“UbuntuHelp:SquidGuard”的版本间的差异

2007年11月30日 (五) 21:33的版本

文章出处:

https://help.ubuntu.com/community/SquidGuard

点击翻译:

English

请不要直接编辑翻译本页，本页将定期与来源同步。

This howto describes the process of setting up Squid and SquidGuard for the purpose of internet content filtering. There are many different configuration options available. The settings used in this howto are very simplistic and may not suit your needs. In any case it will get you up and running. More complex settings can be added afterwards.

Introduction

Squid is a proxy server, HTTP requests are sent to Squid instead of being sent directly to the internet. SquidGuard is a web filter plugin for Squid which is used to restrict access to domains/URLs based upon access control lists. When SquidGuard receives a request it is examined and will either allow the page to load or will redirect to a predetermined “block” page or script. SquidGuard makes its decisions based upon the use of access control lists and databases of domains, URLs, and expressions.

Installation

Make sure you have the Universe repository enabled Install Squid and SquidGuard

sudo apt-get install squid squidguard

If you don't have a web server installed

sudo apt-get install apache2

Key File Locations

Squid Configuration

The squid.conf file is huge, with hundreds of options. In this howto we will only be changing a few settings. Open the squid.conf file for editing

gksudo gedit /etc/squid/squid.conf

Turn on line numbers in gedit (Edit > Preferences) Find the `http_port tag` (should be on or around line 53, its currently Line 89 in 7.10 release) By default it reads `# http_port 3128` This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address – for example `192.168.1.5:3128` Now we need to tell squid where squidguard is. Find the redirect_program tag (should be around line 1028) There is no default setting here, so we need to add our own line below the redirect_program description:

redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf

OK, now we'll setup who is allowed access to the proxy. Find the http_access section (should start around line 1860,line 2589 in 7.04 and line 2608 in 7.10 release) Uncomment these 2 lines:

#http_access allow our_networks

You'll need to change 192.168.1.0/24 to match your network. Unless you have a second subnet you can delete 192.168.2.0/24 if you get a startup error :- 'FATAL: Could not determine fully qualified hostname. Please set visible_hostname' you will also need to modify the visible_hostname tag (around line 2909 in 7.10) to:- NOTE: this needs to be added as a new line in 7.10 (not sure about other releases) as there is no commented out line re-introduce.

visible_hostname localhost

Save the file and close gedit

SquidGuard Configuration

For the purposes of this howto we will use a very simple configuration for SquidGuard, with only one category of sites that we want to block. More complex and useful configurations are explained on the official SquidGuard site. First we will create a list of domains we want to block

sudo mkdir /var/lib/squidguard/db/weapons/
gksudo gedit /var/lib/squidguard/db/weapons/domains

Insert the following, then save the file.

israeli-weapons.com
uws.com
glock.com

proxy must own all the db files

sudo chown -R proxy:proxy /var/lib/squidguard/db

Now we edit our squidGuard.conf file.

gksudo gedit /etc/squid/squidGuard.conf

Delete everything after the line: `logdir /var/log/squid` Replace the deleted text with the following:

dest weapons {
	domainlist weapons/domains
}
acl {
	default {
		pass !weapons
		redirect http://yourip/block.html
	}
}

Time to compile the domains list into a database

sudo squidGuard –C all

Create a page to redirect blocked requests to

sudo nano /var/www/block.html

REMEMBER, this 'block.html' page points to the default web servers directories, probably Apache as installed above. You must have a web server running on the machine for this to work! or you get an error message with the redirect on the client's PC. You could also redirect it to another server running a web server and let it host the error pages. Put whatever message you want in this page. Fire up squid and squidguard If it is not running you can use :- sudo /etc/init.d/squid start|restart|stop then this will work

squid -k reconfigure

Testing

Change all your client browser settings to use your new proxy. If you are using Firefox, this is done via Edit > Preferences > Connection Settings. Enter the IP address of your new Proxy server, and the port number you previously configure. The 3 domains we added to our domains file should be blocked.

Troubleshooting

It is fairly common to run into problems. 99% of the time, it comes down to permissions or ownership of files. First of all, lets check what processes are running.

ps -e | grep squid

You should see 1 or 2 squid processes, and 5 squidGuard processes. If not then lets restart Squid.

squid -k reconfigure

Again, check what processes are running. Still having problems? Check what's being written to the squidGuard.log file

tail /var/log/squid/squidGuard.log

You might see something here that mentions that SquidGuard has gone into emergency mode. If this is the case, the following may help. It is often useful to run squidGuard directly from the command line to see what it is doing. An example is:

echo "http://www.somesite.com 10.0.0.1/ - - GET" | squidGuard -d -c /etc/squid/squidGuard.conf

This should be run as root.

SquidGuard Emergency Mode

When squidguard starts up, it tries to do the following things:

1. Read the configuration file
2. Read the database or text files with the lists of sites to block
3. Write to its log file

If it fails to do any of these things, it goes into "emergency mode"; effectively this means that it doesn't do anything. The following problems will cause either 1, 2, or 3 to fail:

• The configuration file is not in the place specified in squid.conf. Make sure squidguard is started with this line in squid.conf:

redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf

• The database files are not in the place defined in squidGuard.conf. Make sure the following is one of the first lines in squidGuard.conf:

/var/lib/squidguard/db

• The ownership of the configuration file, logfiles, or blacklist files is not correct. These files should be owned by the user and group under which the squid program runs. In the case of Ubuntu, that user is `proxy`
• To make sure the ownership is correct, run the following commands:

chown proxy:proxy /etc/squid/squidGuard.conf
chown -R proxy:proxy /var/lib/squidguard/db
chown -R proxy:proxy /var/log/squid/

• The permissions of the configuration file, logfiles, or blacklist files is not correct. Set the permissions as follows:

chmod 644 /etc/squid/squidGuard.conf
chmod -R 640 /var/lib/squidguard/db
chmod -R 644 /var/log/squid/
find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
chmod 755 /var/log/squid

• There is a line-end before the "{" character in source or dest lists:

Bad:

dest weapons
{

Good:

dest weapons {

After fixing these problems issue the command : `squid –k reconfigure` To restart Squid and SquidGuard with the new settings. You also need to create Swap directories with 'squid -z' If you still have errors you can start squid with 'squid -NCd1' which starts in debug/verbose mode which will show any errors. As above, the most likely will be permissions.

External Links

• Official Squid site
• Official SquidGuard site
• SquidGuard FAQ
• Downloadable blacklists

In Need Of Further Documentation

• More sophisticated configurations (source groups, time settings, more destination groups, urls, expressions)
• Using diff files
• Using Ident