Problem Blocking Live streaming & U tube

asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

AOA,

I am a system administrator at a Govt-based educational institute. Our current bandwidth is 640K CIR from one of the private ISPs. I am using Clark Connect (www.clarkconnect.com) for proxy, report generation & firewall. It uses Squid for the proxy.
As this is an educational institute, we don't need live streaming of any live channel (like Geo TV etc.) or any other video-based site like Utube.com or metacafe.com.
I tried a lot to block all the possible extensions used by different programs, like
.flv
.wma
.wmp
.f4a
.f4b
.mms
.mpeg
.mpeg2
.mpeg4
.qt
.ra
.ram
.swf
.wvx
but still no effect

Apart from that, the following MIME types were also blocked:

application/asx
application/octet-stream
application/realplay
application/sdp
application/x-director
application/x-drm
application/x-drm-v2
application/x-mplayer2
application/x-ms-wmd
application/x-ms-wmp
application/x-ms-wmz
application/x-mtx
application/x-rtsp
application/x-sdp
application/x-shockwave-flash
application/x-vlc-plugin
application/x-xvlplayer
audio/3gpp
audio/3gpp2
audio/x-pn-realaudio
video/3gpp
video/3gpp2
video/avi
video/divx
video/mp4
video/mpeg
video/msvideo
video/quicktime
video/x-dv
video/x-mpeg
video/x-ms-asf
video/x-ms-asf-plugin
video/x-ms-wm
video/x-ms-wmv
video/x-ms-wmx
video/x-ms-wvx
video/acorn-replay
video/mpeg
video/msvideo
video/quicktime
video/x-mpeg2
video/x-msvideo

but the result was the same (live streaming as well as real-time video playing is still going on).

So after 2 weeks of research I got nothing; that's why I contacted this forum as a last option.

So help is required in this scenario
Plz plz plz do reply me

Regards
Asad Siddiqui
Asad Zia Siddiqui
Peshawar
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

Post the squid rules you are using for blocking these!
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

AOA Brother,

Bro, usually all configuration is done through its GUI interface & 90% of configurations are done through it. So that's why my squid.conf has no reflection of all this configuration.
So I am unable to post the ACLs.
However, if there is any server, I can upload the pages in which I have made these configurations.
If not, then please tell me how I can do both these restrictions?

Asad
Asad Zia Siddiqui
Peshawar
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

go to pages.google.com, and create a site. upload your configs to the site and post the link here.

alternatively, go to docs.google.com, paste the configs into a document (or two), and post the links here.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

Images are posted on the following link

http://asadsq.googlepages.com/home

Now please suggest what mistake I have made in the configuration.

Regards
Asad
Asad Zia Siddiqui
Peshawar
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

i think you should ask the developers of clark connect, or try their forums/mailing lists if they have any.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

I went through your screenshots but didn't see the flv extension getting blocked anywhere. Most of these websites, like YouTube, use flv media. OK, here is the procedure.

Add a rep mime type for blocking this:

video/flv

and block it with http_reply_access, not with http_access.

It will look like this in squid.conf:

acl block rep_mime_type video/flv
http_reply_access deny block

It will not load any of the videos from YouTube and Metacafe and almost all live video streaming websites.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

Thx bro,
I have applied that access list but still the same result.
However, I am sending you my main squid configuration:

http_port 8080

# webconfig: http_port_start
http_port 192.168.0.1:3128
http_port 127.0.0.1:3128
# webconfig: http_port_end

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


maximum_object_size 102400 KB
cache_dir ufs /var/spool/squid 1024 16 256

redirect_program /usr/sbin/adzapper

redirect_children 10

auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
#auth_param basic program <uncomment and complete this line>
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=clarkconnect,dc=lan" -f "(&(objectClass=pcnProxyAccount)(uid=%s))" -h 127.0.0.1 -D "cn=manager,cn=internal,dc=clarkconnect,dc=lan" -W /etc/squid/ldap.conf -s one -v 3 -U pcnProxyPassword -d
auth_param basic children 5
auth_param basic realm ClarkConnect Community Edition - Web Proxy
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.0/8
# webconfig: acl_start
acl webconfig_lan src 192.168.0.0/24
acl webconfig_to_lan dst 192.168.0.0/24
# webconfig: acl_end
acl to_localhost dst 127.0.0.0/8
#acl password proxy_auth REQUIRED
acl password proxy_auth REQUIRED
acl privoxy dstdomain config.privoxy.org
acl SSL_ports port 443 563
acl SSL_ports port 81 10000
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 81 82 83 10000 # Web-based administration tools
acl CONNECT method CONNECT
acl pcntime-New time MTWHFA 05:15-23:15
acl pcngroup-Deny arp 00:30:4F:2D:8F:93 00:18:6E:80:EB:40 00:16:E0:AF:C6:40 00:02:A5:2B:B1:09 00:02:A5:0F:0F:6F 00:50:FC:88:9B:D6 00:18:6E:80:E7:C0 00:1D:09:12:BA:E2

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports


acl our_networks src 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
acl pcngroup-MOre src 192.168.1.1-192.168.1.250 192.168.2.1-192.168.2.250
acl pcntime-More time SMTWHFA 01:00-23:00
acl pcngroup-IPBlock src 192.168.1.125 192.168.0.215
acl block rep_mime_type video/flv .flv
http_access allow our_networks


# And finally deny all other access to this proxy

http_reply_access deny block
http_access deny privoxy
http_access allow localhost
http_access deny pcngroup-Deny pcntime-New
http_access deny pcngroup-IPBlock !pcntime-More
http_access allow pcngroup-MOre pcntime-New
http_access allow webconfig_to_lan
http_access allow webconfig_lan
http_access deny all

http_reply_access allow all

icp_access allow all

reply_body_max_size 52428800 allow all


httpd_accel_host virtual
httpd_accel_port 80

error_directory /etc/squid/errors


Plz now suggest something in order to block these live streaming as well as online video viewing sites.

Regards
Asad Siddiqui
Asad Zia Siddiqui
Peshawar
irfanbhatti
Havaldaar
Posts: 145
Joined: Fri Jun 03, 2005 12:19 pm
Location: Rawalpindi Islamabad

Post by irfanbhatti »

mime.conf
\.flv$ flash/movie anthony-movie.gif - image +download
squid.conf
acl block rep_mime_type video/flv
http_reply_access deny block

It works for me.
Last edited by irfanbhatti on Mon Mar 24, 2008 5:55 pm, edited 2 times in total.
Muhammad Irfan
03335246272
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

Your problem area is your ACL placement. You wrote the ACL right but not in the right location.

acl pcngroup-IPBlock src 192.168.1.125 192.168.0.215
acl block rep_mime_type video/flv .flv
http_access allow our_networks


# And finally deny all other access to this proxy

http_reply_access deny block
http_access deny privoxy
http_access allow localhost

Your http_reply_access deny rule should be above your http_access allow our_networks.

It should look like this:

acl pcngroup-IPBlock src 192.168.1.125 192.168.0.215
acl block rep_mime_type video/flv .flv

http_reply_access deny block
http_access allow our_networks

# And finally deny all other access to this proxy

http_access deny privoxy
http_access allow localhost

There is no need to put .flv after that mime type, as it is not a mime type, so remove that. It will work for you now. Just try it.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
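
How the two `rep_mime_type` ACL lines seen so far in this thread match a reply's Content-Type, as an added example (not code from any poster or from Squid). It models only `acl ... rep_mime_type` and `http_reply_access`, with Python's `re` standing in for Squid's regex matching; the Content-Type samples and the `anchored` variant are constructed.

```python
import re

def parse(conf):
    """Collect rep_mime_type ACLs and http_reply_access rules; ignore other lines."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "rep_mime_type":
            nocase = tok[3] == "-i"
            pats = tok[4:] if nocase else tok[3:]
            # Several values on one acl line are alternatives (OR).
            acls.setdefault(tok[1], []).extend(
                re.compile(p, re.I if nocase else 0) for p in pats)
        elif len(tok) >= 3 and tok[0] == "http_reply_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def reply_allowed(conf, content_type):
    """True if a reply with this Content-Type would be passed to the client."""
    acls, rules = parse(conf)
    def hit(name):
        # "all" is treated as always true, as in the posted squid.conf.
        return name == "all" or any(p.search(content_type) for p in acls.get(name, []))
    for action, names in rules:
        # ACLs on one rule line are ANDed; a leading "!" negates; first match wins.
        if all(not hit(n[1:]) if n.startswith("!") else hit(n) for n in names):
            return action == "allow"
    # No rule matched: opposite of the last rule. No rules at all: allow.
    return rules[-1][0] != "allow" if rules else True

RULES = "http_reply_access deny block\nhttp_reply_access allow all\n"
CONFIGS = {
    "as_posted": "acl block rep_mime_type video/flv .flv\n" + RULES,
    "as_advised": "acl block rep_mime_type video/flv\n" + RULES,
    # Constructed variant, not from the thread: anchored and case-insensitive.
    "anchored": "acl block rep_mime_type -i ^video/(x-)?flv\n" + RULES,
}
# Constructed Content-Type values, not captured traffic.
SAMPLES = ["video/flv", "video/x-flv", "Video/FLV",
           "application/x-shockwave-flash", "text/html"]

def blocked(name):
    """Sample Content-Types that the named config would deny."""
    return [ct for ct in SAMPLES if not reply_allowed(CONFIGS[name], ct)]

if __name__ == "__main__":
    for name in CONFIGS:
        print(f"{name:11} blocks {blocked(name)}")
```
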
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

Dear Irfan,

I tried this, but I don't know why it is not working for me. Meaning not working again.

I have done the same ACL positioning as told by X2Oxen.

Plz, I am bothering you again, tell me what I do now?
If you want I will post the ACL where I applied that, as well as in mime.conf.


Regards
Asad Zia Siddiqui
Peshawar
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad

Post by x2oxen »

The ACLs I defined for you are working perfectly at about 4 places where I am running the squid box. It will let the website open just fine, but the video inside the player will not load as it will be blocked there. Just try it again, correct your positioning, and post the new ACLs you applied.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
irfanbhatti
Havaldaar
Posts: 145
Joined: Fri Jun 03, 2005 12:19 pm
Location: Rawalpindi Islamabad

Post by irfanbhatti »

Dear Asad,
are you using a transparent proxy?
Muhammad Irfan
03335246272
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

No Bro,
I am not using a transparent proxy; I have disabled this feature & users have to enter the IP & port in the browser in order to have browsing services.
X2Oxen & Irfan,
even after applying the mime & acl there is still a problem & I am still able to browse.

Settings are:
squid.conf
acl block rep_mime_type video/flv
http_reply_access deny block
http_access allow our_networks

mime.conf

\.flv$ flash/movie anthony-movie.gif - image +download

Plz help me now
n thx for ur replies
Asad Zia Siddiqui
Peshawar
asadsq
Lance Naik
Posts: 48
Joined: Fri Feb 22, 2008 3:10 pm
Location: Peshawar

Post by asadsq »

Also applied the instructions from the mentioned site:

http://wiki.squid-cache.org/KnowledgeBa ... gMimeTypes

still no luck

Sites are opening; when movies are clicked, sometimes it works & sometimes not. I don't know if it's because of bandwidth or due to the ACL.
Asad Zia Siddiqui
Peshawar