Linux · Making things work · Open Source · Proxy · security

SquidGuard implementation for enterprise network


SquidGuard is a content filtering tool used in enterprise networks to control which sites end users and hosts can access.

SquidGuard is built to work as a plug-in for Squid. It uses blacklists and URL redirection to implement the content filter.

There are many free and paid blacklists available on the internet that SquidGuard can work with. These blacklists contain lists of URLs and domains, usually categorized into content groups such as advertising, chat, social networks, proxies, porn, webmail, education and many more.

Content filtering requirements are common in educational institutions, corporate networks, etc.

SquidGuard is open source and works with your Squid proxy server. I have done my implementation on Red Hat EL 5.x with Squid 2.6.

SquidGuard Installation:

Download SquidGuard from SquidGuard.org. I have tested this with SquidGuard 1.4.

Unpack the source:

tar xvzf squidGuard-1.2.1.tar.gz

Compiling: go inside the folder, run configure and then make:

cd squidGuard-1.2.1
./configure
make

This compiles SquidGuard; the install step below places it under /usr/local. SquidGuard also requires Berkeley DB to be present on the system.

Installing SquidGuard:

su -
make install

This will install SquidGuard under /usr/local. Test the SquidGuard installation by running:

squidGuard -v

and you should see output like the following:

SquidGuard: 1.4 Sleepycat Software: Berkeley DB 4.3.29: (May 26, 2010)

Black list for SquidGuard

After SquidGuard is installed, you will need a blacklist to work with. This is a list of URLs and domains which SquidGuard uses as its database to filter web content.

Blacklists can be free or paid. The following are the URL blacklists listed by SquidGuard on their website:

http://urlblacklist.com/?sec=download

http://dsi.ut-capitole.fr/documentations/cache/squidguard_en.html#contrib

http://www.shallalist.de/

In this blog I shall be using Shalla’s Blacklists

Download the list using the following link: Shalla’s Blacklists download. This blacklist can only be used freely for non-commercial use; visit their site for more information.

Download the blacklist on your Linux box:

wget http://www.shallalist.de/Downloads/shallalist.tar.gz

Untar the file:

tar xvmfpz shallalist.tar.gz

This untars the file in the present working directory into a folder called “BL”.

In this example we use the following directory to store the blacklist database:

/usr/local/squidGuard/db/BL

So run:

mv BL /usr/local/squidGuard/db/


SquidGuard Configuration

Inside the SquidGuard source folder you will find a couple of sample files to work with:

/squidGuard-1.4/samples

The file “squidGuard.cgi” is a CGI script used to generate the block message page shown to the user.

Make sure this file is copied to a web server that can run CGI scripts, and set its ownership to apache.apache. In this case the web server is on the same host as the proxy:

cd /squidGuard-1.4/samples

cp squidGuard.cgi /var/www/cgi-bin/

chown apache.apache /var/www/cgi-bin/squidGuard.cgi

Have the following lines in the Apache httpd configuration file so the CGI script can run:

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

In the squidGuard.conf file you need to define “dbhome”, the location where all the db files are stored. Make sure it is owned by squid.squid recursively.

The directive “logdir” is the folder where all the SquidGuard log files are stored. Make sure this folder is writable by squid:

chown squid:squid -R /var/log/squidGuard

First of all, to make your life a little easier, I shall provide you with a sample working SquidGuard configuration file.

In this example 192.168.0.101 and 192.168.0.102 are in the exception list, so no filter will apply to these IP addresses.

The default rule allows the whitelist items for all clients, denies (blocks) the categories porn, spyware, anonvpn, warez, violence, updatesites, hacking, dating, socialnet and downloads, and allows the rest of the traffic.

[root@proxy squidGuard]# cat squidGuard.conf
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /usr/local/squidGuard/db/BL
logdir /var/log/squidGuard

src exception-list {
        ip 192.168.0.101
        ip 192.168.0.102
}

dest whitelist {
        domainlist      whitelistdomain
        urllist         whitelisturl
        log             WhiteListLog
}

dest news {
        domainlist      news/domains
        urllist         news/urls
        log             NewsAccess
}

dest anonvpn {
        domainlist      anonvpn/domains
        urllist         anonvpn/urls
        log             AnonVPNAccess
}

dest dating {
        domainlist      dating/domains
        urllist         dating/urls
        log             DatingSiteAccess
}

dest hacking {
        domainlist      hacking/domains
        urllist         hacking/urls
        log             HackingSiteAccess
}

dest porn {
        domainlist      porn/domains
        urllist         porn/urls
        log             PornSiteAccess
}

dest spyware {
        domainlist      spyware/domains
        urllist         spyware/urls
        log             SpywareSiteAccess
}

dest tracker {
        domainlist      tracker/domains
        urllist         tracker/urls
        log             TrackerSiteAccess
}

dest updatesites {
        domainlist      updatesites/domains
        urllist         updatesites/urls
        log             UpdateSiteAccess
}

dest violence {
        domainlist      violence/domains
        urllist         violence/urls
        log             ViolenceSiteAccess
}

dest warez {
        domainlist      warez/domains
        urllist         warez/urls
        log             WarezSiteAccess
}

dest socialnet {
        domainlist      socialnet/domains
        urllist         socialnet/urls
        log             SocialnetSiteAccess
}

dest downloads {
        domainlist      downloads/domains
        urllist         downloads/urls
        log             DownloadSiteAccess
}

acl {
        exception-list {
                pass all
                redirect        http://192.168.0.250/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }

        default {
                pass whitelist !porn !spyware !anonvpn !warez !violence !updatesites !hacking !dating !socialnet !downloads all
                redirect        http://192.168.0.250/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }
}
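
To make the semantics of the acl section concrete, here is an added example (written for this post, not SquidGuard's own code) that models how the default pass line and the exception list above are evaluated, and how the redirect URL's %-macros are filled in for a request. It assumes squid 2.x's redirector input layout "URL ip/fqdn ident method"; the DOMAINS dictionary is constructed sample data standing in for the dbhome/<category>/domains files.

```python
# Added example, not SquidGuard's code: a small model of how the ACL in the
# squidGuard.conf above is evaluated. DOMAINS stands in for the
# dbhome/<category>/domains files and is constructed sample data.
from urllib.parse import urlsplit

DOMAINS = {
    "whitelist": {"partner.example"},
    "porn":      {"partner.example", "badsite.example"},
    "socialnet": {"social.example"},
}
EXCEPTION_IPS = {"192.168.0.101", "192.168.0.102"}   # src exception-list
# Terms of the default "pass" line, checked left to right; "all" is terminal.
DEFAULT_PASS = ["whitelist", "!porn", "!spyware", "!socialnet", "all"]
REDIRECT = ("http://192.168.0.250/cgi-bin/squidGuard.cgi?clientaddr=%a"
            "&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u")

def domain_matches(host, category):
    """domainlist semantics: an entry matches the host and every subdomain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in DOMAINS.get(category, ()))

def evaluate(url, client_ip):
    """Return ("pass", None) or ("block", <category>) for one request."""
    if client_ip in EXCEPTION_IPS:           # exception-list { pass all }
        return ("pass", None)
    host = urlsplit(url).hostname or ""
    for term in DEFAULT_PASS:
        if term == "all":
            return ("pass", None)
        category = term.lstrip("!")
        if domain_matches(host, category):
            # First match wins: "whitelist" before "!porn" means a partner
            # site listed in both categories is still allowed.
            return ("block", category) if term[0] == "!" else ("pass", None)
    return ("block", "default")              # no trailing "all": implicit deny

def redirector_reply(line):
    """Model the redirect_program exchange. The input line is assumed to be
    squid 2.x's 'URL ip/fqdn ident method'; the reply is the block-page URL
    with SquidGuard's %-macros filled in, or an empty line to let it pass."""
    url, addr, ident, _method = line.split()[:4]
    ip, _, fqdn = addr.partition("/")
    verdict, category = evaluate(url, ip)
    if verdict == "pass":
        return ""
    return (REDIRECT.replace("%a", ip).replace("%n", fqdn).replace("%i", ident)
            .replace("%s", "default").replace("%t", category).replace("%u", url))
```

The order of terms on the pass line is what lets a whitelisted domain through even when it also appears in a blocked category, and the trailing "all" is what turns unlisted sites into a pass rather than an implicit deny.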

Compiling the blacklist for SquidGuard

The following command creates db files out of the blacklist text files, which SquidGuard reads while filtering:

squidGuard -d -b -P -C all

Make sure all files are readable by squid by running the following command on the newly compiled db files:

chown -R squid.squid /usr/local/squidGuard/db/BL

Squid configuration/integration with SquidGuard

Add the following line to the squid.conf file:

redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

assuming that the squidGuard binary is installed at /usr/local/bin/squidGuard and the configuration file is located at /usr/local/squidGuard/squidGuard.conf.

This tells squid to run SquidGuard as a redirect program.

To make all the changes take effect, reload your Squid configuration:

service squid reload

Testing and debugging SquidGuard

While restarting squid with

service squid reload

you may run the following in a different console to check for any error or warning messages:

tail -f /var/log/squidGuard/squidGuard.log

Try accessing a restricted site through the proxy server and see it being logged in the corresponding log file under the /var/log/squidGuard folder.

Make sure all SquidGuard config files, log files and db files are accessible by the squid user.

Recap

  1. Download and install SquidGuard from http://www.squidguard.org/
  2. Download and install blacklists from Shalla’s Blacklists
  3. Enable CGI execution on your web server and install the SquidGuard CGI script
  4. Configure the log file directories
  5. Define/update the SquidGuard configuration as per your requirements
  6. Compile the blacklist into db files, which must be readable by SquidGuard
  7. Tell Squid to use SquidGuard as a URL filter (define redirect_program in squid.conf)
  8. Reload Squid and test

Integration notes for SquidGuard

If you want to use SquidGuard in an enterprise network and try to make it zero configuration on the client side, in my opinion you have two options.

  1. Use transparent proxy for http and https traffic
  2. Use web Proxy Autodiscovery Protocol (WPAD)

Transparent proxy works fine with clear-text traffic; however, SSL traffic does not work well with a Squid transparent proxy.

I think Web Proxy Autodiscovery Protocol (WPAD) is a better option, as client-side configuration is zero and it gracefully passes all traffic, both HTTP and HTTPS, through the proxy server.


4 thoughts on “SquidGuard implementation for enterprise network”

  1. There is room for better blacklists, we intend to fill that gap.

    We are the world’s leading publisher of Squid ‘Native ACL’ formatted blacklists, that allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and SquidGuard. And while our blacklists are subscription based, they are, as a result of our efforts, of a much higher degree of quality than the free alternatives.

    We hope to serve you,


    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org
