Documentation: Blacklists with squid

To: debian-edu@lists.debian.org
Subject: Documentation: Blacklists with squid
From: Ralf Gesel|ensetter <rgx@gmx.de>
Date: Tue, 5 Oct 2004 17:23:23 +0200
Message-id: <[🔎] 200410051723.23833.rgx@gmx.de>

Dear users of skolelinux,

I found it quite relaxing to be able to just switch out the web while the task 
for the class where some exercises with oowriter. As opposed to filtering 
"bad URLs", this lock is not automatized, yet, so I invite anybody who is 
into webmin/wlus to do so :)

My class room is a set of thin clients, connected to one LTSP server. Thus all 
I have to do is deny access for ltsp. Intranet works on if you add 
"tjener.intern" to the list of exceptions for proxy usage (which is advisable 
anyway, after wlus is not reachable through the proxy).

Here, I dare present our /etc/squid.conf on tjener, without naming its author 
(without permission that is :) Note that you have to restart squid to make 
changes take effect:

tjener# /etc/init.d/squid restart


tjener# nano /etc/squid.conf
==========================

# Extract from squid.conf on tjener
# Added blacklist and whitelist 
# teacher_workstation gets unlimited access 
# switch to squidguard later 
# blacklist and whitelist are in in /etc/squid
#
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
maximum_object_size 20480 KB
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880

#ACLs define rules (sets of computers or lists of keywords):

acl schoolnet  src 10.0.2.0/255.255.254.0 
acl ltspnet  src 192.168.0.0/255.255.255.0
acl all   src 0.0.0.0/0.0.0.0
acl teacher_workstation src 10.0.2.236
acl ltsp_server  src 10.0.2.10
acl whitelist   url_regex "/etc/squid/whitelist"
acl blacklist   url_regex "/etc/squid/blacklist"
acl manager   proto cache_object
acl localhost   src 127.0.0.1/255.255.255.255
acl SSL_ports  port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl  purge   method PURGE
acl  CONNECT  method CONNECT

# apply / combine rules:
http_access allow manager localhost
http_access deny  manager
http_access allow purge localhost
http_access deny  purge
# http_access deny  ltsp_server  # uncomment to lock ltsp!
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports
http_access allow teacher_workstation   # free access
http_access allow whitelist
http_access deny  blacklist
http_access allow schoolnet
http_access allow ltspnet  # irrelevant AFAIK
http_access allow localhost
http_access deny all
icp_access  allow all

======================

I admit not to be too familiar with the logical order these rules are applied 
- my impression is that the list is run through until first match. Rules 
further down are ignored then.

Regards
Ralf

Reply to:

Prev by Date: Bug#275032: education-standalone: Please add Mozilla-locale-no-nb
Next by Date: Hint: Extract IP's of Windows Clients from sambalog
Previous by thread: Bug#275032: marked as done (education-standalone: Please add Mozilla-locale-no-nb)
Next by thread: Hint: Extract IP's of Windows Clients from sambalog
Index(es):
- Date
- Thread