On Thu, 13 February 2014, at 4:28 pm, Raffaele BELARDI 
<[email protected]> wrote:
>> ...
>> If I'm understanding correctly, users will have to enter a password to 
>> access the internet.
>> 
>> My experience was that some whitelisting was necessary quite aside from 
>> Gentoo emerges, so I'd just add some Gentoo mirrors in there as "allow all" 
>> sites.
> 
> By whitelisting you mean allowing access to some sites without
> authenticating the user on the proxy? In what cases did you find this
> necessary?

It's been several years since I did this, so my memory may be hazy on the 
details.

Desktop PCs were running Windows XP, and there was an SBS 2003 server that 
provided roaming profiles, so the demanding part was getting Squid to do auth 
via a Samba winbind PAM module. 

As I recall the office admin staff, or certain of them, had been spending too 
much time pissing about on Facebook and were "too busy" to answer the phone.

I think the original claim was that these pen-pushers didn't need internet 
access to do their jobs so all sites would be blocked, and the boss wanted 
unlimited web access, unlocked by his password (actually winbind saved him 
doing that, because he was already logged into the domain). 

It turned out that the clerical staff had all been regularly and legitimately 
using Google Maps, gov.uk sites and a bunch of others in the course of their 
duties, so these had to be whitelisted. 

> I plan to deploy on the same server also a content filter (DansGuardian)
> and all of this is new for me. I understood whitelisting can be done on
> DansGuardian to bypass URL filtering but here you are suggesting a
> different approach (bypass proxy authentication), right?

I don't really care where you do it, TBH.

In the case I've described above, I'm not sure that the boss handled it so well 
- he went for this draconian "filter everything" approach because he let 
himself get too annoyed at his staff instead of saying "listen guys, you can't 
be on Facebook when the work's not getting done".

So I think in this case, we simply had a couple of directives in 
/etc/squid/squid.conf which said users in the web group = allow all, otherwise 
deny. Then when we added the whitelist, we inserted a statement (before or 
between those previous two) that allowed any URLs or domains in a 
/etc/squid/whitelist.txt file we created. 

Maybe this example, of the boss going overboard, isn't the best one, but IMO it 
doesn't pay to treat your employees like children. If someone's surfing 
hardcore porn at work then everyone knows about it and the answer isn't to stop 
a bad employee doing this one particular thing you disapprove of (because he's 
sure to be doing other things you don't know about; you stop that one bad 
behaviour, and he goes and does something else), it's to get rid of or 
rehabilitate bad employees. 

There's always more than one way of doing things, and there are always going to 
be exceptions to any rule you create. You can find some way to make Portage / 
wget / curl authenticate against the proxy, or you can just whitelist the 
Gentoo box's URL (if it's a single server inside the LAN). You can do a network 
shared DISTDIR / PKGDIR / PORTDIR, or you can just whitelist anything you put 
in GENTOO_MIRRORS. I found whitelisting very easy and straightforward, though. 

Stroller.
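A concrete squid.conf fragment for the arrangement Stroller describes (a whitelist checked before the group rule, then "web group = allow all", then deny) is shown below. This is an added illustration, not configuration from the original thread or from any of the posters; the helper program paths, the ACL names, the group name "web", the LAN range and the /etc/pam.d/squid service are all assumptions.

```squid
# Added example: squid.conf fragment for "whitelist first, then group-based auth".
# Helper paths, ACL names, group name and LAN range are assumptions, not from the thread.

# Local office network (placeholder range; adjust to the real LAN).
acl localnet src 192.168.1.0/24

# 1. Whitelist: destinations listed in the file are reachable with no proxy
#    authentication at all. A dstdomain entry with a leading dot matches the
#    domain and every subdomain; keep entries specific (never a bare TLD).
acl whitelist dstdomain "/etc/squid/whitelist.txt"
http_access allow localnet whitelist

# 2. Everyone else must authenticate. Basic auth via PAM, which can be backed
#    by pam_winbind so domain logins are accepted (assumption: /etc/pam.d/squid
#    is set up for winbind).
auth_param basic program /usr/libexec/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm Office web proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

# A deny line whose last ACL is the proxy_auth ACL makes Squid send the
# 407 challenge, so unauthenticated clients are prompted rather than refused.
http_access deny !authenticated

# 3. Only members of the Unix group "web" get unrestricted access.
#    ext_unix_group_acl looks the login name up in the group database
#    (-p also honours the user's primary group).
external_acl_type unix_group %LOGIN /usr/libexec/squid/ext_unix_group_acl -p
acl webgroup external unix_group web
http_access allow localnet webgroup

# 4. Anything not matched above is refused. http_access lines are evaluated
#    in order and the first match wins, so moving this deny above the
#    whitelist line would silently break the exceptions.
http_access deny all
```

The whitelist file holds one domain per line, for example `.gentoo.org` or `www.gov.uk`; after editing it, `squid -k parse` checks the configuration and `squid -k reconfigure` reloads it. Two things worth keeping in mind with this layout: a whitelist entry bypasses authentication entirely, so an entry broad enough to reach Google Maps (`.google.com`) also opens every other service under that domain, which is a trade-off to weigh per entry; and Basic auth only base64-encodes the password, so the proxy should be reachable from the LAN only.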


Reply via email to