HowTo WhiteList Proxy for School Using Squid on OpenSUSE Linux 11

Overview

I am the technology coordinator for a small, private K-12 school in rural Upstate New York.  One of our challenges is filtering Internet access so that the students may have access to the Internet as much as possible while not requiring constant, direct supervision.

To meet these needs we decided that we were limited to WhiteListing – managing a list of all allowed websites and blocking everything by default as opposed to blacklisting where everything is allowed except for a specific list of banned sites.  Whitelisting means that we have to manually maintain a list of approved websites, but the parents are confident that the students are only able to access pre-approved web sites.

Our Infrastructure

Before getting into the implementation details, I would like to detail how our network is laid out to put this project into context.  We are a pure 32-bit Novell OpenSUSE environment, both desktops and servers, with a single Netgear ProSafe Firewall connecting us to a donated Time-Warner RoadRunner cable connection (Thank You, Time Warner RR!!).

Each desktop is set up without routing so they are limited to communications within the subnet only.  We have no fears of needing to grow beyond our /25 subnet’s limit anytime soon.  We have no DHCP and use static IP assignments throughout the school including machines connected via wireless.  Those machines used for administrators (not teachers – but office use where students do not have access) are routable and will not use our filter (for extra security they are allowed external access at the firewall via an IP list.)  All other machines can only get access to the Internet through the use of the proxy server.  This also allows us to improve bandwidth utilization through aggressive caching since the set of allowed sites is so limited and well known.

For our proxy server hardware we are using an HP Proliant DL380 G2 with dual 1.4GHz Pentium III processors, 1.25GB of RAM and six hot-swap 36GB 10,000RPM SCSI drives arranged as RAID 0+1.  This machine is far more than adequate for our needs and does an amazing job.  We could easily run on a DL360 G1 with just a single processor, half that memory and two drives in RAID 1 without any problem.  Our previous machine, which we used for years without any issues in performance, was a Proliant 3000, dual Pentium II 333MHz, 1GB and five 4.3GB 7,200RPM drives in RAID 5.

The older system ran SUSE 9.2 and ran wonderfully for a long time.  I am writing this HowTo guide as I move us to OpenSUSE 11 and do a fresh installation of our proxy server.

The Software

As we are running on OpenSUSE Linux 11, I want to work with Novell managed packages as much as possible.  For the proxy portion of our system we will use the Linux standard proxy server Squid.  OpenSUSE’s repository offers us both Squid3 and Squid2.  We will go ahead and use the latest Squid Proxy package for OpenSUSE 11, Squid3 3.0.5.  The downside to going with the newer Squid3 package is that OpenSUSE’s YaST tool cannot yet manage it so you are stuck working only from the configuration files.

For advanced filtering we have two primary choices: SquidGuard and DansGuardian.  SquidGuard has the advantage of being included in the OpenSUSE repositories making it easier to manage from a patch perspective.  DansGuardian is what I have used in the past.  It is available as an RPM from the OpenSUSE Build site but is not available through the YaST repositories.  DansGuardian is GPL’d but the author asks that you not exercise your GPL right (GPL in fact but not in spirit.)  So, I like to avoid DansGuardian simply because I can’t figure out if the author even wants me to use his software or not.

For our purposes here, using nothing but whitelisting, we do not need the features of either SquidGuard or DansGuardian and can avoid them completely.  If you are looking to do more than just whitelist filtering they are your best bets.

Installing the Proxy Server: Squid

Installing Squid3 on OpenSUSE 11 is extremely simple.

zypper install squid3

Of course, if you prefer, you can always use OpenSUSE’s YaST utility, either graphically through the desktop or through an ncurses interface on the command line, to install Squid and any necessary dependencies.  I find working through Zypper (or Yum on a Red Hat, CentOS or Fedora system) to be the most efficient by far.

Configuring Squid

These are the changes that I made to /etc/squid/squid.conf:

acl localnet src 192.168.4.0/25
acl whitelist dstdomain "/etc/squid/whitelist"
http_access allow all whitelist
http_access deny all
http_port 8080

That’s it.  Very, very simple.  The acl localnet line is simply there to allow my local network.  You will need to put in your own local network, not mine, for this to work for you.  If you stick with the Squid3 defaults then all private networks are allowed locally by default, so that is a completely viable option.

The two http_access lines first tell Squid to allow anyone (“all”) access to the sites included in the whitelist ACL.  The second line denies access to any request that was not allowed by the previous rule.

The last line, http_port, is also completely optional.  The default port for Squid is 3128 but I prefer to run my proxy on the more common 8080 port.  This is just easier to remember when setting up desktops.

With the default install of Squid3, Squid is not configured to start automatically.  So we need to use chkconfig to configure Squid to start on system boot.  You can skip this step if, for some reason, you do not want your proxy system to start automatically when your server restarts.

chkconfig --level 3 squid on

Before we actually start Squid, though, we will want to create our whitelist file which will be the main configuration file that we will be using after Squid is up and running.

Creating the Whitelist

Using your favourite text editor (that’s vi for me) create the file /etc/squid/whitelist.  This file is just a simple list of websites that will be allowed.  The one thing to be aware of is that your entries need to lead with a dot.  If you leave off the dot you will have problems.  Here is an example from my own whitelist:

.gov
.sheepguardingllama.com
.unicef.org
.eff.org
.conversationsnetwork.org

In this example, all United States government web sites will be allowed (those ending in .gov) as well as this blog, UNICEF, the Electronic Frontier Foundation and The Conversations Network.  Anytime that you alter this file you will need to ask Squid to reread its configuration.
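Before asking Squid to reread the whitelist it is worth checking the file for the mistakes that cause those “problems”.  The script below is an added example, not part of the original post: it lints a whitelist file using Squid’s dstdomain rules (a leading dot matches the domain and every subdomain, no dot means exact host only) and reports which entry, if any, would admit a given hostname.  It assumes the file is wired up as acl whitelist dstdomain "/etc/squid/whitelist"; the sample whitelist is constructed from the post’s entries plus two bad ones.

```python
"""Lint /etc/squid/whitelist and predict which hosts Squid will allow.

Added example, not from the original post.  Assumes the file is used as
  acl whitelist dstdomain "/etc/squid/whitelist"
so Squid's dstdomain rules apply: ".x" matches x and every subdomain of x,
while "x" (no leading dot) matches only the exact hostname x.
"""
import re
import sys

# Constructed sample: the post's whitelist plus two entries of the kind
# that cause trouble (no leading dot, and a full URL instead of a domain).
SAMPLE_WHITELIST = """\
.gov
.sheepguardingllama.com
.unicef.org
.eff.org
.conversationsnetwork.org
eff.org
http://www.unicef.org/
"""

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def covers(pattern, host):
    """True if dstdomain `pattern` matches `host` (both lower-case)."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def lint_whitelist(text):
    """Return (entries, problems); problems are (lineno, entry, message)."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if "/" in entry or ":" in entry:
            problems.append((lineno, entry, "looks like a URL, not a domain"))
            continue
        if not all(LABEL.match(l) for l in entry.lstrip(".").split(".")):
            problems.append((lineno, entry, "invalid hostname label"))
            continue
        if not entry.startswith("."):
            problems.append((lineno, entry, "no leading dot: exact host only"))
        seen.setdefault(entry, lineno)
        entries.append(entry)
    # Squid ignores an entry already covered by a broader one; report it.
    for entry in entries:
        if any(e != entry and e.startswith(".") and covers(e, entry.lstrip("."))
               for e in entries):
            problems.append((seen[entry], entry, "shadowed by a broader entry"))
    return entries, problems


def allowed(host, entries):
    """Return the whitelist entry admitting `host`, or None if Squid denies it."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if covers(entry, host):
            return entry
    return None


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_WHITELIST
    entries, problems = lint_whitelist(text)
    for lineno, entry, msg in problems:
        print(f"line {lineno}: {entry}: {msg}")
    for host in sys.argv[2:]:
        print(f"{host}: {allowed(host, entries) or 'DENIED'}")
```

Run it as python3 whitelist_check.py /etc/squid/whitelist www.nasa.gov before telling Squid to reread its configuration with squid -k reconfigure.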

Configuring the Desktop Clients

If you are like me, you will be using OpenSUSE on your desktops as well which I highly recommend.  OpenSUSE makes a wonderful desktop, especially with KDE4.  With OpenSUSE you have the option of setting your proxy settings using the handy YaST tool.  This is fine.  If you are like me, you will prefer to use the command line – mostly because it is easily scriptable but also because it will work for non-SUSE Linux boxes as well.

To set your proxy temporarily just for the current session to test your proxy server you can simply:

export http_proxy="http://192.168.4.2:8080/"

Notice that you will need to use your own IP address here as well as your own port number if you decided to use one other than 8080.  My proxy server’s IP address is 192.168.4.2 so modify accordingly.

The most common means of setting this variable to survive through a reboot is to use /etc/profile so that it will apply to all users.  Simply add this line to /etc/profile:

export http_proxy=http://192.168.4.2:8080/

In OpenSUSE, there is a better place to set this information: /etc/sysconfig/proxy.  This file is the central proxy settings file for all of OpenSUSE, which is very handy because we don’t have to worry about users not picking up changes from other locations.  It is also nice because it allows us some advanced settings if we so desire.

In my case, I am only using the proxy server to handle HTTP and HTTPS requests (we are blocking FTP and GOPHER entirely) so we only need to edit the two lines pertaining to those protocols, the “no proxy” setting that lists which locations should be accessed directly rather than proxied, and PROXY_ENABLED, without which the rest of the file is ignored.  Here are my settings:

PROXY_ENABLED="yes"
HTTP_PROXY="http://192.168.4.2:8080/"
HTTPS_PROXY="http://192.168.4.2:8080/"
NO_PROXY="localhost, 127.0.0.1"

With these changes you should now have a functioning, whitelisting proxy server to protect your network.  OpenSUSE’s default installation of Firefox is set to bypass its own proxy settings and to pick up the system settings automatically.  Tools like w3m and wget will use the system proxy settings as well.  If you are using a client that is either unable to or not configured to get its settings from the system, then you will need to configure its proxy settings manually on an application-by-application basis.

September 27, 2008: Super Foggy Day

55 Days to Baby Day! (32 Weeks and One Day Pregnant)

Got up at eight this morning to work.  Saturday morning work really is not so bad, especially this week when we need the money so badly.

There was a crazy amount of fog here in Newark this morning.  As I came out to the living room to get to work I was greeted to a completely white world outside.  I had to walk very close to the window before I could see a building close enough to us to be visible at all.  Only those buildings directly adjacent to us are poking out of the mist.  Everything else is completely obscured.  Very strange living in a place with a view that regularly varies from hundreds of feet to around twenty miles or so!  The variance is quite amazing on a day to day basis.  This is pretty extreme though.

It is strange that I am amazed by this because growing up on the farm we had a far farther view close to thirty or forty miles to both the north and the south and a good ten miles east.  I think being in a high rise eliminated the gradual drop off of visibility and makes it occur in steps that cause it to seem to be more pronounced.  Manhattan, for example, can disappear all on its own while leaving Newark visible.  Buildings disappear one block at a time not gradually inch by inch.

My morning work lasted until around eleven.  Then it was time for my homework.  I did my class reading assignment and put some thought into my homework but never really had a chance to work on it directly.  That will have to wait until tomorrow.

I ended up working almost a full day today for the office.  As one thing would end another would begin.  It was a really long day.  At least the weather was really nice.

I lost some ground on my back today.  It was doing pretty well yesterday but today it is hurting a bit again.  So I am continuing on my regimen of ibuprofen.

Dominica did lots of laundry today.  We tend to get pretty backed up on laundry if we travel at all.  She also gave Oreo an herbal ear cleaning with a new dog ear cleaning solution that she found from Halo recently.  He didn’t really like it but it did seem to reduce the amount of ear itching that he has been doing.

Dominica spent a lot of the day watching Magnum P.I. She is starting to catch up with me a little bit.  I think that I watched four seasons without her.  If I remember correctly, I watched most of those when I was living in North Brunswick, New Jersey by myself in early 2006.

I put in a bunch of time this afternoon working on the server at the school in Castile.  I installed Squid and got it set up to run as the school’s proxy server so that the students can get online again.  We use a whitelisting system where we approve web sites ahead of time and block all others, which is the opposite of most people’s approach of blocking sites that they don’t want and allowing everything by default.

For the past few years we have been using DansGuardian for this type of web filtering but we are going with just plain, simple Squid which is a bit easier to manage.  I prefer not having the extra piece of software to deal with if at all possible and since we only do whitelisting it really is easier just to use Squid for that.

I also did a bit of work creating a build script for the school this afternoon.  We have a single script which will run, applying all needed packages and setting up each of the computers which helps us keep the entire environment completely identical and gives us a means for rebuilding and/or repairing machines very quickly.  It is going to be very, very handy once it is all done.  I am hoping that I will be able to run it by Monday or so.

For dinner we decided to be lazy and to just get tuna salad sandwiches from the deli in our apartment building.  Getting food from there is cheaper than most places that we might try to go to (or order from) and only takes a few minutes.  The food is pretty good but the selection is nothing exciting except for the fact that they do do breakfast all day long.  So eggs, pancakes, french toast, etc. along with grilled cheese, tuna salad products, egg salad and tossed salads, but that is about all that they have for us vegetarians.

I went down and got food and then we spent a while watching some of Magnum P.I. and The Fresh Prince of Bel Air Season Two on our AppleTV.  My back was really bad this evening.  I was barely able to walk and seeing as we have no chairs in our bedroom, which is the only room in which we can watch AppleTV or DVDs, I had to sit on the bed propped up against the wall which didn’t do much to help my back situation.

I worked on the CCA script on my OLPC while we watched AppleTV.  I was not very productive but it makes me feel a little bit better to at least be doing something.  I did get some work done just not nearly as much as if I had been not watching AppleTV.

Tonight is Katie’s 30th birthday party up in Haverstraw.  We had wanted to go but Dominica really is not up to doing anything extra in the evenings and it is not like she could drink either, and neither could I unless I was going to make Dominica drive which we try to do as little as possible.  It definitely turned out to be the right decision not to go to the party tonight as originally we had thought that both my back was going to be a bit better, rather than quite a bit worse, and we thought that I was just working for two hours or so this morning and not almost eight hours!

Tomorrow I need to finish up my week’s homework and do more CCA preparation work for Monday.  We are hoping that most of the computers will be usable on Monday for the students.

September 26, 2008: Debate Day

56 Days to Baby Day! (32 Weeks Pregnant)

It is a cold and rainy morning here in the New York Metro area.  I am very excited that summer seems finally to have broken and the nice weather has begun.  It is amazing how happy a nice, cool day can make me.  We have the windows open and I am wearing a fleece in the apartment – just as it should be.

We decided that because of Dominica and my schedules today that Oreo could skip daycare and stay at home.  He loves his lazy mornings when he does not have to leave his cocoon of fleece blankets on our bed.  He is like a babe in swaddling in there with just his nose protruding to get him fresh air.

My back seems to have improved a bit this morning.  Impossible to tell for sure.  It seems to get better throughout the day and then be worst in the mornings.  Perhaps that is because of the stress of getting out of bed after it has sat mostly motionless for so long.  I am still taking ibuprofen today.  Maybe I can cut that out tomorrow.

My morning at work, which started at six thirty, started off nice and slow.  Friday mornings are usually slow but you never know what can happen.

Dominica left work around noon to go up to her new doctor’s office in Peekskill where she was supposed to meet with their insurance specialist.  But that person didn’t come to work today so she has to drive all of the way up there just to fill out some paperwork.  Clearly this clinic doesn’t think that women should have jobs and should spend their time spinning their wheels at the doctor’s office for no reason.

In a cruel twist of ironic fate, after years of living in Newark and having one fender issue after another with the BMW, we are just days away from moving to Peekskill and Dominica has a small parking accident with the BMW and does some fender damage – in Peekskill, of all places!  At least we didn’t get the car fixed yet from all of the other issues before this happened.  That would have been really depressing.

Today was another long day but that is not surprising.  There is no way to shorten a Friday and when I work the early shift it is just that much longer.  Today was a good thirteen hours after two twelve hour days, and tomorrow I start again at eight in the morning.

I spent a couple of hours working on my homework.  We had a major assignment due today (Friday) and have our regular assignment due in two days (Sunday) so it is a busy homework week for me.  I got my homework done and submitted around nine thirty which was much earlier than I had thought that I would be able to complete it so I was pretty happy.

Dominica spent the evening watching “television”.  First she watched some Kitchen Nightmares on Hulu and then watched the first disc of the second season of Bones which had just arrived today from NetFlix.  After that she watched the final few episodes of the final season of Frasier which I had watched without her last week.

Kevin and Ryan were over at the new sports bar that has recently opened in the space where the Savoy used to be.  The Savoy was a nice restaurant, a bit overpriced, but a good addition to downtown Newark.  Adding yet another competing bar doesn’t seem like a good idea.  There are so many bars here and so few restaurants that they are just taking each other’s business rather than adding anything to downtown.

By the time that I realized that Kevin and Ryan were trying to reach me they had already left the bar and were down in the lounge watching the presidential debate between McCain and Obama.  So I changed my clothes and went down to the lounge to watch the debate.  Believe it or not, tonight was the first time that I have ever seen Barack Obama on television and the first time that I have seen McCain on television related to this year’s election!

After the election we tried to go over to Sculley’s which had said that it would be open until midnight but, as always, it was closed when we got there even though it was just ten thirty.  I imagine that they will be out of business soon.  They aren’t open weekends ever and now we have problems going there on weeknights too.  It takes some serious effort to be able to get into Sculley’s, I have no idea when they are open or why.  So we went over to the Key Club instead.

We had a few drinks and appetizers and stayed until around midnight.  I couldn’t stay out any later than that as I have to be up to work at eight in the morning.  Tomorrow evening is Katie’s birthday party up in Rockland County, New York.  We are not sure whether or not we will be able to make it.  We are trying to go but will have to play it by ear.  It will depend heavily on my work and homework situations.

September 25, 2008: Still Some Bad Back Pain

57 Days to Baby Day! (31 Weeks and Six Days Pregnant)

Happy birthday to semi-regular reader Jeremy Richardson!

Even going to bed around ten, the morning alarm came way earlier than expected.  Getting up this morning my back feels as though it has improved some but overall it still feels pretty bad.

The weather has turned much cooler today and the apartment is actually a little chilly for a change.  I am happy about that.  I am tired of the heat here in the city.  Because of the child safety windows in our building (we have no screens and they are important as Oreo could, in theory, fall out an open window) we get very little airflow even high up here looking over the city.

Dominica convinced me to start taking ibuprofen to reduce swelling in my back just in case this is spinal related and not muscle related.  It has probably been seventeen years since I have had ibuprofen in my system.  Seems strange to be taking it.

We got a little news about the new house today.  We are still attempting to get an official and final closing date but we know that everyone is shooting for sometime between October 7th and October 15th.  That is the week window and I guess that everything looks good for us to be able to hit that.  Getting the house a few days early would not be a bad thing.  It would give us time to strategize and some opportunity to haul some items from Newark to the house in the Mazda PR5 before the real move happens.  A few car loads ahead of time can really make things a lot easier, especially considering how little we actually have in the apartment.

We had a production issue today that kept me on the phone for most of the day.  In some ways that makes the day seem to pass more quickly but mostly it just makes it hard to get all of the things done that need to be completed in the day as it is pretty much impossible to do anything useful while on a conference call.

Today was another long one.  I didn’t even get to leave the apartment for lunch today or anything.  I ended up working for the office until seven in the evening!  What a long day.

Dominica brought home dinner from On the Border.  I watched some of one episode of Magnum P.I. with her while we ate but had to get back out to the office in the living room before the episode was much more than halfway through.  She watched more after I left.  I have watched the first several seasons of Magnum P.I. without Dominica and she has never seen the show so she is now catching up with me so that we can watch the rest of the show together.

I got paged out twice this evening.  It is so hard to really get into anything, like my homework, and manage to really wrap my brain around it as I am constantly being interrupted.  While trying to settle in to my homework this evening I had the pages, had to feed Oreo his two late meals, had to walk Oreo in the rain, etc.  Each interruption is tiny but each one breaks my chain of thought and it takes fifteen minutes for me to figure out what I was thinking about and upon what I was last working.

I worked on my homework until eleven twenty.  That was about all that I could handle for the night.  I am very hopeful that I will have a chance to work on it tomorrow morning.  It has to be turned in tomorrow so I only have so many choices.  I am somewhat thankful that I am on the early shift this week as that is actually likely to create more time for me to work on the homework than I would normally have.  It is also getting me some desperately needed overtime this week.

I went back to Monday’s post and added in a picture of dad’s Mercury with the server cabinet mounted onto the trunk lid just before we drove on down to Castile with it.  If you did not see the picture, it is well worth checking out.  Imagine us driving from Peoria to Castile, New York with that huge chunk of steel mounted to the trunk of the car with Dominica and I following in the BMW!  People had to think that we were completely insane.  People at the office thought that we were crazy when I showed them the picture.  Most people’s reaction was “that must have scratched up that car horribly” but, in the end, there was not a single scratch on the car from the cabinet.  Although my back continues to feel it.

I am continuing to take ibuprofen to bring down any potential swelling in my back.  As far as I can tell, it is helping.  I think that I will be in pretty good shape by this weekend.  I sure hope so at least.

Tomorrow, Dominica has to take a half day from work and drive up to Peekskill in the afternoon to meet with our insurance agent about her transferring from a doctor in Newark up to a doctor at Hudson Valley Medical Center.  So she will likely be home rather early.  That means that Oreo will be able to stay at home tomorrow instead of going to daycare.  That will help offset the loss of hours and the gas up to Westchester just a tiny bit.