configuring squid based on groups policies on FC3

Ankush Grover ankush174 at gmail.com
Wed Jun 21 16:44:37 UTC 2006


>
> (Note: I haven't tried all this...)
>
> First question: how do you want to identify users? You can either do
> this by the IP address of their PCs (which might be simplest), or by
> insisting that they use usernames and passwords. In that case, you need
> to work out whether you want to use special proxy passwords, their
> standard Linux passwords, or something else (LDAP)?
>
> You will have to edit /etc/squid/squid.conf in any case.
>
> What you will need to do is set up various "access control lists"
> ("acl"s) and allow or deny access based on these acls.
>
> If you want to use IP address, you might use something like
> acl marketing src 192.168.1.1/255.255.255.240
> for computers in the 192.168.1.1 to 192.168.1.15 range.
>
> If you want to use passwords, read the notes in squid.conf file around
> "TAG: auth_param". There are examples in this file: note that the squid
> RPM has a number of external authentication programs that you can get
> Squid to use: see
> rpm -ql squid | grep _auth
>
> You can then use something like
> acl marketing proxy_auth user1 user2
>
> Next you need to set up acls describing what users might want to do:
> > a) Marketing Executives:
> > Category       Most restrictive
> > Limit on download for example no object more than 256 kb is allowed
> > to be downloaded, no messengers allowed, if possible banning of
> > sending & receiving of attachments through any webbased mail for
> > example yahoo, gmail etc, banning of downloading of movies, mpeg or
> > audio files.
>
> reply_body_max_size 256000 allow marketing
> (See http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#ss4.21 :
>    Note that ``creative'' user-agents will still be able to download
>    really large files through the cache using HTTP/1.1 range requests.
> )
>
> Limiting messengers is difficult: they all use HTTP in different ways.
> I've got a
> acl msn rep_mime_type -i ^application/x-msn-messenger$
> line in my squid.conf, but I haven't checked that for a while. Best
> advice is to get hold of all the messenger programs you can, and check
> the /var/log/squid/access.log to see what they're trying to download.
>
> You can similarly try to limit audio/.* files, video/.* files, and other
> files. Unfortunately, you'll probably also have to try limiting by
> extensions:
> acl virustype urlpath_regex -i .pif$
>
> (Internet Explorer, at least, has the reputation of paying more
> attention to extensions than to MIME filetypes).
>
> What you *won't* be able to (easily) do is to stop users downloading zip
> files containing MPEGs. And gmail and yahoo present attachments for
> download in the same way as other web sites might present PDFs or Word
> documents for download: you either ban based on site, or on file type,
> or both.
>
> Once you've got ACLs set up, then you can use http_access rules to limit
> what users can do.
>
> http_access deny marketing msn
>
> Hope this helps,
>
> James.


Hey Mr. James,

Thanks for your reply. I read the documentation of Squid and many of
my doubts or questions got cleared. Some were left which you cleared.

Thanks once again.

Thanks & Regards

Ankush Grover
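The acl lines James sketched above (src by IP range, reply_body_max_size, rep_mime_type, urlpath_regex) can be hard to reason about until you see them applied to real traffic, and his advice was to watch /var/log/squid/access.log. The following script is an added example, not part of this thread and not Squid's own code: it parses constructed access.log lines in Squid's native format and replays the quoted policy over them, so an administrator can review which requests the rules would have denied before enabling them. The "media" acl (audio/.* and video/.*) is an assumption spelled out from the prose; the marketing range and the other acls are taken from the thread. One caveat worth knowing: in Squid, rep_mime_type is a reply-side acl, so it only takes effect in http_reply_access, not in http_access; the script therefore evaluates it, together with the reply size cap, in a separate reply-time step.

```python
"""Replay squid-style acl rules over access.log lines (constructed sample data)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Policy transcribed from the thread: acl marketing src 192.168.1.1/255.255.255.240
MARKETING_NET = ipaddress.ip_network("192.168.1.1/255.255.255.240", strict=False)
REPLY_BODY_MAX = 256000  # reply_body_max_size 256000 allow marketing

# Request-time acl, matched against the URL path before the fetch
VIRUSTYPE_RE = re.compile(r"\.pif$", re.IGNORECASE)  # acl virustype urlpath_regex -i .pif$
# Reply-time acls, matched against the Content-Type Squid receives
MSN_RE = re.compile(r"^application/x-msn-messenger$", re.IGNORECASE)  # acl msn rep_mime_type
MEDIA_RE = re.compile(r"^(audio|video)/", re.IGNORECASE)  # assumed: acl media rep_mime_type -i ^(audio|video)/

# Squid native access.log fields:
# time elapsed client action/status bytes method url ident hierarchy/peer content-type
LOG_FIELDS = ("time", "elapsed", "client", "result", "size", "method", "url", "ident", "peer", "mime")

# Constructed sample log lines (not captured from a real proxy)
SAMPLE_LOG = """\
1150906000.123    245 192.168.1.5 TCP_MISS/200 34521 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1150906001.456   1200 192.168.1.7 TCP_MISS/200 512340 GET http://www.example.com/video/clip.mpeg - DIRECT/203.0.113.10 video/mpeg
1150906002.789     80 192.168.1.9 TCP_MISS/200 2048 POST http://gateway.messenger.example/gateway.dll - DIRECT/203.0.113.20 application/x-msn-messenger
1150906003.012    300 192.168.1.12 TCP_MISS/200 4096 GET http://www.example.com/files/update.PIF - DIRECT/203.0.113.10 application/octet-stream
1150906004.345    150 192.168.1.40 TCP_MISS/200 900000 GET http://www.example.com/big.iso - DIRECT/203.0.113.10 application/octet-stream
1150906005.678    410 192.168.1.3 TCP_MISS/200 700000 GET http://www.example.com/archive/big.zip - DIRECT/203.0.113.10 application/zip
"""


def parse_line(line):
    """Split one native-format access.log line into a dict of typed fields."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    entry = dict(zip(LOG_FIELDS, parts))
    entry["size"] = int(entry["size"])
    entry["client"] = ipaddress.ip_address(entry["client"])
    return entry


def is_marketing(entry):
    """acl marketing src ...: client address falls inside the marketing range."""
    return entry["client"] in MARKETING_NET


def request_verdict(entry):
    """Mirror http_access: every acl on a line must match, first matching line wins."""
    path = urlsplit(entry["url"]).path
    if is_marketing(entry) and VIRUSTYPE_RE.search(path):
        return "deny marketing virustype"
    return "allow"


def reply_verdict(entry):
    """Mirror http_reply_access plus reply_body_max_size for the marketing group."""
    if is_marketing(entry) and MSN_RE.search(entry["mime"]):
        return "deny marketing msn"
    if is_marketing(entry) and MEDIA_RE.search(entry["mime"]):
        return "deny marketing media"
    if is_marketing(entry) and entry["size"] > REPLY_BODY_MAX:
        return "reply_body_max_size exceeded"
    return "allow"


def verdict(entry):
    """Request-time checks run first; only allowed requests reach the reply-time checks."""
    v = request_verdict(entry)
    return v if v != "allow" else reply_verdict(entry)


def audit(log_text):
    """Return (client, url, verdict) for each line so denied traffic can be reviewed."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [(str(e["client"]), e["url"], verdict(e)) for e in entries]


if __name__ == "__main__":
    for client, url, v in audit(SAMPLE_LOG):
        print(f"{client:15} {v:30} {url}")
```

The hosts at 192.168.1.40 and above fall outside 192.168.1.0/28 (which is what the 255.255.255.240 mask in the quoted acl resolves to), so the 900000-byte download from .40 is untouched by the marketing rules while the 700000-byte zip fetched by .3 trips the size cap; this is the quickest way to confirm that an acl range actually covers the machines you intended before the deny lines go live.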
