[squid-users] ditch squid or not?

From: Nick Duda <nduda@dont-contact.us>
Date: Wed, 3 Jan 2007 11:06:51 -0500

I've been fighting this fight for far too long without resolution. I've
emailed the list at times with no resolution to my problem. I'm now
faced with ditching Squid and SquidGuard as our corporate content
filtering product because it can not do what we need. I'll offer the
problem one more time in hopes of getting an answer, or at least being
pointed in the right direction.

Things to note: SquidGuard is no longer in dev (at least until someone
picks it up) so getting any support whatsoever isn't happening.

The setup:
I run Squid with SquidGuard in a branch office of about 400 employees.
This branch office only has 2 dedicated private 1.5mb lines (bonded for
3mb total) to the corporate office, no internet access directly. All
internet traffic is routed over these private lines to the corporate
office then routed to the internet from there. In this branch office is
the Squid server. Only this server has the rights to go out to the
internet over the private lines, nothing else. If something in this
branch office isn't configured to use the Squid proxy server (which uses
NT authentication with the AD domain) it's not going anywhere. Pretty
straightforward.

On the Squid server I run SquidGuard, and subscribe to use the
Blacklists from urlblacklist.com (which puts the files in a format
natively that squidguard likes but not what squid likes). I use pretty
much all the blacklist files in some way or another.

My Problem:

I want to block certain people/groups from using certain blacklists (the
ones from urlblacklist.com) while allowing others access to them. Based
on previous emails to the squid group and the fact that nobody answers
or knows anything about squidguard on the squidguard mailing list
(ironic), squidguard can't do what I want.

In Active Directory, I set up security groups with the people I want for
a squidguard rule. For instance, I have Active Directory groups called
"Can access webmail" and "Can access IM". In the first group I add all
the people that I want to access online webmail like gmail, yahoo
mail...etc, and in the other the people that can access Instant Messaging
urls.

On the proxy I run a script:

##### Start Script #####

#!/bin/sh

DC='x.x.x.x'
EMAIL=/usr/local/squidGuard/db/users/EmailUsers
IM=/usr/local/squidGuard/db/users/IMUsers

# Pull each AD group's member list from the domain controller and keep only
# the account name column; one user per line is what squidGuard's userlist
# expects. Note: a username%password given on the command line is visible to
# every local user in the process list; net(8) can read the credential from
# an authentication file instead.
net rpc group members "Can access webmail" -S $DC -U username%password | awk '{print substr($0,14,10)}' > $EMAIL
net rpc group members "Can access IM" -S $DC -U username%password | awk '{print substr($0,14,10)}' > $IM

# Make the refreshed lists readable by the proxy user, then have squid reread
# its configuration (which restarts the squidGuard redirectors)
chown -Rf squid.squid /usr/local/squidGuard/db/users/*

/usr/local/squid/sbin/squid -k reconfigure

##### End Script #####

This script runs every x minutes and the output is a file with a list of
users in the format of first initial last name (i.e. jdoh).

In the squidguard.conf file I setup something like this:

# dest definitions for the urlblacklist.com categories (webmail, mail,
# instantmessaging, ads, ...) are in the real file but omitted here

source EmailUsers {
    userlist users/EmailUsers
}

source IMUsers {
    userlist users/IMUsers
}

acl {
    EmailUsers {
        pass webmail mail !ads !adult !aggressive !antispyware !artnudes !banking !beerliquorinfo !beerliquorsale !cellphones !chat !childcare !clothing !culinary !customblocked !dating !dialers !drugs !ecommerce !frencheducation !gambling !government !hacking !homerepair !jewelry !jobsearch !kidstimewasting !naturism !onlineauctions !onlinegames !onlinepayment !personalfinance !phishing !porn !proxy !radio !religion !ringtones !sexuality !spyware !vacation !violence !virusinfected !warez !weapons all
        redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }

    IMUsers {
        pass instantmessaging !ads !adult !aggressive !antispyware !artnudes !banking !beerliquorinfo !beerliquorsale !cellphones !chat !childcare !clothing !culinary !customblocked !dating !dialers !drugs !ecommerce !frencheducation !gambling !government !hacking !homerepair !jewelry !jobsearch !kidstimewasting !mail !naturism !onlineauctions !onlinegames !onlinepayment !personalfinance !phishing !porn !proxy !radio !religion !ringtones !sexuality !spyware !vacation !violence !virusinfected !warez !weapons !webmail all
        redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }

    default {
        pass !ads !adult !aggressive !antispyware !artnudes !banking !beerliquorinfo !beerliquorsale !cellphones !chat !childcare !clothing !culinary !customblocked !dating !dialers !drugs !ecommerce !frencheducation !gambling !government !hacking !homerepair !instantmessaging !jewelry !jobsearch !kidstimewasting !mail !naturism !onlineauctions !onlinegames !onlinepayment !personalfinance !phishing !porn !proxy !radio !religion !ringtones !sexuality !spyware !vacation !violence !virusinfected !warez !weapons !webmail all
        redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }
}

The problem I have is that if I have a user that I want to have access
to both Webmail and Instant Messaging, when it hits the first rule
"EmailUsers" it is getting denied the Instant Messaging.

I need a way to run a content filtering solution that I can customize
who can access certain url blacklist files and who can't. It's as if I
want squidguard to look at the first rule and then continue to process
the others. SquidGuard will deny or allow access on the first rule that
triggers that matches and does not process any others.

I really like Squid and squidguard, can I do something before I need to
go look at one of these commercial content filtering appliances?

Regards,
Nick Duda
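One way around squidGuard's first-match evaluation of the acl entries, as an added example that is not part of Nick's post: since squidGuard applies the first acl entry whose source matches the client, users who belong to both AD groups need a third source, listed before EmailUsers and IMUsers, whose userlist holds the names present in both group files. The script below builds that list from two constructed sample userlists; the $WORK paths and the BothUsers name are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. squidGuard uses the first acl
# entry whose source matches the client, so a user in both AD groups needs a
# third source (BothUsers, an assumed name) placed before EmailUsers and
# IMUsers. Its userlist is the intersection of the two group files produced
# by the refresh script. Paths under $WORK are demo assumptions.
set -e
WORK="${TMPDIR:-/tmp}/sg-demo.$$"
mkdir -p "$WORK"

# Constructed sample lists in the post's "first initial + last name" format.
printf 'jdoe\nasmith\nbjones\n' > "$WORK/EmailUsers"
printf 'bjones\ncwhite\njdoe\n' > "$WORK/IMUsers"

# intersect FILE1 FILE2: print the user names present in both files, one per line.
intersect() {
    sort -u "$1" > "$WORK/.a"
    sort -u "$2" > "$WORK/.b"
    comm -12 "$WORK/.a" "$WORK/.b"
}

# build_both_list: write the BothUsers userlist and print how many names it holds.
build_both_list() {
    intersect "$WORK/EmailUsers" "$WORK/IMUsers" > "$WORK/BothUsers"
    wc -l < "$WORK/BothUsers" | tr -d ' '
}

# acl_snippet: the squidGuard.conf additions; the BothUsers entry passes both
# categories and must come before EmailUsers and IMUsers inside acl { }.
acl_snippet() {
    cat <<'EOF'
source BothUsers {
    userlist users/BothUsers
}
# inside acl { }, place this entry before EmailUsers and IMUsers:
BothUsers {
    pass webmail mail instantmessaging !ads !adult !porn !proxy all
    redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
}
EOF
}

build_both_list >/dev/null
acl_snippet
```

The other `!category` entries from the post's pass lines apply to the BothUsers entry in the same way; only the ones needed to show the shape are kept here.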

Received on Wed Jan 03 2007 - 09:07:03 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:00 MST