Timing fun with Squid

Posted on: Sat, 2020-02-01 - 15:23 By: dl7und

Are your students/pupils browsing all kinds of sites during the computer lab class? You do not need to switch off the network, there is a smarter way.

In a now previous life, when I had to deal with a university’s network (while also teaching there), one of the things I ruled were the web proxies. And Squid’s time ACLs are an excellent way to control what students can do in a computer lab.

There are several ways to keep control in a computer classroom. I saw a very nice low-tech solution at Formosa university once: There was no broadcast system, only a projector. The teacher’s desk was at the back of the room and slightly elevated, so with just his built-in eyes the teacher could find out what each student was doing at any time.

Our school was not like that, so I had to come up with a “high-tech” solution. I never understood why teachers would not be interested in this and instead accepted (or did not care) that students were enjoying themselves on Yahoo, Wretch, Ruten etc during the class. I did prefer to have some more attention, so I eliminated distractions. And this is how I did it:

With “time” we can define ACLs based on time. This can be a repeating time frame every day, a whole weekday or a time range on a certain weekday. Since I was the only one using this, I defined mine based on a short name for my course, like “l10n” for localisation. Suppose that class is on Wednesday, 1310-1500, with a break 1400-1410. The ACLs would look like this:

acl l10n1 time W 13:10-14:00
acl l10n2 time W 14:10-15:00

However, I would not recommend this if you want to implement it on a larger scale. In that case, you had better assign a name to each period of each day, like “CM1” for the first period on Monday, “CM2” for the second etc., like this:

acl CM1 time M 08:10-09:00
acl CM2 time M 09:10-10:00

Next is the source IP. When I redesigned the school's network structure, I assigned a whole class C subnet to each room on the campus. (From the IP you could easily tell where a computer was located and vice versa.) And while IPs were assigned dynamically through DHCP, I set up teacher computers in computer labs to be on 1. (insert MAC address in DHCP config) That means, student computers would be 2-100, for example.

Let us assume we speak about a computer lab in room C101, and that room uses the subnet . So the source definition for this is:

acl C101 src

The third thing we need is destination domains. Where do we want to let our students go during class time? I always allowed Wikipedia, Google, dictionaries etc., and of course destinations needed for the course, like a piece of software we wanted to translate (let us take Secret Maryo Chronicles here).

acl l10ndomain dstdomain .google.com.tw .wikipedia.org .wikimedia.org www.secretmaryo.org

Now we can take all these and allow or deny access. Please remember that if you allow access like in the example explained here you also need to deny access to other places. Since I was the only teacher using this, I had to deny access to any other place for only our classes in our lab.

If you set this up for all classes in a computer lab, you can deny it for the whole lab. But then nobody else can go on-line outside the allowed times and domains. So, this is up to you. Allowing access from a certain computer lab at a certain time to a certain group of domains can look like this:

http_access allow C101 CM1 l10ndomain
http_access allow C101 CM2 l10ndomain
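
The allow lines only restrict anything if a deny line follows them, as noted above. The Python model below is an added example, not code from the original post: it evaluates http_access lines in order, first match wins, over a constructed configuration, with and without the deny line. The subnet 192.0.2.0/24, the closing "allow all" rule and all function names are assumptions, and only the src, time and dstdomain ACL types are modelled.

```python
import ipaddress
from datetime import datetime

# Constructed squid.conf excerpt. 192.0.2.0/24 is a placeholder for room C101's
# subnet; the final "allow all" stands in for the proxy's normal policy (assumption).
CONF = """
acl C101 src 192.0.2.0/24
acl CM1 time M 08:10-09:00
acl l10ndomain dstdomain .wikipedia.org www.secretmaryo.org
http_access allow C101 CM1 l10ndomain
http_access deny C101 CM1
http_access allow all
"""
# Same rules without the deny line, to show why it is needed.
CONF_NO_DENY = CONF.replace("http_access deny C101 CM1\n", "")
DAYS = "MTWHFAS"  # Squid day letters, ordered to match datetime.weekday()

def parse(conf):
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # "all" is built into Squid
    for line in conf.splitlines():
        f = line.split()
        if f[:1] == ["acl"]:
            acls[f[1]] = (f[2], f[3:])
        elif f[:1] == ["http_access"]:
            rules.append((f[1], f[2:]))
    return acls, rules

def acl_matches(kind, args, src, host, when):
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(a) for a in args)
    if kind == "dstdomain":
        # ".example.org" matches the domain itself and all of its subdomains
        return any(host == a.lstrip(".") or (a[0] == "." and host.endswith(a)) for a in args)
    if kind == "time":
        days, span = args
        start, end = span.split("-")
        return DAYS[when.weekday()] in days and start <= when.strftime("%H:%M") <= end
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, src, host, when):
    """Return the action of the first http_access line whose ACLs all match."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(*acls[n], src, host, when) for n in names):
            return action
    return "deny"  # simplification: no line matched

if __name__ == "__main__":
    lesson = datetime(2020, 2, 3, 8, 30)  # a Monday, during CM1
    for c in (CONF, CONF_NO_DENY): print(decide(c, "192.0.2.17", "tw.yahoo.com", lesson))
```

Without the deny line, the lab's request for a site outside l10ndomain falls through to the later general allow rule, so the time ACL has no effect.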

Have fun…