Using Squid to Deny Media Streams
This article is taken from the Media Streams page on the Squid wiki; I am just posting it here for quick reference.
Media streams come in many types. The most commonly used are audio, video, or audio-visual streaming.
It is hard to separate the stream types by application, so the config below includes all the known streams, with comments marking the commonly known ones where possible.
Squid Configuration File
# Media Streams
## MediaPlayer MMS Protocol
acl media rep_mime_type mms
acl mediapr url_regex dvrplayer mediastream ^mms://
## (Squid does not yet handle the URI as a known proto type.)
## Active Stream Format (Windows Media Player)
acl media rep_mime_type x-ms-asf
acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$
## Flash Video Format
acl media rep_mime_type video/flv video/x-flv
acl mediapr urlpath_regex \.flv(\?.*)?$
## Flash General Media Scripts (Animation)
acl media rep_mime_type application/x-shockwave-flash
acl mediapr urlpath_regex \.swf(\?.*)?$
## Others currently unknown
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs

http_access deny mediapr
http_reply_access deny media
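The ACL types above behave differently: url_regex is matched against the whole URL, urlpath_regex against the part after the host (path plus query, which is why the wiki patterns carry the (\?.*)? tail), and rep_mime_type against the reply's Content-Type header, all as unanchored regular expressions. The following added example (not code from the Squid wiki or from Squid itself) models the two ACLs from the config and lets you check what they would block before deploying the rules; the sample URLs and content types are constructed. It also shows the over-blocking a bare word like "mediastream" in url_regex can cause, and why the reply-side check is still needed when the URL gives nothing away.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Patterns copied from the "Media Streams" config above, grouped by ACL type.
# Squid treats all three types as regular expressions searched within the
# subject string, so "dvrplayer" matches anywhere in the URL.
MEDIAPR_URL_REGEX = [r"dvrplayer", r"mediastream", r"^mms://"]
MEDIAPR_URLPATH_REGEX = [r"\.(afx|asf)(\?.*)?$", r"\.flv(\?.*)?$", r"\.swf(\?.*)?$"]
MEDIA_REP_MIME_TYPE = [r"mms", r"x-ms-asf", r"video/flv", r"video/x-flv",
                       r"application/x-shockwave-flash", r"ms-hdr", r"x-fcs"]


def url_path_and_query(url: str) -> str:
    """Return the part of the URL that urlpath_regex is matched against."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def matches_mediapr(url: str) -> bool:
    """Would 'http_access deny mediapr' block a request for this URL?"""
    if any(re.search(p, url) for p in MEDIAPR_URL_REGEX):
        return True
    path = url_path_and_query(url)
    return any(re.search(p, path) for p in MEDIAPR_URLPATH_REGEX)


def matches_media(content_type: str) -> bool:
    """Would 'http_reply_access deny media' block a reply with this Content-Type?"""
    return any(re.search(p, content_type) for p in MEDIA_REP_MIME_TYPE)


def decide(url: str, content_type: Optional[str]) -> str:
    """Walk the two stages in the order Squid applies them: request, then reply."""
    if matches_mediapr(url):
        return "denied by http_access (mediapr)"
    if content_type is not None and matches_media(content_type):
        return "denied by http_reply_access (media)"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample traffic; hostnames are placeholders.
    samples = [
        ("http://cdn.example.test/clips/intro.flv?token=abc", "video/x-flv"),
        ("mms://media.example.test/live", None),
        ("http://www.example.test/docs/flv-guide.html", "text/html"),
        # A URL that only mentions streaming in its path is still blocked
        # by the unanchored url_regex word "mediastream".
        ("http://www.example.test/about/mediastreaming-policy.html", "text/html"),
        # Nothing in this URL matches; only the reply header reveals the video.
        ("http://www.example.test/stream/player.js", "video/x-flv"),
    ]
    for url, ctype in samples:
        print(f"{url} [{ctype}] -> {decide(url, ctype)}")
```

Run it and compare the verdicts with what you expect from your own URL list; a word-level url_regex such as "mediastream" is the usual source of help-desk tickets, and the last sample is the reason the config keeps the rep_mime_type rules even though they can only act once the reply headers have arrived.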
Squid authentication against Active Directory
Following up on integrating AD with Linux, I thought of configuring Squid to authenticate users against Active Directory. I am still using the same VMware machines as before.
My target is to prohibit Active Directory users from abusing the network resources (such as watching YouTube videos during work hours). First, I thought of putting Squid in the network as a transparent proxy with authentication, but it couldn't be done; here is why: a browser behind an intercepting proxy does not know a proxy exists, so it never answers the proxy's authentication challenge.
So I had to create a Group Policy in Active Directory that prohibits users from changing the LAN settings, forces Internet Explorer to use Squid as its proxy server, and prohibits users from changing their proxy settings in Internet Explorer. This ensures that users cannot change their network settings and are forced to use Squid.
Okay, less talk more work!
First start by installing Squid3...
# apt-get install squid3 squid3-cgi squid3-common
Then make sure Squid can communicate with Active Directory:
# /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b basedn -D binddn -w bindpasswd -f "(&(sAMAccountName=%s))" -h server
At this step the helper waits for input on an empty line; test authentication for a user by typing the username, a space, and then the password.
Illustration...
# /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" -w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com
ahmed mySECRETpassword
OK
ahmed blaBLAbla
ERR Invalid credentials
^C
Then configure squid...
# vi /etc/squid3/squid.conf
# OPTIONS FOR AUTHENTICATION
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub -b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" -w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com
auth_param basic children 2
auth_param basic realm Example.com
auth_param basic credentialsttl 2 hours
# Defining an Access List
acl example src 192.168.0.0/16
acl ldapauth proxy_auth REQUIRED
# Allowing or Denying access based on defined access lists
http_access allow ldapauth
http_access allow example
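The interactive test above is fine for one account, but when the helper command line changes (new bind DN, new server, a changed search filter) you want to re-check a whole list of accounts the same way. The added example below (not code from the Squid project) drives any Squid basic-auth helper non-interactively over the same stdin/stdout protocol the terminal session shows: one "username password" line per request, answered with "OK" or "ERR <message>". Squid 3 URL-escapes (RFC 1738) both fields before writing them to the helper, which is how a password containing a space survives the line format, so the function escapes them the same way. The helper command is the one from the page; FAKE_HELPER is a constructed stand-in that accepts the page's test credentials so the script can be run without an AD server.

```python
import shlex
import subprocess
import sys
from typing import List, Tuple
from urllib.parse import quote

# Helper command taken from the page; only runs where squid_ldap_auth and the
# domain controller exist.
REAL_HELPER = shlex.split(
    '/usr/lib/squid3/squid_ldap_auth -v 3 -P -R -u cn -s sub '
    '-b "dc=win2k3,dc=example,dc=com" -D "cn=Squid,cn=Users,dc=win2k3,dc=example,dc=com" '
    '-w "password" -f "(&(sAMAccountName=%s))" -h win2k3.example.com'
)

# Constructed stand-in helper: speaks the same protocol and, like the real
# helper, URL-decodes both fields before checking them.
FAKE_HELPER = [sys.executable, "-c",
    "import sys\n"
    "from urllib.parse import unquote\n"
    "for line in sys.stdin:\n"
    "    user, _, pw = line.rstrip('\\n').partition(' ')\n"
    "    ok = (unquote(user), unquote(pw)) == ('ahmed', 'mySECRETpassword')\n"
    "    print('OK' if ok else 'ERR Invalid credentials', flush=True)\n"]


def encode_field(value: str) -> str:
    """Escape a username or password the way Squid does before handing it to the helper."""
    return quote(value, safe="")


def check_credentials(helper_cmd: List[str], pairs: List[Tuple[str, str]],
                      timeout: float = 10.0) -> List[Tuple[str, bool, str]]:
    """Send each (user, password) pair to the helper; return (user, accepted, message)."""
    stdin_data = "".join(f"{encode_field(u)} {encode_field(p)}\n" for u, p in pairs)
    proc = subprocess.run(helper_cmd, input=stdin_data, capture_output=True,
                          text=True, timeout=timeout)
    replies = proc.stdout.splitlines()
    if len(replies) != len(pairs):
        # A helper that dies or hangs mid-batch is itself a finding.
        raise RuntimeError(f"expected {len(pairs)} replies, got {len(replies)}: "
                           f"{proc.stderr.strip()}")
    results = []
    for (user, _), reply in zip(pairs, replies):
        status, _, message = reply.partition(" ")
        results.append((user, status == "OK", message))
    return results


if __name__ == "__main__":
    # Same two attempts as the terminal session on the page, against the stand-in.
    for user, accepted, message in check_credentials(
            FAKE_HELPER, [("ahmed", "mySECRETpassword"), ("ahmed", "blaBLAbla")]):
        print(user, "OK" if accepted else f"ERR {message}")
```

Swap FAKE_HELPER for REAL_HELPER to run it against the domain controller. Note that the bind password given with -w is visible in the process list of every helper child Squid spawns; squid_ldap_auth also accepts -W <file> to read the bind password from a file, which lets you keep it out of both the command line and a world-readable squid.conf.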
Save, exit, restart Squid, and test.
Now when a user covered by the Group Policy opens Internet Explorer, he will be prompted for his Active Directory username and password.