SquidGuard is a content filtering tool used in enterprise networks to control which sites end users and hosts can access.
SquidGuard is built to work as a plug-in for Squid. It uses black lists and URL redirection to do its content filtering.
There are many free and paid black lists available on the internet that SquidGuard can work with. These black lists contain lists of URLs and domains, usually grouped into content categories such as advertising, chat, social network, proxy, porn, webmail, education and many more.
Content filtering requirements are common in educational institutions, corporate networks, etc.
SquidGuard is open source and works with your Squid proxy server. I have done my implementation on Red Hat EL 5.x with squid 2.6.
SquidGuard Installation:
Download SquidGuard from SquidGuard.org. I have tested this with SquidGuard 1.4.
Unpack the source
tar xvzf squidGuard-1.2.1.tar.gz
Compiling: go inside the folder, then run configure and then make
cd squidGuard-1.2.1
./configure
make
This prepares the build for installation under /usr/local. SquidGuard also requires Berkeley DB to be present on the system.
Installing SquidGuard:
su -
make install
This will install SquidGuard under /usr/local.
Test the SquidGuard installation by running
squidGuard -v
and you shall see some output like the following.
SquidGuard: 1.4 Sleepycat Software: Berkeley DB 4.3.29: (May 26, 2010)
Black list for SquidGuard
After SquidGuard is installed, you will need a black list to work with. This is a list of URLs and domains which SquidGuard uses as a database to filter web content.
Black lists can be free or paid. The following are the URL black lists listed by SquidGuard on their web site:
http://urlblacklist.com/?sec=download
http://dsi.ut-capitole.fr/documentations/cache/squidguard_en.html#contrib
In this blog I shall be using Shalla’s Blacklists
Download the list using the Shalla's Blacklists download link. This black list can only be used freely for non-commercial use. Visit their site for more information.
Download the black list on your Linux box.
Untar the file:
tar xvmfpz shallalist.tar.gz
This untars the file in the present working directory, into a folder called "BL".
In this example we use the following directory to store the black list database:
/usr/local/squidGuard/db/BL
So run
mv BL /usr/local/squidGuard/db/
SquidGuard Configuration
Inside the source SquidGuard folder you will find a couple of sample files to work with
/squidGuard-1.4/samples
The file "squidGuard.cgi" is a CGI script used to generate the block message.
Make sure this file is copied to a web server that can run CGI scripts, and set its ownership to apache.apache. In this case the web server is on the same machine.
cd /squidGuard-1.4/samples
cp squidGuard.cgi /var/www/cgi-bin/
chown apache.apache /var/www/cgi-bin/squidGuard.cgi
Have the following lines in the httpd conf file to make the CGI script work:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
In the squidGuard.conf file you need to define "dbhome", the location where all the db files are stored. Make sure it is owned by squid.squid, recursively.
The directive "logdir" is the folder where all the SquidGuard log files are stored. Make sure this folder is writable by squid.
chown squid:squid -R /var/log/squidGuard
First of all, to make your life a little easier, I shall provide you with a sample working SquidGuard configuration file.
In this example 192.168.0.101 and 192.168.0.102 are in the exception list, so no filter will apply to these IP addresses.
The default rule allows the white list items for all clients, denies/blocks categories such as porn, spyware, anonvpn, warez, violence, updatesites, hacking, dating, socialnet and downloads, and allows the rest of the traffic.
[root@proxy squidGuard]# cat squidGuard.conf
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /usr/local/squidGuard/db/BL
logdir /var/log/squidGuard
src exception-list {
ip 192.168.0.101
ip 192.168.0.102
}
dest whitelist {
domainlist whitelistdomain
urllist whitelisturl
log WhiteListLog
}
dest news {
domainlist news/domains
urllist news/urls
log NewsAccess
}
dest anonvpn {
domainlist anonvpn/domains
urllist anonvpn/urls
log AnonVPNAccess
}
dest dating {
domainlist dating/domains
urllist dating/urls
log DatingSiteAccess
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
log HackingSiteAccess
}
dest porn {
domainlist porn/domains
urllist porn/urls
log PornSiteAccess
}
dest spyware {
domainlist spyware/domains
urllist spyware/urls
log SpywareSiteAccess
}
dest tracker {
domainlist tracker/domains
urllist tracker/urls
log TrackerSiteAccess
}
dest updatesites {
domainlist updatesites/domains
urllist updatesites/urls
log UpdateSiteAccess
}
dest violence {
domainlist violence/domains
urllist violence/urls
log ViolenceSiteAccess
}
dest warez {
domainlist warez/domains
urllist warez/urls
log WarezSiteAccess
}
dest socialnet {
domainlist socialnet/domains
urllist socialnet/urls
log SocialnetSiteAccess
}
dest downloads {
domainlist downloads/domains
urllist downloads/urls
log DownloadSiteAccess
}
acl {
exception-list {
pass all
}
default {
pass whitelist !porn !spyware !anonvpn !warez !violence !updatesites !hacking !dating !socialnet !downloads all
}
}
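The order of the names in the pass rule matters: squidGuard reads them left to right and the first one that applies decides, which is why whitelist comes before the blocked categories. The script below is an added example, not part of the original post or of SquidGuard; it models that evaluation over constructed domain lists laid out as DB/<category>/domains (a simplified layout), and all function names are made up for illustration.

```shell
#!/bin/sh
# Added example: models how squidGuard walks a "pass" rule left to right.
# Constructed layout: DB/<category>/domains, one domain per line.

# Print every category whose domains file lists HOST or a parent domain
# (a listed domain also covers its subdomains).
categories_for() {
    host=$1; db=$2; out=""
    for f in "$db"/*/domains; do
        [ -f "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        h=$host
        while :; do
            if grep -qxF "$h" "$f"; then out="$out $name"; break; fi
            case $h in *.*) h=${h#*.} ;; *) break ;; esac
        done
    done
    echo "${out# }"
}

# First token that applies decides: NAME passes, !NAME blocks,
# "all" passes, "none" blocks.
decide() {
    matched=" $2 "
    for tok in $1; do
        case $tok in
            all)  echo pass;  return 0 ;;
            none) echo block; return 0 ;;
            '!'*) n=${tok#?}
                  case $matched in *" $n "*) echo block; return 0 ;; esac ;;
            *)    case $matched in *" $tok "*) echo pass; return 0 ;; esac ;;
        esac
    done
    echo nomatch   # the rule did not end in "all" or "none"
}

verdict() { decide "$1" "$(categories_for "$2" "$3")"; }

# Constructed sample lists: partner.example is in both whitelist and socialnet.
make_sample_db() {
    d=$(mktemp -d)
    mkdir -p "$d/whitelist" "$d/socialnet"
    echo "partner.example" > "$d/whitelist/domains"
    printf '%s\n' "partner.example" "social.example" > "$d/socialnet/domains"
    echo "$d"
}

db=$(make_sample_db)
verdict 'whitelist !socialnet all' www.partner.example "$db"   # pass
verdict '!socialnet whitelist all' www.partner.example "$db"   # block
verdict 'whitelist !socialnet all' cdn.social.example "$db"    # block
rm -rf "$db"
```

Moving whitelist behind a negated category, as in the second call, makes the block win for a domain that appears in both lists.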
Compiling the blacklist for SquidGuard
The following command creates db files out of the black list files, which SquidGuard reads while filtering.
squidGuard -d -b -P -C all
Make sure all files are readable by squid by running the following command on the newly compiled db files:
chown -R squid.squid /usr/local/squidGuard/db/BL
Squid configuration/integration with SquidGuard
Add the following line to squid.conf file
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
This assumes that the squidGuard binary is installed as /usr/local/bin/squidGuard and the configuration file is located at /usr/local/squidGuard/squidGuard.conf.
This tells squid to run SquidGuard as a redirect program.
To get all the changes to work make sure you reload your squid configuration file
service squid reload
Testing and debugging SquidGuard
While restarting squid
service squid reload
you may run the following in a different console to check for any error or warning messages.
tail -f /var/log/squidGuard/squidGuard.log
Try accessing a restricted site through the proxy server and see it getting logged in the corresponding log file under the /var/log/squidGuard folder.
Make sure all SquidGuard config files, log files and db files are accessible by the squid user.
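The ownership and file checks above can be scripted so they run before every reload. The following is an added example, not part of the original post or of SquidGuard: it reads dbhome and logdir from a squidGuard.conf, reports list files the configuration names but that are absent (the sample configuration also refers to whitelistdomain and whitelisturl), and reports files not owned by the expected user. Function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check before reloading squid.

# conf_value KEY CONF: value of the first "KEY value" line in CONF.
conf_value() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

# missing_lists CONF: list files named by domainlist/urllist that do
# not exist under dbhome (comment lines are skipped).
missing_lists() {
    dbhome=$(conf_value dbhome "$1")
    awk '!/^[ \t]*#/ { for (i = 1; i < NF; i++)
           if ($i == "domainlist" || $i == "urllist") print $(i + 1) }' "$1" |
    while read -r rel; do
        [ -f "$dbhome/$rel" ] || echo "$dbhome/$rel"
    done
}

# not_owned_by USER CONF: files under dbhome and logdir not owned by
# USER (a user name or numeric uid).
not_owned_by() {
    for dir in "$(conf_value dbhome "$2")" "$(conf_value logdir "$2")"; do
        if [ -d "$dir" ]; then find "$dir" ! -user "$1"; fi
    done
}

# Constructed sample: porn/urls and whitelistdomain are deliberately absent.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/db/porn" "$t/log"
    echo "bad.example" > "$t/db/porn/domains"
    cat > "$t/squidGuard.conf" <<EOF
dbhome $t/db
logdir $t/log
dest whitelist { domainlist whitelistdomain
}
dest porn {
domainlist porn/domains
urllist porn/urls
}
EOF
    echo "$t"
}

t=$(make_sample)
missing_lists "$t/squidGuard.conf"            # prints the two absent list files
not_owned_by "$(id -u)" "$t/squidGuard.conf"  # prints nothing
rm -rf "$t"
```

On the setup described here, call both functions with /usr/local/squidGuard/squidGuard.conf (and squid as the user for not_owned_by); neither should print anything.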
Recap
- Download and install SquidGuard from http://www.squidguard.org/
- Download and install black lists from Shalla’s Blacklists
- Enable CGI execution on your web server and install the SquidGuard CGI scripts
- Configure log file directories
- Define/update SquidGuard configurations as per your requirement
- Compile the black list to db files, which should be readable by SquidGuard
- Tell squid to use SquidGuard as a URL filter (define redirect_program in squid.conf file)
- Reload squid and test
Integration notes for SquidGuard
If you want to use SquidGuard in an enterprise network and make it zero-configuration on the client side, in my opinion you have two options.
Transparent proxy works fine with clear-text traffic; however, SSL traffic does not work well with a squid transparent proxy.
I think Web Proxy Autodiscovery Protocol (WPAD) is a better option, as client-side configuration is zero and it gracefully passes all traffic through the proxy server, both HTTP and HTTPS.
I’m going to give this a go today and use SquidGuard as a replacement for DansGuardian in my setup.. http://blog.projectz.me/2012/08/04/getting-squid3-on-debian-6-x-to-work-with-active-directory-security-groups-and-websense/
I’m looking to use ad groups to control the filtering..
let me know how it goes 🙂
There is room for better blacklists, we intend to fill that gap.
We are the world's leading publisher of Squid ‘Native ACL’ formatted blacklists, that allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and SquidGuard. And while our blacklists are subscription based, they are as a result of our efforts, of a much higher degree of quality than the free alternatives.
We hope to serve you,
—
Signed,
Benjamin E. Nichols
http://www.squidblacklist.org