Special:Badtitle/NS100:SquidGuard: Difference between revisions
m (no edit summary) |
m (no edit summary) |
||
(4 intermediate revisions by the same user not shown) | |||
第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/SquidGuard}} | {{From|https://help.ubuntu.com/community/SquidGuard}} | ||
{{Languages|UbuntuHelp:SquidGuard}} | {{Languages|UbuntuHelp:SquidGuard}} | ||
This howto describes the process of setting up Squid and | <<Include(Tag/StyleCleanup)>> | ||
<<Include(Tag/NeedsExpansion)>> | |||
This howto describes the process of setting up Squid and SquidGuard for the purpose of internet content filtering. It is revised for Karmic 9.10 and Squid 2.7 in the repositories with it. Older versions work a little different. | |||
There are many different configuration options available. The settings used in this howto are very simplistic and may not suit your needs. In any case it will get you up and running. More complex settings can be added afterwards. | There are many different configuration options available. The settings used in this howto are very simplistic and may not suit your needs. In any case it will get you up and running. More complex settings can be added afterwards. | ||
=== Introduction === | === Introduction === | ||
Squid is a proxy server, HTTP requests are sent to Squid instead of being sent directly to the internet. | Squid is a proxy server, HTTP requests are sent to Squid instead of being sent directly to the internet. | ||
SquidGuard is a web filter plugin for Squid which is used to restrict access to domains/URLs based upon access control lists. When SquidGuard receives a request it is examined and will either allow the page to load or will redirect to a predetermined “block” page or script. SquidGuard makes its decisions based upon the use of access control lists and databases of domains, URLs, and expressions. | |||
=== Installation === | === Installation === | ||
If you'd like to host your own block page, install apache2 | |||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install | sudo apt-get install apache2 | ||
</nowiki></pre> | </nowiki></pre> | ||
Install [[UbuntuHelp:Squid|Squid]] | |||
Make sure you have the Universe repository enabled | |||
Install SquidGuard | |||
<pre><nowiki> | <pre><nowiki> | ||
sudo apt-get install | sudo apt-get install squidguard | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Key File Locations === | === Key File Locations === | ||
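Review bot: The two `<<Include(Tag/...)>>` lines added at the top are MoinMoin macros that this wiki does not expand; the latest revision shows them as literal text ahead of the introduction. Drop them, or replace them with this wiki's own cleanup templates.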
第24行: | 第27行: | ||
| /var/log/squid/access.log || Squid access log file | | /var/log/squid/access.log || Squid access log file | ||
|- | |- | ||
| /etc/squid/squidGuard.conf || | | /etc/squid/squidGuard.conf || SquidGuard configuration file | ||
|- | |- | ||
| /var/lib/squidguard/db || | | /var/lib/squidguard/db || SquidGuard database files | ||
|- | |- | ||
| /var/log/squid/squidGuard.log || | | /var/log/squid/squidGuard.log || SquidGuard log file | ||
|} | |} | ||
=== Squid Configuration === | === Squid Configuration === | ||
The squid.conf file is huge, with hundreds of options. In this howto we will only be changing a few settings. | The squid.conf file is huge, with hundreds of options. In this howto we will only be changing a few settings. | ||
Open the squid.conf file for editing | Open the squid.conf file for editing using sudo and a text editor. You can use graphical sudo (gksudo) and gedit for this task, or `sudo nano` | ||
<pre><nowiki> | <pre><nowiki> | ||
gksudo gedit /etc/squid/squid.conf | gksudo gedit /etc/squid/squid.conf | ||
</nowiki></pre> | </nowiki></pre> | ||
Turn on line numbers in gedit (Edit > Preferences) | Turn on line numbers in gedit (Edit > Preferences) | ||
Find the `http_port tag` | Find the `http_port tag`. By default it reads `# http_port 3128` This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address – for example `192.168.1.5:3128` | ||
Now we need to tell squid where squidguard is. Find the | Now we need to tell squid where squidguard is. Find the `TAG: url_rewrite_program` heading. There is no default setting here, so we need to add our own line: | ||
<pre><nowiki> | <pre><nowiki> | ||
url_rewrite_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf | |||
</nowiki></pre> | |||
Now we'll setup who is allowed access to the proxy. Find the `TAG: http_access` heading and below it the 'INSERT YOUR OWN RULE(S) HERE...' Uncomment the line | |||
<pre><nowiki> | |||
#http_access allow localnet | |||
</nowiki></pre> | </nowiki></pre> | ||
And we need to define who is in the localnet. Find the `TAG: ACL` heading. Way down you will find | |||
<pre><nowiki> | <pre><nowiki> | ||
</nowiki></pre> | </nowiki></pre> | ||
You'll need to change 192.168.1.0 | You'll need to uncomment that line if necessary, and change that IP address to match your network. /24 signifies the block of IP addresses from 192.168.1.0 to 192.168.1.255. You can also delete any extra IP blocks out of the examples you are not using. | ||
if you get a startup error :- | if you get a startup error :- | ||
'FATAL: Could not determine fully qualified hostname. Please set visible_hostname' | 'FATAL: Could not determine fully qualified hostname. Please set visible_hostname' | ||
you will also need to | you will also need to add a visible_hostname tag, or uncomment it if you can find one in there already :- | ||
<pre><nowiki> | <pre><nowiki> | ||
visible_hostname localhost | visible_hostname localhost | ||
</nowiki></pre> | </nowiki></pre> | ||
Save the file and close gedit | Save the file and close gedit | ||
=== | === SquidGuard Configuration === | ||
For the purposes of this howto we will use a very simple configuration for | For the purposes of this howto we will use a very simple configuration for SquidGuard, with only one category of sites that we want to block. More complex and useful configurations are explained on the official SquidGuard site. | ||
First we will create a list of domains we want to block | First we will create a list of domains we want to block | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo mkdir /var/lib/squidguard/db/ | sudo mkdir /var/lib/squidguard/db/ads/ | ||
gksudo gedit /var/lib/squidguard/db/ | gksudo gedit /var/lib/squidguard/db/ads/domains | ||
</nowiki></pre> | </nowiki></pre> | ||
Insert the following, then save the file. | Insert the following, then save the file. | ||
<pre><nowiki> | <pre><nowiki> | ||
doubleclick.net | |||
flashbannernow.com | |||
addispenser.com | |||
</nowiki></pre> | </nowiki></pre> | ||
proxy must own | proxy must own the db, config, and log files | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo chown proxy:proxy /etc/squid/squidGuard.conf | |||
sudo chown -R proxy:proxy /var/lib/squidguard/db | sudo chown -R proxy:proxy /var/lib/squidguard/db | ||
sudo chown -R proxy:proxy /var/log/squid/ | |||
</nowiki></pre> | </nowiki></pre> | ||
Now we edit our squidGuard.conf file. | Now we edit our squidGuard.conf file. | ||
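Review bot: The added `url_rewrite_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf` line has an en dash instead of a hyphen before `c`, so a reader who pastes it into squid.conf does not pass the `-c` option; replace it with an ASCII `-`. The `<pre>` block after "Way down you will find" is also empty on both sides, so the acl line that the next paragraph tells the reader to uncomment is never shown.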
第79行: | 第86行: | ||
Replace the deleted text with the following: | Replace the deleted text with the following: | ||
<pre><nowiki> | <pre><nowiki> | ||
dest | dest ads { | ||
domainlist | domainlist ads/domains | ||
} | } | ||
acl { | acl { | ||
default { | default { | ||
pass ! | pass !ads all | ||
redirect http://yourip/block.html | redirect http://yourip/block.html | ||
} | } | ||
第94行: | 第101行: | ||
sudo squidGuard –C all | sudo squidGuard –C all | ||
</nowiki></pre> | </nowiki></pre> | ||
Create a page to redirect blocked requests to | Create a page to redirect blocked requests to. If you can write raw html in a text editor do | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo nano /var/www/block.html | sudo nano /var/www/block.html | ||
</nowiki></pre> | </nowiki></pre> | ||
REMEMBER, this 'block.html' page points to the default web servers directories, probably Apache as installed above. You must have a web server running on the machine for this to work! | If not, use a WYSIWYG editor, and copy the files into the /var/www directory. REMEMBER, this 'block.html' page points to the default web servers directories, probably Apache as installed above. You must have a web server running on the machine for this to work! Or you get an error message with the redirect on the client's PC. You could also redirect it to another server running a web server and let it host the error pages. | ||
Put whatever message you want in this page. | Put whatever message you want in this page. | ||
Fire up squid and squidguard | Fire up squid and squidguard | ||
<pre><nowiki> | |||
sudo /etc/init.d/squid start|restart|stop | sudo /etc/init.d/squid start|restart|stop | ||
sudo squid -k reconfigure | |||
squid -k reconfigure | |||
</nowiki></pre> | </nowiki></pre> | ||
If you change your block page after you have visited it, Squid will have cached it, and will not refetch the new version until its default cache expiration time has been reached (generally 1 week). If you'd like to purge the Squid cache to fetch your revised block page, see the [[UbuntuHelp:Squid|Squid Page.]] | |||
=== Testing === | === Testing === | ||
Change all your client browser settings to use your new proxy. | Change all your client browser settings to use your new proxy. | ||
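Review bot: `sudo squidGuard –C all` at the top of this hunk builds the database as root, and in this revision it runs after the `chown -R proxy:proxy /var/lib/squidguard/db` step, so the generated database files end up owned by root, which is the ownership problem the troubleshooting section goes on to describe. Move the chown after the compile step or repeat it there, and replace the en dash in `–C` with a hyphen. In the start-up block, `start|restart|stop` is a shell pipeline if pasted as written; list the alternatives separately.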
第117行: | 第123行: | ||
ps -e | grep squid | ps -e | grep squid | ||
</nowiki></pre> | </nowiki></pre> | ||
You should see 1 or 2 squid processes, and 5 squidGuard processes. If not then lets restart Squid. | You should see 1 or 2 squid processes, and 5 squidGuard processes. If not then lets restart Squid. If you previously had an abort when you were trying to reconfigure, then squid crashed and you need to start it again, else skip to the reconfigure step... | ||
<pre><nowiki> | <pre><nowiki> | ||
squid -k reconfigure | sudo /etc/init.d/squid start | ||
sudo squid -k reconfigure | |||
</nowiki></pre> | </nowiki></pre> | ||
Again, check what processes are running. | Again, check what processes are running. | ||
Still having problems? Check what's being written to the squidGuard.log file | Still having problems? Check what's being written to the squidGuard.log file | ||
<pre><nowiki> | <pre><nowiki> | ||
tail /var/log/squid/squidGuard.log | sudo tail /var/log/squid/squidGuard.log | ||
</nowiki></pre> | </nowiki></pre> | ||
You might see something here that mentions that | You might see something here that mentions that SquidGuard has gone into emergency mode. You also might see a generic error like 'Error db_open: Permission denied'. If either is the case, the following may help. | ||
It is often useful to run squidGuard directly from the command line to see what it is doing. An example is: | It is often useful to run squidGuard directly from the command line to see what it is doing. An example is: | ||
<pre><nowiki> | <pre><nowiki> | ||
echo "http://www. | sudo echo "http://www.ubuntu.com {client ip address}/ - - GET" | squidGuard -d -c /etc/squid/squidGuard.conf | ||
</nowiki></pre> | </nowiki></pre> | ||
You can change the URL to whatever you'd like to test for access or denial. The IP address is the address of the computer you want to simulate as surfing the net from. | |||
==== | ==== SquidGuard Emergency Mode ==== | ||
When squidguard starts up, it tries to do the following things: | When squidguard starts up, it tries to do the following things: | ||
<ol><li>Read the configuration file | <ol><li>Read the configuration file | ||
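Review bot: In the changed test command `sudo` was put in front of `echo`, so only `echo` is elevated and `squidGuard` on the right of the pipe still runs as the invoking user. Put the privilege change on the right-hand side, for example `echo "..." | sudo -u proxy squidGuard -d -c /etc/squid/squidGuard.conf`, so the test runs with the same file access that squid has.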
第148行: | 第155行: | ||
/var/lib/squidguard/db | /var/lib/squidguard/db | ||
</nowiki></pre> | </nowiki></pre> | ||
* The ownership of the configuration file, logfiles, or blacklist files is not correct. These files should be owned by the user and group under which the squid program runs. In the case of Ubuntu, that user is `proxy` | * The ownership of the configuration file, logfiles, or blacklist files is not correct. These files should be owned by the user and group under which the squid program runs. In the case of Ubuntu, that user is `proxy` (I think this is no longer accurate. To get squid to read the domain and db files, I had to set the permissions to 777, setting to 775 would not work. While unsafe, this indicates squid is not running as user 'proxy'. I will edit this if I can determine the actual user name.) | ||
* To make sure the ownership is correct, run the following commands: | * To make sure the ownership is correct, run the following commands: | ||
<pre><nowiki> | <pre><nowiki> | ||
chown proxy:proxy /etc/squid/squidGuard.conf | sudo chown proxy:proxy /etc/squid/squidGuard.conf | ||
sudo chown -R proxy:proxy /var/lib/squidguard/db | |||
chown -R proxy:proxy /var/lib/squidguard/db | sudo chown -R proxy:proxy /var/log/squid/ | ||
chown -R proxy:proxy /var/log/squid/ | |||
</nowiki></pre> | </nowiki></pre> | ||
* The permissions of the configuration file, logfiles, or blacklist files is not correct. Set the permissions as follows: | * The permissions of the configuration file, logfiles, or blacklist files is not correct. Set the permissions as follows: | ||
<pre><nowiki> | <pre><nowiki> | ||
chmod 644 /etc/squid/squidGuard.conf | chmod 644 /etc/squid/squidGuard.conf | ||
chmod -R 640 /var/lib/squidguard/db | chmod -R 640 /var/lib/squidguard/db | ||
chmod -R 644 /var/log/squid/ | chmod -R 644 /var/log/squid/ | ||
find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print | find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print | ||
chmod 755 /var/log/squid | chmod 755 /var/log/squid | ||
</nowiki></pre> | </nowiki></pre> | ||
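Review bot: The parenthetical added to the `proxy` ownership bullet puts a first-person guess and a 777 workaround into the instructions while the next bullet still tells readers to chown everything to `proxy:proxy`, so the page now contradicts itself. Move the remark to the discussion page until the account is confirmed, for instance from the user column of the running squid process. The `chown` lines gained `sudo` here, but the `chmod` and `find` lines below them did not.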
第172行: | 第173行: | ||
Bad: | Bad: | ||
<pre><nowiki> | <pre><nowiki> | ||
dest | dest ads | ||
{ | { | ||
</nowiki></pre> | </nowiki></pre> | ||
Good: | Good: | ||
<pre><nowiki> | <pre><nowiki> | ||
dest | dest ads { | ||
</nowiki></pre> | |||
After fixing these problems issue the command to restart with the new settings | |||
<pre><nowiki> | |||
sudo squid –k reconfigure | |||
</nowiki></pre> | </nowiki></pre> | ||
You also need to create Swap directories with 'sudo squid -z' | |||
You also need to create Swap directories with 'squid -z' | |||
If you still have errors you can start squid with 'squid -NCd1' which starts in debug/verbose mode which will show any errors. As above, the most likely will be permissions. | If you still have errors you can start squid with 'squid -NCd1' which starts in debug/verbose mode which will show any errors. As above, the most likely will be permissions. | ||
=== External Links === | === External Links === | ||
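Review bot: The added `sudo squid –k reconfigure` has an en dash in place of the hyphen before `k`, so squid does not receive the `-k` option when the line is pasted; the other `-k reconfigure` lines in this revision use a plain hyphen. Replace the en dash with an ASCII `-`.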
第186行: | 第190行: | ||
*[http://www.squidguard.org/ Official SquidGuard site] | *[http://www.squidguard.org/ Official SquidGuard site] | ||
*[http://www.maynidea.com/squidguard/faq-plus.html SquidGuard FAQ] | *[http://www.maynidea.com/squidguard/faq-plus.html SquidGuard FAQ] | ||
*[http://www.squidguard.org/ | *[http://www.squidguard.org/blacklists.html/ Downloadable blacklists] | ||
=== In Need Of Further Documentation === | === In Need Of Further Documentation === | ||
* More sophisticated configurations (source groups, time settings, more destination groups, urls, expressions) | * More sophisticated configurations (source groups, time settings, more destination groups, urls, expressions) | ||
* Using diff files | * Using diff files | ||
* Using Ident | * Using Ident | ||
[[category: | ---- | ||
[[category:CategoryNetworking]] [[category:CategorySecurity]] | |||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
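Review bot: The new blacklist link `http://www.squidguard.org/blacklists.html/` ends in a slash after `.html`, which asks the server for a directory rather than the page. Drop the trailing slash and confirm that the link resolves.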
Latest revision as of 00:16, 20 May 2010 (Thursday)
Article source: https://help.ubuntu.com/community/SquidGuard
This howto describes the process of setting up Squid and SquidGuard for the purpose of internet content filtering. It is revised for Karmic 9.10 and the Squid 2.7 in the repositories with it. Older versions work a little differently. There are many different configuration options available. The settings used in this howto are very simplistic and may not suit your needs. In any case they will get you up and running. More complex settings can be added afterwards.
Introduction
Squid is a proxy server: HTTP requests are sent to Squid instead of being sent directly to the internet. SquidGuard is a web filter plugin for Squid which is used to restrict access to domains/URLs based upon access control lists. When SquidGuard receives a request, it examines it and either allows the page to load or redirects to a predetermined "block" page or script. SquidGuard makes its decisions based upon access control lists and databases of domains, URLs, and expressions.
Installation
If you'd like to host your own block page, install apache2
sudo apt-get install apache2
Install Squid.
Make sure you have the Universe repository enabled.
Install SquidGuard
sudo apt-get install squidguard
Key File Locations
File | Purpose |
/etc/squid/squid.conf | Squid configuration file |
/var/log/squid/access.log | Squid access log file |
/etc/squid/squidGuard.conf | SquidGuard configuration file |
/var/lib/squidguard/db | SquidGuard database files |
/var/log/squid/squidGuard.log | SquidGuard log file |
Squid Configuration
The squid.conf file is huge, with hundreds of options. In this howto we will only be changing a few settings. Open the squid.conf file for editing using sudo and a text editor. You can use graphical sudo (gksudo) and gedit for this task, or `sudo nano`
gksudo gedit /etc/squid/squid.conf
Turn on line numbers in gedit (Edit > Preferences).
Find the `http_port` tag. By default it reads `# http_port 3128`. This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address, for example `192.168.1.5:3128`.
Now we need to tell squid where squidguard is. Find the `TAG: url_rewrite_program` heading. There is no default setting here, so we need to add our own line:
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
Now we'll set up who is allowed access to the proxy. Find the `TAG: http_access` heading and, below it, the 'INSERT YOUR OWN RULE(S) HERE...' comment. Uncomment the line
#http_access allow localnet
And we need to define who is in the localnet. Find the `TAG: ACL` heading. Way down you will find
You'll need to uncomment that line if necessary, and change that IP address to match your network. /24 signifies the block of IP addresses from 192.168.1.0 to 192.168.1.255. You can also delete any extra IP blocks in the examples that you are not using.
If you get the startup error 'FATAL: Could not determine fully qualified hostname. Please set visible_hostname', you will also need to add a visible_hostname tag, or uncomment it if you can find one in there already:
visible_hostname localhost
Save the file and close gedit
SquidGuard Configuration
For the purposes of this howto we will use a very simple configuration for SquidGuard, with only one category of sites that we want to block. More complex and useful configurations are explained on the official SquidGuard site. First we will create a list of domains we want to block
sudo mkdir /var/lib/squidguard/db/ads/
gksudo gedit /var/lib/squidguard/db/ads/domains
Insert the following, then save the file.
doubleclick.net
flashbannernow.com
addispenser.com
The proxy user must own the db, config, and log files:
sudo chown proxy:proxy /etc/squid/squidGuard.conf
sudo chown -R proxy:proxy /var/lib/squidguard/db
sudo chown -R proxy:proxy /var/log/squid/
Now we edit our squidGuard.conf file.
gksudo gedit /etc/squid/squidGuard.conf
Delete everything after the line `logdir /var/log/squid`. Replace the deleted text with the following:
dest ads {
        domainlist ads/domains
}
acl {
        default {
                pass !ads all
                redirect http://yourip/block.html
        }
}
Time to compile the domains list into a database
sudo squidGuard -C all
Create a page to redirect blocked requests to. If you can write raw html in a text editor do
sudo nano /var/www/block.html
If not, use a WYSIWYG editor, and copy the files into the /var/www directory. REMEMBER, this 'block.html' page lives in the default web server's directory, probably Apache as installed above. You must have a web server running on the machine for this to work! Otherwise the client's PC gets an error message on the redirect. You could also redirect to another server running a web server and let it host the error pages. Put whatever message you want in this page.
Fire up squid and squidguard
sudo /etc/init.d/squid start    # or restart / stop, as needed
sudo squid -k reconfigure
If you change your block page after you have visited it, Squid will have cached it, and will not refetch the new version until its default cache expiration time has been reached (generally 1 week). If you'd like to purge the Squid cache to fetch your revised block page, see the Squid Page.
Testing
Change all your client browser settings to use your new proxy. If you are using Firefox, this is done via Edit > Preferences > Connection Settings. Enter the IP address of your new proxy server, and the port number you previously configured. The 3 domains we added to our domains file should be blocked.
Troubleshooting
It is fairly common to run into problems. 99% of the time, it comes down to permissions or ownership of files. First of all, let's check what processes are running.
ps -e | grep squid
You should see 1 or 2 squid processes, and 5 squidGuard processes. If not, then let's restart Squid. If you previously had an abort when you were trying to reconfigure, then squid crashed and you need to start it again; otherwise skip to the reconfigure step.
sudo /etc/init.d/squid start
sudo squid -k reconfigure
Again, check what processes are running.
Still having problems? Check what's being written to the squidGuard.log file
sudo tail /var/log/squid/squidGuard.log
You might see something here that mentions that SquidGuard has gone into emergency mode. You also might see a generic error like 'Error db_open: Permission denied'. If either is the case, the following may help. It is often useful to run squidGuard directly from the command line to see what it is doing. An example is:
echo "http://www.ubuntu.com {client ip address}/ - - GET" | sudo -u proxy squidGuard -d -c /etc/squid/squidGuard.conf
You can change the URL to whatever you'd like to test for access or denial. The IP address is the address of the computer you want to simulate as surfing the net from.
SquidGuard Emergency Mode
When squidguard starts up, it tries to do the following things:
- Read the configuration file
- Read the database or text files with the lists of sites to block
- Write to its log file
If it fails to do any of these things, it goes into "emergency mode"; effectively this means that it doesn't do anything. The following problems will cause either 1, 2, or 3 to fail:
- The configuration file is not in the place specified in squid.conf. Make sure squidguard is started with this line in squid.conf:
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
- The database files are not in the place defined in squidGuard.conf. Make sure the following is one of the first lines in squidGuard.conf:
dbhome /var/lib/squidguard/db
- The ownership of the configuration file, logfiles, or blacklist files is not correct. These files should be owned by the user and group under which the squid program runs. In the case of Ubuntu, that user is `proxy` (I think this is no longer accurate. To get squid to read the domain and db files, I had to set the permissions to 777, setting to 775 would not work. While unsafe, this indicates squid is not running as user 'proxy'. I will edit this if I can determine the actual user name.)
- To make sure the ownership is correct, run the following commands:
sudo chown proxy:proxy /etc/squid/squidGuard.conf
sudo chown -R proxy:proxy /var/lib/squidguard/db
sudo chown -R proxy:proxy /var/log/squid/
- The permissions of the configuration file, logfiles, or blacklist files are not correct. Set the permissions as follows:
sudo chmod 644 /etc/squid/squidGuard.conf
sudo chmod -R 640 /var/lib/squidguard/db
sudo chmod -R 644 /var/log/squid/
sudo find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
sudo chmod 755 /var/log/squid
- There is a line-end before the "{" character in source or dest lists:
Bad:
dest ads
{
Good:
dest ads {
After fixing these problems, issue the command to restart with the new settings
sudo squid -k reconfigure
You also need to create swap directories with 'sudo squid -z'.
If you still have errors you can start squid with 'squid -NCd1', which starts it in debug/verbose mode and will show any errors. As above, the most likely cause is permissions.
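The emergency-mode causes listed above can be checked before Squid is restarted. The shell functions below are an added example, not part of the original howto or of SquidGuard: they read dbhome and logdir from the configuration file and report the brace layout, ownership and permission problems from this section without changing anything. The sg_* names and the extra world-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original howto): read-only pre-flight check for
# the SquidGuard "emergency mode" causes described above.

# Print the first value of KEY ($2, e.g. dbhome or logdir) in config file $1.
sg_conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the line numbers in config file $1 where a source/dest block name is
# not followed by "{" on the same line (the "Bad" layout).
sg_brace_lines() {
    awk '$1 ~ /^(src|source|dest|destination)$/ && index($0, "{") == 0 { print NR }' "$1"
}

# Record one failed check: $1 = message, $2 = optional detail lines.
sg_fail() {
    echo "FAIL: $1"
    if [ -n "$2" ]; then echo "$2" | sed 's/^/    /'; fi
    sg_problems=$((sg_problems + 1))
}

# sg_preflight CONF [USER]
# Prints one FAIL block per failed check and returns the number of failed
# checks (0 = nothing found). USER defaults to "proxy", the account the howto
# names for Ubuntu; pass another name or a numeric uid if squid runs as a
# different account on your system.
sg_preflight() {
    sg_conf=$1
    sg_user=${2:-proxy}
    sg_problems=0

    # Cause 1: the configuration file cannot be read or parsed.
    if [ ! -f "$sg_conf" ] || [ ! -r "$sg_conf" ]; then
        sg_fail "configuration file missing or unreadable: $sg_conf"
        return "$sg_problems"
    fi
    sg_list=$(sg_brace_lines "$sg_conf")
    if [ -n "$sg_list" ]; then
        sg_fail "line-end before '{' in a source/dest block, at line(s):" "$sg_list"
    fi

    # Causes 2 and 3: the database and log directories must exist.
    sg_db=$(sg_conf_value "$sg_conf" dbhome)
    sg_log=$(sg_conf_value "$sg_conf" logdir)
    set -- "$sg_conf"                      # paths for the find checks below
    if [ -d "$sg_db" ]; then set -- "$@" "$sg_db"
    else sg_fail "dbhome is not set or not a directory: '$sg_db'"; fi
    if [ -d "$sg_log" ]; then set -- "$@" "$sg_log"
    else sg_fail "logdir is not set or not a directory: '$sg_log'"; fi

    # Ownership: everything must belong to the account squid runs as.
    sg_list=$(find "$@" ! -user "$sg_user" -print 2>&1) || true
    if [ -n "$sg_list" ]; then sg_fail "not owned by $sg_user:" "$sg_list"; fi

    # Permissions: the owner must be able to read files and enter directories.
    sg_list=$(find "$@" \( -type f ! -perm -400 -o -type d ! -perm -500 \) -print 2>&1) || true
    if [ -n "$sg_list" ]; then sg_fail "owner cannot read/enter:" "$sg_list"; fi

    # Assumption of this example: flag world-writable entries (e.g. mode 777),
    # since any local account could then edit the blocklist or the config.
    sg_list=$(find "$@" ! -type l -perm -002 -print 2>&1) || true
    if [ -n "$sg_list" ]; then sg_fail "world-writable:" "$sg_list"; fi

    return "$sg_problems"
}

# Demo on a constructed tree (not real data): the "Bad" brace layout plus a
# world-writable domains file, checked against the current uid. Returns 2.
sg_demo() {
    sg_tmp=$(mktemp -d) || return 99
    mkdir -p "$sg_tmp/db/ads" "$sg_tmp/log"
    echo "doubleclick.net" > "$sg_tmp/db/ads/domains"
    printf 'dbhome %s\nlogdir %s\ndest ads\n{\n domainlist ads/domains\n}\n' \
        "$sg_tmp/db" "$sg_tmp/log" > "$sg_tmp/squidGuard.conf"
    chmod 755 "$sg_tmp/db" "$sg_tmp/db/ads" "$sg_tmp/log"
    chmod 644 "$sg_tmp/squidGuard.conf"
    chmod 777 "$sg_tmp/db/ads/domains"
    sg_rc=0
    sg_preflight "$sg_tmp/squidGuard.conf" "$(id -u)" || sg_rc=$?
    rm -rf "$sg_tmp"
    return "$sg_rc"
}

# Usage on a real system (run with enough privilege to read the files):
#   . ./sg_preflight.sh && sg_preflight /etc/squid/squidGuard.conf proxy
```

A return value of 0 means none of the listed causes was found; it does not show which account squid actually runs as, so pass that account explicitly if it is not proxy.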
External Links
In Need Of Further Documentation
- More sophisticated configurations (source groups, time settings, more destination groups, urls, expressions)
- Using diff files
- Using Ident