Re: [squid-users] ditch squid or not?

From: <dhottinger@dont-contact.us>
Date: Wed, 03 Jan 2007 12:32:38 -0500

Quoting Nick Duda <nduda@VistaPrint.com>:

>
> I've been fighting this fight for far too long without resolution. I've
> emailed the list at times with no resolution to my problem. I'm now
> faced with ditching Squid and SquidGuard as our corporate content
> filtering product because it can not do what we need. I'll offer the
> problem one more time in hopes of getting an answer , or at least
> pointed in the direction.
>
> Things to note: SquidGuard is no longer in dev (at least until someone
> picks it up) so getting any support whatsoever isn't happening.
>
> The setup:
> I run Squid with SquidGuard in a branch office of about 400 employees.
> This branch office only has 2 dedicated private line 1.5mb (bonded for
> 3mb total) to the corporate office, no internet access directly. All
> internet traffic is routed over these private lines to the corporate
> office then routed to the internet from there. In this branch office is
> the Squid server. Only this server has the rights to go out to the
> internet over the private lines, nothing else. If something in this
> branch office isn't configured to use the Squid proxy server (which uses
> NT authentication with the AD domain) it's not going anywhere. Pretty
> straight forward.
>
> On the Squid server I run SquidGuard, and subscribe to use the
> Blacklists from urlblacklist.com (which puts the files in a format
> natively that squidguard likes but not what squid likes). I use pretty
> much all the blacklist files in some way or another.
>
> My Problem:
>
> I want to block certain people/groups from using certain blacklists (the
> ones from urlblacklist.com) while allowing other access to them. Based
> on previous emails to the squid group and the fact that nobody answers
> or knows anything about squidguard on the squidguard mailing list
> (ironic), squidguard can't do what I want.
>
> In active directory, I setup Security groups with the people I want for
> a squidguard rule. For instance, I have an active directory group called
> "Can access webmail" and "Can access IM". In this group I add all the
> people that I want to access online webmail like gmail, yahoo mail...etc
> and in the other people that can access Instant Messaging urls.
>
> On the proxy I run a script:
>
> ##### Start Script #####
>
> #!/bin/sh
>
> DC='x.x.x.x'
> EMAIL=/usr/local/squidGuard/db/users/EmailUsers
> IM=/usr/local/squidGuard/db/users/IMUsers
>
> # Export each AD group's members to a squidGuard userlist file; the
> # substr() strips the prefix net rpc prints in front of each name.
> net rpc group members "Can access webmail" -S $DC -U username%password \
>     | awk '{print substr($0,14,10)}' > $EMAIL
> net rpc group members "Can access IM" -S $DC -U username%password \
>     | awk '{print substr($0,14,10)}' > $IM
>
> chown squid.squid /usr/local/squidGuard/db/users/* -Rf
>
> /usr/local/squid/sbin/squid -k reconfigure
>
> ##### End Script #####
>
> This script runs every x minutes and the output is a file with a list of
> users in the format of first initial last name (i.e. jdoh)
>
> In the squidguard.conf file I setup something like this:
>
> source EmailUsers {
> userlist users/EmailUsers
> }
>
> source IMUsers {
> userlist users/IMUsers
> }
>
> EmailUsers {
> pass webmail mail !ads !adult !aggressive !antispyware !artnudes
> !banking !beerliquorinfo !beerliquorsale !cellphones !chat !childcare
> !clothing !culinary !customblocked !dating !dialers !drugs !ecommerce
> !frencheducation !gambling !government !hacking !homerepair !jewelry
> !jobsearch !kidstimewasting !naturism !onlineauctions !onlinegames
> !onlinepayment !personalfinance !phishing !porn !proxy !radio !religion
> !ringtones !sexuality !spyware !vacation !violence !virusinfected !warez
> !weapons all
> redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
> }
>
> IMUsers {
> pass instantmessaging !ads !adult !aggressive !antispyware
> !artnudes !banking !beerliquorinfo !beerliquorsale !cellphones !chat
> !childcare !clothing !culinary !customblocked !dating !dialers !drugs
> !ecommerce !frencheducation !gambling !government !hacking !homerepair
> !jewelry !jobsearch !kidstimewasting !mail !naturism !onlineauctions
> !onlinegames !onlinepayment !personalfinance !phishing !porn !proxy
> !radio !religion !ringtones !sexuality !spyware !vacation !violence
> !virusinfected !warez !weapons !webmail all
> redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
> }
>
> default {
> pass !ads !adult !aggressive !antispyware !artnudes !banking
> !beerliquorinfo !beerliquorsale !cellphones !chat !childcare !clothing
> !culinary !customblocked !dating !dialers !drugs !ecommerce
> !frencheducation !gambling !government !hacking !homerepair
> !instantmessaging !jewelry !jobsearch !kidstimewasting !mail !naturism
> !onlineauctions !onlinegames !onlinepayment !personalfinance !phishing
> !porn !proxy !radio !religion !ringtones !sexuality !spyware !vacation
> !violence !virusinfected !warez !weapons !webmail all
> redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
> }
>
>
> The problem I have is that if I have a user that I want to have access
> to both Webmail and Instant messaging when it hits the first rule
> "EmailUsers" it is getting denied the instant messaging.
>
> I need a way to run a content filtering solution that I can customize
> who can access certain url blacklist files and who can't. It's as if I
> want squidguard to look at the first rule and then continue to process
> the others. SquidGuard will deny or allow access on the first rule that
> triggers that matches and does not process any others.
>
> I really like Squid and squidguard, can I do something before I need to
> go look at one of these commercial content filtering appliances?
>
> Regards,
> Nick Duda
>
>
>
>

You can do something similar with Secure Computing's Smartfilter. It
will tie into Active Directory. Not sure on pricing, we are k-12 so
we get a discount.

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Received on Wed Jan 03 2007 - 10:32:48 MST
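The first-match behaviour Nick describes has a standard squidGuard workaround: a third userlist holding only the users who are in both AD groups, with its acl block placed before EmailUsers and IMUsers so it passes webmail and instantmessaging together. The script below is an added example, not code from either poster; it builds that intersection file from the two lists the export script writes, and the source name BothUsers and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. squidGuard evaluates the
# blocks inside acl { } top-down and applies the first one whose source
# matches the client, so a user listed in both EmailUsers and IMUsers
# always lands in EmailUsers and is denied instantmessaging.
# Workaround: maintain a third userlist of the users in BOTH groups and
# list its acl block first, passing webmail and instantmessaging together.
#
# Assumed squidGuard.conf additions (names are hypothetical):
#   source BothUsers { userlist users/BothUsers }
#   acl {
#       BothUsers  { pass webmail mail instantmessaging !ads ... all redirect ... }
#       EmailUsers { ... }   # unchanged
#       IMUsers    { ... }   # unchanged
#       default    { ... }
#   }

# intersect_userlists FILE_A FILE_B OUT
# Writes the sorted, de-duplicated users present in both files to OUT and
# prints the number of users written. Trailing whitespace is stripped
# because the awk substr() in the export script pads short user names.
intersect_userlists() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sed 's/[[:space:]]*$//; /^$/d' "$1" | sort -u > "$a"
    sed 's/[[:space:]]*$//; /^$/d' "$2" | sort -u > "$b"
    comm -12 "$a" "$b" > "$3"          # lines common to both sorted inputs
    rm -f "$a" "$b"
    wc -l < "$3" | tr -d ' '
}

# Constructed sample lists standing in for the files the AD export writes
# (first initial + last name, as in the post). Note "bjones " is padded.
DEMO=$(mktemp -d)
printf 'jdoh\nasmith\nbjones \n' > "$DEMO/EmailUsers"
printf 'bjones\ncwong\njdoh\n'   > "$DEMO/IMUsers"

COUNT=$(intersect_userlists "$DEMO/EmailUsers" "$DEMO/IMUsers" "$DEMO/BothUsers")
echo "$COUNT users may use both webmail and IM:"
cat "$DEMO/BothUsers"
# After writing the real file, chown it to squid and run
# "squid -k reconfigure" as the export script does, so the redirector
# helpers restart and squidGuard re-reads the userlists.
```

Run it from the same cron job as the export script, after both userlists have been refreshed, so the intersection never lags behind the group membership it is derived from.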

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:00 MST