squid.conf file.

acl ups dstdomain www.ups.com
http_access deny all
http_access allow ups

A good resource is the Squid faq located here: http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.1

It explains ACL's and the different ways you can go about setting them up quite well.

Re: Controling interenet access with Squid proxy

mvr — Mon, 23 May 2005 10:31:39 GMT

Thank you for information. This looks to me like it will deny access for EVERYBODY to anything except UPS. My next question would be if I could accomplish the same, but based on a single user or group.

Miro

Re: Controling interenet access with Squid proxy

Stuart Browne — Mon, 23 May 2005 10:44:42 GMT

Squid has a number of different authentication plugins (i'm sure there's a radius one around somewhere), and yes, you can tie the logged-in-user to given acl classes.

The FAQ (url in the previous answer) has all the answers you are looking for. Just read through it a bit more, and you'll answer your questions.

Re: Controling interenet access with Squid proxy

Ian Meyer_2 — Mon, 23 May 2005 10:55:07 GMT

Depending on how complex your network is, you
could use something like the following:

acl client src 192.168.2.0
acl domain dstdomain .ups.com
http_access allow client domain
http_access deny all

If you are looking to implement this for more than 10 users, I would look into proxy_auth.. you can find all of the relevant informaton for proxy_auth here: http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth

Re: Controling interenet access with Squid proxy

mvr — Mon, 23 May 2005 12:34:54 GMT

I read the document that you sent me. A lot of great information.
I still don't understaned how can this be done if the Squid proxy is in DMZ, and computers are running in trusted zone.

Miro

Re: Controling interenet access with Squid proxy

Ian Meyer_2 — Mon, 23 May 2005 12:44:12 GMT

Not knowing your network topology, I can only add that Squid knows who is accessing it and what IP they are coming from as long as that IP address is not forwarded by a firewall or anything similar. So as long as Squid can see each machine's individual IP address you should be fine.. if not, that's a definite need for proxy_auth.

Does that make any sense?

Re: Controling interenet access with Squid proxy

Stuart Browne — Mon, 23 May 2005 19:13:37 GMT

Given that you've got a trusted (which is probably being NAT'd out), and Squid in the DMZ (Huh? why? Put that inside too!), you'd probably have to go with some form of user authentication..

Expanding on Ian's example..

acl Courier_Users proxy_auth
acl ALL proxy_auth REQUIRED
acl domain dstdomain .ups.com .fedex.com
http_access allow Courier_Users domain
http_access deny all Courier_Users

(expanded from sections 10 and 19 of the FAQ)

You'll need to set up an external Auth program (see the documentation on that), but this should restrict '' etc. to only accessing those domains.

If you aren't in a NAT'd environment, then you can tie it down to workstation, either by src, or by something else.