UbuntuHelp:SquidGuard
来自Ubuntu中文
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
This howto describes the process of setting up Squid and SquidGuard for the purpose of internet content filtering.
There are many different configuration options available. The settings used in this howto are very simplistic and may not suit your needs. In any case it will get you up and running. More complex settings can be added afterwards.
目录
Introduction
Squid is a proxy server, HTTP requests are sent to Squid instead of being sent directly to the internet.
SquidGuard is a web filter plugin for Squid which is used to restrict access to domains/URLs based upon access control lists. When SquidGuard receives a request it is examined and will either allow the page to load or will redirect to a predetermined “block” page or script. SquidGuard makes its decisions based upon the use of access control lists and databases of domains, URLs, and expressions.
Installation
Make sure you have the Universe repository enabled
Install Squid and SquidGuard
sudo apt-get install squid squidguard
If you don't have a web server installed
sudo apt-get install apache2
Key File Locations
| <rowstyle="background-color: #FFFFDD;"> File | Purpose |
| /etc/squid/squid.conf | Squid configuration file |
| /var/log/squid/access.log | Squid access log file |
| /etc/squid/squidGuard.conf | SquidGuard configuration file |
| /var/lib/squidguard/db | SquidGuard database files |
| /var/log/squid/squidGuard.log | SquidGuard log file |
Squid Configuration
The squid.conf file is huge, with hundreds of options. In this howto we will only be changing a few settings. Open the squid.conf file for editing
gksudo gedit /etc/squid/squid.conf
Turn on line numbers in gedit (Edit > Preferences)
Find the `http_port tag` (should be on or around line 53) By default it reads `# http_port 3128` This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address – for example `192.168.1.5:3128`
Now we need to tell squid where squidguard is. Find the redirect_program tag (should be around line 1028) There is no default setting here, so we need to add our own line below the redirect_program description:
redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
OK, now we'll setup who is allowed access to the proxy. Find the http_access section (should start around line 1860) Uncomment these 2 lines:
#acl our_networks src 192.168.1.0/24 192.168.2.0/24 #http_access allow our_networks
You'll need to change 192.168.1.0/24 to match your network. Unless you have a second subnet you can delete 192.168.2.0/24
if you get a startup error :- 'FATAL: Could not determine fully qualified hostname. Please set visible_hostname' you will also need to modify the visible_hostname tag to:-
visible_hostname localhost
Save the file and close gedit
SquidGuard Configuration
For the purposes of this howto we will use a very simple configuration for SquidGuard, with only one category of sites that we want to block. More complex and useful configurations are explained on the official SquidGuard site.
First we will create a list of domains we want to block
sudo mkdir /var/lib/squidguard/db/weapons/ gksudo gedit /var/lib/squidguard/db/weapons/domains
Insert the following, then save the file.
israeli-weapons.com uws.com glock.com
proxy must own all the db files
sudo chown proxy:proxy –R /var/lib/squidguard/db
Now we edit our squidGuard.conf file.
gksudo gedit /etc/squid/squidGuard.conf
Delete everything after the line: `logdir /var/log/squid`
Replace the deleted text with the following:
dest weapons {
domainlist weapons/domains
}
acl {
default {
pass !weapons
redirect http://yourip/block.html
}
}
Time to compile the domains list into a database
sudo squidGuard –C all
Make sure proxy owns all the database
sudo chown proxy:proxy –R /var/lib/squidguard/db
Create a page to redirect blocked requests to
sudo nano /var/www/block.html
REMEMBER, this 'block.html' page points to the default web servers directories, probably Apache as installed above. You must have a web server running on the machine for this to work! or you get an error message with the redirect on the client's PC. You could also redirect it to another server running a web server and let it host the error pages. Put whatever message you want in this page.
Fire up squid and squidguard
squid -k reconfigure
Testing
Change all your client browser settings to use your new proxy.
If you are using Firefox, this is done via Edit > Preferences > Connection Settings. Enter the IP address of your new Proxy server, and the port number you previously configure.
The 3 domains we added to our domains file should be blocked.
Troubleshooting
It is fairly common to run into problems. 99% of the time, it comes down to permissions or ownership of files.
First of all, lets check what processes are running.
ps -e | grep squid
You should see 1 or 2 squid processes, and 5 squidGuard processes. If not then lets restart Squid.
squid -k reconfigure
Again, check what processes are running.
Still having problems? Check what's being written to the squidGuard.log file
tail /var/log/squid/squidGuard.log
You might see something here that mentions that SquidGuard has gone into emergency mode. If this is the case, the following may help.
SquidGuard Emergency Mode
When squidguard starts up, it tries to do the following things:
- Read the configuration file
- Read the database or text files with the lists of sites to block
- Write to its log file
If it fails to do any of these things, it goes into "emergency mode"; effectively this means that it doesn't do anything.
The following problems will cause either 1, 2, or 3 to fail:
- The configuration file is not in the place specified in squid.conf. Make sure squidguard is started with this line in squid.conf:
redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
- The database files are not in the place defined in squidGuard.conf. Make sure the following is one of the first lines in squidGuard.conf:
/var/lib/squidguard/db
- The ownership of the configuration file, logfiles, or blacklist files is not correct. These files should be owned by the user and group under which the squid program runs. In the case of Ubuntu, that user is `proxy`
- To make sure the ownership is correct, run the following commands:
chown proxy:proxy /etc/squid/squidGuard.conf chown -R proxy:proxy /var/lib/squidguard/db chown -R proxy:proxy /var/log/squid/
- The permissions of the configuration file, logfiles, or blacklist files is not correct. Set the permissions as follows:
chmod 644 /etc/squid/squidGuard.conf
chmod -R 640 /var/lib/squidguard/db
chmod -R 644 /var/log/squid/
find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
chmod 755 /var/log/squid
- There is a line-end before the "{" character in source or dest lists:
Bad:
dest weapons
{
Good:
dest weapons {
After fixing these problems issue the command : `squid –k reconfigure` To restart Squid and SquidGuard with the new settings.
You also need to create Swap directories with 'squid -z'
If you still have errors you can start squid with 'squid -NCd1' which starts in debug/verbose mode which will show any errors. As above, the most likely will be permissions.
External Links
In Need Of Further Documentation
- More sophisticated configurations (source groups, time settings, more destination groups, urls, expressions)
- Using diff files
- Using Ident
