Setting up an Internet Café
One of our engineers has spent a considerable amount of time over the past few years setting up "locked down" computers for use in scenarios such as a church Internet Café, UK Department for Work & Pensions Work Club, etc.
There are a number of things to consider:
- Users may save files to the local disk by accident
- Users may connect USB sticks or other storage media carrying viruses
- Users may access inappropriate content, either by accident or design
- Ensuring that a large number of computers are kept current with security updates can become very time consuming
Various options were explored, including immutable virtual machines running the original Microsoft Windows images for the computers, and several thin client solutions, but each left one or other of the above concerns poorly addressed.
However, it became apparent that there is an open source solution which works well in such an environment. This is openthinclient®.
This open thin client solution is much more flexible than the more common solutions that were previously tried. The system needs a server, which can be any machine capable of running an Oracle Java VM, although the easiest approach is to run the virtual machine that the openthinclient company provide.
The client machines are then set up to be diskless, with PXE as the boot mechanism.
Whenever a client is turned on, it sends a DHCP request which is picked up by a conventional DHCP server. The openthinclient server then provides a PXE boot agent which enables the client to load a complete Linux-based operating system with applications into its RAM.
Whereas the mainstream use of openthinclient is to provide Citrix ICA or rdesktop access, for our use case here we instead deploy LibreOffice, IceWeasel, etc.
By employing a combination of Squid and Privoxy (for example) on the server, and having no direct Internet access from the clients, the proxy server can be used to block any content which is inappropriate for the use case.
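
A minimal squid.conf sketch of the arrangement described above, added here as an illustration and not taken from the engineer's actual setup. The client subnet 192.168.10.0/24, the blocklist path /etc/squid/blocked_domains.txt and Privoxy listening on 127.0.0.1:8118 are assumptions.

```conf
# squid.conf fragment (added example; addresses and paths are assumptions)

# Squid listens on the thin-client LAN; clients are configured to use this port.
http_port 3128

# Only the diskless clients may use the proxy (assumed subnet).
acl thinclients src 192.168.10.0/24

# One domain per line; a leading dot matches subdomains, e.g. ".example.com".
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"

# Limit destinations to ordinary web ports, and HTTPS tunnels to port 443.
acl web_ports port 80 443
acl tls_ports port 443
acl connect_method method CONNECT

# Rules are evaluated top to bottom; the first match wins.
http_access deny !web_ports
http_access deny connect_method !tls_ports
http_access deny blocked_domains
http_access allow thinclients
http_access deny all

# Hand every permitted request to Privoxy for content filtering.
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default

# Never let Squid fetch directly, so nothing bypasses Privoxy.
never_direct allow all
```

For the blocking to hold, the clients' browsers must be pointed at port 3128 on the server, and the server must not forward or NAT client traffic, so that the proxy is the only path to the Internet.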