wowiesy2
October 2nd, 2020, 06:03 AM
At this time of Online Schooling due to community restrictions, I have setup ubuntu to work as router / dhcp thru dnsmasq at home.
There has been numerous times that my son can't keep away from YouTube during class so I had to setup Squid to prevent that.
I have set up basic authentication to work with Squid as well, and manage to get it to work somehow..
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
acl auth_users proxy_auth REQUIRED
through this acl / http_access lines, I was able to directly prevent Squid from loading on the browser of the laptop:
acl U1010_clients src 192.168.254.0/24 #lan ip addresses
acl Test_Device src 192.168.254.204 #target device
acl YouTube_Service dstdomain .youtube.com .youtu.be .ytimg.com .googlevideo.com .i.google.com .ytimg.l.google.com .youtube.l.google.com
acl school_hours time MTWHF 07:30-12:00
http_access deny Test_Device YouTube_Service
but this means that, YouTube will be *forever* banned for that machine (at least while the Squid is running as proxy for that machine).
But there are certain times when certain school materials will actually point to a YouTube link. So I thought that for those times, I figure my son just have to come over to me, my wife or our daughter to authenticate and my son can continue on only for that link (hopefully next time he tries to go YouTube on to watch his preferred videos, the authentication feature will kick in again and he can't get past that... have to have a way to do that right?
the question then is:
How do I prohibit YouTube for a certain device, only during school hours without any proper authentication?
further,
My testing involved having to setup the Windows client to use my Squid proxy setup. but I'm pretty sure my son would be able to find a way to disable that eventually, so I'm thinking of setting Squid as a transparent proxy.
But, is it possible to only do that for certain clients within the LAN? say only for the Windows client my son uses ? (and maybe an backup tablet..)
this is supposed to be the line in my firewall script to setup the transparent proxy:
#$IPT -t nat -A PREROUTING -s 192.168.254.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
instead of the whole LAN ip address pool, I can specifically use the client specific address here ya? Since I do have control on IP address assignment through mac address of the machines (via dnsmasq).
Is it good practice to also have Port 443 go through Squid? (since YouTube also heavily uses that port) ?
thanks for the feedback.
There has been numerous times that my son can't keep away from YouTube during class so I had to setup Squid to prevent that.
I have set up basic authentication to work with Squid as well, and manage to get it to work somehow..
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
acl auth_users proxy_auth REQUIRED
through this acl / http_access lines, I was able to directly prevent Squid from loading on the browser of the laptop:
acl U1010_clients src 192.168.254.0/24 #lan ip addresses
acl Test_Device src 192.168.254.204 #target device
acl YouTube_Service dstdomain .youtube.com .youtu.be .ytimg.com .googlevideo.com .i.google.com .ytimg.l.google.com .youtube.l.google.com
acl school_hours time MTWHF 07:30-12:00
http_access deny Test_Device YouTube_Service
but this means that, YouTube will be *forever* banned for that machine (at least while the Squid is running as proxy for that machine).
But there are certain times when certain school materials will actually point to a YouTube link. So I thought that for those times, I figure my son just have to come over to me, my wife or our daughter to authenticate and my son can continue on only for that link (hopefully next time he tries to go YouTube on to watch his preferred videos, the authentication feature will kick in again and he can't get past that... have to have a way to do that right?
the question then is:
How do I prohibit YouTube for a certain device, only during school hours without any proper authentication?
further,
My testing involved having to setup the Windows client to use my Squid proxy setup. but I'm pretty sure my son would be able to find a way to disable that eventually, so I'm thinking of setting Squid as a transparent proxy.
But, is it possible to only do that for certain clients within the LAN? say only for the Windows client my son uses ? (and maybe an backup tablet..)
this is supposed to be the line in my firewall script to setup the transparent proxy:
#$IPT -t nat -A PREROUTING -s 192.168.254.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
instead of the whole LAN ip address pool, I can specifically use the client specific address here ya? Since I do have control on IP address assignment through mac address of the machines (via dnsmasq).
Is it good practice to also have Port 443 go through Squid? (since YouTube also heavily uses that port) ?
thanks for the feedback.