Netgate Discussion Forum
    Squid Guard to Block websites for some users

      Abhishek

      Hello all, I want to block websites based on a blacklist for some users, let's say normal users and managers. I want to block websites like YouTube and categories like social networking for normal users, but managers should be able to access those sites.

      There are many links on how to configure squidGuard, but I find very little info on giving unrestricted access to some IPs (not blocking IPs).

      The current setup is like this:

      ISP ---- Media converter ---- pfSense router (router, firewall, Squid proxy, non-transparent, with WPAD auto-configuration) ---- Switch ---- Windows server with IIS (WPAD), also DHCP and DNS

      Currently Squid is working perfectly. I would like to block sites using squidGuard for normal users only. (Normal users, managers and mobile devices have separate IP ranges but the same subnet.)
      Like:
      Users 192.168.1.10-192.168.1.100/24
      Managers 192.168.1.120-192.168.1.150/24
      Mobiles 192.168.1.160-192.168.1.180/24
      Static devices above x.x.x.200/24

      Total of 100 users

      2.3-RC (amd64)
      built on Mon Apr 04 17:09:32 CDT 2016
      FreeBSD 10.3-RELEASE
      Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

      darkstat 3.1.2_1
      Lightsquid 3.0.3_1
      mailreport 3.0_1
      pfBlockerNG 2.0.9_1  
      RRD_Summary 1.3.1_2
      snort 3.2.9.1_9  
      squid 0.4.16_1  
      squidGuard 1.14_1
      syslog-ng 1.1.2_2

        chris4916

        From my standpoint, the way you express your need doesn't make sense (please do not take my comment the wrong way  :-[)

        On one hand, you express need for access control rules based on users (normal user, manager etc…) while, on the other hand, you describe it as based on IP addresses.

        These are 2 different dimensions with most likely no relationship except if you apply some specific set-up and administration overhead.

        Implementing rules "per user" can be done very easily: you just need to enable proxy authentication then define access control rules per user or, better, per group. No need for any "per IP" rule.
        If you need to build rules based on IP (why not), then just do it but do not expect this to be linked to any user  ;)

        Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

          ashima

          I have a similar situation and this is how I have configured my pfsense box

          pfsense 2.2.3 with ipguard, squid3 and squidguard.

          My scenario
          normalusers 192.168.1.128-192.168.1.254
          managers 192.168.1.10-192.168.1.127
          static devices 192.168.1.0-192.168.1.9

          In the firewall aliases, create two groups (I have only two kinds of users, normal and manager):
          normalusers 192.168.1.128/25
          managers 192.168.1.0/25

          DHCP range 192.168.1.128-192.168.1.254 (so the normalusers will get an IP via DHCP).
          Create a static entry for each of the managers' devices in the range 192.168.1.10-192.168.10.127.

          I have installed ipguard so that normalusers don't change their IP in the range 192.168.10-192.168.10.127.

          In Squid, create two groups, normalusers and managers:

          normalusers: source IP 192.168.1.128/25, select the category to be blocked.
          managers: source IP 192.168.1.0/25, select the category to be blocked.

          It's important to install ipguard, as the users can change their IP and get unrestricted access.

          1 Reply Last reply Reply Quote 0
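
          Added example, not part of the post above and not pfSense or squidGuard code: a Python check of the address plans discussed in this thread. It expands the ranges from the opening question into exact CIDR blocks, lists the addresses that match no group and so get whatever the default rule allows, and shows what the `192.168.1.0/25` managers alias covers beyond the stated 192.168.1.10-192.168.1.127 range. All function names are illustrative.

```python
import ipaddress

# Address plan from the opening question (all inside 192.168.1.0/24).
GROUP_RANGES = {
    "users":    ("192.168.1.10", "192.168.1.100"),
    "managers": ("192.168.1.120", "192.168.1.150"),
    "mobiles":  ("192.168.1.160", "192.168.1.180"),
}

def range_to_cidrs(first, last):
    """Exact CIDR cover of first..last, as strings (no extra addresses)."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

def classify(ip, ranges=GROUP_RANGES):
    """Group whose range contains ip, or 'default' when no group matches."""
    addr = ipaddress.IPv4Address(ip)
    for group, (first, last) in ranges.items():
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return group
    return "default"

def unassigned(network="192.168.1.0/24", ranges=GROUP_RANGES):
    """Host addresses that match no group and fall through to the default rule."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if classify(str(h), ranges) == "default"]

def cidr_overreach(cidr, first, last):
    """Addresses a CIDR alias covers that lie outside the intended first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(a) for a in ipaddress.ip_network(cidr) if not lo <= a <= hi]

if __name__ == "__main__":
    for group, (first, last) in GROUP_RANGES.items():
        print(group, range_to_cidrs(first, last))
    print("fall through to default:", len(unassigned()), "addresses")
    # The reply's managers alias versus its stated manager range.
    extra = cidr_overreach("192.168.1.0/25", "192.168.1.10", "192.168.1.127")
    print("managers /25 also covers:", extra[0], "to", extra[-1])
```

          Any address reported as unassigned, or covered only by a loose alias, should land in the most restrictive policy rather than the unrestricted one.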
            Abhishek

            I created users in pfSense > Proxy server > Users, and on the Authentication tab selected Local authentication, then applied and restarted as shown in PIC 2. Now users are prompted for a username and password, but it keeps asking in a loop (check PIC 1). It's showing user Agent and manager with TCP_DENIED.

            [Attachments: 01.png, 02.PNG, 03.PNG]

              chris4916

              Are you sure your password is correct?
              HTTP 407 means that proxy authentication is still required.

                Abhishek

                Yes, it was a test account: 123.com and 1234.com, agent and manager.

                  Abhishek

                  I find that after disabling Snort on the LAN interface, two of the 5 users created in Squid can access, with no authentication loop.

                    chris4916

                    @Abhishek:

                    i find after disabled Snort on lan interface…

                    I'll be very glad if you could explain the purpose of Snort listening on the internal interface. There is something I don't understand here  ???
