My need is quite unique, it seems.
I need to block people from porn all of the time (dansguardian), block ads (adzapper) and block all except allowed mime types (I don't know how).

However, when the user authenticates, I'm doing that through php since it's transparent, it's inserting an iptables rule at #1 that does -j RETURN instead of -j REDIRECT --to-ports 3128. That excepts them from squid altogether. I want to -j REDIRECT them to another port, have squid listen on that port and only block porn, not ads and not mime types.

Is this even possible, or am I going to have to run TWO instances of squid and have different redirectors on each? I know you can chain redirectors. But I need only ONE redirector to be consulted for these authenticated users on transparent proxying.

Thanks for all and any help,
Chris Benard

Hmmm, I am a little confused. I believe you should be able to do everything you want with one instance of Squid and without iptables redirects unless you have to have it set up as a transparent proxy but then how do you authenticate? I guess that's where the PHP authentication comes in? Can you explain the authentication process a little more?

I run one instance of Squid along with Dansguardian, squidGuard, and adzapper. I do authentication with smb_auth (to a Linux PDC) and do not do transparent proxy. I block all port 80 traffic, which forces anyone wanting to get to the internet to use the proxy. I have a few different groups defined with different levels of access. For instance, I use the squid port 3128 for my proxy, which actually bypasses Dansguardian. If one of my kids tries to bypass Dansguardian it will deny them access at authentication time, so their browsers are configured to connect to the Dansguardian port (8080). I do this with a:

# loopback address: requests forwarded by DansGuardian on this host
acl localhost src 127.0.0.1/32
acl daytime time 05:30-21:30
acl kidsgrp proxy_auth "/etc/squid/acl/kids.grp"

acl bannedsites dstdomain "/etc/squid/acl/banned.sites"
acl porn url_regex "/etc/squid/block/porn"

# the following rule will force kids to go through DansGuardian on 8080
http_access deny kidsgrp !localhost
# Only allow kids to use the net during reasonable hours
http_access deny kidsgrp !daytime
http_access allow kidsgrp !bannedsites !porn
http_access deny all

Of course I have porn blocked by 3 different methods, one is listed directly in the squid.conf as you can see above and the other two methods are Dansguardian and squidGuard. I only listed a subset of my rules above which are the rules that apply to my kids. In my configuration everyone is subject to squidGuard and adzapper but not Dansguardian. I believe you are correct that if you are running a redirector it applies to everyone using the proxy and you can't pick and choose who uses the redirector. I believe you are correct that you must use two instances in this case. If you don't absolutely have to use transparent proxying and can use proxy settings in the browser then this should be no problem. Configure user group A's browser proxy settings to use proxy A and user group B's browser proxy settings to use proxy B. Validate the user with authentication on each proxy instance so as to ensure group A users can't use proxy B and group B users can't use proxy A.

I realize this probably isn't exactly what you are trying to do but I'm hoping it might give you some ideas and if you can explain in a little more detail how you are configured and what your requirements/goals are then maybe I can help a little more.
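
An added example (not code from either poster) of the iptables side of the setup discussed in this thread: instead of `-j RETURN`, an authenticated client gets a `-j REDIRECT` to a second Squid instance. Port 3129, the function names and the `IPTABLES` variable are assumptions; the address is validated before it reaches iptables because the rule is inserted on behalf of a web page.

```shell
#!/bin/sh
# Added example. Assumptions: a second Squid instance (porn filter only)
# listens on AUTH_PORT; a default PREROUTING rule already sends port 80 to 3128.
AUTH_PORT=3129              # hypothetical port of the second instance
IPTABLES=${IPTABLES:-iptables}

# Accept only a dotted-quad IPv4 address: four octets, 0-255, no leading zeros.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split on dots (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule specification for one authenticated client; fail on bad input.
rule_spec() {
    valid_ipv4 "$1" || return 1
    printf '%s' "-s $1 -p tcp --dport 80 -j REDIRECT --to-ports $AUTH_PORT"
}

# Insert the client's rule at position 1 (ahead of the default redirect to 3128),
# unless an identical rule is already present.
grant() {
    spec=$(rule_spec "$1") || { echo "rejected address: $1" >&2; return 1; }
    # $spec is deliberately unquoted: it was built from a validated address.
    $IPTABLES -t nat -C PREROUTING $spec 2>/dev/null ||
        $IPTABLES -t nat -I PREROUTING 1 $spec
}

# Remove the client's rule when the session ends.
revoke() {
    spec=$(rule_spec "$1") || { echo "rejected address: $1" >&2; return 1; }
    $IPTABLES -t nat -D PREROUTING $spec
}

# Usage (as root): grant 192.168.1.20 ; revoke 192.168.1.20
```

Calling `revoke` at logout or session timeout puts the client back behind the default redirect to 3128.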

