[squid-users] Content filtering, password-bypass & client configuration.

From: Stroller <linux.luser_at_myrealbox.com>
Date: Tue, 3 Feb 2009 08:35:36 +0000

Hi there,

I have a small office at which the bosses want to restrict access to
certain sites. I'm new to Squid - if I understand correctly then Squid
does the proxying stuff and then I add squidGuard on top to do the
filtering?

I haven't even got as far as the proxying, yet, though, because I'm
not sure the best way to get things up.

The bosses want these sites blocked, but they also want to be able to
log in & use a password to bypass the restriction themselves.

Am I understanding correctly that they can't do this (proxy_auth?) if
Squid is running in transparent / invisible mode?

Because transparent / invisible mode seems the ideal solution if you
want to *force* employees to use the proxy. Without that option I'm in
a bit of a muddle as to the best way to .... hmmmn.... well, configure
the clients, I guess, basically.

With transparency, the machine has two NICs and everything goes
through it, right? But if it's not transparent then it's just another
IP on the LAN (??) and that has to be entered into Internet Explorer's
configuration options. I can block outgoing connections to port 80
(except those made by the Squid box) at the ADSL router, and because
all the PCs are in a Windows domain I can use Policies to set that on
all clients. However this stitches up 2 or 3 laptop users - if I force
them to proxy through 192.168.4.2 then they won't be able to surf the
net when they take their laptops home (where there is no proxy at that
address).

I can make the client proxy configuration a manual process - or allow
certain users to override it - but that just seems clumsy to me,
having these poor folks who don't know anything about computers
messing around in Control Panel twice a day to tick & untick the proxy
options. I find that kinda inelegant - the idea of it just bugs me.

I'd prefer not to have the "bypassing" of the block list done by IP,
mostly because the bosses have mentioned the use of passwords. They
anticipate the work-related sites as being accessible without a
password, and only to be prompted for one when they go to facebook or
sports-scores.com. I'm not sure if this is possible with Squid(guard)?
I get the impression it might be necessary to log on before browsing
ANY site if authentication is enabled? Having to log on to use the
internet at the beginning of the work day would be seen as a bit
intrusive, I think - I think the bosses see the password thing as a
disincentive to them themselves to slack off. And if they go through
the proxy then the slacking off is logged and each boss can monitor
the other's slacking.

Clearly some of my concerns are Windows related, and halfway through
writing this I thought maybe I should have addressed my concerns to
the Microsoft newsgroups instead. But this must be a well-trodden path
in Squid administration, so perhaps you may have some pointers? If
it's not possible to do what I expect of Squid / squidGuard then
please feel free to offer alternative suggestions - of either proxy /
content-filter, or just other ways of using Squid.

Thanks for reading and thanks in advance for any suggestions,

Stroller.
Received on Tue Feb 03 2009 - 08:35:48 MST
