Differences between revisions 20 and 21
Revision 20 as of 2010-10-28 22:42:53
Size: 5168
Editor: skizzhg
Comment:
Revision 21 as of 2013-01-09 14:04:33
Size: 5020
Editor: ?Richard Bruna
Comment: squid.conf no longer uses redirect_program ..
Deletions are marked like this. Additions are marked like this.
Line 17: Line 17:
become root, then: Become root, then:
Line 31: Line 31:
next copy that blacklist to the squid directory with: copy that blacklist to the squid directory with:
Line 37: Line 37:
stay root, then:

change directory to the squidGuard database directory
change directory to the squidGuard database directory:
Line 51: Line 49:
Now you may write your config file at: Write your config file at:
Line 59: Line 57:
Now you need to give the squidGuard database the appropriate ownership: Give the squidGuard database the appropriate ownership:
Line 74: Line 72:
Next you need to initialize the database, do: Initialize the database:
Line 80: Line 78:
If you look into the directories holding the files domains and urls you see that additional files have been created: domains.db and urls.db.     Now you will need to tell squid to use squidGuard (arm squid), so add the following line

{{{
redirect_program /usr/bin/squidGuard
If you look into the directories holding the files domains and urls you see that additional files have been created: domains.db and urls.db.

If you have no sudo you need to change
owner again.

T
ell squid to use squidGuard (arm squid), so add the following line:

{{{
url_rewrite_program /usr/bin/squidGuard
Line 96: Line 94:
preferably where it says

{{{
# TAG: redirect_program
}}}

at approx. line 1023



Make th
e message that is returned for blocked URLs

C
reate message that is returned for blocked URLs
Line 114: Line 103:
Then restart squid with: Restart squid:
Line 119: Line 108:

Translation(s): English - Italiano

(!) ?Discussion


This page is about setting a rudimental web filtering system with squidGuard and blacklists


Rudimentary squidGuard Filtering

We recently had a complaint in our in our school about not-existing internet filters. So I setup squidGuard. It took me about 2 hours from learning that squidGuard exists, to having it working in a very basic way. For more advanced things see the bottom of the page.

"Note: The listings within this wiki have been worked out using a Sarge Tjener."

Installation

Become root, then:

apt-get install squidguard

Setup

download a basic blacklist from:

http://squidguard.mesd.k12.or.us/blacklists.tgz

copy that blacklist to the squid directory with:

cp blacklist.tgz /var/lib/squidguard/db/

change directory to the squidGuard database directory:

cd /var/lib/squidguard/db

untar the blacklists with:

tar xvzf blacklists.tgz

Write your config file at:

/etc/squid/squidGuard.conf

a sample squid.conf for the blacklist above can be found in SquidGuardConf

Give the squidGuard database the appropriate ownership:

chown proxy:proxy -R /var/lib/squidguard/db/*

and permissions (all files 644, all directories 755):

find /var/lib/squidguard/db -type f | xargs chmod 644
find /var/lib/squidguard/db -type d | xargs chmod 755

Initialize the database:

sudo -u proxy squidGuard -C all

If you look into the directories holding the files domains and urls you see that additional files have been created: domains.db and urls.db.

If you have no sudo you need to change owner again.

Tell squid to use squidGuard (arm squid), so add the following line:

url_rewrite_program /usr/bin/squidGuard

to the squid config file at

/etc/squid/squid.conf

Create message that is returned for blocked URLs

/var/www/block.html

I used BlockHtml, which is a nice red&black page with a link to skolelinux.de.

Restart squid:

squid -k reconfigure

Verifying the installation

Well the easiest way is to visit some nasty site and check to see if it is blocked, also check some good sites to see if they are let through. The squidGuard website also has a nice way of checking if it works at : verifying squidGuard

For debian-edu you can use the following command:

echo "http://www.rotten.com / - - GET" | squidGuard -d 

If you change the blacklists

You will need to update the Squid Guard database with:

sudo -u proxy squidGuard -C all

And then reconfigure squid with:

squid -k reconfigure

TODO

  • More about blacklists in different languages.
  • Logging blacklist violations, and messaging someone email jabber (??).
  • LDAP Based control (??)
  • Automatic Updates.
  • translate into German, and add to my German wiki
  • Webmin Module - I tried to install this and make it work at DebianEdu/HowTo/SquidGuard/webmin, however the module din't really work too well, and so this idea has been abandoned as webmin and sarge are bothe deprecated

Comments about this page

Please add you comments here with wiki Name, thanks.

Automatic Updates

Save the following script as /root/bin/squid_blacklists_updates.sh:

TARGET=/var/lib/squidguard/db/blacklists

cd $TARGET || exit

# only run if squidGuard is active!
[ "`ps auxw | grep squid[G]uard`" ] || exit

rsync -az squidguard.mesd.k12.or.us::filtering $TARGET

for DIR in `ls $TARGET`
do
        if [ -f $DIR/domains.include ]
        then
                TMP=$RANDOM
                cat $DIR/domains $DIR/domains.include | sort | uniq > $DIR/domains.$TMP
                mv -f $DIR/domains.$TMP $DIR/domains
        fi
        if [ -f $DIR/urls.include ]
        then
                TMP=$RANDOM
                cat $DIR/urls $DIR/urls.include | sort | uniq > $DIR/urls.$TMP
                mv -f $DIR/urls.$TMP $DIR/urls
        fi
done

/usr/bin/squidGuard -c /etc/squid/squidGuard.conf  -C all
# /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf  -u

chown -R proxy:proxy $TARGET
chown -R proxy:proxy /var/log/squid/squidGuard.log

sleep 5s

/usr/bin/killall -HUP squid

and register it in root's crontab

sudo crontab -e

add the following line:

00 5 * * * sh /root/bin/squid_blacklist_update.sh