How to Control Internet Access Using Squid

Free Web Proxy Server Software to Limit Employees' Web Surfing

© Fleur Hupston

Oct 26, 2009
Block Internet Access to Limit Web Surfing, Alandale_photo
A Linux server running Squid as a proxy server provides a reliable and stable environment to manage users' connectivity to the Internet. Squid is a free web proxy.

Squid can effectively control Internet access based on user name and password, or only at certain times of the day. This gives managers the ability to control and monitor Internet usage within the company. Squid can also be used to block certain unsavory web sites. Many parents have used Squid to monitor and control their children's Internet access.

Once a Linux server with Squid has been set up, the next step is to customize it to suit the requirements of the company. The following is a guide to configuring Squid to allow access based on subnet, time, and user name and password.

Access only from LAN

For a simple rule that allows access to the Internet from a particular subnet on the LAN, continue as follows:

Step 1 - Find the “ACL” section of the “squid.conf” file. Scroll down to “recommended minimum configuration” and add the line (or whatever the subnet LAN address should be):

    acl lan_local src 192.168.1.0/24

Note that the “24” represents the subnet mask – in this case 255.255.255.0

Step 2 - Scroll down to the “http_access” section of the “squid.conf” file and find “http_access allow manager localhost”. Put a space between it and the one below and insert the following:

    http_access allow lan_local

Notice that the part "lan_local" is the rule set up in Step 1

Allowing Access at Certain Times of the Day:

The following is an example of how to restrict access to lunch time and block Internet access at all other times:

Step 1 - Add the following to the bottom of the ACL section of squid.conf

    acl lunchtime time 12:00-13:00

Step 2 - Add the following to the top of the http_access section of squid.conf

    http_access allow lunchtime

Access Controlled by Password:

The following is an example of how to restrict access by password using NCSA Password Authentication:

Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. The htpasswd2 program that comes installed with Apache2 can be used to create passwords. The following requires that Apache2 be installed. Adding user authentication can be accomplished in 6 easy steps.

Step 1: Create the password file.

Create a password file. The name of the password file could be /etc/squid/squid_passwd. Make sure that it’s universally readable by typing the following at the command prompt. Note that the file holds the users' password hashes, so universal read permission exposes them to every local account on the server; the authentication program only needs the file to be readable by the account Squid runs as.

    touch /etc/squid/squid_passwd
    chmod o+r /etc/squid/squid_passwd

Step 2: Use the “htpasswd2” program to add users to the password file.

Type the following at the command prompt (example shows the user fred being added):

    htpasswd2 /etc/squid/squid_passwd fred

Type in a password when prompted to do so.

Step 3: Find the location of the “ncsa_auth” file using the rpm command as follows:

    rpm -ql squid | grep ncsa

Take note of the path to that file.

Step 4: Edit “squid.conf” to define “ncsa_auth” as the authentication program.

Add the following to the “auth_param” section of the “squid.conf” file.

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

Use the path noted earlier when finding the ncsa_auth file.

Step 5: Create an “ACL” named “ncsa_users” with the “REQUIRED” keyword that forces Squid to use the “NCSA auth_param” as follows:

Add the following to the bottom of the “ACL” section of the “squid.conf” file.

    acl ncsa_users proxy_auth REQUIRED

Step 6: Create an “http_access” entry that allows traffic that matches the “ncsa_users ACL” entry as follows:

Add the following to the top of the “http_access” section of the “squid.conf” file.

    http_access allow ncsa_users

After restarting Squid, users will be asked for a user name and password.

The web proxy server can be configured to use a number of rules at the same time. An example would be combining time with user name and password authentication.

Internet Access Control During Work Hours but Not During Lunch Breaks:

Combine the time control with password control as follows:

Under “http_access”, put the “hours” access above the “password” access.

    http_access allow lunchtime
    http_access allow ncsa_users

With the above configuration the web proxy server will require a user name and password except during lunchtime when anyone is allowed to access the Internet freely.
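
The rule order above can be checked before it goes live. The following is an added example, not part of the original article: a small Python model of how Squid evaluates http_access lines, run over constructed requests. The closing "http_access deny all" line and the SCOPED variant that ties both rules to the lan_local ACL are assumptions made for the comparison.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# The article's three ACLs as predicates over a request dict.
ACLS = {
    "lan_local": lambda r: ip_address(r["src"]) in ip_network("192.168.1.0/24"),
    "lunchtime": lambda r: time(12, 0) <= r["at"] < time(13, 0),
    # proxy_auth REQUIRED matches any user who logged in successfully. Real Squid
    # answers a missing login with a 407 challenge; modelled here as "no match".
    "ncsa_users": lambda r: r["user"] is not None,
    "all": lambda r: True,
}

# Rule order from the article, plus the closing "deny all" (assumed present).
ARTICLE = """
http_access allow lunchtime
http_access allow ncsa_users
http_access deny all
"""

# Variant (an assumption, not from the article): tie both rules to the LAN subnet.
SCOPED = """
http_access allow lan_local lunchtime
http_access allow lan_local ncsa_users
http_access deny all
"""

def decide(conf, request):
    """Lines are checked top to bottom and the first match wins;
    every ACL named on one line must match (logical AND)."""
    rules = [ln.split()[1:] for ln in conf.splitlines() if ln.startswith("http_access")]
    for action, *names in rules:
        if all(ACLS[name](request) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

# Constructed sample requests.
REQUESTS = {
    "outside, lunch, no login": {"src": "203.0.113.7", "at": time(12, 30), "user": None},
    "LAN, lunch, no login": {"src": "192.168.1.20", "at": time(12, 30), "user": None},
    "LAN, 15:00, no login": {"src": "192.168.1.20", "at": time(15, 0), "user": None},
    "LAN, 15:00, fred": {"src": "192.168.1.20", "at": time(15, 0), "user": "fred"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:26} article={decide(ARTICLE, req):5} scoped={decide(SCOPED, req)}")
```

The two rule sets differ only on the first request: with the article's order, the lunchtime line matches any source address, while the scoped variant limits both rules to the LAN subnet.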

Some companies are very conscious of the amount of time their staff devote to surfing the Internet and prefer to block Internet access or limit usage to a certain amount of time and/or bandwidth per user. They would also like to block certain types of web sites, with a view to limiting access to non-work-related web sites. Squid proxy server can be configured to accomplish this as well.


The copyright of the article How to Control Internet Access Using Squid in Internet Security is owned by Fleur Hupston. Permission to republish How to Control Internet Access Using Squid in print or online must be granted by the author in writing.

