kodmasin

User Tools

Site Tools

Trace:
admins:squidopensuse

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
admins:squidopensuse [d.m.Y H:i] – [Force users to use proxy] kodmasinadmins:squidopensuse [d.m.Y H:i] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +====== Limit internet access on OpenSuse ======
 +===== Summary =====
 +This article is about limiting internet access for users of one computer (not router) running OpenSuse using squid, squidguard and SuSEfirewall. It will show you how to configure squid for authentication using PAM (using system username and password). How to setup transparent proxy for http and https together with normal proxy with authentication. How to use squidguard and finaly how to set up SuSEfirewall rules (iptables).
 +
 +What is what:
 +  * [[http://www.squid-cache.org/|squid]] - a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more
 +  * [[http://www.squidguard.org/|squidguard]] - a combined filter, redirector and access controller plugin for Squid
 +  * SuSEFirewall2 - default OpenSuse firewall
 +
 +===== Installation =====
 +
 +If you already do not have installed squid and squidguard you should install them with YAST (or any other way you prefer).
 +
 +===== squid PAM authentication =====
 +Setting squid to use PAM for authentication enable users who have shell access to use same username and password for squid.
 +
 +You should edit /etc/squid/squid.conf :
 +
 +Find auth_param TAG and uncomment or add following lines:
 +  
 +  auth_param basic program /usr/sbin/pam_auth
 +  auth_param basic children 5
 +  auth_param basic realm Squid proxy-caching web server
 +  auth_param basic credentialsttl 2 hours
 +
 +Next find acl TAG and uncomment or add following line:
 +
 +  acl password proxy_auth REQUIRED
 +  
 +Next find http_access TAG there should be 2 lines that look like below:
 +
 +  http_access allow localnet
 +  http_access allow localhost
 +  
 +Change them to look like:
 +
 +  http_access allow localnet password
 +  http_access allow localhost password
 +
 +Restart squid and you will have squid using PAM for authentication.
 +
 +===== Force users to use proxy (no transparent proxy) =====
 +As you have PAM authentication your proxy can not be transparent (below is procedure how to add transparent proxy). So there is no use of redirecting local traffic to proxy (as with transparent proxy - see bellow). Thing you can do is to block direct outgoing access to 80 and 443 ports.
 +As you do not want to get in conflict with YAST firewall configuration you should edit /etc/sysconfig/SuSEfirewall2 file. Find FW_CUSTOMRULES option and set it like this:
 +  
 +  FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
 +  
 +Then edit /etc/sysconfig/scripts/SuSEfirewall2-custom so that function fw_custom_before_denyall() look like:
 +
 +  fw_custom_before_denyall() {
 +     iptables -A OUTPUT -p tcp -m owner --uid-owner root -j ACCEPT
 +     iptables -A OUTPUT -p tcp -m owner --uid-owner squid -j ACCEPT
 +     iptables -A OUTPUT -p tcp --dport 80 -j DROP
 +     iptables -A OUTPUT -p tcp --dport 443 -j DROP
 +     true
 +  }
 +
 +This has one drawback. User will not be aware that he should use proxy as his request are blocked. He will think that there is no internet connection.
 +
 +
 +
 +===== Transparent proxy =====
 +FIXME work in progress
  

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki