Content filtering at school based on Ubuntu 18.04 and transparent Squid, with integration into the network on MikroTik and not only





1. Introduction



The topic of content filtering in schools is well worn and there is plenty of material on it, but much of it is already outdated because many sites have moved to HTTPS, which most of the proposed solutions cannot handle. So I decided to write the most complete article I could, from A to Z, gathering together everything I found across Google. The article assumes basic administration knowledge and is suitable for computer-science teachers.



2. Terms of Reference



Given: Federal Law 436-FZ (on protecting children from information harmful to their health and development) and a school in which many computers are networked and connected to the Internet through a MikroTik router, or any other router.



Objective: content filtering of HTTP and HTTPS by whitelist for everyone except yourself and the school management.





3. Problem solving



An unused desktop computer was found: a dual-core Intel CPU, 1 GB of RAM and an 80 GB hard drive.

To solve the problem, the following will be done:



  1. Install Linux Ubuntu Server 18.04 LTS.
  2. Build Squid from source with HTTPS support, install it and configure it as a transparent proxy on the server.
  3. Integrate the server into the subnet by redirecting requests to the proxy, or use the alternative option (at the very end).


Let's get started.



3.1. Install and configure Ubuntu 18.04



The installation process is simple. Download the Ubuntu Server 18.04 distribution from the official site. I recommend the image with the old installer, since for me the new one went into an endless download during installation. Write the image to a USB flash drive or disk in any convenient way; for a USB flash drive I recommend Rufus, selecting "DD image" mode when you start writing. Then follow the on-screen instructions to install the system. The only step worth dwelling on is the choice of components, where you can select OpenSSH right away, and that's all: we do not need much, and what we do need we will install ourselves.



So, Ubuntu is installed. If you have DHCP, the network is already configured. Switch to superuser mode so that we do not have to prefix every command with sudo.



sudo -s
      
      





Enter your password and update the system.



 apt-get update
 apt-get upgrade





Install a text editor and file manager.



 apt-get install nano mc
      
      





To save a file in nano, press Ctrl+O and then Y. Exit the editor with Ctrl+X. You can also save right before exiting by pressing Ctrl+X and then Y.

To open the file manager, type mc. A two-panel file manager in the style of DOS Norton Commander or Windows Total Commander / FAR opens. Although I am used to working in the console, the file manager sometimes helps, for example to find the file you need faster.



If you do not have DHCP, or you want a separate static IP address for your server as I did, proceed to the configuration.



Configure Static IP Address
Unlike previous versions of Ubuntu, in 18.04 the network is no longer configured in the familiar /etc/network/interfaces but via netplan, in the /etc/netplan/*.yaml file. The file may have a different name, but it is the only one in that folder. /etc/network/interfaces itself tells us the following:







Also, if you upgrade from a version older than 18.04, the network settings remain where they were; netplan is only relevant for a clean installation of 18.04.



Let's begin configuring the network.



First, let's look at the name of the network interface assigned by the OS, and remember it.



 ifconfig
      
      





Now open the settings file.



 nano /etc/netplan/*.yaml
      
      





It should already contain a DHCP setting. Bring the file to the following form (the values in angle brackets are placeholders for your own interface name, address and gateway).



 # This file describes the network interfaces available on your system
 # For more information, see netplan(5).
 network:
   version: 2
   renderer: networkd
   ethernets:
     <interface>:
       dhcp4: no
       dhcp6: no
       addresses: [<address>/24]
       gateway4: <gateway>
       nameservers:
         addresses: [77.88.8.7, 77.88.8.3]





Enter your interface, address and gateway. I recommend leaving these DNS servers: Yandex.DNS in children's (family) mode will serve as additional protection. The same DNS servers are configured on my router. In any case, you must specify the DNS servers that the router hands out.



Pay attention to indentation here (spaces, not tabs). Each nested level is indented further than the previous one. For example, if the addresses line after nameservers is not indented further but aligned with the line above it, netplan will throw an error when you try to apply the settings.



Apply the settings.



 netplan apply
      
      





Reboot the server, just in case.



 reboot
      
      







I also added an alternative network configuration option, for both DHCP and static IP, in case netplan does not suit you.

Alternative network setup
In Ubuntu 18.04 you can return to the familiar way of configuring the network through /etc/network/interfaces. To do this, as the file itself says, you need to install the ifupdown utility. Install it:

 apt-get install ifupdown
      
      





Now open the original netplan settings file

 nano /etc/netplan/*.yaml
      
      





and comment out all its contents so that there are no conflicts.

Next, open the network settings file

 nano /etc/network/interfaces
      
      





And add to it:

for a static IP (angle brackets are placeholders for your own values)

 auto <interface>
 iface <interface> inet static
     address <IP address>
     netmask <netmask>
     gateway <gateway>
     dns-nameservers 77.88.8.7 77.88.8.3





for dynamic (DHCP)

 auto <interface>
 iface <interface> inet dhcp





Reboot the server

 reboot
      
      





If you use this option to configure the network, then in the firewall setup you can skip Webmin altogether and use the option under the "Configure Firewall for Alternative Network Setup" spoiler (although the Webmin option will also work).





Now we need to enable packet forwarding through our server. Open the file /etc/sysctl.conf

 nano /etc/sysctl.conf
      
      





Find the line net.ipv4.ip_forward=1 in it and uncomment it. If the value is 0, change it to 1.

Enter the following command to apply the setting

 sysctl -p /etc/sysctl.conf
      
      







After setting up the network, I recommend switching to a remote terminal (SSH) and continuing the work there. If you did not select OpenSSH during installation, install it.



 apt-get install ssh
      
      





By default, SSH is already configured for user/password login on port 22, but you can harden it for yourself, for example with key-based authentication and a different port, to protect the server from outside attacks. There is plenty of information on how to do this on the Internet.



As a terminal, I use XShell. You can use the one you like best.



We do not need a DHCP server or a second network card, since the router itself will redirect user requests to our proxy.



The foundation is laid. Now let's move on to installing and configuring Squid.



3.2. Installing and Configuring Squid with HTTPS Support and List Filtering



3.2.1. Build and Install Squid



Since the repositories have no ready-made Squid package with SSL support, we have to build it from source ourselves. First, open the repository list.



 nano /etc/apt/sources.list
      
      





In it, uncomment (delete the # at the beginning of) the lines starting with deb-src.



After that, we will update the packages.



 apt-get update
      
      





Next, install the build tools.



 apt-get install fakeroot build-essential devscripts
      
      





And install all the build dependencies.



 apt-get build-dep squid3
      
      





Install the library for SSL support.



 apt-get install libssl1.0-dev
      
      





Go to the home folder, create a folder for the build and immediately set the rights it needs.



 cd ~
 mkdir build
 chown _apt:root build





Go to the created folder and download the Squid sources.



 cd build
 apt-get source squid3





A folder named squid3 plus the release number will appear inside build; on Ubuntu 18.04.3 it is squid3-3.5.27. Go into it.



 cd squid3-3.5.27
      
      





Before building, we must specify the build options. Open the file that contains them.



 nano debian/rules
      
      





Look for the list of configure options, as in the picture.





Add the following options.



 --enable-ssl \
 --enable-ssl-crtd \
 --with-openssl





Note that in the picture the options have already been added, and the "\" character must follow every line of the option list except the last one.



So, everything is ready for the build. Go to the Squid source folder, although you should already be in it.



 cd ~/build/squid3-3.5.27
      
      





And enter the build command.



 debuild -d
      
      





The build takes a very long time; for me it took 2 to 4 hours, depending on the speed of the computer. At the end of the build you will see a package signing error. This is normal, ignore it.



Now go to the build folder.



 cd ~/build
      
      





And install Squid.



 dpkg -i squid*.deb
      
      





You will immediately hit an unsatisfied dependencies error; enter the command



 apt-get install -f
      
      





After installation, put the packages on hold so that a system update does not overwrite them.



 apt-mark hold squid
 apt-mark hold squid-common
 apt-mark hold squidclient





3.2.2. Configuring Squid and Filtering



So, Squid is installed, it remains to configure it for our needs.



All settings are in the /etc/squid/squid.conf file. It contains many comments and at first glance looks very complicated, but in fact there is nothing extraordinary in it. To begin with, we will strip the comments, first backing up the original in case you want to study it in more detail. For convenience, go directly to the Squid folder.



 cd /etc/squid
 cp squid.conf squid.conf.backup
 egrep "^[^#]" squid.conf.backup > squid.conf





Now open squid.conf



 nano squid.conf
      
      





As you can see, the file has been cleared of comments and is no longer as bulky as it seemed.

Under the spoiler I will post my settings file, which works flawlessly, and below I describe block by block what does what.



Squid.conf configuration
 acl localnet src 192.168.0.0/24
 acl worktime time 08:00-15:00
 acl SSL_ports port 443
 acl Safe_ports port 80          # http
 acl Safe_ports port 21          # ftp
 acl Safe_ports port 443         # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 acl CONNECT method CONNECT
 acl blacklist url_regex -i "/etc/squid/blacklist"
 acl whitelist url_regex -i "/etc/squid/whitelist"
 http_access allow localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow CONNECT
 http_access deny blacklist
 http_access allow whitelist
 http_access deny all worktime
 http_access allow all
 http_port 3128
 http_port 3129 intercept
 https_port 3130 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squid.pem
 always_direct allow all
 sslproxy_cert_error allow all
 sslproxy_flags DONT_VERIFY_PEER
 acl blacklist_ssl ssl::server_name_regex -i "/etc/squid/blacklist_ssl"
 acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump terminate blacklist_ssl
 ssl_bump splice whitelist_ssl
 ssl_bump terminate all worktime
 ssl_bump splice all
 sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
 # cache
 cache_mem 512 MB
 maximum_object_size_in_memory 512 KB
 memory_replacement_policy lru
 cache_dir aufs /var/spool/squid 2048 16 256
 # logs
 access_log daemon:/var/log/squid/access.log squid
 logfile_rotate 1
 coredump_dir /var/spool/squid
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
 refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
 refresh_pattern .               0       20%     4320







The first block is as follows.



 acl localnet src 192.168.0.0/24
 acl worktime time 08:00-15:00
 acl SSL_ports port 443
 acl Safe_ports port 80          # http
 acl Safe_ports port 21          # ftp
 acl Safe_ports port 443         # https
 acl Safe_ports port 70          # gopher
 acl Safe_ports port 210         # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280         # http-mgmt
 acl Safe_ports port 488         # gss-http
 acl Safe_ports port 591         # filemaker
 acl Safe_ports port 777         # multiling http
 acl CONNECT method CONNECT





It is responsible for the standard acl parameters. In localnet, change the local network to your own; we also add an acl for working hours (optional). I added working hours because teachers often come to me complaining that they cannot find anything and everything is blocked. Of course I am glad that everything works as it should, but frankly I am tired of hearing it. Now I answer their complaints by pointing out that after 15:00 filtering is turned off and they can (almost) freely find the information they need. You can set your own hours, or leave filtering on around the clock by not adding this acl.



The second block defines the lists of allowed and forbidden sites for HTTP and looks as follows.



 acl blacklist url_regex -i "/etc/squid/blacklist"
 acl whitelist url_regex -i "/etc/squid/whitelist"





We will add lists of allowed and prohibited sites later, and they will be placed in the files specified in acl.



The third block determines the access parameters via HTTP and looks like this



 http_access allow localhost
 http_access deny manager
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow CONNECT
 http_access deny blacklist
 http_access allow whitelist
 http_access deny all worktime
 http_access allow all





Here the line http_access allow CONNECT is required; without it Squid would not let anyone onto the Internet. Next come the blacklist and whitelist rules; deny and allow deny and allow access, respectively. After them comes the rule that blocks all remaining HTTP traffic during working hours. If you did not define working hours, delete worktime and the block becomes permanent. An important point is the order of the rules, since Squid evaluates them from top to bottom and the first matching rule decides.
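To make the evaluation order concrete, here is an added example (my own shell script, not from the article) that walks an ordered list of rules the way Squid walks http_access, stopping at the first rule whose acl matches. The list files, the rule orders, the sample URLs and the function names (in_list, worktime, squid_decide) are all constructed for the demonstration; it runs the article's order first and then a swapped order to show why the blacklist rule must sit above the whitelist rule:

```shell
#!/bin/sh
# Added example, not from the original article: a toy re-implementation of how
# Squid evaluates http_access rules top to bottom and stops at the first rule
# whose acl matches. List contents, rule orders, sample URLs and the function
# names (in_list, worktime, squid_decide) are constructed for the demonstration.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed copies of the two list files from the article (one regex per line).
printf '%s\n' 'mail\.ru'        > "$WORKDIR/whitelist"
printf '%s\n' 'games\.mail\.ru' > "$WORKDIR/blacklist"

# in_list LISTFILE URL: succeeds if any regex in LISTFILE matches URL,
# case-insensitively, like "url_regex -i" in squid.conf.
in_list() {
    printf '%s\n' "$2" | grep -qiEf "$1"
}

# worktime HOUR: succeeds when HOUR (0-23) falls inside the 08:00-15:00 acl.
worktime() {
    [ "$1" -ge 8 ] && [ "$1" -lt 15 ]
}

# squid_decide URL HOUR RULES: prints "allow" or "deny". RULES is a multi-line
# string of "action acl" pairs in evaluation order, for example
#   deny blacklist / allow whitelist / deny worktime / allow all
squid_decide() {
    url=$1; hour=$2
    while read -r action acl; do
        case $acl in
            blacklist) in_list "$WORKDIR/blacklist" "$url" ;;
            whitelist) in_list "$WORKDIR/whitelist" "$url" ;;
            worktime)  worktime "$hour" ;;
            all)       true ;;
            *)         false ;;           # an unknown acl never matches
        esac && { echo "$action"; return 0; }
    done <<EOF
$3
EOF
    echo deny    # not reached while "allow all" is the last rule
}

RULES_ARTICLE='deny blacklist
allow whitelist
deny worktime
allow all'

# The same rules with blacklist and whitelist swapped: the whitelist entry
# mail\.ru also matches games.mail.ru, so the blacklist is never consulted.
RULES_SWAPPED='allow whitelist
deny blacklist
deny worktime
allow all'

squid_decide 'http://mail.ru/'       10 "$RULES_ARTICLE"   # allow
squid_decide 'http://games.mail.ru/' 10 "$RULES_ARTICLE"   # deny
squid_decide 'http://example.com/'   10 "$RULES_ARTICLE"   # deny  (not listed, during worktime)
squid_decide 'http://example.com/'   16 "$RULES_ARTICLE"   # allow (after 15:00)
squid_decide 'http://games.mail.ru/' 10 "$RULES_SWAPPED"   # allow (wrong order lets the game site through)
```

The last call is the point of the demonstration: because the whitelist regex is a substring of the blacklisted host, moving "allow whitelist" above "deny blacklist" silently disables the blacklist for every host that contains mail.ru.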

The fourth block defines the port settings for Squid.



 http_port 3128
 http_port 3129 intercept
 https_port 3130 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squid.pem





The first line is needed so that the "ERROR: No forward-proxy ports configured" error does not appear endlessly in the logs; it fills the log and, with it, the memory. A common mistake, but for some reason I could not find a fix for it in the Russian-language segment; foreign forums helped. The second line defines the HTTP port. intercept means the proxy is transparent, that is, there is no need to configure settings on each computer.

The third line defines the HTTPS port and its options; it is a single long line. The squid.pem file is our certificate, which we will create later.



The fifth block defines the parameters of Squid's SSL connections. In particular, it says that all traffic goes directly to the Internet without using upstream caches, and the last two lines allow connections even when there are certificate verification errors, since the decision to visit such a resource must be made by the user, not by the server. It looks like this.



 always_direct allow all
 sslproxy_cert_error allow all
 sslproxy_flags DONT_VERIFY_PEER





The sixth block defines the acls for the "black" and "white" lists for HTTPS, which will be created later, as well as the depth of HTTPS interception (the handshake step at which Squid looks at the connection).



 acl blacklist_ssl ssl::server_name_regex -i "/etc/squid/blacklist_ssl"
 acl whitelist_ssl ssl::server_name_regex -i "/etc/squid/whitelist_ssl"
 acl step1 at_step SslBump1





The seventh block determines access over HTTPS. Here blocking and permitting are done by terminate and splice, respectively. Again, do not forget to remove worktime if you have no working hours defined.



 ssl_bump peek step1
 ssl_bump terminate blacklist_ssl
 ssl_bump splice whitelist_ssl
 ssl_bump terminate all worktime
 ssl_bump splice all
 sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB





The eighth block sets up Squid's cache and log. The only thing worth noting here is the logfile_rotate parameter, which indicates how many days of logs are kept.



 # cache
 cache_mem 512 MB
 maximum_object_size_in_memory 512 KB
 memory_replacement_policy lru
 cache_dir aufs /var/spool/squid 2048 16 256
 # logs
 access_log daemon:/var/log/squid/access.log squid
 logfile_rotate 1
 coredump_dir /var/spool/squid
 refresh_pattern ^ftp:           1440    20%     10080
 refresh_pattern ^gopher:        1440    0%      1440
 refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
 refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
 refresh_pattern .               0       20%     4320





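Since the access log is where you see what the filter is actually doing, here is an added example (my own, not from the article) that summarises blocked requests from a few constructed lines in Squid's native log format. The log lines, the IP addresses and the function names (denied_by_client, denied_hosts) are all constructed; it assumes the native format produced by the access_log line above, where field 3 is the client, field 4 the result code and field 7 the URL:

```shell
#!/bin/sh
# Added example, not from the original article: who is hitting the filter and
# which hosts get blocked, from Squid's native access.log format
# (time elapsed client code/status bytes method URL ident hierarchy type).
# Function names, IP addresses and log lines are constructed for the demonstration.

LOG_FILE=$(mktemp)
trap 'rm -f "$LOG_FILE"' EXIT

# Constructed sample: TCP_DENIED/403 is what the http_access deny rules produce.
cat > "$LOG_FILE" <<'EOF'
1580000000.101     12 192.168.0.15 TCP_DENIED/403 3922 GET http://games.mail.ru/ - HIER_NONE/- text/html
1580000000.205    143 192.168.0.15 TCP_MISS/200 15210 GET http://mail.ru/ - HIER_DIRECT/203.0.113.10 text/html
1580000000.310      5 192.168.0.22 TCP_DENIED/403 3922 GET http://example.com/ - HIER_NONE/- text/html
1580000000.411      3 192.168.0.15 TCP_DENIED/403 3922 GET http://games.mail.ru/play - HIER_NONE/- text/html
1580000000.512   2034 192.168.0.30 TCP_MISS/200 88120 GET http://imgsmail.ru/logo.png - HIER_DIRECT/203.0.113.11 image/png
EOF

# denied_by_client LOGFILE -> "count client-ip", most blocked client first.
# Useful for spotting a machine that keeps hitting blocked sites, or a
# teacher's PC that should have been in the unfiltered group.
denied_by_client() {
    awk '$4 ~ /^TCP_DENIED\// { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn -k1,1
}

# denied_hosts LOGFILE -> "count hostname", most blocked host first.
# Strips the scheme and the path from the URL field; CONNECT lines carry
# "host:port" there, so a trailing port is stripped as well.
denied_hosts() {
    awk '$4 ~ /^TCP_DENIED\// {
             u = $7
             sub(/^[a-z]+:\/\//, "", u)    # drop http:// or https://
             split(u, parts, "/")          # keep only host[:port]
             h = parts[1]
             sub(/:.*$/, "", h)            # drop :port
             n[h]++
         }
         END { for (h in n) print n[h], h }' "$1" | sort -rn -k1,1
}

echo "blocked requests per client:"; denied_by_client "$LOG_FILE"
echo "blocked hosts:";               denied_hosts "$LOG_FILE"
```

In real use, point the functions at /var/log/squid/access.log; a client with an unusually high count is the first thing to look at, whether it is a misconfigured address list or a pupil probing the filter.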
This completes the setup of squid.conf. We save the file and proceed to the creation of the certificate and lists.



Let's go to the folder with Squid



 cd /etc/squid/
      
      





And enter the following command to create the certificate



 openssl req -new -newkey rsa:1024 -days 36500 -nodes -x509 -keyout squid.pem -out squid.pem
      
      





Next, you will be asked for the certificate details. The certificate is valid for 100 years so that you can forget about it for a long time; it is needed only by the proxy.



Now create our list files.



 touch blacklist
 touch whitelist
 cp whitelist whitelist_ssl
 cp blacklist blacklist_ssl





Sites are listed as regular expressions. For example, to allow mail.ru, open whitelist



 nano whitelist
      
      





and add the following expression to it.



 mail\.ru
      
      





Now let's block Games.Mail.ru. Open our blacklist



 nano blacklist
      
      





and write the following expression into it



 games\.mail\.ru
      
      





Since the blacklist rule is placed above the whitelist rule, when you go to mail.ru the site will open as expected (except for the pictures, more on that later), but if you try to go to Games, Squid will not let you through.



Some sites have many subdomains, related domains and so on. For example, mail.ru stores its pictures on imgsmail.ru. For other such sites you need to open the site in a browser (I use Chrome) and then the developer tools (in Chrome they open with F12).







Go to the Sources tab and see which other resources the site loads content from.



After adding sites, copy them to the lists for HTTPS.



 cp whitelist whitelist_ssl
 cp blacklist blacklist_ssl





List Fill Tip
Create a plain text file on your computer, find a list of allowed sites, copy it in and add your own. Then, in ordinary Notepad, use find-and-replace to replace the dot with backslash-dot (\.) and, with the same find-and-replace, delete what is not needed (www, http, the "/" character, etc.). Such a file can then be copied straight into the lists on the server via the terminal.
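As an added example (my own, not from the article), the same clean-up can be done on the server with sed instead of Notepad. The function name to_squid_list and the sample list are constructed; the function assumes one site per line on its input:

```shell
#!/bin/sh
# Added example, not from the original article: normalise a plain list of sites
# into the escaped-regex form Squid's url_regex / server_name_regex lists expect.
# The function name (to_squid_list) and the sample list are constructed.

# to_squid_list: raw lines on stdin -> one escaped regex per line on stdout.
#  - trims whitespace, drops blank lines and '#' comments
#  - strips a leading scheme (http://, https://), a leading "www.",
#    everything from the first "/" onward (path, query) and a trailing ":port"
#  - escapes every "." so that "mail.ru" cannot also match "mailXru"
#  - lowercases and removes duplicates, keeping the first occurrence
to_squid_list() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e '/^#/d' \
        -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
        -e 's#^www\.##' \
        -e 's#/.*$##' \
        -e 's/:[0-9]*$//' \
        -e 's/\./\\./g' \
    | tr 'A-Z' 'a-z' \
    | awk '!seen[$0]++'
}

# Constructed sample of the kind of list the tip talks about.
SAMPLE_SITES='# sites allowed for teachers (constructed example)
http://www.mail.ru/
https://MAIL.ru/login?x=1
imgsmail.ru
  www.gosuslugi.ru/some/path
mail.ru'

# Real use would be:  to_squid_list < sites.txt > /etc/squid/whitelist
#                     cp /etc/squid/whitelist /etc/squid/whitelist_ssl
#                     /etc/init.d/squid restart
printf '%s\n' "$SAMPLE_SITES" | to_squid_list
```

The sample yields three lines: mail\.ru, imgsmail\.ru and gosuslugi\.ru; the duplicate and the differently-cased entry collapse into one, which keeps the list short and the regex matching cheap.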



Now check the configuration.



 squid -k check
      
      





If all is well, stop Squid.



 /etc/init.d/squid stop
      
      





Rebuild the cache



 squid -z
      
      





And run Squid again



 /etc/init.d/squid start
      
      





After any change to the lists or to the Squid configuration, Squid must be reloaded with the command



 /etc/init.d/squid restart
      
      





You can also change the access-denied page (works only for HTTP) under /usr/share/squid/errors/Russian-1251. Look in that folder for the file ERR_ACCESS_DENIED and edit it; the file syntax is HTML.



3.3. Monitoring Server Status and Configuring Firewall



To monitor the status of our server we install the Webmin utility, through which we will also configure our firewall. In addition, it lets you monitor CPU and RAM usage and so on, update packages, add and configure components, and much more. It has its own terminal, though a clumsy one. The utility works through any browser, so you can connect to our server from any computer on the network, which is convenient enough although not safe. If desired, access can be restricted to specific IP addresses under "IP Access Control" in Webmin itself.



Before starting the installation, add the Webmin repository. Open sources.list.



 nano /etc/apt/sources.list
      
      





And add the line below.



 deb http://download.webmin.com/download/repository sarge contrib
      
      





Now install the GPG key with which the packages in the Webmin repository are signed



 cd /root
 wget http://www.webmin.com/jcameron-key.asc
 apt-key add jcameron-key.asc





Next we update the list of packages and install the utility



 apt-get update
 apt-get install webmin





You can connect to the server from any browser by entering in the address bar (substitute your server's IP address)



 <server IP>:10000
      
      





By default, Webmin uses SSL, and most browsers show an untrusted certificate error. So as not to confirm trust every time, disable SSL. To do this, open the file /etc/webmin/miniserv.conf



 nano /etc/webmin/miniserv.conf
      
      





Find the line ssl=1 in it and change it to ssl=0. In the same file you can change the connection port; by default it is 10000, and you can use any free one.



Once connected to Webmin, go to Webmin -> Webmin Configuration and switch the language to Russian. Then go to Network -> Firewall. By default our firewall is empty. Scroll to the very bottom and, next to "Enable at boot", select "Yes". Click "Apply Configuration". Now our firewall settings are stored in the /etc/webmin/firewall/iptables.save file and are loaded with the system. If there is no such file, look at what is written in the "File with rules" line on the Firewall page in Webmin. Open it in the terminal.



 nano /etc/webmin/firewall/iptables.save
      
      





Go to the *nat block and, at its end before COMMIT, add the following rules (angle brackets are placeholders for the server's interface name and IP address).



 -A PREROUTING -p tcp -m tcp -i <interface> --dport 80 -j DNAT --to-destination <server IP>:3129
 -A PREROUTING -p tcp -m tcp -i <interface> --dport 443 -j REDIRECT --to-ports 3130





These rules redirect traffic arriving at the server's ports 80 (HTTP) and 443 (HTTPS) to our Squid ports. I have given two variants of the rules, with DNAT and with REDIRECT; you can use both, or pick one variant and set the appropriate ports.



Configure Firewall for Alternative Network Setup
This option is suitable if you used the alternative network setup above.

First, create a file with our firewall rules and make it executable.

 touch /etc/nat
 chmod +x /etc/nat





Open it

 nano /etc/nat
      
      





And add the following content (angle brackets are placeholders for the server's interface name and IP address)

 #!/bin/sh
 # Firewall
 iptables -t nat -A PREROUTING -p tcp -m tcp -i <interface> --dport 80 -j DNAT --to-destination <server IP>:3129
 iptables -t nat -A PREROUTING -p tcp -m tcp -i <interface> --dport 443 -j REDIRECT --to-ports 3130





As in the Webmin case, I have given two variants of the rules, with DNAT and with REDIRECT. You can use both, or pick one variant and set the appropriate ports.

Now make this file run right after the network comes up. Open the network settings file

 nano /etc/network/interfaces
      
      





And add the line at the bottom of the file

 post-up /etc/nat
      
      





PS: the advantage of this option is that you can add your own rules later simply by editing the /etc/nat file. With Webmin it is a little more complicated.



This completes the server setup. Reboot it.



 reboot
      
      





And let's move on to setting up the MikroTik router.



3.4. Configuring a MikroTik router to redirect traffic to Proxy



We assume that you have already downloaded the WinBox utility for remote management, that the Internet and the local network are configured, that the firewall on the router is empty, and that you know the name of the LAN interface (you can see it in IP - DHCP Server - DHCP).



a) In WinBox, go to IP - DHCP Server - Leases. In the list, find the IP addresses of the computers that will not be filtered (director, management), right-click them and choose Make Static from the menu. The letter "D" next to them, meaning Dynamic, should disappear. Now these addresses are assigned to these computers statically, by MAC address, regardless of the lease time. If a laptop is used both via Wi-Fi and via cable, you must choose Make Static for both MAC addresses.



b) Next, go to IP - Firewall - Address Lists and click the blue plus sign "+". In the Name field, enter a name for our group of unfiltered addresses, for example "Admins". In the Address field, enter one of the IP addresses that was made static. Repeat this for each address, choosing our group in the Name field from the drop-down arrow.



c) Go to the Mangle tab of the same IP - Firewall window and click "+". A tabbed window opens. On the General tab, fill in the following fields (angle brackets are placeholders for the proxy server's IP and the router's LAN interface):



 Chain - Prerouting
 Src. Address - <proxy server IP>
 Protocol - 6 (tcp)
 Dst. Port - 80
 In. Interface - <LAN interface>





On the Action tab, make sure the value is Accept and click OK.



Repeat the process, but set the Dst. Port field to 443.



d) Click "+" again and on the General tab fill in the following fields:



 Chain - Prerouting
 Protocol - 6 (tcp)
 Dst. Port - 80
 In. Interface - <LAN interface>





Go to the Advanced tab and in the Src. Address List field select our "Admins" management address list. Be sure to click the box that appears next to the list so that an exclamation mark "!" appears, meaning logical NOT (negation).



Go to the Action tab and fill in the fields:



 Action - mark routing
 New Routing Mark - to_proxy
 Passthrough -





Click OK and repeat the same actions, but set the Dst. Port field to 443.



e) Finally, add the last rule. Click the plus sign and fill in the following fields on the General tab:



 Chain - Prerouting
 In. Interface - <LAN interface>
 Routing Mark - to_proxy





As a result, with your own parameters, it should look as follows. The order is important!







f) Go to IP - Routes and click "+". Fill in the following fields:



 Dst. Address - 0.0.0.0/0
 Gateway - <proxy server IP>
 Routing Mark - to_proxy





Click OK and that’s it. With the server turned on, all HTTP and HTTPS traffic will go through our Squid.



3.5. Alternative setup for MikroTik and other routers



This option suits both the MikroTik router and any other, even the simplest one (except for the rented provider boxes, you know the ones). In this case we implement the separation of Internet access not on the router but in Squid itself. So, let's begin.

a) We assume you have reached this point by completing all the steps above, including setting up the redirect to the proxy on the MikroTik. For the option described here to work smoothly, we need to undo sub-step e) of section 3.4 of this article. You can undo all of section 3.4 (perhaps leaving sub-step a) so that our IPs do not change), but that is optional; what matters is undoing the routing itself. To do this, go to IP - Routes, find our route, select it and click the red cross (not the plus sign, but the cross next to the check mark). The route turns gray, which means it is disabled. Filtering is now also off, and all clients go to the Internet directly through the router.



b) Now go to our server and into the Squid folder

 cd /etc/squid/
      
      





Open the configuration file

 nano squid.conf
      
      





And add to it, block by block:

In the first block, immediately after the line with acl localnet ...

 acl admins src "/etc/squid/admins-ip"       # admin IP addresses
 acl students src "/etc/squid/students-ip"   # student IP addresses





We do not need a list of teachers' computers, since everyone else is assumed to be a teacher. But you can add one yourself, with the corresponding rules in the other blocks.

In the second block

 acl whitelist-stud url_regex -i "/etc/squid/whitelist-stud"   # student whitelist





In the third block after http_access deny blacklist

 http_access allow admins                    # admins: no restrictions
 http_access allow students whitelist-stud   # students: only the student whitelist
 http_access deny students                   # students: everything else is blocked





The rest of the block remains unchanged, since teachers (all other IPs) come next, filtered by their whitelist and during working hours (if set). You can also let the admins group bypass the blacklist by placing its allow rule above the deny rule, or put individual IPs (your own, for example) in a separate acl and place it in the rules above blacklist.

The fourth and fifth blocks are unchanged.

In the sixth block, add

 acl whitelist-stud_ssl ssl::server_name_regex -i "/etc/squid/whitelist-stud_ssl"
      
      





In the seventh block, add after ssl_bump terminate blacklist_ssl

 ssl_bump splice admins
 ssl_bump splice students whitelist-stud_ssl
 ssl_bump terminate students





The principle is the same as in the third block.

The rest is unchanged. Save and exit.



c) Now create our lists of IP addresses.

 touch admins-ip
 touch students-ip





And the whitelists for students.

 touch whitelist-stud
 cp whitelist-stud whitelist-stud_ssl





Add the necessary IP addresses and sites to the appropriate lists. For the student site list you can copy the teachers' list and remove the sites students do not need. Files on Linux are copied with the command

 cp <source file> <destination file>





Restart Squid

 /etc/init.d/squid restart
      
      







d) Now the most important thing: how to make clients go online through our proxy. We need to change the gateway that our DHCP server hands out from the router's address to our server's address. Of course, for this the server's address must be static, or bound to its MAC.

In MikroTik:

Go to IP - DHCP Server - Network and double-click our network. In the Gateway field, change the router's address to the proxy server's address. Click OK and that's it. You can reboot the router so that the settings are updated correctly for all active clients. After that, clients will most likely switch their network type to public (if it was private).

In an ordinary router:

Look in your router's manual for where to change the DHCP server's gateway; I cannot tell you what its settings look like :)



Bottom line: with this alternative solution we were able to configure access finely by IP and by lists, and to get real client IP addresses in the Squid logs. If you want some clients to go online bypassing the proxy, through the router, read the spoiler.

Internet bypassing Proxy
, - Squid , , ,





4. Conclusion



So, to summarize all of the above. We installed and configured Linux Ubuntu 18.04 LTS from scratch, built and installed Squid with HTTPS support, configured whitelist filtering, and integrated the proxy server into our network without needing to install an additional DHCP server.



5. List of sources



When creating the article, various materials were used from the websites of the Technical Blog of the Interface LLC and Web Safety Specialists - Web Filter for Your Network , as well as personal knowledge and experience.

When editing and supplementing the article, the following users helped a lot: Kanlas , PetRiot , Barsook . Many thanks to them for their assistance and help.



6. Notes by the author



  1. Any work on the server must be done as superuser, either by prefixing commands with sudo or by entering the sudo -s command once.
  2. Squid \ , , , . .
  3. , . , 1000 .
  4. , IP- Squid. Squid IP- — Mikrotik. , DHCP , . , , , IP .Barsook
  5. For Squid to serve a large number of clients (more than 50), at least 1 GB of RAM is required, and more is desirable, since Squid consumes memory. You can check memory usage by typing top.
  6. I recommend using both router configuration options, since a client that explicitly sets a different gateway (the router itself) in its network settings can bypass the filtering.




UPD1: added an alternative network configuration and Firewall

UPD2: added an alternative router configuration option, where problems with displaying addresses in Squid logs were fixed.

UPD3: added a fix in 3.1, enabling packets to pass through the server, which I forgot to add initially. Without it the Internet does not work. Thanks to Dmitry1986 for testing the article.


