Block Audio And Video with web proxy

Tags: dpi, webfilter, v7, ndpi

(Harold Maponde Shamanoh) #1

NethServer Version: 7.4
Module: Web Proxy

Can someone please advise me on how to block video files, extension files and flash video content on Nethserver. My students are abusing this system.

Kind Regards,
Harold.


(Markus Neuberger) #2

Hello @Harold_Maponde_Shama,

you may use web proxy and web content filtering:

With web content filter you can block audio and video categories and you may block file extensions completely.

In web proxy you’ll find specific file extension blocking:

If that’s not enough you may use DPI firewall rules but AFAIK there may be problems with combining all the filters.


(Harold Maponde Shamanoh) #3

None of these options work. I tried before posting.


(Markus Neuberger) #4

Do you use transparent proxy? If not the proxy has to be set on clients. For transparent proxy to work the clients have to use Nethserver as gateway.
Do you have some concrete examples what to block?


(Harold Maponde Shamanoh) #5

I’m using it in authenticated mode with Windows Active Directory… Streaming audio files online or BBC video content.


(Michael Träumner) #6

I think the streaming of files is the problem. Mostly it isn’t Flash today, it’s HTML5.
But please try to block a specific site, to see if this works. If it doesn’t work we have to look at your whole configuration, otherwise we have to test how to block streaming content.


(Harold Maponde Shamanoh) #7

I am able to block sites by category, like social network etc. But unfortunately I can block, let’s say,
www.itsretunes,com… I have it in the global blacklist but it still goes through. That makes a lot of sense because it’s not Flash content but HTML5. Is there a workaround for it?


(Harold Maponde Shamanoh) #8

I can’t block individual sites like www.istretunes.com


(Michael Träumner) #9

Did you copy this address from your blacklist? There should be a dot between itsretunes and com.

To block audio and video you can try to create custom templates for squid and add the following:

# Add these lines to squid.conf in the ACL section.
# ACL for Radio / Video Stream

acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$

#End of ACL for Radio / Video Stream


# Add these lines to squid.conf in the http_access section.
# Rules to block Radio / Video Stream

http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all

http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all

# End of Rules to block Radio / Video Stream

I’ve found it here:

https://linuxstep.wordpress.com/step-by-step-configuration-squid-to-block-streaming-media-online/
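
The MIME types in that list are the Windows Media and RealAudio formats of the Flash era; as noted earlier in the thread, today's players use HTML5, which means video/mp4, audio/mpeg, HLS and DASH playlists, and most of it over HTTPS where the proxy sees only a CONNECT tunnel and no Content-Type at all. Before writing ACLs it pays to check what actually flows through the proxy. The script below is an added example, not code from the thread or from NethServer: it reads Squid access.log lines in the default "squid" logformat, buckets each successful reply per user, and reports how much of the visible streaming traffic the legacy-only list would have matched. The log lines and the HTML5 type list are constructed assumptions; replace them with your own log.

```python
"""Tally what reply Content-Types actually reach each proxy user.

Added example, not code from the thread. It reads Squid access.log lines in
the default "squid" logformat:
  time elapsed client action/status bytes method url user hier/peer type
and shows why the legacy ASF/RealAudio MIME list above rarely matches today:
HTML5 players fetch video/mp4, audio/mpeg, HLS playlists and so on, and
anything over HTTPS is a CONNECT tunnel whose Content-Type the proxy never
sees. The log lines below are constructed sample data.
"""
from collections import Counter, defaultdict
import re

# The four types from the ACL list posted above.
LEGACY_STREAMING = {
    "video/x-ms-asf",
    "application/vnd.ms.wms-hdr.asfv1",
    "application/x-mms-framed",
    "audio/x-pn-realaudio",
}

# Types HTML5 players pull (assumed starting list; extend from your own log).
HTML5_STREAMING = re.compile(
    r"^(video/|audio/|application/(x-mpegurl|vnd\.apple\.mpegurl|dash\+xml))",
    re.IGNORECASE,
)

# Constructed sample log; not taken from any real server.
SAMPLE_LOG = """\
1516000000.123    845 192.168.2.10 TCP_MISS/200 4096000 GET http://media.example.org/lesson.mp4 student1 HIER_DIRECT/203.0.113.5 video/mp4
1516000001.456     12 192.168.2.10 TCP_MISS/200 731 GET http://media.example.org/live/index.m3u8 student1 HIER_DIRECT/203.0.113.5 application/vnd.apple.mpegurl
1516000002.789    300 192.168.2.11 TCP_MISS/200 2048000 GET http://radio.example.org/stream.mp3 student2 HIER_DIRECT/203.0.113.6 audio/mpeg
1516000003.000     40 192.168.2.20 TCP_HIT/200 9000 GET http://www.example.org/index.html teacher1 HIER_NONE/- text/html
1516000004.000    500 192.168.2.20 TCP_MISS/200 1500000 GET http://old.example.org/clip.asf teacher1 HIER_DIRECT/203.0.113.7 video/x-ms-asf
1516000005.000      5 192.168.2.12 TCP_DENIED/403 3200 GET http://media.example.org/other.mp4 student3 HIER_NONE/- text/html
1516000006.000  12000 192.168.2.13 TCP_TUNNEL/200 5000000 CONNECT video.example.net:443 student4 HIER_DIRECT/203.0.113.8 -
"""


def parse_line(line):
    """Return (user, status, method, content_type), or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    status = parts[3].split("/")[-1]
    return parts[7], status, parts[5], parts[9].lower()


def classify(method, content_type):
    """Bucket a reply: legacy (matched by the posted ACLs), html5, tunnel, other."""
    if method == "CONNECT":
        return "tunnel"          # HTTPS: no Content-Type visible without SSL bump
    if content_type in LEGACY_STREAMING:
        return "legacy"
    if HTML5_STREAMING.match(content_type):
        return "html5"
    return "other"


def tally(log_text):
    """Per-user Counter of reply buckets; only 2xx replies count as 'got through'."""
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, status, method, ctype = rec
        if not status.startswith("2"):
            continue             # a denied request says nothing about what got through
        per_user[user][classify(method, ctype)] += 1
    return per_user


def legacy_rule_coverage(log_text):
    """Share of visible streaming replies the legacy-only ACL list would have caught."""
    buckets = Counter()
    for user_counts in tally(log_text).values():
        buckets.update(user_counts)
    streaming = buckets["legacy"] + buckets["html5"]
    return buckets["legacy"] / streaming if streaming else 0.0


if __name__ == "__main__":
    for user, counts in sorted(tally(SAMPLE_LOG).items()):
        print(user, dict(counts))
    print("legacy ACL coverage of visible streaming: %.0f%%"
          % (100 * legacy_rule_coverage(SAMPLE_LOG)))
```

Run it against `/var/log/squid/access.log` instead of the sample and the "tunnel" bucket shows how much traffic a MIME-type ACL can never touch; for those hosts only the domain/category filter or DPI can act, since the proxy does not see inside the TLS session.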


(Harold Maponde Shamanoh) #10

Would this work for my users and groups? Because I still want teachers to be able to stream. Sorry, that was a typo.


(Harold Maponde Shamanoh) #11

You see, I could do this in Zentyal very easily by blocking MIME types and exe files.


(Michael Träumner) #12

Can you show us your config please? I think you can implement it.

The lines I posted block different MIME types.


(Harold Maponde Shamanoh) #13

How do I specify which groups they apply to?


(Michael Träumner) #14

I didn’t work with groups till now, but you can have a look at this howto:

http://jim-zimmerman.com/?p=678

But if you post your config, I would have a look at it.


(Harold Maponde Shamanoh) #15

Did you mean the squid.conf?


(Harold Maponde Shamanoh) #16

Where do I place this configuration? Because I do not see the ACL zone. And the other question would be: won’t the changes be lost when the file is regenerated?


(Michael Träumner) #17

Yes, I mean the squid.conf. At the beginning the ports should be configured with acl; I would define it under the port configuration.

You are right, so please create a custom template; they aren’t overwritten.
You can find the documentation here:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

If you need help don’t be shy to ask.


(Harold Maponde Shamanoh) #18
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#

# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9

# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache

# Allow access from green and trusted networks.
acl localnet src 192.168.2.0/24
acl localnet_dst src 192.168.2.0/24
# Allow access from blue: ens34
acl blue src 192.168.8.0/24

# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980    # httpd-admin (server-manager)
acl Safe_ports port 80    # http

(Michael Träumner) #19

@Harold_Maponde_Shama
Can you post the whole squid.conf? I think the easiest way is to transfer the file via scp (WinSCP on Windows) to your desktop, open it with an editor (Notepad++ for example) and copy the whole content to this thread.

If you use [code] at the beginning and [/code]
at the end of the code it is formatted well.

@davidep
Hi Davide,
Can you tell us how to implement something at the acl zone? It isn’t part of a template.
I think the conf should look like the following:

# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9
# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache
# Allow access from green and trusted networks.
acl localnet src 192.168.2.0/24
acl localnet_dst src 192.168.2.0/24
# Allow access from blue: ens34
acl blue src 192.168.8.0/24
# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980    # httpd-admin (server-manager)
acl Safe_ports port 80    # http


# ACL for Radio / Video Stream (the implemented part)
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$
#End of ACL for Radio / Video Stream 
acl CONNECT method CONNECT

(Giacomo Sanchietti) #20

It can be done, but honestly it needs some work.
Also in this case you need to create extra ACLs for users/groups, which aren’t present inside squid right now but only in ufdbguard.

Why can’t you block individual sites? You can try to debug your filter following this doc: https://github.com/NethServer/nethserver-squidguard#troubleshooting
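
Since the proxy here already runs in authenticated mode, Squid knows the login of every request, and its built-in `proxy_auth` ACL can exempt a list of teacher logins without any group helper. The script below is an added example, not code from the thread or from the nethserver-squid project: it renders the thread's MIME-type ACLs as a single custom-template fragment with a teacher exemption and writes it under the templates-custom tree described in the documentation linked above. The template directory, the fragment name (its numeric prefix must sort after the stock acl fragments and before the `http_access allow` rules; list `/etc/e-smith/templates/etc/squid/squid.conf/` to pick it), the teachers.acl path and the extended type list are all assumptions.

```python
"""Write a NethServer custom-template fragment that denies streaming MIME
types for everyone except listed teacher logins.

Added example, not code from the thread or from nethserver-squid.
Assumptions: the proxy runs in authenticated mode (so Squid knows the login
and the built-in proxy_auth ACL works without an external group helper);
TEMPLATE_DIR follows the templates documentation linked in the thread;
FRAGMENT_NAME's numeric prefix is a guess and must sort after the stock acl
fragments and before the "http_access allow" rules; teachers.acl is a file
with one login per line that you maintain.
"""
import os
import re

TEMPLATE_DIR = "/etc/e-smith/templates-custom/etc/squid/squid.conf"
FRAGMENT_NAME = "35streaming_block"                 # assumed, see docstring
TEACHERS_ACL_FILE = "/etc/squid/acls/teachers.acl"  # assumed path

# Legacy types from the thread plus the HTML5 container/playlist types that
# modern players fetch (assumed starting list; confirm against access.log).
STREAMING_TYPES = [
    "video/x-ms-asf",
    "application/vnd.ms.wms-hdr.asfv1",
    "application/x-mms-framed",
    "audio/x-pn-realaudio",
    "video/mp4",
    "video/webm",
    "audio/mpeg",
    "application/vnd.apple.mpegurl",
    "application/x-mpegurl",
    "application/dash+xml",
]

# POSIX ERE metacharacters; '-' is deliberately left alone (it is literal
# outside brackets and some engines reject a stray backslash before it).
_ERE_SPECIAL = re.compile(r"([.+*?^$()\[\]{}|\\])")


def mime_regex(mime):
    """Anchored pattern with ERE metacharacters escaped, so 'dash+xml' is not
    read as a quantifier and the dots in 'vnd.ms' match only dots."""
    return "^" + _ERE_SPECIAL.sub(r"\\\1", mime) + "$"


def render_fragment(types=STREAMING_TYPES, teachers_file=TEACHERS_ACL_FILE):
    """Return the fragment text. Order matters: acl definitions first, then the
    deny rules, which Squid must evaluate before any 'http_access allow'."""
    patterns = " ".join(mime_regex(t) for t in types)
    return "\n".join([
        "# Streaming block for non-teachers (custom template fragment)",
        f'acl teachers proxy_auth "{teachers_file}"',
        # req_mime_type only sees a Content-Type on request bodies (POST/PUT);
        # a GET carries none, so the reply rule is what stops a download.
        f"acl streaming_req req_mime_type -i {patterns}",
        f"acl streaming_rep rep_mime_type -i {patterns}",
        "http_access deny streaming_req !teachers",
        "http_reply_access deny streaming_rep !teachers",
        "",
    ])


def write_fragment(directory=TEMPLATE_DIR, name=FRAGMENT_NAME, **kwargs):
    """Create the fragment file and return its path. Afterwards run
    expand-template /etc/squid/squid.conf, squid -k parse, squid -k reconfigure."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(render_fragment(**kwargs))
    return path


if __name__ == "__main__":
    print(render_fragment())
```

Always run `squid -k parse` after expanding the template and before reloading: a fragment that lands after the stock allow rules parses fine but never denies anything. Two caveats apply to any MIME-type ACL: it only works for plain HTTP, because an HTTPS stream is a CONNECT tunnel whose Content-Type Squid cannot see unless you deploy SSL bumping, and the type list must be kept in step with what your access.log actually shows.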