Mailinglist Archive: opensuse-edu (156 mails)

Re: [suse-linux-uk-schools] A happy Squid story
  • From: "Gary Parr" <g_parr@xxxxxxxxxxx>
  • Date: Fri, 26 Jan 2001 09:17:01 +0000 (UTC)
  • Message-id: <F49m4jb4Sk4wnF1Uqvp000011f4@xxxxxxxxxxx>

Would this then be correct....

acl public_rooms src "/usr/local/squid/public_rooms"     # list of ip addresses
acl nonedsites dstdomain "/usr/local/squid/nonedsites"   # list of sites to ban

# defining break times and games times
acl am_break time MTWHF 10:55-11:10
acl lunch time MTWHF 12:10-13:05
acl pm_break time MTWHF 14:05-14:15
acl afterschool time MTWHF 15:50-16:10

# blocking freetime access in public rooms
http_access deny public_rooms am_break
http_access deny public_rooms lunch
http_access deny public_rooms pm_break
http_access deny public_rooms afterschool
# http_access allow public_rooms


# defining lessons times
acl P1P2 time MTWHF 08:45-10:55
acl P3 time MTWHF 11:10-12:10
acl P4 time MTWHF 13:05-14:05
acl P5 time MTWHF 14:15-15:15

# block sites during lesson time
http_access deny nonedsites P1P2
http_access deny nonedsites P3
http_access deny nonedsites P4
http_access deny nonedsites P5
# http_allow nonedsites

So would this ban certain machines at breaks from accessing the net..
I'm not too sure about the ban sites part.... I'm sure there's a url_regex to go in somewhere.....

Gary

From: "npauli" <npauli@xxxxxxxxxxxxxxx>
To: <suse-linux-uk-schools@xxxxxxxx>
Subject: [suse-linux-uk-schools] A happy Squid story
Date: Tue, 23 Jan 2001 21:48:03 -0000

I don't know if Azrael has resolved his acl problems but I've just done
something vaguely similar and so far, touch wood, it seems to be working
(famous last words...)

But before I get onto that, I noticed in my notes that on the advice of
squid.conf I uncommented the following two lines:

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

any help?

First off, I was having problems with people downloading MS Messenger and
getting into chat rooms, etc. So, I found out that to get it you download a
file called mmssetup.exe or, in one case only, msnsetup.exe. I then opened
/usr/local/squid/logs/access.log and used a find utility to check out these
lines and, sure enough, they were pointing to download sites for messenger.

So I added the following to squid.conf

# blocking MS messenger
acl messenger1 url_regex mmssetup.exe
acl messenger2 url_regex msnsetup.exe
http_access deny messenger1
http_access deny messenger2

I then did

/usr/local/squid/bin/squid -k reconfigure
to tell squid to re-read its now altered config file.

I then had to purge the offending setup.exe files from my cache. To do that
I had to add the following line to my squid.conf (I bunged it in under
#Defaults along with a bunch of other acls.)

acl PURGE method purge

Then I used the client program that comes with squid to do the dirty work.
You have to give the full url of the file you want purged - just using the
regex mmssetup.exe as you can in the acl produces a "sorry, squire" error
message.

/usr/local/squid/bin/client -m PURGE http://full/url/mmssetup.exe

did the business, though. [And I don't know about your mail reader but mine
insists on adding blue and underlining to that argument above.]

Next problem. We now have network stations in the library and one classroom
that I can't keep an eye on at breaktimes. The following lines from
squid.conf deal with it.

acl public_rooms src "/usr/local/squid/public_rooms"

# defining break times and games times
acl am_break time MTWHF 10:50-11:15
acl lunch time MTH 12:25-13:25
acl pm_break time MTWHF 14:30-14:50
acl games time WF 12:25-15:50
acl afterschool time MTWHF 15:50-16:10

# blocking freetime access in public rooms
http_access deny public_rooms am_break
http_access deny public_rooms lunch
http_access deny public_rooms pm_break
http_access deny public_rooms games
http_access deny public_rooms afterschool
# http_access allow public_rooms

/usr/local/squid/public_rooms is simply a text file containing the ip
addresses of the network stations that I wanted to go 'off air' as far as
squid and the internet were concerned at the times defined in those acl
lines. Each ip address in the text file should be on its own line.
Originally I included their netmasks as well e.g.
123.14.56.48/255.255.255.192 but I later removed them.

Okay, so I did this on a Sunday afternoon (don't forget to use linuxconf to
ensure that your squid box and the school bells agree on the time) and
Monday morning I waited to see what would happen at 10:50. Sure enough, at
that moment *every* station in the school was denied access. So I commented
out the lines I'd added, did
/usr/local/squid/bin/squid -k reconfigure
to give it back to everyone, reconsulted the FAQ and guide and decided
1. to remove the netmasks from those ip addresses, and
2. to leave everything commented out except

acl public_rooms src "/usr/local/squid/public_rooms"
acl lunch time MTH 12:25-13:25
http_access deny public_rooms lunch

Much better! At lunch only the correct stations went out. Since then I've
added back in the corresponding acl and http_access deny lines as each break
comes around with no further problems.

As my users are gratifyingly disrespectful towards authority, I can have the
pleasurable experience of popping into my office towards the end of a break
and doing
grep -e 123.14.56.48 /usr/local/squid/logs/access.log
and gazing fondly at those lines that read TCP_DENIED/403

I hope someone will find this write-up handy. I'm partly doing it to teach
myself to take sufficient notes as I do new things to the network and make
changes.

Nigel.

Nigel Pauli - St. John's School, Northwood
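An added example, not code from either post: a small Python model of the acl/http_access subset that both messages use (Gary's draft rules and Nigel's working ones), with constructed IPs, domains, list-file contents and access.log lines. It shows that the ACLs named on one http_access line are ANDed and that the first matching line wins, why a masked src entry such as 123.14.56.48/255.255.255.192 reaches the whole subnet rather than one station, and counts the TCP_DENIED/403 lines Nigel greps for. The inclusive treatment of the ends of a time range is this model's assumption, as are all the sample values.

```python
"""Toy evaluator for the Squid acl / http_access subset used in this thread (added example)."""
import ipaddress
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Squid's one-letter day codes for "time" ACLs, mapped to datetime.weekday()
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}

def src_networks(entries):
    """'1.2.3.4' is one host (/32); '1.2.3.4/255.255.255.192' is the whole subnet,
    which is why a masked entry can take far more than one station off air."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def src_matches(entries, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in src_networks(entries))

def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

class Acl:
    def __init__(self, kind, values):
        self.kind, self.values = kind, values
        if kind == "time":
            # "time [days] [HH:MM-HH:MM]": no days means every day, no range means all day
            self.days, self.start, self.stop = set(range(7)), 0, 24 * 60
            for v in values:
                if "-" in v:
                    self.start, self.stop = map(_minutes, v.split("-"))
                else:
                    self.days = set()
                    for c in v.upper():  # D is Squid's shorthand for all weekdays
                        self.days |= set(range(5)) if c == "D" else {DAY_CODES[c]}
        elif kind == "url_regex":
            self.patterns = [re.compile(v) for v in values]
        elif kind not in ("src", "dstdomain"):
            raise ValueError("unsupported acl type: " + kind)

    def matches(self, client_ip, url, when):
        if self.kind == "src":
            return src_matches(self.values, client_ip)
        if self.kind == "dstdomain":
            host = (urlsplit(url).hostname or "").lower()
            # Squid rule: a leading dot matches the domain and its subdomains, otherwise exact
            return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                       for d in (v.lower() for v in self.values))
        if self.kind == "url_regex":
            return any(p.search(url) for p in self.patterns)
        minute = when.hour * 60 + when.minute
        # inclusive range ends are this model's assumption
        return when.weekday() in self.days and self.start <= minute <= self.stop

class Policy:
    def __init__(self):
        self.acls, self.rules = {}, []  # rules: (action, [(negated, acl name), ...]) in file order

    def decide(self, client_ip, url, when):
        """First http_access line whose ACLs (ANDed) all match decides; with no
        match Squid applies the opposite of the last line's action."""
        if isinstance(when, str):
            when = datetime.strptime(when, "%Y-%m-%d %H:%M")
        for action, terms in self.rules:
            if all(self.acls[name].matches(client_ip, url, when) != neg for neg, name in terms):
                return action
        if not self.rules:
            return "allow"
        return "deny" if self.rules[-1][0] == "allow" else "allow"

def load_config(text, files):
    """Parse acl/http_access lines; `files` maps a quoted path to the lines that
    file would hold, so the example runs without touching disk."""
    policy = Policy()
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "acl":
            values = []
            for w in words[3:]:
                path = w.strip('"')
                values.extend(files[path] if path in files else [w])
            policy.acls[words[1]] = Acl(words[2], values)
        elif words[0] == "http_access":
            policy.rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))
    return policy

# native access.log: timestamp elapsed client action/code size method url ...
DENIED = re.compile(r"^\S+\s+\S+\s+(\S+)\s+TCP_DENIED/403\b")

def count_denied(log_text):
    """Per-client count of TCP_DENIED/403 lines."""
    return dict(Counter(m.group(1) for m in map(DENIED.match, log_text.splitlines()) if m))

# Constructed sample config, list files and log lines in the style of the posts above.
SAMPLE_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl public_rooms src "/usr/local/squid/public_rooms"
acl nonedsites dstdomain "/usr/local/squid/nonedsites"
acl messenger1 url_regex mmssetup.exe
acl lunch time MTWHF 12:10-13:05
acl P3 time MTWHF 11:10-12:10
http_access deny messenger1
http_access deny public_rooms lunch
http_access deny nonedsites P3
http_access allow all
"""
SAMPLE_FILES = {"/usr/local/squid/public_rooms": ["10.0.5.12", "10.0.5.13"],
                "/usr/local/squid/nonedsites": [".games.example", "chat.example"]}
SAMPLE_LOG = """\
980511245.123 0 10.0.5.12 TCP_DENIED/403 1193 GET http://www.games.example/ - NONE/- text/html
980511246.001 120 10.0.7.1 TCP_MISS/200 4221 GET http://www.example/ - DIRECT/192.0.2.10 text/html
980511247.442 0 10.0.5.12 TCP_DENIED/403 1193 GET http://chat.example/ - NONE/- text/html
980511248.900 0 10.0.5.13 TCP_DENIED/403 1193 GET http://www.example/ - NONE/- text/html
"""

if __name__ == "__main__":
    policy = load_config(SAMPLE_CONFIG, SAMPLE_FILES)
    print(policy.decide("10.0.5.12", "http://www.example/", "2001-01-22 12:30"))  # Monday lunch: deny
    print(policy.decide("10.0.7.1", "http://www.example/", "2001-01-22 12:30"))   # not a public room: allow
    print(src_matches(["10.0.5.12/255.255.255.192"], "10.0.5.40"))  # masked entry catches a neighbour
    print(count_denied(SAMPLE_LOG))
```

Running the rules through this before `squid -k reconfigure` catches the two mistakes the thread describes: a masked entry in the src list matches the whole subnet, and a missing or mis-typed acl type would fail to parse rather than silently allow.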



