SquidGuard is a plugin for the Squid proxy. It allows finer ACL management, based on compiled blacklists. SquidGuard can also manage scheduled access and finer conditions, and can replace a requested page with another one.
Installing squidGuard is simple. Debian version:
aptitude install squidguard
FreeBSD version:
cd /usr/ports/www/squidguard
make install clean
OpenBSD version:
export PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.2/packages/amd64/
pkg_add -i squidguard
Then modify the Squid configuration to add (or uncomment) these lines. Versions 3.1 and lower:
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10
Version 3.2 and higher:
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
url_rewrite_children 10 startup=4 idle=2 concurrency=0
Squid is now linked to SquidGuard and uses 10 parallel processes for filtering. Now we install a blacklist (the one published by Toulouse 1 University, France). Linux version:
cd /etc/squidguard/
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xzf blacklists.tar.gz
chown -R squid:squid /etc/squidguard/blacklists
rm blacklists.tar.gz
BSD version:
cd /etc/squidguard/
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xzf blacklists.tar.gz
chown -R _squid:_squid /etc/squidguard/blacklists
rm blacklists.tar.gz
Open the squidGuard configuration file (Linux: /etc/squid/squidGuard.conf, BSD: /etc/squidguard/squidguard.conf). First, set the blacklist directory by changing dbhome:
dbhome /etc/squidguard/blacklists
Next, run squidGuard -C all to compile the blacklists (squidGuard -f /etc/squidguard/squidguard.conf -C all on BSD). SquidGuard uses source/destination mechanics to define ACLs. Source example:
source localnet {
ip 10.0.0.0/8
192.168.0.0/16
}
Here is a destination example, using the compiled porn blacklist:
destination porno {
domainlist porn/domains
urllist porn/urllist
expressionlist porn/expressions
}
The value porn/domains refers to the directory porn and the file domains.db under dbhome. Warning: you can't give multiple domainlist, urllist or expressionlist entries in one destination; only the last one is used. The last directive is acl. It defines the filtering rules to apply: you use a source name and the pass directive with the destinations.
acl {
localnet {
pass !porno
redirect http://localhost/403.html
}
admin {
pass all
}
guests {
pass none
redirect http://localhost/403.html
}
}
These acl entries define that the localnet source can access all sites except the porn blacklist, the admin source can access everything, and guests have no access. When access is denied, squidGuard returns the URL given in the redirect directive (here a local page). You can also declare access times; for example, social networks are allowed during the lunch break. Access times are defined with the time directive.
# s = sun, m = mon, t = tue, w = wed, h = thu, f = fri, a = sat
time personnel-pause {
weekly s 00:00 - 23:59
weekly mtwhfa 12:00 - 14:00
}
Then the ACL is written as:
acl {
personnel within personnel-pause {
pass !common-blacklist
} else personnel {
pass !common-blacklist !social-networks
}
}
To make an automated update, create a script with this content and add it to cron. Linux version:
cd /etc/squidguard
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xvzf blacklists.tar.gz
# the archive is extracted under dbhome, so that is the directory to chown
chown -R squid:squid /etc/squidguard/blacklists
rm blacklists.tar.gz
squidGuard -C all
BSD version:
cd /etc/squidguard
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xzf blacklists.tar.gz
# the archive is extracted under dbhome, so that is the directory to chown
chown -R _squid:_squid /etc/squidguard/blacklists
rm blacklists.tar.gz
/usr/local/bin/squidGuard -f /etc/squidguard/squidguard.conf -C all
Now we create a whitelist to allow some sites that are blacklisted:
mkdir /etc/squidguard/blacklists/exceptions/
touch /etc/squidguard/blacklists/exceptions/domains
touch /etc/squidguard/blacklists/exceptions/urllist
Open the squidGuard configuration file and create this destination:
destination exceptions {
domainlist exceptions/domains
}
Then apply it in the acl block:
acl {
personnel within personnel-pause {
pass exceptions !common-blacklist
} else personnel {
pass exceptions !common-blacklist !social-networks
}
}
To use it, open /etc/squidguard/blacklists/exceptions/domains and add one domain per line:
linkedin.com
linkedin.fr
viadeo.com
Save the file and run these commands.
Linux version:
squidGuard -C exceptions
killall squidGuard
BSD version:
/usr/local/bin/squidGuard -f /etc/squidguard/squidguard.conf -C exceptions
pkill squidGuard
These commands regenerate the compiled exceptions blacklist and kill all squidGuard processes; Squid automatically relaunches them.
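Before trusting the acl blocks and the exceptions whitelist above in production, it is worth asking squidGuard directly what it decides for a given client IP and URL. The following script is an added example, not part of the original page: it speaks Squid's url_rewrite (redirector) protocol to squidGuard the same way Squid does, so the verdict reflects the compiled lists and the real configuration. The binary and config paths, and the test URLs and IPs, are assumptions you adjust to your setup.

```shell
#!/bin/sh
# Added example: query squidGuard over the url_rewrite (redirector)
# protocol to see which ACL verdict a client/URL pair gets.
# Assumed paths (Debian layout); use the BSD paths from the page if needed.
SG="${SG:-/usr/bin/squidGuard}"
SG_CONF="${SG_CONF:-/etc/squid/squidGuard.conf}"

# One request line in the redirector protocol (concurrency=0, so no
# channel id):  URL client-ip/fqdn ident method urlgroup
sg_request() {  # $1 = URL, $2 = client IP
    printf '%s %s/- - GET -\n' "$1" "$2"
}

# squidGuard answers with an empty line when the URL passes unchanged,
# and with the redirect target (here the local 403 page) when a '!'
# destination or 'pass none' matched.
sg_verdict() {  # $1 = squidGuard reply line
    if [ -z "$1" ]; then
        printf 'ALLOW\n'
    else
        printf 'REDIRECT %s\n' "$1"
    fi
}

# Run one check through the installed squidGuard. Time rules (within/else,
# e.g. personnel-pause) are evaluated against the current clock, so the
# verdict for a social-network URL depends on when you run this.
sg_check() {  # $1 = URL, $2 = client IP
    reply=$(sg_request "$1" "$2" | "$SG" -c "$SG_CONF")
    printf '%-16s %-36s %s\n' "$2" "$1" "$(sg_verdict "$reply")"
}

# Constructed test cases for the sources declared on this page.
if [ "${1:-}" = "run" ]; then
    sg_check "http://www.debian.org/" "10.1.2.3"      # localnet, not listed
    sg_check "http://www.linkedin.com/" "10.1.2.3"    # in exceptions whitelist
    sg_check "http://www.debian.org/" "172.16.0.9"    # not in any declared source
fi
```

Run it as `sh sg-check.sh run` on the proxy host; a REDIRECT for the whitelisted domain means the exceptions destination is not listed before the blacklists in the pass line, or was not recompiled with -C exceptions.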