
New Install - Squid Help

  • 07-02-2004 9:55pm
    #1
    Registered Users, Registered Users 2 Posts: 2,243 ✭✭✭


    Hey there ... I'm basically trying to stop my sister from getting at some sites - she's annoying the **** outta me while i'm playing games, so this is getting my own back :)

    Plus i want to know how to set it up anyway!

    I'm using Webmin at the moment .. but I know it's not the best way to do it ... can anyone point me to a nice, easy to use tutorial about setting up Squid and using Windows user names with it? or is it even possible?

    Thanks
    Daniel


Comments

  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    It IS possible, but if you've never configured squid before,
    you're probably better off with simpler configurations first.

    When I've set it up like this, I authenticate against a windows domain controller,
    which you are unlikely to have at home.

    As you probably only have a few users, just set them up with
    names and passwords and don't worry about using the windows accounts - set the password the same, if you like.

    There's a whole load of auth scripts included with squid,
    probably in /usr/lib/squid if you've already installed it.
    There should be example configurations included in the docs directory installed with your squid package.

    First thing to do is set up an Access Control List that describes your home network.
    e.g.
    acl myhome src 192.168.0.0/255.255.255.0

    and further down you'll put in:
    http_access allow myhome


    Without that, nobody can use the cache.
    That's the only change absolutely required before the cache is ready to be used.

    What would make a good squid tutorial for one person
    might not be very good for another - just the way the docs turned out.
    If the included docs in /usr/share/docs/squid-x.x.x
    don't suit you,
    use a search engine and good luck.

    NiallB


  • Registered Users, Registered Users 2 Posts: 2,243 ✭✭✭zoro


    thanks very much for the reply

    i've gotten squid up and running with no problem ... and i've been trying to use the ncsa_auth program that's there by default but it just won't authenticate for me

    if i run:
    ./ncsa_auth /tmp/passwordfile
    daniel mypassword
    OK

    it outputs right every time (unless i give it the wrong password :)) - but for some reason:
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/proxypasswd

    won't work (it's the same passwd file)
    that's the line that goes in the conf file but it never asks me for authentication in IE (i don't know how it is supposed to either ... popup window??) - it just gives me a "piss off, you're not allowed here" message :)

    Daniel


  • Registered Users, Registered Users 2 Posts: 2,243 ✭✭✭zoro


    hmmm ... i've just updated my version of squid and it seems to work perfectly now!

    thanks for your help anyway.

    Daniel


  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    If using authentication, latest versions of squid are highly recommended!
    Unfortunately the config syntax around authentication changed dramatically during the last major update.
    Your previous setup was probably fine, but not being invoked
    because of an incompatible config file stanza.
    I'd forgotten that - I got bitten by it too at the time :-)

    Good to hear you got it working.

    NiallB


  • Closed Accounts Posts: 484 ✭✭ssh


    If she's browsing the web and killing your gameage, you could use wondershaper to lower the priority of outgoing http traffic. It takes a bit of work and reading, but it's probably the "fairest" way of doing it.

    hth,

    Steffen


  • Registered Users, Registered Users 2 Posts: 2,243 ✭✭✭zoro


    niallb:
    actually, i think the problem may have been to do with my rules blocking things in the wrong order if you know what i mean?

    but an update and a reworking of my rules meant it was great! :)

    ssh:
    that's originally what i was intending doing ... and may yet - have you any info on it? u use it yourself?

    i just love to see her sweat when the server "randomly" restricts outgoing requests for internet pages :D *evil* :D


  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    # Here's some bits of a working configuration from a squid 2.4 installation.

    authenticate_children 8
    proxy_auth_realm Passport Please
    authenticate_ttl 16 hours
    authenticate_program /usr/lib/squid/smb_auth -W MYDOMAIN -U 192.168.0.52
    acl authenticated proxy_auth REQUIRED
    # Create a file ERR_AUTH in /etc/squid/errors
    # to control what she sees before typing in password.
    deny_info ERR_AUTH authenticated

    acl homenetwork src 192.168.0.0/255.255.255.0
    acl sister src 192.168.0.6
    # This kind of ACL can prevent surfing at certain times.
    acl peakhours time MTWHF 08:00-18:00


    # Here's a simple way of banning certain URLs.
    # Just list them in the restricted file.
    # If it's catching something you want,
    # you can override it in the unrestricted.
    # You can make the ERR file as blunt as you like
    # The syntax is as written, it won't work with restricted !unrestricted
    acl restricted url_regex "/etc/squid/filters/restricted"
    acl unrestricted url_regex "/etc/squid/filters/unrestricted"
    deny_info ERR_CONTENT_CONTROL restricted unrestricted

    # Then in order
    http_access deny restricted !unrestricted
    # No access to restricted if it's not in unrestricted
    http_access allow localhost
    # localhost access without password.
    http_access deny peakhours
    # No browsing at these times for password users
    http_access allow authenticated
    # OK then, if you must.
    http_access allow homenetwork
    # But only if you're local
    http_access deny all
    # Nothing here to see, move along


    Wondershaper is a great tool, and not that hard to set up.
    It works well for ssh, so I'd say would be spot on for gaming.
    You might look into another squid feature as well to limit browsing.
    delay_pools are a means of resource control
    http://squid.visolve.com/squid24s1/delaypool.htm covers the options.
    You can restrict browsing from a particular IP to perhaps 28.8k for that nostalgic feeling of frustration.

    Have fun, but keep the electrons flowing.

    NiallB
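
The rule-ordering problem mentioned earlier in the thread and the `http_access` list in the post above both come down to how Squid walks those lines. The following is an added example, not part of any post and not Squid's own code: a simplified Python model of first-match evaluation, showing that each line is decided on its own, so `allow authenticated` admits a logged-in client whatever its source address. `COMBINED`, `evaluate` and the sample requests are constructed for illustration.

```python
# Simplified model of how Squid walks http_access lines (added example, not Squid code).
# Lines are checked top to bottom, ACLs on one line are ANDed left to right,
# and the first line whose ACLs all match decides the request.

POSTED = [  # the http_access lines from the post above, in the same order
    ("deny", ["restricted", "!unrestricted"]),
    ("allow", ["localhost"]),
    ("deny", ["peakhours"]),
    ("allow", ["authenticated"]),
    ("allow", ["homenetwork"]),
    ("deny", ["all"]),
]

# Assumed variant (not from the thread): network and login on the same line.
COMBINED = POSTED[:3] + [("allow", ["homenetwork", "authenticated"]),
                         ("deny", ["all"])]

def evaluate(rules, facts):
    """Return 'allow', 'deny' or 'challenge' for one request.

    facts maps ACL name -> True/False (missing means False), except that
    'authenticated' is True for a valid login and None when the client
    sent no credentials; that case is modelled as a 407 login prompt.
    """
    for action, acls in rules:
        matched = True
        for term in acls:
            negate = term.startswith("!")
            name = term.lstrip("!")
            value = True if name == "all" else facts.get(name)
            if name == "authenticated" and value is None:
                return "challenge"
            if bool(value) == negate:
                matched = False
                break
        if matched:
            return action
    # No line matched: the default is the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample requests.
OUTSIDE_LOGIN = {"homenetwork": False, "authenticated": True}
HOME_NO_LOGIN = {"homenetwork": True, "authenticated": None}
HOME_PEAK = {"homenetwork": True, "authenticated": True, "peakhours": True}

if __name__ == "__main__":
    for name, facts in [("outside+login", OUTSIDE_LOGIN),
                        ("home, no login", HOME_NO_LOGIN), ("home, peak", HOME_PEAK)]:
        print(name, evaluate(POSTED, facts), evaluate(COMBINED, facts))
```

In the combined variant the cheap source-address check comes first, so a client outside the home network is refused before any login prompt is issued.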


  • Closed Accounts Posts: 484 ✭✭ssh


    Yeah, I've used wondershaper a bit.

    It has a basic limitation that it can only control what is sent by the router... not what is received by the router. It'll generally throttle things nicely enough though. Depending on how you got your kernel, you may have to do some recompiling.

    I have an axe shaped solution to that particular problem anyway. I feel your pain :)


  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    Has anyone here used the ncsa_auth program successfully?? I am attempting to get it working in college but with no joy. I compiled squid with

    --enable-auth="basic ntlm digest" \
    --enable-basic-auth-helpers="${basic_auth}"

    And changed the config file to where the ncsa auth program is and pointed it to an edited version of the system passwd file, then added acl password proxy_auth REQUIRED to the ACLs but after that it blocked all access.

    This is on FreeBSD btw, I have exhausted Google with this one with no joy or much documentation


  • Registered Users, Registered Users 2 Posts: 2,243 ✭✭✭zoro


    i was having trouble with just that before i upgraded ... then i decided to go for the IMAP authentication

    if the user has an account on the box, then they'll have an email address on that box (user@mypc type thing) - so if the login for IMAP is successful then it'll allow the user to use the squid thingy

    if you want the code i'll paste it up? it's only a few lines long

    Daniel

    *edit*
    actually, this yoke is where i got it from


  • Registered Users, Registered Users 2 Posts: 326 ✭✭schrodinger


    But you need IMAP running yes? We don't run it because we are not allowed provide mail


  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    You could use any service on the box.
    As an example, you could use telnet to authenticate a user. Give the username in question a shell that just echoes "OK" and disconnects.

    /waits for security flaming :-)

    NiallB

