Re: Using debian as a proxy/masq. server.
On Fri, 21 Feb 1997, Adam Shand wrote:
> > I am currently using a debian system to masquerade all the traffic
> > from my high school's win95 lan to the internet. This is ok for a
> > temporary manner, but my school wants me to implement a way to track
> > where all the students are going, can't have them going to sighs
> > which arn't kosher, if you know what I mean. Well, is there a way to
> > do this, in that they authenicate themselves to the debian box, with
> > a username and password, and the proxy server will record wherever
> > they go (until the logout). or is there an easier way.
> It can be done. I am pretty sure that the local University does this
> with (I think) a hacked cern httpd.
> I believe that either Squid or Apache will support this as well...
> I've been meaning to investigate it but haven't yet had a chance.
Squid 1.1 can be set up to require users to login before they can access
the web. I haven't used it yet, but I would presume that it logs the IP
address of users when they log in (if it doesn't it should be too hard
to hack that in). It definitely logs the originating IP address of every
request, so it should be easy to keep track of which students are doing
intensive academic research on www.dirtypicturess.com etc :-)
also, you can use squid's access control lists to block access to such
You'll want to turn off masquerading for the common web ports (80, 8080
and 3128 for squid) if you run squid - firewall www access and force them
to use the proxy where you can log & control access.
i do this sort of thing a lot. i'm systems administrator at Schoolsnet
P/L (an ISP specialising in internet gateways, support, training, etc
for schools) here in Melbourne. Unfortunately I have to do most of it on
NextStep boxes rather than on debian linux.
# TAG: proxy_auth
# Usage: proxy_auth passwd_file [ ignore-domain ]
# 'passwd_file' is an apache-style file of passwords for
# authenticated proxy access Looks like user:password, with the
# password being standard crypt() format. Proxy authentication
# is disabled by default.
# 'ignore-domain' is a domain name for which authorization will
# *not* be required.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com