Squid blacklists

Squidguard is a plugin for squid service. It allow a better and fine ACL management, via compiled blacklists. SquidGuard also allow to manage scheduled access, fine conditions and can replace a page by another.

Installation & Configuration

Installation

To install squidGuard, it’s simple Debian version

aptitude install squidguard

FreeBSD version

cd /usr/ports/www/squidguard
make install clean

OpenBSD version

export PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.2/packages/amd64/
pkg_add -i squidguard

The modify squid configuration for to add these lines (or un-comment) Versions 3.1 and lower

 redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
 url_rewrite_children 10

Version 3.2 and upper

url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
url_rewrite_children 10 startup=4 idle=2 concurrency=0

Squid is now linked to SquidGuard. It used 10 parallel processes for filtering. Now we install one blacklists (Toulouse-1 French university): Linux version

cd /etc/squidguard/
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xzf blacklists.tar.gz
chown -R squid:squid /etc/squidguard/blacklists
rm blacklists.tar.gz

BSD version

cd /etc/squidguard/
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xzf blacklists.tar.gz
chown -R _squid:_squid /etc/squidguard/blacklists
rm blacklists.tar.gz

Configuration

Open squidguard.conf file (Linux /etc/squid/squidGuard.conf, BSD /etc/squidguard/squidguard.conf) First, configure squidguard blacklist directory by modifying dbhome.

 dbhome /etc/squidguard/blacklists

Next, write squidGuard -C all to compile blacklists (squidGuard -f /etc/squidguard/squidguard.conf -C all for BSD) SquidGuard use source/destination mechanics to define ACLs. Source example:

 source localnet {
    ip 10.0.0.0/8
    192.168.0.0/16
 }

Here a destination example, using porn compiled blacklist

 destination porno {
    domainlist porn/domains
    urllist porn/urllist
    expressionlist porn/expressions
 }

porn/domains value define directory porn and file domains.db under dbhome Warn, we can’t give multiple domainlist, urllist, expresionlist. Only the last is used._ The last directive is acl. It define filtering rules to apply. You use source and pass directive with the destinations.

 acl {
    localnet {
       pass !porno
       redirect http://localhost/403.html
    }

    admin {
       pass all
    }

    guests {
       pass none
       redirect http://localhost/403.html
    }
 }

Those acl define localnet source can access to all sites, except porn blacklist, admin source can access to everything, and guests have no access. When access is wrong, squidGuard will give the URL given in redirect directive (here local page) You can also declare access times. For example, social networks are allowed at break. Access times are defined by time directive.

# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

time personnel-pause {
   weekly s 	00:00 - 23:59
   weekly mtwhfa	12:00 - 14:00
}

Then, ACL is written as:

acl {
  personnel within personnel-pause {
        pass     !common-blacklist
  } else personnel {
        pass     !common-blacklist !social-networks
  }
}

Automated update

To make an automated update, create a script with this content and add it to cron: Linux version

cd /etc/squidguard
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xvzf blacklists.tar.gz
chown -R squid:squid /var/firewall/blacklists
rm blacklists.tar.gz
squidGuard -C all

BSD version

cd /etc/squidguard
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
tar xzf blacklists.tar.gz
chown -R _squid:_squid /var/firewall/blacklists
rm blacklists.tar.gz
/usr/local/bin/squidGuard -f /etc/squidguard/squidguard.conf -C all

Add exceptions

We create a whitelist to allow some sites which are blacklisted.

mkdir /etc/squidguard/blacklists/exceptions/
touch /etc/squidguard/blacklists/exceptions/domains
touch /etc/squidguard/blacklists/exceptions/urllist

Open squidGuard configuration file and create this ACL

 destination exceptions {
    domainlist exceptions/domains
 }

After, apply it

acl {
  personnel within personnel-pause {
        pass    exceptions !common-blacklist
  } else personnel {
        pass    exceptions !common-blacklist !social-networks
  }
}

To use it, open /etc/squidguard/blacklists/exceptions/domains. After, add one domain per line:

linkedin.com
linkedin.fr
viadeo.com

Close file and launch this command

Linux version:

squidGuard -C exceptions
killall squidGuard

BSD version:

/usr/local/sbin/squidGuard -f /etc/squidguard/squidguard.conf -C exceptions
pkill squidGuard

These commands regenerate “blacklist” exceptions and kill all squidGuard processes. Squid automatically relaunch them