Using Squid to Deny Media Streams
This article is taken from the Media Streams page on the Squid wiki; I am just posting it here for quick reference.
Media streams come in many types. The most commonly used are audio, video, or audio-visual streaming.
It is hard to separate the stream types by application, so the config below includes all the known streams and simply comments the commonly known ones where possible.
Squid Configuration File
# Media Streams
## MediaPlayer MMS Protocol
acl media rep_mime_type mms
acl mediapr url_regex dvrplayer mediastream ^mms://
## (Squid does not yet handle the URI as a known proto type.)
## Active Stream Format (Windows Media Player)
acl media rep_mime_type x-ms-asf
acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$
## Flash Video Format
acl media rep_mime_type video/flv video/x-flv
acl mediapr urlpath_regex \.flv(\?.*)?$
## Flash General Media Scripts (Animation)
acl media rep_mime_type application/x-shockwave-flash
acl mediapr urlpath_regex \.swf(\?.*)?$
## Others currently unknown
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
http_access deny mediapr
http_reply_access deny media
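Before rolling ACL regexes out, it is worth checking them against the URLs and Content-Types you expect to block and, just as importantly, the ones you do not. The script below is an added example, not code from the Squid wiki or from this post: it copies the page's url_regex, urlpath_regex and rep_mime_type patterns into Python and runs them over a set of constructed sample URLs and reply types. Python's re module behaves the same as Squid's POSIX extended regexes for these simple patterns, and, like Squid without the -i flag, the matches are case-sensitive, which is the edge case the last sample exercises.

```python
import re
from urllib.parse import urlsplit

# The page's Squid ACL patterns, copied as Python regexes.
MEDIAPR_URL_REGEX = [r"dvrplayer", r"mediastream", r"^mms://"]      # acl mediapr url_regex ...
MEDIAPR_URLPATH_REGEX = [r"\.(afx|asf)(\?.*)?$",                    # acl mediapr urlpath_regex ...
                         r"\.flv(\?.*)?$",
                         r"\.swf(\?.*)?$"]
MEDIA_REP_MIME = ["mms", "x-ms-asf", "video/flv", "video/x-flv",    # acl media rep_mime_type ...
                  "application/x-shockwave-flash", "ms-hdr", "x-fcs"]


def url_path(url: str) -> str:
    """The part of a URL that urlpath_regex sees: path plus query, without scheme and host."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def request_matches_mediapr(url: str) -> bool:
    """True when 'http_access deny mediapr' would deny a request for this URL."""
    if any(re.search(p, url) for p in MEDIAPR_URL_REGEX):
        return True
    return any(re.search(p, url_path(url)) for p in MEDIAPR_URLPATH_REGEX)


def reply_matches_media(content_type: str) -> bool:
    """True when 'http_reply_access deny media' would deny a reply with this Content-Type."""
    return any(re.search(p, content_type) for p in MEDIA_REP_MIME)


# Constructed sample inputs (not from the page) with the verdict we expect from the ACLs.
SAMPLE_REQUESTS = [
    ("http://cdn.example.test/clip.flv?id=42", True),          # .flv with a query string
    ("http://cdn.example.test/flvplayer.html", False),         # 'flv' in the name, but not the extension
    ("mms://stream.example.test/live", True),                  # caught by ^mms://
    ("http://www.example.test/mediastream/a.mp4", True),       # caught by the url_regex 'mediastream'
    ("http://www.example.test/docs/asf_spec.pdf", False),      # 'asf' but not a .asf extension
    ("http://www.example.test/banner.SWF", False),             # uppercase extension slips past a case-sensitive regex
]
SAMPLE_REPLIES = [
    ("video/x-flv", True),
    ("application/x-shockwave-flash", True),
    ("text/html", False),
]


def mismatches():
    """Return every sample whose actual verdict differs from the expected one (empty means all as expected)."""
    bad = [(u, want, request_matches_mediapr(u)) for u, want in SAMPLE_REQUESTS
           if request_matches_mediapr(u) != want]
    bad += [(ct, want, reply_matches_media(ct)) for ct, want in SAMPLE_REPLIES
            if reply_matches_media(ct) != want]
    return bad


if __name__ == "__main__":
    for url, _ in SAMPLE_REQUESTS:
        print(f"{'DENY ' if request_matches_mediapr(url) else 'allow'}  {url}")
    for ct, _ in SAMPLE_REPLIES:
        print(f"{'DENY ' if reply_matches_media(ct) else 'allow'}  Content-Type: {ct}")
    print("mismatches:", mismatches())
```

The banner.SWF sample is the one to take away: a client or server that uses uppercase extensions is not caught by the request ACL, so the reply-side rep_mime_type rule is what actually stops the stream. If you want the request rule to catch it too, Squid's regex ACLs accept the -i flag for case-insensitive matching (acl mediapr urlpath_regex -i ...).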
Openbox on FreeBSD
So I was always a big fan of KDE up to 3.5. When 4 was released I wasn't much pleased with it (though a lot of people like it). So I stuck with 3.5 until I switched to Openbox.
Openbox is a lightweight, extensible window manager. It can be used inside a desktop environment (GNOME or KDE) or as a standalone window manager without a desktop environment (the lightweight approach).
Openbox itself does not manage the desktop. That means installing Openbox won't give you easy menu access to wallpaper options, a taskbar or system panel, or most of those other doo-dads. It does, however, give you a framework to incorporate other programs that do those things, usually with a greater degree of freedom over the style and interface.
So, breaking down what's needed for a desktop...
- A wallpaper, for fancying the background
- A trayer, to keep track of system tray/notification area
- A taskbar, to launch and monitor applications
- Desktop icons, for quickly launching programs
- A desktop menu, to provide a central launching point for applications and tasks
Beautifying Openbox...
The first thing I do when configuring a new operating system, whether Linux, FreeBSD or Windows, is set the wallpaper.
Install hsetroot for fancying the background
# pkg_add -r hsetroot
$ hsetroot -center /home/ahmed/.config/openbox/bg.jpg
Install trayer to keep track of system tray/notification area
# pkg_add -r trayer
$ trayer --edge bottom --align right --widthtype request --height 20 --SetDockType true --transparent true --alpha 255 --expand true
Install tint2 to launch and monitor applications
# pkg_add -r tint2
$ tint2 &
For the desktop icons, I use iDesk.
The desktop menu is provided by right clicking anywhere on the desktop.
Bring X to life on FreeBSD
By default, X isn't enabled on a new FreeBSD installation, even if it was installed during a regular installation. I tried to make it as simple as possible to get X running smoothly. I continued using the VM I created earlier for my FreeBSD Asterisk installation.
During the installation, I chose to install X and xdm (located in x11 category in sysinstall), with no graphical desktops yet. Later, I installed openbox.
First, build an initial configuration file and place it in /etc/X11/
# Xorg -configure; mv xorg.conf.new /etc/X11/xorg.conf
Then enable hal and dbus
# vi /etc/rc.conf
dbus_enable="YES"
hald_enable="YES"
At this point X is configured, but it needs a display manager. I was a big fan of KDM (I even wrote some KDM themes), but I chose to go with XDM. So to get xdm running...
Modify the xdm entry in /etc/ttys
# vi /etc/ttys
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm on secure
XDM needs a ~/.xsession file to launch a desktop environment; I use openbox.
# pkg_add -r openbox
$ echo "exec openbox-session" >> ~/.xsession
Now after rebooting, XDM will launch, and upon logging in, openbox will start.
Installing Asterisk on FreeBSD
A couple of days ago, I wanted to move from using AsteriskNOW to installing Asterisk on FreeBSD. So I installed FreeBSD in VMware and started installing Asterisk 1.6.
Update the ports tree to install the latest Asterisk port available for FreeBSD 7.2
# portsnap fetch
# portsnap extract
Install asterisk16 from ports
# cd /usr/ports/net/asterisk16/ && make install clean
Installation may be interrupted if libtool is older than 2.2. To fix this, install libtool22
# cd /usr/ports/devel/libtool22/ && make install clean
Then carry on with the Asterisk installation
Install asterisk16-addons
# cd /usr/ports/net/asterisk16-addons/ && make install clean
Install asterisk-gui
# cd /usr/ports/www/asterisk-gui/ && make install clean
Edit rc.conf to start asterisk on boot
# vi /etc/rc.conf
And append...
# asterisk
asterisk_enable="YES"
Then configure asterisk
# vi /usr/local/etc/asterisk/manager.conf
[general]
enabled = yes
webenabled = yes
port = 5038
displaysystemname = yes
httptimeout = 60
bindaddr = 0.0.0.0
allowmultiplelogin = no
displayconnects = yes
timestampevents = yes
[ahmed]
secret = mySECRETpassword
write = system,call,agent,user,config,command,reporting,originate
# vi /usr/local/etc/asterisk/httpd.conf
[general]
enabled = yes
enablestatic = yes
bindaddr = 0.0.0.0
bindport = 8088
prefix = asterisk
Start asterisk
# /usr/local/etc/rc.d/asterisk start
Browse to http://your.asterisk.box:8088/asterisk/static/config/index.html
Squid authentication against Active Directory
Following up on integrating AD with Linux, I thought of configuring Squid to authenticate users against Active Directory. I am still using the VMware machines from my earlier posts.
My target is to stop Active Directory users from abusing network resources (such as watching YouTube videos during work hours). First I thought of putting Squid into the network as a transparent proxy with authentication, but that can't be done; here is why: a transparently intercepted browser does not know it is talking to a proxy, so it never answers Squid's Proxy-Authentication challenge. Proxy authentication only works when the browser is explicitly configured to use the proxy.
So I had to create a Group Policy in Active Directory that prevents users from changing their LAN settings, forces Internet Explorer to use Squid as its proxy server, and stops users from changing the proxy settings in Internet Explorer. This ensures that users cannot change their network settings and are forced to go through Squid.
Okay, less talk more work!
First start by installing Squid3...
# apt-get install squid3 squid3-cgi squid3-common
Then make sure Squid can communicate with Active Directory
# /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b basedn -D binddn -w bindpasswd -f "(&(sAMAccountName=%s))" -h server
At this step you will get an empty command line; test authentication for a user by entering the username, a space, and then the password.
Illustration...
# /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" -w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com
ahmed mySECRETpassword
OK
ahmed blaBLAbla
ERR Invalid credentials
^C
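The interactive session above is Squid's basic auth helper protocol typed by hand: one "username password" line in, one line starting with OK or ERR out. The script below is an added example, not code from this post or from the Squid project: it drives any basic auth helper through a pipe the way Squid does, so the check can be repeated after every change to the bind DN, filter or LDAP server. It also handles the one detail the manual test hides: Squid URL-encodes both fields before writing them to the helper, so a password containing a space reaches the helper as %20 rather than splitting the line. Because the real squid_ldap_auth needs a reachable directory, the block ships with a constructed stand-in helper (a few lines of Python launched as a subprocess) holding one made-up account; swap in the page's squid_ldap_auth command line to test against Active Directory.

```python
import subprocess
import sys
from urllib.parse import quote


def query_helper(helper_cmd, credentials, timeout=10):
    """Feed (username, password) pairs to a Squid basic auth helper and return its verdicts.

    Protocol, as Squid defines it for basic helpers: one "username password" line per
    lookup on stdin, both fields URL-encoded, and one reply line per lookup on stdout
    that starts with OK or ERR (optionally followed by a message). Returns the list of
    leading words, e.g. ["OK", "ERR"].
    """
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    verdicts = []
    try:
        for user, password in credentials:
            # safe='' so that '/', ' ' and '%' in either field are all encoded, as Squid does.
            proc.stdin.write(f"{quote(user, safe='')} {quote(password, safe='')}\n")
            proc.stdin.flush()
            reply = proc.stdout.readline()
            if not reply:
                raise RuntimeError("helper closed its stdout before answering")
            verdicts.append(reply.strip().split(" ", 1)[0] or "ERR")
    finally:
        proc.stdin.close()      # EOF on stdin tells the helper to exit
        proc.wait(timeout=timeout)
    return verdicts


# Constructed stand-in for squid_ldap_auth so the example runs offline. It speaks the same
# protocol (URL-decodes the fields, answers OK/ERR per line) but checks one made-up account.
FAKE_HELPER_SCRIPT = r'''
import sys
from urllib.parse import unquote
ACCOUNTS = {"ahmed": "my SECRET password"}   # constructed; a space in the password exercises the encoding
while True:
    line = sys.stdin.readline()
    if not line:
        break
    fields = line.rstrip("\n").split(" ", 1)
    if len(fields) != 2:
        print("ERR malformed request", flush=True)
        continue
    user, password = (unquote(f) for f in fields)
    print("OK" if ACCOUNTS.get(user) == password else "ERR Invalid credentials", flush=True)
'''
FAKE_HELPER = [sys.executable, "-c", FAKE_HELPER_SCRIPT]

# The page's real helper would be used like this (values from the post; bind password elided):
# REAL_HELPER = ["/usr/lib/squid3/squid_ldap_auth", "-v", "3", "-P", "-R", "-u", "cn", "-s", "sub",
#                "-b", "dc=win2k3,dc=example,dc=com", "-D", "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com",
#                "-w", "<bind password>", "-f", "(&(sAMAccountName=%s))", "-h", "win2k3.example.com"]


def demo(helper_cmd=FAKE_HELPER):
    """Repeat the page's two manual probes (one good password, one bad) against a helper."""
    return query_helper(helper_cmd, [("ahmed", "my SECRET password"), ("ahmed", "blaBLAbla")])


if __name__ == "__main__":
    for (user, _), verdict in zip([("ahmed", "good"), ("ahmed", "bad")], demo()):
        print(f"{user}: {verdict}")
```

Run it as-is to see OK followed by ERR from the stand-in; point demo() at the squid_ldap_auth command line to get the same two verdicts from Active Directory without retyping credentials in a terminal.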
Then configure squid...
# vi /etc/squid3/squid.conf
# OPTIONS FOR AUTHENTICATION
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" -w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com
auth_param basic children 2
auth_param basic realm Example.com
auth_param basic credentialsttl 2 hours
# Defining an Access List
acl example src 192.168.0.0/16
acl ldapauth proxy_auth REQUIRED
# Allowing or Denying access based on defined access lists
http_access allow ldapauth
http_access allow example
Save, exit, restart Squid, and test. Note that the bind password passed to squid_ldap_auth with -w sits in clear text in squid.conf, so restrict that file's permissions.
Now when a user who is subject to that Group Policy logs in with an Active Directory account and opens Internet Explorer, he will be prompted for his Active Directory username and password.