This is a discussion on Deny access to web site with proxy within the Linux Networking forums, part of the Linux Forums category.

On 2004-09-13, riviereg <guillaume@nomail.org> wrote:
> My problem is with anonymous web site proxy, like <zap>
> Do you know if there is a simple way to say: "anno proxy: forbidden" to
> squid ?

No there isn't, but if you are in a 'normal' country, pr0n surfing during the work hours is normally forbidden, and the log files of the proxy are there for you to check.

So, you just inform your pr0n-addict users that their actions are controlled and termination is on its way.

Davide

--
Love means having to say you're sorry every five minutes.

Dear all Linux user,

I set up a proxy gateway (squid) for my office network. I try to deny access to adult web site from this office.

It works fine with some acl and a "blacklist". My problem is with anonymous web site proxy, like "http://www.ec.com.my/webproxy/nph-proxy.pl". My users can access unauthorised web sites.

I tried multiple configurations to deny those proxies, but none is good:

1/ Add a list of anno proxy web site: I don't have a list like this, I can just add proxies I know ... A simple google search can show you a proxy to pass over my squid configuration.

2/ Add an acl pathurl_regex with the "http" key word: It works fine (most of the proxies use a "www.myproxy.com/foocgi?http://mypornsite.com/" redirection). But there are many problems with other websites, for example, a google search with "http" is not authorised ...

3/ Add my blacklist as keyword for regex url acl. This is exactly what I want, but I think that with a big blacklist (chastity of squidGuard, > 100 000 entries) my web access is very slow: too much memory for parsing each url with this kind of regex.

Do you know if there is a simple way to say: "anno proxy: forbidden" to squid ?

Thank you very much for Help,
Guillaume
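
An added example, not part of the original post and not squid or squidGuard code: the check that approaches 2/ and 3/ are reaching for, written in Python. It pulls out any URL embedded in the requested URL and looks its host up in a set, so a search for the word "http" is not blocked and a 100 000-entry blacklist costs a few hash lookups per request. The names `BLOCKED`, `is_blocked`, `embedded_hosts` and `decide`, and the sample blacklist, are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample blacklist; a real one would be loaded from a domains file.
BLOCKED = {"mypornsite.com", "playboy.com"}

# An absolute URL embedded inside another URL's path or query string.
EMBEDDED = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def is_blocked(host, blocked=BLOCKED):
    """True if host or any parent domain is in the set (hash lookups only)."""
    labels = host.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def embedded_hosts(url):
    """Hosts of URLs carried in the path or query, as a CGI web proxy does."""
    parts = urlsplit(url)
    tail = parts.path + "?" + parts.query
    # Decode twice so %3A%2F%2F and double-encoded forms are seen as "://".
    tail = unquote(unquote(tail))
    return [m.group(1) for m in EMBEDDED.finditer(tail)]


def decide(url, blocked=BLOCKED):
    """Return 'deny' if the requested host or any embedded host is blacklisted."""
    outer = urlsplit(url).hostname or ""
    candidates = [outer] + embedded_hosts(url)
    return "deny" if any(is_blocked(h, blocked) for h in candidates) else "allow"


if __name__ == "__main__":
    # Constructed sample requests, including the redirection form from the post.
    for sample in (
        "http://www.myproxy.com/foocgi?http://mypornsite.com/",
        "http://www.myproxy.com/foocgi?u=http%3A%2F%2Fwww.mypornsite.com%2F",
        "http://www.google.com/search?q=http",
        "http://www.playboy.com/",
    ):
        print(decide(sample), sample)
```

This only catches proxies that carry the target as a recognisable URL; a proxy that encodes or obfuscates the target still needs the list-based approach from 1/.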

riviereg wrote:
> Dear all Linux user,
>
> I set up a proxy gateway (squid) for my office network.
> I try to deny access to adult web site from this office.
>
> It works fine with some acl and a "blacklist".
> My problem is with anonymous web site proxy, like
> "http://www.ec.com.my/webproxy/nph-proxy.pl". My users
> can access unauthorised web sites.
>
> I tried multiple configurations to deny those proxies, but none is good:
>
> 1/ Add a list of anno proxy web site:
> I don't have a list like this, I can just add proxies I know ...
> A simple google search can show you a proxy to pass over my squid
> configuration.
>
> 2/ Add an acl pathurl_regex with the "http" key word:
> It works fine (most of the proxies use a
> "www.myproxy.com/foocgi?http://mypornsite.com/" redirection)
> But there are many problems with other websites, for example, a google
> search with "http" is not authorised ...
>
> 3/ Add my blacklist as keyword for regex url acl.
> This is exactly what I want, but I think that with a big blacklist
> (chastity of squidGuard, > 100 000 entries) my web access is very slow:
> too much memory for parsing each url with this kind of regex.
>
> Do you know if there is a simple way to say: "anno proxy: forbidden" to
> squid ?
>
>
> Thank you very much for Help,
> Guillaume

Hi,

I'm using squid + squirm. You can add in the configuration pattern file a row where you can deny the access for any type of site using a regular expression, for example:

    regexi ^http://www\.playboy\.com/.* http://proxy/notallowed.html

In this case you don't see playboy.com...

I hope it is good for you.

giuseppe

.....sorry for my bad English...

riviereg wrote:
> Dear all Linux user,
>
> I set up a proxy gateway (squid) for my office network.
> I try to deny access to adult web site from this office.

Why don't you use some kind of redirector as squidGuard or DansGuardian? They are perfect for this job.

--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote in message news:<hNj1d.130371$r4.3904233@news-reader.eresmas.com>...
> riviereg wrote:
> > Dear all Linux user,
> >
> > I set up a proxy gateway (squid) for my office network.
> > I try to deny access to adult web site from this office.
>
> Why don't you use some kind of redirector as squidGuard or
> DansGuardian? They are perfect for this job.
>
> --
>
> Jose Maria Lopez Hernandez
> Director Tecnico de bgSEC
> jkerouac@bgsec.com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> ESPAÑA
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
> -- Jack Kerouac, "On the Road"

The best solution is CYBEROAM. It contains a traffic discovery module which identifies http requests going on any port and redirects them to squid using iptables. So any proxy request will be redirected to squid and thus squid can identify the original site requested and block it (if the acl says so).

Rgds,
Vinod

Jose Maria Lopez Hernandez wrote:
> riviereg wrote:
>
>> Dear all Linux user,
>>
>> I set up a proxy gateway (squid) for my office network.
>> I try to deny access to adult web site from this office.
>
>
> Why don't you use some kind of redirector as squidGuard or
> DansGuardian? They are perfect for this job.
>

Thank you for all this help,

In fact, I don't see anything in squidGuard that really brings me more than the basic Access control in squid. Maybe I'm wrong, I don't know those projects very well. I take the basic way of Access Control with squid and it's good enough for me.

Please, correct me if I'm wrong, but are there things I can do (like generic access control to anno proxy or to porn site via anno proxy) with squidGuard that I cannot do with basic squid Access control ?

Thank you for help,
Guillaume

Vinod Patel wrote:
> Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote in message news:<hNj1d.130371$r4.3904233@news-reader.eresmas.com>...
>
>>riviereg wrote:
>>
>>>Dear all Linux user,
>>>
>>>I set up a proxy gateway (squid) for my office network.
>>>I try to deny access to adult web site from this office.
>>
>>Why don't you use some kind of redirector as squidGuard or
>>DansGuardian? They are perfect for this job.
>>
>>--
>>
>>Jose Maria Lopez Hernandez
>>Director Tecnico de bgSEC
>>jkerouac@bgsec.com
>>bgSEC Seguridad y Consultoria de Sistemas Informaticos
>>http://www.bgsec.com
>>ESPAÑA
>>
>>The only people for me are the mad ones -- the ones who are mad to live,
>>mad to talk, mad to be saved, desirous of everything at the same time,
>>the ones who never yawn or say a commonplace thing, but burn, burn, burn
>>like fabulous yellow Roman candles.
>> -- Jack Kerouac, "On the Road"
>
>
>
> The best solution is CYBEROAM. It contains a traffic discovery module
> which
> identifies http requests going on any port and redirects them to squid
> using iptables.
> So any proxy request will be redirected to squid and thus squid can
> identify the original site requested and block it (if the acl says
> so).
>
> Rgds,
> Vinod

Thank you very much for this link, but we want to set up our IT architecture with free software. Not for the price (I think it's a little bit more expensive), but for the very good support (best ever) on all news groups and mailing lists and for our desire to participate in those communities (by using free software in business environment in a first time ...)

This is one of our principal criteria to choose a software for our office.

And so ... is there something like this with an open source/free software licence ?

Guillaume