Discussion:
Squid Authentication
Chris Hodgetts
2011-09-12 08:08:23 UTC
Hey --

Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.

My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..

Anyway, any help would be great :)

Thanks

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
Nick Rout
2011-09-12 09:18:07 UTC
Post by Chris Hodgetts
Hey --
Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Anyway, any help would be great :)
Thanks
father of one and step-father of two waits with bated breath...

David Hawke
2011-09-12 09:21:06 UTC
With a family of five, I used to do this with custom iptables scripts
and cron jobs :-)

I did start a project called parapet to do this more nicely with a web
ui but ...

David H
Post by Nick Rout
Post by Chris Hodgetts
Hey --
Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Anyway, any help would be great :)
Thanks
father of one and step-father of two waits with bated breath...
Steve Holdoway
2011-09-12 09:39:07 UTC
Post by Nick Rout
Post by Chris Hodgetts
Hey --
Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Anyway, any help would be great :)
Thanks
father of one and step-father of two waits with bated breath...
You can't authenticate a transparent proxy. From what I remember,
SquidGuard can manage most, if not all of what you're wanting to do.


Steve
--
Steve Holdoway <***@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: ***@greengecko.co.nz
Skype: sholdowa


Nevyn
2011-09-12 09:51:02 UTC
Post by Steve Holdoway
Post by Nick Rout
Post by Chris Hodgetts
Hey --
Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Anyway, any help would be great :)
Thanks
father of one and step-father of two waits with bated breath...
You can't authenticate a transparent proxy. From what I remember,
SquidGuard can manage most, if not all of what you're wanting to do.
Steve
I was wondering something similar... if you were able to authenticate,
not on credentials, but on MAC address.... In which case, if you were
able to put DHCP on the same server (or have access to its
logs)......?

Regards,
Nevyn
http://nevsramblings.blogspot.com/

Steve Holdoway
2011-09-12 10:46:24 UTC
Post by Nevyn
Post by Steve Holdoway
Post by Nick Rout
Post by Chris Hodgetts
Hey --
Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Anyway, any help would be great :)
Thanks
father of one and step-father of two waits with bated breath...
You can't authenticate a transparent proxy. From what I remember,
SquidGuard can manage most, if not all of what you're wanting to do.
Steve
I was wondering something similar... if you were able to authenticate,
not on credentials, but on MAC address.... In which case, if you were
able to put DHCP on the same server (or have access to its
logs)......?
Regards,
Nevyn
http://nevsramblings.blogspot.com/
You can certainly categorise client machines by IP address. If you use
static IP addresses / allocate by MAC address for the special cases, and
then have a default dhcp range for the basic access level, then that'll
work.

Marry that up with OpenDNS censoring, and you'll have a pretty well
policed internet access policy in place, lessening the need for publicly
placed machines ( is that even possible any more? ) and your time.

As this all requires some sort of *nix based gateway, there's plenty
more that you can do with iptables, multiple (wireless) networks, etc...

hth,

Steve
--
Steve Holdoway <***@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: ***@greengecko.co.nz
Skype: sholdowa


Craig Box
2011-09-12 09:24:18 UTC
Post by Chris Hodgetts
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Simply add more restrictions to your ACLs. There is a section on how to do
this at http://www.wlug.org.nz/SquidNotes and I don't think the method has
changed since 2004!

Craig
Craig Box
2011-09-12 09:25:13 UTC
Post by Chris Hodgetts
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Simply add more restrictions to your ACLs. There is a section on how to do
this at http://www.wlug.org.nz/SquidNotes and I don't think the method has
changed since 2004!
That could have been worded better. "Simply add more restrictions with
ACLs". It's the http_access lines that do the restricting!
Bruce Clement
2011-09-12 11:59:53 UTC
Post by Chris Hodgetts
Hey --
Just wondering if anyone can help me
I have a couple of webpages (ok so facebook and its game pages and
trademe) that I would like to lock down between the hours of say 07:00am
and 18:00 unless there is an authenticated user - outside of those times,
unrestricted access.
My Squid is currently transparent to the end users, but I can only see how
to auth for all, not just a single domain..
Anyway, any help would be great :)
The following is all theoretical but may work.

My reading of the squid manual is that you can have multiple http_port
lines, one with a transparent option & one without.

Specifying transparent disables authentication. So if you then require it, it
should only require it for people who connect on the proxy port.

You should be able to set up a set of rules that allow anyone who is logged
in to access facebook or trade-me and forbid everyone else from connecting to
them, then just include the default options allowing access to pretty much
everything else to follow.

You then go to the machines that are going to be used for accessing trademe
/ facebook and turn on proxy use in the browser.
--
Bruce Clement

Home: http://www.clement.co.nz/
Twitter: http://twitter.com/Bruce_Clement
Directory: http://www.searchme.co.nz/

"Before attempting to create something new, it is vital to have a good
appreciation of everything that already exists in this field." Mikhail
Kalashnikov
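
The two-port layout described in the post above, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from any poster. The port numbers, the 192.168.1.0/24 LAN range, the ncsa_auth helper path and the password file are assumptions.

```conf
# Added example (not from the thread). Ports, LAN range, helper path and
# password file are assumptions; adjust them to the local install.

# Explicit proxy port: browsers configured to use it can be sent a 407
# login challenge.
http_port 3128
# Interception port (target of the port-80 redirect on the gateway).
# Authentication is not possible here. Squid 3.1 and later spell this
# option "intercept".
http_port 3129 transparent

# Basic auth against an htpasswd-style file (assumed paths).
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Restricted sites
auth_param basic children 5
auth_param basic credentialsttl 2 hours

acl localnet src 192.168.1.0/24
acl restricted_sites dstdomain .facebook.com .trademe.co.nz
acl daytime time 07:00-18:00
# Matches requests that arrived on the interception port. Newer releases
# name this ACL type "localport".
acl via_intercept myport 3129
acl authed proxy_auth REQUIRED

# Order matters: http_access stops at the first line that matches.
# 1. Intercepted clients cannot log in, so the sites are denied to them
#    during the restricted hours. Placing this first keeps the proxy_auth
#    ACL from ever being evaluated for intercepted traffic.
http_access deny restricted_sites daytime via_intercept
# 2. On the explicit port, a request without valid credentials gets a
#    login prompt; one with valid credentials falls through to the allow.
http_access deny restricted_sites daytime !authed
# 3. Everything else, and everything outside 07:00-18:00, is unrestricted
#    for the LAN.
http_access allow localnet
http_access deny all
```

Machines that should reach the restricted sites during the day have their browsers pointed at port 3128, as the post says; everything else stays on the intercepted path. Basic authentication crosses the LAN unencrypted, so give the proxy its own passwords rather than reusing login accounts.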