Installing and Configuring squidGuard
BerkeleyDB
squidGuard uses the Berkeley DB database. If it is not already installed on your system, go to:
http://www.sleepycat.com
and download the latest version of db in tar.gz format. At this time (early May 2002) the latest version is:
http://www.sleepycat.com/update/snapshot/db-4.0.14.tar.gz
After downloading, move the tarball (db-4.0.14.tar.gz) into the /usr/local/src directory:
mv db-4.0.14.tar.gz /usr/local/src
Next, change to the /usr/local/src directory and unpack the tarball using either Midnight Commander ('F2 and x' to gunzip and untar) or the commands:
cd /usr/local/src
tar xzvf db-4.0.14.tar.gz
To compile and install db:
cd db-4.0.14/build_unix
../dist/configure
make
make install
The BerkeleyDB installation should create the directory /usr/local/BerkeleyDB.4.0
squidGuard
Download the squidGuard tarball from:
http://www.squidguard.org
The latest version (May 2002) is:
http://ftp.teledanmark.no/pub/www/proxy/squidGuard/squidGuard-1.2.0.tar.gz
Move the squidGuard tarball to /usr/local/src and unpack it like you did the Berkeley DB tarball. Change to the /usr/local/src directory and build the software:
cd squidGuard-1.2.0
./configure --with-db=/usr/local/BerkeleyDB.4.0
make
make test
make install
Next, download the latest squidGuard blacklists tarball, which contains lists of offensive internet sites. The latest version at the time of this writing:
http://ftp.teledanmark.no/pub/www/proxy/squidGuard/contrib/blacklists-20020504.tar.gz
Make a directory to house the squidGuard configuration file, blacklists and logs:
mkdir /usr/local/squidGuard
cd /usr/local/squidGuard
mkdir db
mkdir logs
Move the blacklists tarball from its current location into /usr/local/squidGuard/db and unpack it:
mv blacklists-20020504.tar.gz /usr/local/squidGuard/db
cd /usr/local/squidGuard/db
tar xzvf blacklists-20020504.tar.gz
This will create a subdirectory blacklists under which will be additional subdirectories like: ads, aggressive, porn, violence, etc.
The next step is to create a minimal, "do-nothing" configuration file for squidGuard. Change to the /usr/local/squidGuard directory and create the file squidGuard.conf containing these lines:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
acl {
default {
pass all
}
}
The last configuration step is to edit /etc/squid/squid.conf and add an entry for a redirect_program. Scroll down through the squid.conf file and in the redirect_program section add this line:
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
One of the most difficult and confusing aspects of getting squidGuard to run successfully is the fact that the correct permissions have to be set on all the files and directories that squidGuard uses. In particular, the owner and group have to be the same as the effective owner and group under which the squid proxy server runs. We can determine the owner and group that squid runs as by searching the /etc/squid/squid.conf file for the terms 'cache_effective_user' and 'cache_effective_group'. These will probably be set to www or squid by default; let's assume it's squid. To set the correct permissions:
cd /usr/local/squidGuard
chown -R squid:squid db logs squidGuard.conf
Copy the squidGuard cgi script to Apache's cgi-bin directory:
cp /usr/local/src/squidGuard-1.2.0/samples/squidGuard.cgi /var/www/cgi-bin
and change owner, group and mode of this file:
chown squid:squid /var/www/cgi-bin/squidGuard.cgi
chmod 744 /var/www/cgi-bin/squidGuard.cgi
And now the moment of truth: reconfiguring squid and determining if squidGuard starts up properly. Issue this command:
squid -k reconfigure
If squidGuard started properly there should be a file: /usr/local/squidGuard/logs/squidGuard.log
with several repeating lines containing the phrases "squidGuard 1.2.0 started" and "squidGuard ready for requests." If the log file does not exist then something went wrong. The first place to look is in the file /var/squid/logs/cache.log. If you see error messages stating that squidGuard could not write to a log file or there are "permission denied" errors then the permissions on some files are still incorrect. After making changes to file/directory permissions or altering squidGuard.conf, always do a 'squid -k reconfigure' to make the changes take effect.
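A quick way to find which files still have the wrong owner or group, as an added example that is not part of the original guide. The function names are made up for illustration, and it assumes squid.conf sets cache_effective_user and cache_effective_group explicitly:

```shell
#!/bin/sh
# Added example: list squidGuard files whose owner or group differs from
# the user/group squid runs as. Function names are illustrative.

# Print the last uncommented value of a squid.conf directive.
squid_directive() {   # usage: squid_directive <name> <squid.conf>
    awk -v key="$1" '$1 == key { val = $2 } END { if (val != "") print val }' "$2"
}

# Print every path under the given files/directories not owned by user:group.
misowned() {          # usage: misowned <user> <group> <path>...
    user=$1; group=$2; shift 2
    find "$@" \( ! -user "$user" -o ! -group "$group" \) -print
}

# Returns 0 if everything is owned correctly, 1 if not, 2 if squid.conf
# does not name the effective user and group.
check_squidguard_perms() {   # usage: check_squidguard_perms <squid.conf> <squidGuard dir>
    user=$(squid_directive cache_effective_user "$1")
    group=$(squid_directive cache_effective_group "$1")
    if [ -z "$user" ] || [ -z "$group" ]; then
        echo "cache_effective_user/group not set in $1" >&2
        return 2
    fi
    bad=$(misowned "$user" "$group" "$2/db" "$2/logs" "$2/squidGuard.conf")
    if [ -n "$bad" ]; then
        echo "Not owned by $user:$group:" >&2
        echo "$bad"
        return 1
    fi
    return 0
}

# Example: check_squidguard_perms /etc/squid/squid.conf /usr/local/squidGuard
```

Any path it prints needs the chown shown earlier, followed by 'squid -k reconfigure'.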
Once you have squid and squidGuard running, configure the browser on another computer on the network to use the proxy server and see if you can successfully surf the Internet.
Creating a filtering squidGuard.conf
The squidGuard.conf file we are using at this point does nothing but pass all requests for web pages; it does no filtering at all. So let's have it filter porn sites. In order to do this we need to create a configuration file that looks like this:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
dest porn {
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
log porn.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
}
acl {
default {
pass !porn all
}
}
**NOTE: the redirect must be typed on one line, as it is shown above.
What this revised configuration file does is define a destination category called "porn" which will block access to sites contained in the blacklists/porn/domains and blacklists/porn/urls lists but pass everything else. It will log attempts to reach blocked sites in the file porn.log. In addition, when someone attempts to reach a blocked site, their browser will be redirected to the squidGuard.cgi script, which will print out a message saying access has been denied along with other details. You can have the browser redirected to any URL you wish, perhaps to a web page which explains your internet policy, for example.
Initializing databases
Before we put this new filtering configuration into effect we need to create db files from the domain and url lists. As a word of caution, don't do this until you have declared that you are going to use these databases in the squidGuard.conf file. We've done this in the configuration file above, so we can go ahead and create the db files like this:
squidGuard -C blacklists/porn/domains
squidGuard -C blacklists/porn/urls
chown squid:squid /usr/local/squidGuard/db/blacklists/porn/*.db
After this is completed you can do 'squid -k reconfigure' to put the new filtering scheme into place. Check squidGuard.log to confirm that squidGuard has started up properly.
Source group filtering
The squidGuard configuration file we have at this point does not distinguish between different groups of users - everyone is treated the same. Let's suppose that you want no filtering at all for staff members but porn and violence filtering for everyone else. One way to accomplish this is to establish a block of IP addresses on your network for staff computers and another block of IP addresses for everyone else. Let's assume that staff computers will be assigned IPs in the range 192.168.5.5 - 192.168.5.50 and that systems used by patrons will be in the range 192.168.5.60 - 192.168.5.100. Here's how we would set up our new squidGuard.conf:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
src staff {
ip 192.168.5.5 - 192.168.5.50
}
src patrons {
ip 192.168.5.60 - 192.168.5.100
}
dest porn {
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
log porn.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
}
dest violence {
domainlist blacklists/violence/domains
urllist blacklists/violence/urls
log violence.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
}
acl {
staff {
pass all
}
patrons {
pass !porn !violence all
}
default {
pass none
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
}
}
**NOTE: each redirect must be typed on one line, as they are shown above.
As before, we need to create db files for the new databases (blacklists/violence/domains and blacklists/violence/urls) we will be using:
squidGuard -C blacklists/violence/domains
squidGuard -C blacklists/violence/urls
chown squid:squid /usr/local/squidGuard/db/blacklists/violence/*.db
Then issue the familiar 'squid -k reconfigure' command and then make sure squid and squidGuard started without errors.
An easy way to update your database (db) files
squidGuard provides a quick and easy way to update your db files that avoids the necessity of compiling the db files from scratch (squidGuard -C <listname>) as explained above. If, for example, you wanted to make some changes to the blacklists/porn/domains.db file you would create a file named /usr/local/squidGuard/db/blacklists/porn/domains.diff that looks like this (purely hypothetical example):
+abadsite.com
+anotherbadsite.org
-agoodsite.net
-anoksite.org
-asitethatshouldnotbeblocked.gov
Domains preceded with a plus sign will be added to the db file, while ones with a minus sign will be removed. The first entry will block access to the entire domain 'abadsite.com', so attempts to reach:
http://www.abadsite.com
http://abadsite.com/smut/stuff
would be blocked.
If you want to block or unblock specific URLs, put these changes into /usr/local/squidGuard/db/blacklists/porn/urls.diff
For example:
+ml.xxx.com/pics/girls
+221.32.55.1/howto/xxx/nudes
-123.44.55.78/legal/info/chimps
After you finish editing the diff file(s), do this (must be in same directory as diff file):
squidGuard -u
squid -k reconfigure
and squidGuard will apply all the diff files it finds directly to the previously compiled db database files. After completing the two commands above, remove the diff files so that you don't inadvertently try to apply them a second time at some point in the future:
rm *.diff
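One way to catch malformed entries before 'squidGuard -u' touches the compiled databases, as an added example that is not part of the original guide. The function name lint_diff is hypothetical, and its rules are inferred from the sample entries shown above (a leading + or -, no http:// prefix, paths only in urls.diff), not taken from squidGuard itself:

```shell
#!/bin/sh
# Added example: sanity-check a squidGuard .diff file before "squidGuard -u".
# lint_diff is an illustrative name; the rules are inferred from the sample
# entries in this guide, not from squidGuard's source.

lint_diff() {   # usage: lint_diff <domains|urls> <file.diff>
    # Prints one line per problem and returns 1 if any were found.
    awk -v kind="$1" '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; errors++ }
        /^[ \t]*$/ { next }                     # ignore blank lines
        {
            op = substr($0, 1, 1); entry = substr($0, 2)
            if (op != "+" && op != "-") { bad("must start with + or -"); next }
            if (entry == "" || entry ~ /[ \t]/)
                bad("empty entry or stray whitespace")
            if (entry ~ /^[a-zA-Z]+:\/\//)
                bad("drop the scheme (http://)")
            if (kind == "domains" && entry ~ /\//)
                bad("path in a domain list; belongs in urls.diff")
            if (kind == "urls" && entry !~ /\//)
                bad("no path; belongs in domains.diff")
            if ((entry in seen) && seen[entry] != op)
                bad("added and removed in the same file")
            seen[entry] = op
        }
        END { exit (errors > 0) }
    ' "$2"
}

# Example: lint_diff domains domains.diff && lint_diff urls urls.diff && squidGuard -u
```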
Blocking ads
Ads can be annoying and on a slow, dial-up connection they can significantly increase the time required to load web pages. To block ads, first copy blank.gif from /var/www/icons to /var/www/htdocs. Then create an additional section in squidGuard.conf:
dest ads {
domainlist blacklists/ads/domains
urllist blacklists/ads/urls
redirect http://localhost/blank.gif
}
Add !ads into the 'pass' commands of your acl rules, compile the new databases and reconfigure squid:
squidGuard -C blacklists/ads/domains
squidGuard -C blacklists/ads/urls
chown squid:squid /usr/local/squidGuard/db/blacklists/ads/*.db
squid -k reconfigure
From this point on ads listed in the databases will be replaced with a small, invisible gif image. If you still see ads being loaded into web pages that you want to block, jot down the domain names/URLs, then create and apply diff files as explained above.
More information on squidGuard
http://www.squidguard.org
http://www.squidguard.org/config