Objective:
To familiarize students with how to limit web access to authorized users only.
Scope:
The students would be able to do the following at the end of this lab:
• Configure the Squid proxy server to provide restricted access to the Internet using access lists.
• Provide transparent proxy services to the users.
Useful Concepts
Squid Configuration File
The main Squid configuration file is squid.conf, and, like most Linux applications, Squid needs to be restarted before changes to the configuration file take effect. In the next sections we illustrate the various useful sections of the squid.conf file.
The Visible Host Name
Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server, ciit.
visible_hostname ciit
Access Control Lists
You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network; ACLs are then linked to an http_access statement that tells Squid whether to allow or deny traffic that matches the ACL.
Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.
Note: The very last http_access statement in the squid.conf file denies all access. You therefore have to add your specific permit statements above this line.
Exercise-1:- This exercise illustrates Restricting Web Access By Time
You can create access control lists with time parameters. For example, you can allow only business-hour access from the home network, while always restricting access from host 192.168.1.23.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny RestrictedHost
http_access allow home_network business_hours
Or, you can allow morning access only:
#
# Add this to the bottom of the ACL section of squid.conf
#
acl mornings time 08:00-12:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow mornings
Exercise-2:- This exercise illustrates Restricting Access to specific Web sites
Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.
These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
Exercise-3:- This exercise illustrates Restricting Web Access By IP Address
You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0
You also have to add a corresponding http_access statement that allows traffic that matches the ACL:
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network
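The top-to-bottom, first-match evaluation described under Access Control Lists, modelled in Python as an added example that is not part of the lab or of Squid itself; it uses the Exercise 2 rule set because that covers the src, time and dstdomain ACL types used across Exercises 1 to 3, and it also shows the ordering pitfall of a deny line placed above the allow it shadows. The site lists, sample addresses and sample times are constructed, and only the three ACL types used in these exercises are modelled.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Exercise 2's two site-list files (the lab does not
# give their contents). A leading dot also matches that domain's subdomains.
ALLOWED_SITES = ["example.com", ".example.com"]
RESTRICTED_SITES = ["badsite.test", ".badsite.test"]
DAY_CODES = "MTWHFAS"  # Squid's day letters Mon..Sun, indexed by datetime.weekday()

def match_src(cidr, req):
    return ip_address(req["src"]) in ip_network(cidr, strict=False)

def match_time(spec, req):
    # spec like "M T W H F 9:00-17:00": optional day letters, then hh:mm-hh:mm
    parts = spec.split()
    days = "".join(p for p in parts if ":" not in p) or DAY_CODES
    span = next(p for p in parts if ":" in p)
    lo, hi = (tuple(map(int, t.split(":"))) for t in span.split("-"))
    t = req["time"]
    return DAY_CODES[t.weekday()] in days and lo <= (t.hour, t.minute) <= hi

def match_dstdomain(entries, req):
    host = req["host"]
    return any(host == e or (e.startswith(".") and host.endswith(e)) for e in entries)

MATCHERS = {"src": match_src, "time": match_time, "dstdomain": match_dstdomain}

def http_access(acls, rules, req):
    """Squid semantics: read top to bottom, every ACL on a line must match (AND),
    first matching line decides; with no match, the opposite of the last action."""
    for action, names in rules:
        if all(MATCHERS[acls[n][0]](acls[n][1], req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Exercise 2's rule set, ending with the deny-all line squid.conf already has.
EX2_ACLS = {"home_network": ("src", "192.168.1.0/24"),
            "business_hours": ("time", "M T W H F 9:00-17:00"),
            "GoodSites": ("dstdomain", ALLOWED_SITES),
            "BadSites": ("dstdomain", RESTRICTED_SITES),
            "all": ("src", "0.0.0.0/0")}
EX2_RULES = [("deny", ["BadSites"]),
             ("allow", ["home_network", "business_hours", "GoodSites"]),
             ("deny", ["all"])]
# Constructed sample times: a Wednesday inside and outside 9:00-17:00, and a Saturday.
WED_10AM, WED_6PM, SAT_10AM = (datetime(2024, 1, 10, 10, 0), datetime(2024, 1, 10, 18, 30),
                               datetime(2024, 1, 13, 10, 0))

def decide(src, host, when, rules=EX2_RULES):
    return http_access(EX2_ACLS, rules, {"src": src, "host": host, "time": when})
```

Moving the deny-all line to the top of the rule list (the mistake the notes warn about) makes decide() return "deny" for every request, including ones the allow line was meant to admit.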
Exercise-4:- This exercise illustrates Configuring Web Browsers to Use Your Squid Server
If you don't have a firewall that supports redirection, then you need to configure your firewall to only accept HTTP Internet access from the Squid server, as well as configure your PC browser's proxy server settings manually to use the Squid server. The method you use depends on your browser.
For example, to make these changes using Internet Explorer:
1. Click on the "Tools" item on the menu bar of the browser.
2. Click on "Internet Options"
3. Click on "Connections"
4. Click on "LAN Settings"
5. Configure with the address and TCP port (3128 default) used by your Squid server.
Here's how to make the same changes using Mozilla or Firefox:
1. Click on the "Edit" item on the browser's menu bar.
2. Click on "Preferences"
3. Click on "Advanced"
4. Click on "Proxies"
5. Configure with the address and TCP port (3128 default) used by your Squid server under "Manual Proxy Configuration".
Exercises for lab
Exercise 1:- Install Squid proxy server.
Exercise 2:- Using the Squid proxy server, restrict users from visiting illegal sites.
Exercise 3:- Allow users to visit only legal/allowed sites, and only from trusted IP addresses.
Home Work
1) Make your Squid server transparent to users using a transparent proxy configuration.