Block Audio And Video with web proxy

mrmarkuz · November 1, 2017, 2:44pm

Do you use transparent proxy? If not the proxy has to be set on clients. For transparent proxy to work the clients have to use Nethserver as gateway.
Do you have some concrete examples what to block?

Harold_Maponde_Shama · November 2, 2017, 7:22am

I’m using it in authenticated mode with windows active directory… Streaming audio files online or bbc video content

m.traeumner · November 2, 2017, 8:21am

I think the streaming of files is the problem. Mostly it isn’t flash today, it’s html 5.
But please try to block a special site, to see if this works. If it doesn’t work we have to look at your whole configuration, otherwise we have to test how to block streaming content.

Harold_Maponde_Shama · November 2, 2017, 8:42am

I am able to block sites by category like social network etc? But unfortunately i can block lets say
www.itsretunes,com… I have it in the global blacklist but still goes through. That makes a a lot of sense because its not flash content but html 5. is there a workaround for it?

Harold_Maponde_Shama · November 2, 2017, 8:47am

i can’t block individual sites like www.istretunes.com

m.traeumner · November 2, 2017, 9:18am

Did you copy this address from your blacklist? there should be a dot between itsretunes and com.

To block audio and video you can try to create custom templates for squid and add the following:

#Edit File in squid.conf above line in ACL Zone.
# ACL for Radio / Video Stream

acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$

#End of ACL for Radio / Video Stream

#Edit File in squid.conf above line in http_access Zone.
#Rules to block Radio / Video Stream

http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all

http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all

# End of Rules to block Radio / Video Stream

I’ve found it here:

Step By Step Configuration Squid To block Streaming media Online | Linux Step By Step

Harold_Maponde_Shama · November 2, 2017, 12:12pm

would this work for my users and groups? because i still want teachers to be able to stream.Sorry that was a typo.

Harold_Maponde_Shama · November 2, 2017, 12:14pm

You see i could to this in zentyal very easily by blocking mime types and exe files

m.traeumner · November 2, 2017, 12:48pm

Can you show us your config please? I think you can implement it.

The lines I posted are to block differently mimetypes.

Harold_Maponde_Shama · November 2, 2017, 12:59pm

how do i specify as to which groups they apply to?

m.traeumner · November 2, 2017, 2:10pm

I didn’t work with groups till know, but you can have a look to this howto:

http://jim-zimmerman.com/?p=678

But if you post your config, I would have a look at it.

Harold_Maponde_Shama · November 3, 2017, 6:36am

did you mean the squid conf?

Harold_Maponde_Shama · November 3, 2017, 6:59am

where do i place this configuration? because i do not see the acl zone. And the other question would be won’t the changes be lost when the file is regenerated?

m.traeumner · November 3, 2017, 8:20am

Yes I mean the squid.conf. At the beginning the ports should be configured with acl, I would define it under the portconfiguration.

You are right, so please create a custom template, they aren’t overwritten.
A documentation you find here:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

If you need help don’t be shy to ask.

Harold_Maponde_Shama · November 8, 2017, 6:46am

  GNU nano 2.3.1                  File: squid.conf                                            
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#

# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9

# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache

# Allow access from green and trusted networks.
acl localnet src 192.168.2.0/24
acl localnet_dst src 192.168.2.0/24
# Allow access from blue: ens34
acl blue src 192.168.8.0/24

# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980# httpd-admin (server-manager)
acl Safe_ports port 80# http

m.traeumner · November 8, 2017, 9:09am

@Harold_Maponde_Shama
Can you post the whole squid.conf? I think the easiest way is to transfer the file per scp (for windows winscp) to your desktop, open it with an editor notepad++ for example and copy the whole content to this thread.

If you use [code]at the beginning and[/code]

at the end of the code it is formated well.

@davidep
Hi Davide,
Can you tell us how to implement something at the acl zone? It isn’t part of a template.
I think the conf should look like the following:

# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9
# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache
# Allow access from green and trusted networks.
acl localnet src 192.168.2.0/24
acl localnet_dst src 192.168.2.0/24
# Allow access from blue: ens34
acl blue src 192.168.8.0/24
# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980# httpd-admin (server-manager)
acl Safe_ports port 80# http


# ACL for Radio / Video Stream (the implemented part)
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$
#End of ACL for Radio / Video Stream 
acl CONNECT method CONNECT

giacomo · November 8, 2017, 2:48pm

It can be done, but honestly it needs some work.
Also in this case you need to create extra acls for users/groups, which aren’t present inside squid right now but only in ufdbguard.

Why you can’t block individual site? You can try debug your filter following this doc: GitHub - NethServer/nethserver-squidguard: NethServer configuration for a filtering web proxy

m.traeumner · November 9, 2017, 1:46pm

Is there a chance to block this content with ufdbguard?

giacomo · November 9, 2017, 2:21pm

No, because ufdbguard is only a URL rewriter.

m.traeumner · November 10, 2017, 9:30am

Can you give me a hint how to do it, than I can try to help @Harold_Maponde_Shama.

Yes I’ve read it, it’s described at the second link I posted