On Monday 29 September 2003 2:01 pm, Guy Dawson wrote:

> Brett Lymn wrote:
> > On Mon, Sep 29, 2003 at 02:40:57PM +0200, Manuel Schroeder wrote:
> >>How can I make squid block browsers coming on port 80 in "no proxy
> >>mode"?! :)
> >
> > Quite simply, you cannot.  What you need is a firewall that prevents
> > your users from directly accessing the internet, only allowing WWW
> > access via your proxy.  This way your users are forced to use the
> > proxy and hence are forced to comply with the mandated policies (much
> > as that may sound authoritarian).
>
> Indeed. That's what we do here. The firewall only allows outgoing WWW
> connections from our WWW proxies. Users are free to configure their
> WWW browsers to not use the WWW proxy. This simply results in them being
> stopped by the firewall...

You can take this one step further if you wish and replace the firewall 
'block' rule with a redirection, to a local web server which has only one 
page (and which serves that page no matter what URL is requested - certainly 
quite easy to do with Apache, I have no experience with others).

You can then make that web page say anything from "This is how to configure 
your browser to use our proxy server", to "Please do not violate the security 
policy - your IP address has been logged", depending on whether you think 
people will get there by accident or by deliberately trying to circumvent the 
system.

Regards,

Antony.

-- 

In Heaven, the police are British, the chefs are Italian, the beer is 
Belgian, the mechanics are German, the lovers are French, the entertainment 
is American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.
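
The catch-all notice server described in the message above, as an added example that is not part of the original thread. It uses Python's standard library rather than Apache; `PROXY_HINT`, the listening port 8080 and the choice of a 403 status are assumptions, and the firewall redirection that sends port-80 traffic to it is not shown.

```python
import html
import logging
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PROXY_HINT = "proxy.example.internal:3128"  # assumed placeholder for the site's proxy
log = logging.getLogger("direct-web-notice")

def build_notice(client_ip, host, path):
    """Return (status, headers, body); the same page for every requested URL."""
    # Host header and path come from the client: escape before echoing them.
    wanted = html.escape(f"{host}{path}")
    body = (
        "<html><body><h1>Direct web access is blocked</h1>"
        f"<p>You asked for <code>{wanted}</code> without using the proxy.</p>"
        f"<p>Configure your browser to use {PROXY_HINT}.</p>"
        f"<p>This request from {html.escape(client_ip)} has been logged.</p>"
        "</body></html>"
    ).encode("utf-8")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(len(body)),
        # Assumption: a non-200 status plus no-store keeps browsers from
        # caching the notice under the URL of the site the user wanted.
        "Cache-Control": "no-store",
    }
    return 403, headers, body

class NoticeHandler(BaseHTTPRequestHandler):
    def _answer(self):
        client_ip = self.client_address[0]
        host = self.headers.get("Host", "unknown-host")
        # %r keeps control characters in client-supplied values out of the log.
        log.warning("direct HTTP attempt src=%s host=%r path=%r",
                    client_ip, host, self.path)
        status, headers, body = build_notice(client_ip, host, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Same answer for every verb, so nothing falls through to a 404 or 501.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = _answer

    def log_message(self, fmt, *args):
        pass  # drop the default per-request stderr line; log.warning covers it

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    ThreadingHTTPServer(("0.0.0.0", 8080), NoticeHandler).serve_forever()
```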
