Re: [suse-linux-uk-schools] A happy Squid story

Would this then be correct.... acl public_rooms "/usr/local/squid/public_rooms" - list of ip address acl nonedsites "/usr/local/squid/nonedsites" - list of sites to ban # defining break times and games times acl am_break time MTWHF 10:55-11:10 acl lunch time MTWHF 12:10-13:05 acl pm_break time MTWHF 14:05-14:15 acl afterschool time MTWHF 15:50-16:10 # blocking freetime access in public rooms http_access deny public_rooms am_break http_access deny public_rooms lunch http_access deny public_rooms pm_break http_access deny public_rooms afterschool # http_access allow public_rooms # defining lessons times acl P1P2 time MTWHF 08:45-10:55 acl P3 time MTWHF 11:10-12:10 acl P4 time MTWHF 13:05-14:05 acl P5 time MTWHF 14:15-15:15 # block sites during lesson time http_access deny nonedsites P1P2 http_access deny nonedsites P3 http_access deny nonedsites P4 http_access deny nonedsites P5 # http_allow nonedsites So would this ban certain machines at breaks from accessing the net.. Im not to sure about the ban sites part.... im sure theres a url_regex to go in somewhere..... Gary

From: "npauli" To: Subject: [suse-linux-uk-schools] A happy Squid story Date: Tue, 23 Jan 2001 21:48:03 -0000

I don't know if Azrael has resolved his acl problems but I've just done something vaguely similar and so far, touch wood, it seems to be working (famous last words...)

But before I get onto that, I noticed in my notes that on the advice of squid.conf I uncommented the following two lines:

acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY

any help?

First off, I was having problems with people downloading MS Messenger and getting into chat rooms, etc. So, I found out that to get it you download a file called mmssetup.exe or, in one case only, msnsetup.exe. I then opened /usr/local/squid/logs/access.log and used a find utilty to check out these lines and, sure enough, they were pointing to download sites for messenger.

So I added the following to squid.conf

# blocking MS messenger acl messenger1 url_regex mmssetup.exe acl messenger2 url_regex msnsetup.exe http_access deny messenger1 http_access deny messenger2

I then did

/usr/local/squid/bin/squid -k reconfigure to tell squid to re-read its now altered config file.

I then had to purge the offending setup.exe files from my cache. To do that I had to add the following line to my squid.conf (I bunged it in under #Defaults along with a bunch of other acls.)

acl PURGE method purge

Then I used the client program that comes with squid to do the dirty work. You have to give the full url of the file you want purged - just using the regex mmssetup.exe as you can in the acl produces a "sorry, squire" error message.

/usr/local/squid/bin/client -m PURGE http://full/url/mmssetup.exe

did the business, though. [And I don't know about your mail reader but mine insists on adding blue and underlining to that argument above.]

Next problem. We now have network stations in the library and one classroom that I can't keep an eye on at breaktimes. The following lines from squid.conf deal with it.

acl public_rooms "/usr/local/squid/public_rooms"

# defining break times and games times acl am_break time MTWHF 10:50-11:15 acl lunch time MTH 12:25-13:25 acl pm_break time MTWHF 14:30-14:50 acl games time WF 12:25-15:50 acl afterschool time MTWHF 15:50-16:10

# blocking freetime access in public rooms http_access deny public_rooms am_break http_access deny public_rooms lunch http_access deny public_rooms pm_break http_access deny public_rooms games http_access deny public_rooms afterschool # http_access allow public_rooms

/usr/local/squid/public_rooms is simply a text file containing the ip addresses of the network stations that I wanted to go 'off air' as far as squid and the internet were concerned at the times defined in those acl lines. Each ip address in the text file should be on its own line. Originally I included their netmasks as well e.g. 123.14.56.48/255.255.255.192 but I later removed them.

Okay, so I did this on a Sunday afternoon (don't forget to use linuxconf to ensure that your squid box and the school bells agree on the time) and Monday morning I waited to see what would happen at 10:50. Sure enough, at that moment *every* station in the school was denied access. So I commented out the lines I'd added, did /usr/local/squid/bin/squid -k reconfigure to give it back to everyone, reconsulted the FAQ and guide and decided 1. to remove the netmasks from those ip addresses, and 2. to leave everything commented out except

acl public_rooms "/usr/local/squid/public_rooms" acl lunch time MTH 12:25-13:25 http_access deny public_rooms lunch

Much better! At lunch only the correct stations went out. Since then I've added back in the corresponding acl and http_access deny lines as each break comes around with no further problems.

As my users are gratifyingly disrespectful towards authority, I can have the pleasurable experience of popping into my office towards the end of a break and doing grep -e 123.14.56.48 /usr/local/squid/logs/access.log and gazing fondly at those lines that read TCP_DENIED/403

I hope someone will find this write-up handy. I'm partly doing it to teach myself to take sufficient notes as I do new things to the network and make changes.

Nigel.

Nigel Pauli - St. John's School, Northwood

_________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.