This article offered a good start to getting a squid server up and running to do just this. As an added bonus, this is a caching server, so once they load things once they can access them quickly from the server cache. I had a head start on the process since I already had a box running Fedora Core 3, and it already had the squid rpm installed, but not configured or activated. Let me summarize exactly what I did to get squid configured.
- Installed squid (already done) via rpm (rpm -Uvh packagename) on Fedora Core 3.
- Edit /full/path/squid.conf starting with the default configuration file. My changes / additions are marked below:
#CHANGE: Use a more standard proxy port
#CHANGE: Set my cache directory onto my local raid
cache_dir ufs /raid/squid 100 16 256
#CHANGE: Set the ftp user as my email address
#(not included here)
#ADD: Setup the authentication as ncsa through
# the files we will set up in the next step
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#CHANGE: Set up visible hostname since squid seemed to need it
- Create a "squid_passwd" ncsa auth file:
htpasswd -c /etc/squid/squid_passwd adult
htpasswd /etc/squid/squid_passwd kid
- Create a whitelist file /full/path/squid/whitelist. It is simply a flat file with one host or domain per line. I started with a simple one:
- Edit /full/path/squid.conf to use these files:
In the acl area of the squid.conf file create these entries:
acl ncsa_adult_users proxy_auth adult
acl ncsa_kid_users proxy_auth kid
acl whitelist dstdomain "/etc/squid/whitelist"
Then in the http_access area of the squid.conf file create these entries:
http_access allow ncsa_adult_users
http_access allow ncsa_kid_users whitelist
http_access deny all
- Activate squid by adding it to the boot process and then starting it.
chkconfig squid on
- Configure my test browser to use hostname:8080 as its proxy for all protocols. When trying to get to a website, it now asks for a username/password. If you enter the kid password, all non-whitelisted sites should be blocked. If the adult password is entered, you have full access.
- To ensure that there is no way around the proxy, I block access to the internet from all machines but the proxy machine, or at least from all machines that I want on the proxy. This prevents the kids from simply bypassing the proxy.
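As an added example of my own (not squid's code and not part of the original post), here is a small Python model of how squid walks the acl and http_access lines above, using a constructed whitelist in place of /etc/squid/whitelist; it also shows the dstdomain detail that only entries with a leading dot cover subdomains.

```python
# Added model (mine, not squid's code) of how squid evaluates the acl and
# http_access lines from this post, with a constructed whitelist in place of
# /etc/squid/whitelist: ".x.org" matches x.org and all of its subdomains,
# "www.x.org" matches that one host only.
WHITELIST = [".wikipedia.org", "www.example.com"]

ACLS = {  # the acl lines from the post: name -> (acl type, value)
    "ncsa_adult_users": ("proxy_auth", "adult"),
    "ncsa_kid_users": ("proxy_auth", "kid"),
    "whitelist": ("dstdomain", WHITELIST),
    "all": ("all", None),
}

# http_access lines in file order: ACLs on one line are ANDed (checked left
# to right), lines are tried top to bottom and the first matching line wins.
HTTP_ACCESS = [
    ("allow", ["ncsa_adult_users"]),
    ("allow", ["ncsa_kid_users", "whitelist"]),
    ("deny", ["all"]),
]

def dstdomain_match(host, entries):
    host = host.lower().rstrip(".")
    return any(
        (host == e[1:] or host.endswith(e)) if e.startswith(".") else host == e
        for e in (x.lower() for x in entries)
    )

def acl_match(name, user, host):
    """True/False on match; None when squid would first send a 407 challenge."""
    kind, value = ACLS[name]
    if kind == "all":
        return True
    if kind == "dstdomain":
        return dstdomain_match(host, value)
    return None if user is None else user == value  # proxy_auth

def decide(user, host):
    """Return 'allow', 'deny' or 'auth' (407 challenge) for one request."""
    for action, names in HTTP_ACCESS:
        for name in names:
            result = acl_match(name, user, host)
            if result is None:
                return "auth"
            if not result:
                break
        else:
            return action
    return "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"  # squid default
```

With this whitelist, decide("kid", "en.wikipedia.org") returns "allow" while decide("kid", "mail.example.com") returns "deny", and a request without credentials returns "auth", the 407 challenge behind the username/password prompt described above.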