| Tutorial details | |
|---|---|
| Difficulty | Intermediate |
| Root privileges | Yes |
| Requirements | squid/squidGuard |
| Estimated completion time | 20 minutes |
Step #1: Install squidguard
Open a terminal and type the following command as root on the server:
# apt-get install squidguard
Step #2: Install Blacklist
The blacklists are the heart of every URL filter. SquidGuard can use free or commercial blacklist distributions from the net, lists you create yourself, or any combination of them. Available blacklist distributions include:
- MESD blacklists (free).
- Shalla's Blacklists (free for non commercial/private use).
- Urlblacklist (commercial)
Use wget command to download blacklists from shallalist.de as follows:
# cd /tmp
# wget -c http://www.shallalist.de/Downloads/shallalist.tar.gz
Sample outputs:
--2012-08-22 00:34:16--  http://www.shallalist.de/Downloads/shallalist.tar.gz
Resolving www.shallalist.de... 78.47.242.85
Connecting to www.shallalist.de|78.47.242.85|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 9935263 (9.5M), 7448411 (7.1M) remaining [application/x-tar]
Saving to: `shallalist.tar.gz'

100%[++++++++++++++============================================>] 99,35,263    475K/s   in 16s

2012-08-22 00:34:33 (459 KB/s) - `shallalist.tar.gz' saved [9935263/9935263]
Extract the tarball, enter:
# tar -zxvf shallalist.tar.gz
Sample outputs:
BL/
BL/porn/
BL/porn/domains
BL/porn/urls
BL/gamble/
BL/gamble/domains
BL/gamble/urls
BL/chat/
BL/chat/domains
BL/chat/urls
BL/automobile/
....
..
BL/radiotv/domains
BL/radiotv/urls
BL/urlshortener/
BL/urlshortener/domains
BL/urlshortener/urls
BL/anonvpn/
BL/anonvpn/urls
BL/anonvpn/domains
In this example, install the porn blacklist using the cp command:
# cp -avr BL/porn/ /var/lib/squidguard/db/
Sample outputs:
`BL/porn/' -> `/var/lib/squidguard/db/porn'
`BL/porn/domains' -> `/var/lib/squidguard/db/porn/domains'
`BL/porn/urls' -> `/var/lib/squidguard/db/porn/urls'
Finally, create the database from text files as follows:
# cd /var/lib/squidguard/db/porn
# squidGuard -b -C domains
# squidGuard -b -C urls
Sample outputs:
Processing file and database /var/lib/squidguard/db/porn/domains
[==================================================] 100 % done
Processing file and database /var/lib/squidguard/db/porn/urls
[==================================================] 100 % done
Where,
- -b : Show a progress bar while the blacklist databases are being built.
- -C fileName : Create new .db files from the domains/urls text file given as "fileName".
Set ownership so that squid can read the files, using the chown command:
# chown proxy:proxy -R /var/lib/squidguard/db/
Step #3: Configure Squid 3
I'm assuming that Squid 3 is installed and configured properly. Edit /etc/squid3/squid.conf, enter:
# vi /etc/squid3/squid.conf
You need to specify the location of the executable for the URL rewriter using url_rewrite_program as follows:
url_rewrite_program /usr/bin/squidGuard
Save and close the file.
Step #4: Configure SquidGuard
Finally edit /etc/squid/squidGuard.conf, enter:
# vi /etc/squid/squidGuard.conf
Add the following directives:
## Block adult/porn sites for school ##
dest porn {
    domainlist porn/domains
    urllist porn/urls
}
Edit or update the acl entry as follows:
acl {
    default {
        pass !porn all
        redirect http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
    }
}
Save and close the file. Create a blocked.html page on the 192.168.1.11 web server (the host named in the redirect directive above):
<html>
<head>
<title>URL Blocked</title>
</head>
<body>
<h1>URL Blocked</h1>
<p>Access to this site / url has been blocked.</p>
<p>If you think this is an error, please contact the help-desk:</p>
<p>Call us - 123-456-789 (ext. 333)</p>
<p>Email us - proxymaster@server1.cyberciti.biz</p>
</body>
</html>
Finally, reload the squid 2/3 proxy server:
# /usr/sbin/squid3 -k reconfigure
Verify that both squid and squidGuard are working properly, run:
# tail -f /var/log/squid3/cache.log
Sample outputs:
2012/08/22 01:23:40| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2012/08/22 01:23:40| Squid modules loaded: 0
2012/08/22 01:23:40| Adaptation support is off.
2012/08/22 01:23:40| Store logging disabled
2012/08/22 01:23:40| DNS Socket created at [::], FD 8
2012/08/22 01:23:40| DNS Socket created at 0.0.0.0, FD 9
2012/08/22 01:23:40| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2012/08/22 01:23:40| helperOpenServers: Starting 5/5 'squidGuard' processes
2012/08/22 01:23:40| Accepting HTTP connections at [::]:3128, FD 30.
2012/08/22 01:23:40| HTCP Disabled.
2012/08/22 01:23:40| Loaded Icons.
2012/08/22 01:23:40| Ready to serve requests.
Step #5: Verify the configuration
Type the following command to verify that squidGuard is working and blocking URLs (squidGuard -d reads one request per line on stdin in the form "URL client-ip/fqdn ident method" and prints the redirect URL when the request is blocked):
echo "http://DOMAIN-NAME-HERE / - - GET" | squidGuard -d
echo "http://sex.com / - - GET" | squidGuard -d
Sample outputs:
2012-08-22 01:26:05 [3365] New setting: dbhome: /var/lib/squidguard/db
2012-08-22 01:26:05 [3365] New setting: logdir: /var/log/squid3
2012-08-22 01:26:05 [3365] destblock good missing active content, set inactive
2012-08-22 01:26:05 [3365] destblock local missing active content, set inactive
2012-08-22 01:26:05 [3365] init domainlist /var/lib/squidguard/db/porn/domains
2012-08-22 01:26:05 [3365] loading dbfile /var/lib/squidguard/db/porn/domains.db
2012-08-22 01:26:05 [3365] init urllist /var/lib/squidguard/db/porn/urls
2012-08-22 01:26:05 [3365] loading dbfile /var/lib/squidguard/db/porn/urls.db
2012-08-22 01:26:05 [3365] squidGuard 1.4 started (1345578965.473)
2012-08-22 01:26:05 [3365] Info: recalculating alarm in 23635 seconds
2012-08-22 01:26:05 [3365] squidGuard ready for requests (1345578965.476)
2012-08-22 01:26:05 [3365] source not found
2012-08-22 01:26:05 [3365] no ACL matching source, using default
http://192.168.1.11/blocked.html?clientaddr=+clientname=+clientident=+srcclass=default+targetclass=porn+url=http://sex.com /- - -
2012-08-22 01:26:05 [3365] squidGuard stopped (1345578965.477)
Or, if you open a blocked site in a browser, you are redirected to the blocked.html page created above.
How do I block other categories?
Update /etc/squid/squidGuard.conf as follows. Define a dest entry for each category, just as you did above for porn:
dest gamble {
    domainlist gamble/domains
    urllist gamble/urls
}
dest alcohol {
    domainlist alcohol/domains
    urllist alcohol/urls
}
Update the acl entry as follows:
acl {
    default {
        pass !porn !gamble !alcohol all
        redirect http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
    }
}
You also need to copy the corresponding blacklist directories into /var/lib/squidguard/db/:
# cd /tmp
# cp -avr BL/alcohol/ /var/lib/squidguard/db/
# cp -avr BL/gamble/ /var/lib/squidguard/db/
To build the database files for all configured blacklists, run:
# squidGuard -C all
Or build only the newly added categories:
# squidGuard -C /var/lib/squidguard/db/alcohol/domains
# squidGuard -C /var/lib/squidguard/db/alcohol/urls
Finally, set ownership so squid can read the new files:
# chown proxy:proxy -R /var/lib/squidguard/db/
Reload squid 3:
# /usr/sbin/squid3 -k reconfigure
Do not allow URL filter bypass by IP address
To make sure that users cannot bypass the URL filter by simply using an IP address instead of the FQDN, add the built-in in-addr destination group (it matches URLs whose host part is an IP address) to the acl entry as !in-addr:
acl {
    default {
        pass !porn !gamble !alcohol !in-addr all
        redirect http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
    }
}
Reload squid as follows:
# /usr/sbin/squid3 -k reconfigure
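The following helper script is an added example, not part of the original tutorial: it generates the dest/acl blocks of Step 4 and the "other categories" section for any list of categories (including the !in-addr guard), wraps the copy/build/chown sequence of Step 2, and reads the verdict of a squidGuard -d test run from Step 5. It assumes the tutorial's paths (/var/lib/squidguard/db), the proxy:proxy owner and the 192.168.1.11 redirect page; build_category needs root and squidGuard on PATH and is not exercised by the self-check.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial). Assumed: tutorial's db path, owner
# proxy:proxy and the 192.168.1.11/blocked.html redirect target.
set -eu

DBHOME=/var/lib/squidguard/db
REDIRECT='http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u'

# gen_conf porn gamble ... : print one dest block per category plus a default
# acl that passes everything except those categories and raw-IP URLs (in-addr).
gen_conf() {
    local cat deny=""
    for cat in "$@"; do
        printf 'dest %s {\n    domainlist %s/domains\n    urllist %s/urls\n}\n' "$cat" "$cat" "$cat"
        deny="$deny !$cat"
    done
    printf 'acl {\n    default {\n        pass%s !in-addr all\n        redirect %s\n    }\n}\n' \
        "$deny" "$REDIRECT"
}

# build_category BL/gamble : copy an extracted Shalla category into DBHOME,
# compile domains/urls into .db files and give squid's user ownership.
build_category() {
    local name; name=$(basename "$1")
    cp -avr "$1" "$DBHOME/"
    (cd "$DBHOME/$name" && squidGuard -b -C domains && squidGuard -b -C urls)
    chown -R proxy:proxy "$DBHOME"
}

# request_line URL : the one-line form squidGuard -d reads on stdin
# ("URL client-ip/fqdn ident method"); no client info, as in the tutorial.
request_line() { printf '%s / - - GET\n' "$1"; }

# blocked_class "<output of request_line URL | squidGuard -d>" : print the
# targetclass from the redirect URL when the request was blocked, nothing
# when it was passed (squidGuard prints an empty line for a pass).
blocked_class() {
    printf '%s\n' "$1" | sed -n 's#^http://192\.168\.1\.11/blocked\.html?.*targetclass=\([^+]*\)+.*#\1#p'
}
```

Typical use on the proxy: `gen_conf porn gamble alcohol >> /etc/squid/squidGuard.conf`, then `request_line http://sex.com | squidGuard -d 2>&1 | blocked_class` should print `porn` after the reload.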
References:
- man pages - squid(1), squidGuard(1)
- For more information see the squidGuard website.
Does it block ultrasurf? How do I block unwanted http sites or https sites, or block them only at certain times?
Very good tutorial. Thank you very much!
Seems really useful to me!
Is it possible to block https websites?
I don't think squidguard is capable of blocking https websites, but you could consider using iptables as an alternative.
Can you put the server inline (between the router and cable modem) to filter the URLs of all the PCs behind the router?
Thanks.
Yes, just put squid proxy in transparent mode and users won’t notice it at all.
Hi,
I was just confused. I did everything as shown here, but the main problem is that all sites are getting blocked.
I'm not sure, maybe I went wrong somewhere in the configuration?
Need some help please... Thanks
GREAT!!! WORKING FINE!!!!!
Very good tutorial. Thank you very much!
Lovely tutorial, but my squid will not start if I add "url_rewrite_program /usr/bin/squidGuard" to my squid.conf.
If I do a test with `echo "http://sex.com / - - GET" | squidGuard -d` it works perfectly...
What is wrong?
I do not understand the line:
Save and close the file. Create a blocked.html on 192.168.1.11 web server:
what web server? I made the blocked.html file but where do I put it?
Hello,
I am also confused about this line:
Create a blocked.html on 192.168.1.11 web server:
what is the location to save this file?
@ Andrew / sanny,
You need to install Apache2 and put the file in the /var/www/ directory.
HTH
Hello,
I've put together a little script that will update the blacklists. Basically it will download, extract, move the files into place, rebuild the squidGuard databases, and reload the squidGuard processes. It will also send an email notifying of success or failure.
With minor modifications it should work on any system. Tested on Ubuntu 10.04 with distro squid3, and squidGuard 1.6 compiled from squidguard.org.
Feel free to download at hopefully it will be of use to someone.