Documentation: Blacklists with squid
Dear users of skolelinux,
I found it quite relaxing to be able to just switch off the web while the task
for the class was some exercises with oowriter. As opposed to filtering
"bad URLs", this lock is not automated yet, so I invite anybody who is
into webmin/wlus to do so :)
My classroom is a set of thin clients connected to one LTSP server, so all
I have to do is deny access for ltsp. The intranet keeps working if you add
"tjener.intern" to the list of exceptions for proxy usage (which is advisable
anyway, since wlus is not reachable through the proxy).
Here I dare present our /etc/squid.conf on tjener, without naming its author
(without permission, that is :) Note that you have to restart squid to make
changes take effect:
tjener# /etc/init.d/squid restart
tjener# nano /etc/squid.conf
==========================
# Extract from squid.conf on tjener
# Added blacklist and whitelist
# teacher_workstation gets unlimited access
# switch to squidguard later
# blacklist and whitelist are in /etc/squid
#
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
maximum_object_size 20480 KB
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
#ACLs define rules (sets of computers or lists of keywords):
acl schoolnet src 10.0.2.0/255.255.254.0
acl ltspnet src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl teacher_workstation src 10.0.2.236
acl ltsp_server src 10.0.2.10
acl whitelist url_regex "/etc/squid/whitelist"
acl blacklist url_regex "/etc/squid/blacklist"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
# apply / combine rules:
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# http_access deny ltsp_server # uncomment to lock ltsp!
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow teacher_workstation # free access
http_access allow whitelist
http_access deny blacklist
http_access allow schoolnet
http_access allow ltspnet # irrelevant AFAIK
http_access allow localhost
http_access deny all
icp_access allow all
======================
I admit I am not too familiar with the logical order in which these rules are
applied - my impression is that the list is run through until the first match.
Rules further down are then ignored.
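To check that impression without touching the live proxy, here is a small first-match simulator of the http_access list above. It is an added example, not part of the original post or of squid; the whitelist/blacklist patterns and the client addresses used are constructed samples, and the manager/purge lines are left out.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed mirror of the posted squid.conf ACLs: netmasks in CIDR form, list files replaced by inline samples.
ACLS = {
    "schoolnet": ("src", ["10.0.2.0/23"]),            # 10.0.2.0/255.255.254.0
    "ltspnet": ("src", ["192.168.0.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
    "teacher_workstation": ("src", ["10.0.2.236/32"]),
    "ltsp_server": ("src", ["10.0.2.10/32"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "whitelist": ("url_regex", [r"wikipedia\.org"]),         # constructed sample entry
    "blacklist": ("url_regex", [r"games", r"wikipedia"]),    # constructed sample entries
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777), (901, 901)]),
    "CONNECT": ("method", ["CONNECT"]),
}
# http_access lines in file order: "!" negates an ACL, ACLs on one line are ANDed, first full match decides.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["teacher_workstation"]),
    ("allow", ["whitelist"]),
    ("deny", ["blacklist"]),
    ("allow", ["schoolnet"]),
    ("allow", ["ltspnet"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
LOCK_LTSP = ("deny", ["ltsp_server"])   # the commented-out "uncomment to lock ltsp!" line
def acl_matches(name, src, url, method):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":
        return any(re.search(v, url) for v in values)
    if kind == "port":   # CONNECT requests carry a bare host:port; add a scheme so urlparse splits it
        parsed = urlparse(url if method != "CONNECT" else "https://" + url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        return any(lo <= port <= hi for lo, hi in values)
    return method in values   # "method" ACLs
def http_access(src, url, method="GET", lock_ltsp=False):
    # Returns (action, rule_no) of the first matching line (lock line is rule 1 when enabled); no match -> opposite of last line.
    rules = ([LOCK_LTSP] if lock_ltsp else []) + RULES
    for rule_no, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a.lstrip("!"), src, url, method) != a.startswith("!") for a in acls):
            return action, rule_no
    return ("allow" if rules[-1][0] == "deny" else "deny"), None
```

Running it shows the consequences of the order: the teacher workstation reaches a blacklisted URL because its allow line comes first, a whitelisted URL that also matches the blacklist is allowed because the whitelist line is checked before the blacklist line, and with the lock line enabled the LTSP server is denied before its schoolnet allow is ever consulted.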
Regards
Ralf