A LFCE (Linux Foundation Certified Engineer) is a professional who has the necessary skills to install, manage, and troubleshoot network services in Linux systems, and is in charge of the design, implementation and ongoing maintenance of the system architecture in its entirety.
Introducing The Linux Foundation Certification Program.
In previous posts we discussed how to install Squid + squidGuard and how to configure squid to properly handle or restrict access requests. Please make sure you go over those two tutorials and install both Squid and squidGuard before proceeding as they set the background and the context for what we will cover in this post: integrating squidguard in a working squid environment to implement blacklist rules and content control over the proxy server.
Installation Squid2/3 + squidGuard on pfSense 2.1.x¶ Open Packages list: click System > Packages, Available Packages tab; Install the Squid package if it is not already installed. Install the squidGuard package; Configure Squid package. Configure squidGuard package.
Requirements
![Squidguard Squidguard](/uploads/1/2/5/1/125157106/193520378.jpg)
What Can / Cannot I use SquidGuard For?
Though squidGuard will certainly boost and enhance Squid’s features, it is important to highlight what it can and what it cannot do.
squidGuard can be used to:
- limit the allowed web access for some users to a list of accepted/well known web servers and/or URLs only, while denying access to other blacklisted web servers and/or URLs.
- block access to sites (by IP address or domain name) matching a list of regular expressions or words for some users.
- require the use of domain names/prohibit the use of IP address in URLs.
- redirect blocked URLs to error or info pages.
- use distinct access rules based on time of day, day of the week, date etc.
- implement different rules for distinct user groups.
However, neither squidGuard nor Squid can be used to:
- analyze text inside documents and act in result.
- detect or block embedded scripting languages like JavaScript, Python, or VBscript inside HTML code.
BlackLists – The Basics
Blacklists are an essential part of squidGuard. Basically, they are plain text files that will allow you to implement content filters based on specific keywords. There are both freely available and commercial blacklists, and you can find the download links in the squidguard blacklists project’s website.
In this tutorial I will show you how to integrate the blacklists provided by Shalla Secure Services to your squidGuard installation. These blacklists are free for personal / non-commercial use and are updated on a daily basis. They include, as of today, over 1,700,000 entries.
For our convenience, let’s create a directory to download the blacklist package.
The latest download link is always available as highlighted below.
Download Squidguard Blacklist
After untarring the newly downloaded file, we will browse to the blacklist (BL) folder.
You can think of the directories shown in the output of ls as backlist categories, and their corresponding (optional) subdirectories as subcategories, descending all the way down to specific URLs and domains, which are listed in the files urls and domains, respectively. Refer to the below image for further details.
SquidGuard Blacklist Urls Domains
Installing Blacklists
Installation of the whole blacklist package, or of individual categories, is performed by copying the BL directory, or one of its subdirectories, respectively, to the /var/lib/squidguard/db directory.
Of course you could have downloaded the blacklist tarball to this directory in the first place, but the approach explained earlier gives you more control over what categories should be blocked (or not) at a specific time.
Next, I will show you how to install the anonvpn, hacking, and chat blacklists and how to configure squidGuard to use them.
Step 1: Copy recursively the anonvpn, hacking, and chat directories from /opt/3rdparty/BL to /var/lib/squidguard/db.
Step 2: Use the domains and urls files to create squidguard’s database files. Please note that the following command will work for creating .db files for all the installed blacklists – even when a certain category has 2 or more subcategories.
Step 3: Change the ownership of the /var/lib/squidguard/db/ directory and its contents to the proxy user so that Squid can read the database files.
Step 4: Configure Squid to use squidGuard. We will use Squid’s url_rewrite_program directive in /etc/squid/squid.conf to tell Squid to use squidGuard as a URL rewriter / redirector.
Add the following line to squid.conf, making sure that /usr/bin/squidGuard is the right absolute path in your case.
Step 5: Add the necessary directives to squidGuard’s configuration file (located in /etc/squidguard/squidGuard.conf).
Please refer to the screenshot above, after the following code for further clarification.
Step 6: Restart Squid and test.
Open a web browser in a client within local network and browse to a site found in any of the blacklist files (domains or urls – we will use http://spin.de/ chat in the following example) and you will be redirected to another URL, www.lds.org in this case.
You can verify that the request was made to the proxy server but was denied (301 http response – Moved permanently) and was redirected to www.lds.org instead.
Analyze Squid Logs
Removing Restrictions
If for some reason you need to enable a category that has been blocked in the past, remove the corresponding directory from /var/lib/squidguard/db and comment (or delete) the related acl in the squidguard.conf file.
For example, if you want to enable the domains and urls blacklisted by the anonvpn category, you would need to perform the following steps.
And edit the squidguard.conf file as follows.
Please note that parts highlighted in yellow under BEFORE have been deleted in AFTER.
Whitelisting Specific Domains and URL’s
On occasions you may want to allow certain URLs or domains, but not an entire blacklisted directory. In that case, you should create a directory named myWhiteLists (or whatever name you choose) and insert the desired URLs and domains under /var/lib/squidguard/db/myWhiteLists in files named urls and domains, respectively.
Then, initialize the new content rules as before,
and modify the squidguard.conf as follows.
Remove Domains Urls in Squid Blacklist
As before, the parts highlighted in yellow indicate the changes that need to be added. Note that the myWhiteLists string needs to be first in the row that starts with pass.
Finally, remember to restart Squid in order to apply changes.
Conclusion
After following the steps outlined in this tutorial you should have a powerful content filter and URL redirector working hand in hand with your Squid proxy. If you experience any issues during your installation / configuration process or have any questions or comments, you may want to refer to squidGuard’s web documentation but always feel free to drop us a line using the form below and we will get back to you as soon as possible.
Share
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL. http://www.squid-cache.org
This project provides MSI Windows Installer for Squid Proxy Server. It enables Squid installation in just a few clicks. Current build is based on the latest Squid 3.5 build for Cygwin Windows 64 bit.
Installation instructions
- Run it and click 'Next' button till the product is installed
Please have a look at the tutorial describing How to Install Squid 3.5 on Windows.
HTTP and HTTPS Filtering on Windows Using Squid and ICAP
In case you need a high-quality HTTP(s) traffic filtering solution on Windows, we recommend Diladele Web Safety running in Docker.
Web Safety for Squid Proxy is an ICAP web filtering server that integrates with Squid proxy server and provides rich content and web filtering functionality to sanitize Internet traffic passing into an internal home/enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with adult/explicit content.
To try it out please have a look at the Windows 10 tutorial.
For Windows 7 please have a look here.
Help
Squid documentation can be found at http://www.squid-cache.orgIn case of any errors in the installer only, please send an email to [email protected] or post your question in the following google group https://groups.google.com/d/forum/web-safety
For squid specific questions please use one of Squid mailing lists http://www.squid-cache.org/Support/mailing-lists.html.
Contribution guidelines
Please contact [email protected]
Credits
We admire people working on Squid Cache server, who deliver great product to all of us.