Re: [squid-users] WebFilter by ip

From: Mike Rambo <mrambo_at_lsd.k12.mi.us>
Date: Mon, 29 Mar 2010 11:08:43 -0400

Landy Landy wrote:
>
>
> I have a small network at an elementary school where I have two labs: one would have access to the internet and one won't. I'm currently doing this. Now, I also have teachers and others that would be accessing the web as well. I would like to allow teachers and others full access to the internet and the allowed students (the other lab) would be restricted to certain pages; that's where squidGuard comes in.
>
> Since, I'm already doing:
>
> acl localnet src 172.16.0.0/16
> acl proxy src 172.16.0.1
> acl allowed src "/etc/msd/ipAllowed"
>
> acl CONNECT method CONNECT
>
> http_access allow proxy
> http_access allow localhost
>
> #---- Block some sites
>
> acl blockanalysis01 dstdomain .scorecardresearch.com .google-analytics.com
> acl blockads01 dstdomain .rad.msn.com ads1.msn.com ads2.msn.com ads3.msn.com ads4.msn.com
> acl blockads02 dstdomain .adserver.yahoo.com pagead2.googlesyndication.com ad.yieldmanager.com
> acl blockads03 dstdomain .doubleclick.net
> http_access deny blockanalysis01
> http_access deny blockads01
> http_access deny blockads02
> http_access deny blockads03
>
> http_access allow allowed
> http_access deny all
>
> ....................................
>
> I don't see how I can take an ip address from ipAllowed to do content filtering. This is where I'm stuck.
>

It sounds like you are missing the concept that squidGuard is a separate
process with a separate set of rules from that of squid. SG will act on
whatever squid redirects to it.

You have rules (above) that permit only a subset of your total user base
access to the web as determined by whether they are allowed access to
the proxy at all.

squidGuard works as a squid redirector (see url_rewrite_program in
squid.conf) on top of this. With this enabled, all web traffic permitted
access to the proxy (in your case defined by "http_access allow
allowed") will also be redirected to SG and be filtered according to
whatever rules you set up there. Within SG you can allow or disallow
based upon network segment, individual IP address, userid if you set up
authentication, time of day, destination url on the web and other
parameters.

IOW, you "take an ip address from ipAllowed to do content filtering" by
virtue of the fact that the client in ipAllowed has already been
permitted access to the proxy and with the redirector enabled will now
also be processed according to the rules set up in the redirect
(url_rewrite) program.

HTH.

-- 
Mike Rambo
NOTE: In order to control energy costs the light at the end
of the tunnel has been shut off until further notice...
Received on Mon Mar 29 2010 - 15:08:50 MDT
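
The two-stage setup described in the reply above, as an added configuration example (not part of the original message and not taken from the squidGuard documentation). The install paths, the `teachers` and `studentlab` address ranges, the `schoolsites` list name and the block page URL are assumptions chosen for illustration; only 172.16.0.1 (the proxy) and /etc/msd/ipAllowed come from the thread.

```conf
# --- squid.conf (additions; the existing http_access rules stay as they are) ---
# Hand every request that http_access has already allowed to squidGuard.
# Binary and config paths are assumptions; adjust to your install.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 5

# --- /etc/squid/squidGuard.conf ---
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Source groups, matched on the client IP that squid passes to the redirector.
# Both ranges are hypothetical and must also be listed in /etc/msd/ipAllowed,
# otherwise squid denies the client before squidGuard ever sees the request.
src teachers {
    ip 172.16.1.0/24
}

src studentlab {
    ip 172.16.2.0/24
}

# Whitelist for the student lab; file paths are relative to dbhome.
dest schoolsites {
    domainlist schoolsites/domains
    urllist    schoolsites/urls
}

acl {
    # Teachers: no content filtering beyond what squid.conf already blocks.
    teachers {
        pass all
    }
    # Student lab: only the whitelisted destinations, everything else redirected.
    studentlab {
        pass schoolsites none
        redirect http://172.16.0.1/blocked.html
    }
    # Any allowed client that matches no source group gets nothing (fail closed).
    default {
        pass none
        redirect http://172.16.0.1/blocked.html
    }
}
```

The lab that should have no internet access needs no squidGuard entry at all: it is simply left out of ipAllowed, so "http_access deny all" in squid.conf stops it before the redirector is consulted.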
