Stupid Proxy Server Request



  • Our business manager wants the proxy server to alert someone whenever a user tries to access anything in the blocked list (which is bigger than dansguardian's. We're a school). Seriously. Every time any student tries to get to youtube / myspace / etc (or visits a page with ads, some of which are also blocked), she wants an email sent to the appropriate teacher and some immediate action.

    That's HUGE.

    root@somehost:/var/log/squid# grep 'blocked.page/error.page' ./access.log.2 | wc -l
    1633
    

    That's from ONE DAY of LIGHT usage.

    Since she doesn't understand why it would be a really bad thing, I mucked around in bash and came up with a simple script which beeps every time a user gets bounced to the ban page. Now to redirect that sound to her office somehow...

    Anyway, the real WTF (if you ignore youtube being blocked) is that she believes this will help us keep our internet costs. If the pages are already blocked, how is following up students who try to get to them going to help us keep our usage down? She also wanted us to try and detect users bypassing the proxy server... of course, if we could detect that, it wouldn't need any follow-up at all...

    I really wish corporations and governments would stop trying to filter the Internet. They'll never totally win and they need to realise that.



  • Why not just run a cron every hour that fires off a digest email?  It seems like a fairly reasonable request to track who is trying to access restricted content.

     

    You don't think Youtube should be blocked?  That's one of the biggest time-wasters on the 'tubes and certainly full of material most parents would deem inappropriate for school.  Of course restricting content is never 100% successful, but the point is to stop the largest offenses.  Restricting any human behavior is never 100% successful but it needs to be done.  No government has the right to filter my Internet connection, but the same right does not apply to schoolkids who are using the web on my dime.  I would think the same if my employer wanted to block certain sites (luckily it's pretty laid-back here and that is not the case).  None of this seems particularly WTFy to me.



  • My last company had a filter set up to block certain web pages (very small list, fortunately, the only one I've ever seen blocked was Sports Illustrated).  Obviously, being a software company, everyone knew you could defeat this by using a proxy.  Trying to outsmart us, the IT guy blocked everything with the word Proxy in it.

     Unfortunately for me, I was trying to learn about the java.lang.reflect.Proxy class.  Thankfully, after busting my chops for a few hours (we were friends), the IT guy whitelisted sun.com and I was all set.



  • If she wants an email every time someone tries to access a banned page, then do it. Do warn her first (and explain in sufficient detail why you shouldn't implement her solution), but if she insists, then do it.

    Once her inbox is flooded with notifications and she complains, you'll be entitled to tell her "I told you so" and suggest a more realistic solution.



    As for people bypassing the proxy server, there's one way to do it - force all HTTP connections to go through the proxy and block all other outgoing connections on port 80 (and probably also other common ports). Of course, then you'd have to prevent people from using their own proxies, and you'd have much less control over encrypted content (i.e. HTTPS).



  • @morbiuswilters said:

    Restricting any human behavior is never 100% successful but it needs to be done. 

     

    Nonsense! Nixon declared a war on drugs in 1971 and we've had 38 straight and sober years ever since ....

    No government has the right to filter my Internet connection

    Oh they don't want to filter it just put it in a special room (http://en.wikipedia.org/wiki/Room_641A) ... (until recently I worked on the same block as that windowless, joyless facility which itself looks much like a big 20 story server).

     



  • I find myself pro filtering, provided it's backed up by a reasonable and sensible AUP.  If our DBAs are trying to download a critical Oracle patch, I don't think it's acceptable for someone to cause havoc just because they want to get their jollies on YouTube.  I could give many more examples.  There are also legal issues: the company could theoretically be held responsible for certain actions the users get up to.  Unfortunately, when given free rein, some people's sense of responsibility goes out the window.



  • @medialint said:

    Nonsense! Nixon declared a war on drugs in 1971 and we've had 38 straight and sober years ever since ....

    Yes.  Yes we have...  Complete success...  WHO TOLD YOU OTHERWISE??? 



  • Why can't you redirect the users that access a banned page to a special page that runs a server-side script to start the request, each room should be on its own subnet anyways so it should be trivial to guess which computer needs to receive the message?



  • Make the computer emit a loud, blaring noise every time a restricted page is accessed. The comedic possibilities are limitless.



  • @Lingerance said:

    Why can't you redirect the users that access a banned page to a special page that runs a server-side script to start the request, each room should be on its own subnet anyways so it should be trivial to guess which computer needs to receive the message?
     

    Why would each room be on its own subnet?  I suppose if you had several hundred computers in each room or massive school buildings, but I imagine most schools would only need one subnet for the entire building.



  • Uninstall the Flash plugin. Works better against youtube & co than any of this weird filtering...

    Other than that: a transparent proxy will do it. As for the reporting, make it so it only reports access to HTML pages that are blocked (e.g. put an <iframe> on the page that says that it's blocked, and let it query a special internal URL that does the reporting - that'd still not get rid of the ads completely, but reduce the number of false positives).



  • As for people bypassing the proxy server, there's one way to do it - force all HTTP connections to go through the proxy and block all other outgoing connections on port 80 (and probably also other common ports). Of course, then you'd have to prevent people from using their own proxies, and you'd have much less control over encrypted content (i.e. HTTPS).
    My uni does something similar - Force all HTTP connections through the proxy, and block all ports. HTTP CONNECT to port 443 (for HTTPS connections) still works, so I'm running an SSH server on a spare virtual server on port 443, and tunnelling through that :)


  • @OperatorBastardusInfernalis said:

    Uninstall the Flash plugin. Works better against youtube & co than any of this weird filtering...

    That's a good idea. As a rule I'm against attempting to filter out 'objectionable' content, because it never works; it leaves gaps while creating false positives - for example at my 6th form I was blocked from the Scrapheap Challenge (British version of Junkyard Wars, engineering-ey TV show so somewhat relevant to my studies). But I think it's reasonable to use it to improve computer security, and also control bandwidth usage and thus costs, hence why blocking Youtube might be useful.



  • It depends - most reasonably large orgs will have a fixed-price leased line, so it doesn't really matter how much bandwidth is used, it's the same cost in the end.  In these cases, filtering and other controls can be helpful in preventing non-business traffic from swamping the bandwidth that is required for business traffic; if you've ever had to administer this stuff you'll be all too familiar with the problems (particularly where you have more than one site, and slow WAN links come into the equation).  Experience tells me that throwing more bandwidth at it is not the solution; usage will always increase to fill it up (same as with HD space, CPU, RAM, and any other finite resource), so while you may get effective short-term results, in the medium/long term you'll always end up exactly back where you started.  The definition of what kind of content is considered "objectionable" is also key.  As I said a few posts above, some people's sense of responsibility will go out the window when given free rein.  I may be presuming to speak for others here, but I think that most folks would agree on certain types of website that could be considered "objectionable" on a corporate network.  There are others that are "grey areas" - certain web sites classified (or mis-classified) as "hacking" may very well contain useful info for in-house developers, and so on.

    What's the solution?  I don't believe there's an easy one-size-fits-all answer to any of this.  Blocking stuff that's outright illegal will be a no-brainer, but when you wander into the grey areas you're in a minefield.  Even the likes of YouTube could have legitimate business uses (hypothetical scenario of someone who needs to watch a certain video on it for research purposes).  Make friends with your local sysadmin, I suppose, but otherwise this is a problem that's just going to run and run.



  • There are easier ways to do it. Put all machines that are declared kid-safe behind a separate firewall computer - one that caches all requests from the internet and then feeds them to the students locally. Blacklisting sites this way should be trivial, and it's going to be a real bitch to bypass seeing as how they can only access local files. IPCop's blue/orange zones could be hacked to do this in a short time, and I'd like to meet a student that could get anything out of a completely locked down local network. It'd be the equivalent of them not even having access to the internet, except for snapshots.

    Hell, I should cobble together a prototype and sell it and make millions and donate some money to tdwtf.com :-D



  • How about changing the message so that it plays an audio clip.  Preferably one of those "Hey everyone, I'm watching gay porn" type things.  Then it would be easy to detect who was accessing restricted pages, because 1) They'd quickly be jumping around for the mute button 2) they'd probably be pretty red faced.


  • Discourse touched me in a no-no place

    @taylonr said:

    Preferably one of those "Hey everyone, I'm watching gay porn" type things.
    Is this the type of thing you had in mind?



  • Not exactly, over on Fark they had a pranks thread a while back, and they were talking about sending each other "jpgs" that weren't actually jpgs, but mp3s and when you'd click on it, it said something about "I'm watching gay porn" there wasn't any offensive words in the message, just something someone 3 cubes away would hear ;)



  • First of all, we actually USE flash in our curriculum. Uninstalling it would be pretty bad.

    Secondly, the taxpayers don't pay for the Internet usage - the kids do! The proxy server is attached to some charging software which is actually half-decent. This is also why transparent proxying wouldn't work...

    I like the "LOOKING AT GAY PORN" idea, but it'd probably cost my head. WRT blocking upstream proxies, we have - it's websites like proxymall.com that are the issue.

    The whole reason I'm complaining, by the way, is because the business manager wouldn't be the one doing the follow-up, it would be people with much more important things to do.



  • Wow. All I saw when I first looked at your post was:

    @elgate said:

    I like "LOOKING AT GAY PORN"
     

    Jeez... I thought this thread was rapidly spiralling down the 'tubez'.



  • @MasterPlanSoftware said:

    All I saw when I first looked at your post...

    And all I could think was along the lines of "My God! Did I actually write that? Oh no oh no oh no..."



  • @OperatorBastardusInfernalis said:

    Uninstall the Flash plugin. Works better against youtube & co than any of this weird filtering...

    Except for the cases when clueless webmasters design the entire navigation for an actual 'serious' site in Flash. Like, for instance, the entire page of campus bus route maps for my current university.

    I wish I were kidding (http://www.transit.uga.edu/route.html). Note that you can get the finals/summer schedules without Flash, but to get the regular schedules, Flash is necessary. What were they thinking?



  • @codeman38 said:

    Like, for instance, the entire page of campus bus route maps for my current university.

    Hello, fellow Georgian!

    I can't f'ing believe that the site looks that horrible. I would think that UGA would invest in something more than 1st year students to make their stuff.



  • This type of notification can be very useful if you're the one who controls the filter.  If you find a person hitting the "blocked" content, then go to the logs to find out what site they went to next.  You will find a site that should be blocked.  You may also find their clever technique for bypassing the proxy, which was the second element of the original request.

    Trying to send it to the user's superior ("appropriate teacher" in this case) is a waste of time.  The block has done its job of preventing access to the objectionable content (or using up bandwidth, using up working time) and there's no more to it.  I can't believe that they would try to instigate a disciplinary procedure for typing in "youtube,com"



  • @Qwerty said:

    Trying to send it to the user's superior ("appropriate teacher" in this case) is a waste of time.  The block has done its job of preventing access to the objectionable content (or using up bandwidth, using up working time) and there's no more to it.  I can't believe that they would try to instigate a disciplinary procedure for typing in "youtube,com"

    Thank you, exactly! Either the block has done its job, or it's failed. If it's failed, obviously we can't detect the violation, or we'd be blocking it. In which case, again, no need to alert anyone.

    But I do agree that we should be checking out people's history to see where they go after they hit blocks. Unfortunately the 'blocked' page actually comes from an upstream proxy, so it's difficult. Oh well.
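
Added example (not code from any poster in this thread): a sketch of the hourly digest suggested early in the thread, combined with the "see where they went after the block" follow-up discussed in the last posts. It assumes Squid's native access.log layout and that a blocked request shows up with the `blocked.page/error.page` URL from the grep in the first post; the sample lines, addresses, host names and the 60-second window are constructed.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

BLOCK_MARKER = "blocked.page/error.page"  # same pattern as the grep in the first post
FOLLOW_WINDOW = 60.0  # seconds after a block to keep watching (assumed value)

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1214870400.100 12 10.1.2.15 TCP_MISS/200 1420 GET http://blocked.page/error.page - DIRECT/10.0.0.5 text/html
1214870410.500 230 10.1.2.15 TCP_MISS/200 8120 GET http://webproxy.example/browse.php - DIRECT/192.0.2.10 text/html
1214870415.000 9000 10.1.2.15 TCP_MISS/200 5300 CONNECT tunnel.example:443 - DIRECT/192.0.2.20 -
1214870420.000 15 10.1.3.7 TCP_MISS/200 1420 GET http://blocked.page/error.page - DIRECT/10.0.0.5 text/html
1214870421.000 14 10.1.3.7 TCP_MISS/200 1420 GET http://blocked.page/error.page - DIRECT/10.0.0.5 text/html
1214870900.000 80 10.1.3.7 TCP_HIT/200 900 GET http://intranet.example/timetable - NONE/- text/html
truncated line
"""

def parse(line):
    """Return (timestamp, client, host) or None for a malformed line."""
    f = line.split()
    try:
        ts, client, method, url = float(f[0]), f[2], f[5], f[6]
    except (IndexError, ValueError):
        return None
    if BLOCK_MARKER in url:
        return ts, client, BLOCK_MARKER
    if method == "CONNECT":  # HTTPS tunnels are logged as host:port
        return ts, client, url.rsplit(":", 1)[0]
    return ts, client, urlsplit(url).hostname or url

def digest(log_text, window=FOLLOW_WINDOW):
    """Count blocked hits per client and list hosts visited soon after a block."""
    hits, followups, last_block = Counter(), defaultdict(list), {}
    for rec in filter(None, map(parse, log_text.splitlines())):
        ts, client, host = rec
        if host == BLOCK_MARKER:
            hits[client] += 1
            last_block[client] = ts
        elif client in last_block and ts - last_block[client] <= window:
            if host not in followups[client]:
                followups[client].append(host)
    return hits, dict(followups)

if __name__ == "__main__":
    hits, followups = digest(SAMPLE_LOG)
    for client, n in hits.most_common():
        print(f"{client}: {n} blocked, then: {', '.join(followups.get(client, [])) or '-'}")
```

Run from cron, the output is one line per client rather than one alert per request, and the follow-up hosts are the candidates to review for the block list.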

