Re: configuring squid based on groups policies on FC3

Ankush Grover wrote:
> I am using Squid 2.5 on FC3. There are different groups for which I
> want to configure squid.

(Note: I haven't tried all this...)

First question: how do you want to identify users? You can either do
this by the IP address of their PCs (which might be simplest), or by
insisting that they use usernames and passwords. In that case, you need
to work out whether you want to use special proxy passwords, their
standard Linux passwords, or something else (LDAP)?

You will have to edit /etc/squid/squid.conf in any case.

What you will need to do is set up various "access control lists"
("acl"s) and allow or deny access based on these acls.

If you want to use IP address, you might use something like
acl marketing src 192.168.1.1/255.255.255.240
for computers in the 192.168.1.1 to 192.168.1.15 range.

If you want to use passwords, read the notes in the squid.conf file around
"TAG: auth_param". There are examples in this file: note that the squid
RPM has a number of external authentication programs that you can get
Squid to use: see
rpm -ql squid | grep _auth

You can then use something like
acl marketing proxy_auth user1 user2

Next you need to set up acls describing what users might want to do:
> a) Marketing Executives:
> Category       Most restrictive
> Limit on download for example no object more than 256 kb is allowed
> to be downloaded, no messengers allowed, if possible banning of
> sending & receiving of attachments through any webbased mail for
> example yahoo,gmail etc, banning of downloading of  movies,mpeg or
> audio files.

reply_body_max_size 256000 allow marketing
(See http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#ss4.21 :
    Note that ``creative'' user-agents will still be able to download
    really large files through the cache using HTTP/1.1 range requests.
)

Limiting messengers is difficult: they all use HTTP in different ways.
I've got a
acl msn rep_mime_type -i ^application/x-msn-messenger$
line in my squid.conf, but I haven't checked that for a while. Best
advice is to get hold of all the messenger programs you can, and check
the /var/log/squid/access.log to see what they're trying to download.

You can similarly try to limit audio/.* files, video/.* files, and other
files. Unfortunately, you'll probably also have to try limiting by
extensions:
acl virustype urlpath_regex -i \.pif$

(Internet Explorer, at least, has the reputation of paying more
attention to extensions than to MIME filetypes).

What you *won't* be able to (easily) do is to stop users downloading zip
files containing MPEGs. And gmail and yahoo present attachments for
download in the same way as other web sites might present PDFs or Word
documents for download: you either ban based on site, or on file type,
or both.

Once you've got ACLs set up, then you can use http_access rules to limit
what users can do.

http_access deny marketing msn

Hope this helps,

James.

-- 
E-mail address: james | How about an Australian-language version?
@westexe.demon.co.uk  | 'Your program just attempted an illegal instruction.
                      | No worries, mate.'
                      |     -- Paul Tomblin
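
The advice above to check /var/log/squid/access.log before writing ACLs can be scripted. The following is an added example, not part of the original message: it reads Squid's native log format and, for clients in the marketing range, tallies MIME types and reports requests that match the MIME patterns, the extensions, or the 256000-byte limit discussed above. The log lines are constructed, and the extension list beyond .pif is an assumption.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer mime
SAMPLE_LOG = """\
1108450001.120    310 192.168.1.5 TCP_MISS/200 1523 POST http://gateway.messenger.example/gateway.dll? - DIRECT/203.0.113.10 application/x-msn-messenger
1108450002.480   5210 192.168.1.7 TCP_MISS/200 4812344 GET http://media.example/clip.mpeg - DIRECT/203.0.113.20 video/mpeg
1108450003.010     95 192.168.1.7 TCP_HIT/200 18220 GET http://www.example/index.html - NONE/- text/html
1108450004.900   2100 192.168.1.9 TCP_MISS/200 734003 GET http://files.example/song.MP3 - DIRECT/203.0.113.30 application/octet-stream
1108450005.300    150 192.168.1.40 TCP_MISS/200 9100 GET http://media.example/a.avi - DIRECT/203.0.113.20 video/x-msvideo
"""

MARKETING = ipaddress.ip_network("192.168.1.0/28")    # the /255.255.255.240 block
MIME_RE = re.compile(r"^(audio/|video/|application/x-msn-messenger$)", re.I)
EXT_RE = re.compile(r"\.(pif|mp3|mpe?g|avi)$", re.I)  # assumed extension list
MAX_BYTES = 256000                                    # reply_body_max_size value

def review(log_text):
    """Return (findings, mime_counts) for requests from the marketing range."""
    findings, mime_counts = [], Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # truncated line or a non-native log format
        client, size, url, mime = f[2], int(f[4]), f[6], f[9]
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # client was logged as a hostname, not an IP
        if addr not in MARKETING:
            continue
        mime_counts[mime] += 1
        reasons = []
        if MIME_RE.search(mime):
            reasons.append("mime")
        if EXT_RE.search(urlsplit(url).path):
            reasons.append("extension")
        if size > MAX_BYTES:
            reasons.append("size")
        if reasons:
            findings.append((client, url, reasons))
    return findings, mime_counts

if __name__ == "__main__":
    for client, url, reasons in review(SAMPLE_LOG)[0]:
        print(client, url, ",".join(reasons))
```

The fourth sample line is reported only by extension and size because its MIME type is application/octet-stream, which is the case the message describes where MIME filtering alone is not enough.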

