
SquidGuard
This howto describes the process of setting up Squid and SquidGuard for the purpose of internet content filtering. It is revised for Karmic 9.10 and the Squid 2.7 package in its repositories. Older versions work a little differently. There are many different configuration options available. The settings used in this howto are very simplistic and may not suit your needs. In any case it will get you up and running. More complex settings can be added afterwards.

Contents
1. Introduction
2. Installation
3. Key File Locations
4. Squid Configuration
5. SquidGuard Configuration
6. Testing
7. Troubleshooting
   1. SquidGuard Emergency Mode
8. External Links
9. In Need Of Further Documentation

Introduction
Squid is a proxy server: HTTP requests are sent to Squid instead of being sent directly to the internet. SquidGuard is a web filter plugin for Squid which is used to restrict access to domains/URLs based upon access control lists. When SquidGuard receives a request, it examines it and either allows the page to load or redirects to a predetermined block page or script. SquidGuard makes its decisions based upon access control lists and databases of domains, URLs, and expressions.

Installation
If you'd like to host your own block page, install apache2:
sudo apt-get install apache2

Install Squid. Make sure you have the Universe repository enabled, then install SquidGuard:
sudo apt-get install squidguard

Key File Locations


File                             Purpose
/etc/squid/squid.conf            Squid configuration file
/var/log/squid/access.log        Squid access log file
/etc/squid/squidGuard.conf       SquidGuard configuration file
/var/lib/squidguard/db           SquidGuard database files
/var/log/squid/squidGuard.log    SquidGuard log file

Squid Configuration
The squid.conf file is huge, with hundreds of options. In this howto we will only be changing a few settings. Open the squid.conf file for editing using sudo and a text editor. You can use graphical sudo (gksudo) and gedit for this task, or sudo nano.
gksudo gedit /etc/squid/squid.conf

Turn on line numbers in gedit (Edit > Preferences).

Find the http_port tag. By default it reads
# http_port 3128
This is the default port that Squid will listen on for requests. If you want to change it, uncomment the line and set the correct port. If you want Squid to listen only on one specific NIC, you can also change the IP address, for example
192.168.1.5:3128

Now we need to tell squid where squidguard is. Find the TAG: url_rewrite_program heading. There is no default setting here, so we need to add our own line:
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Now we'll set up who is allowed access to the proxy. Find the TAG: http_access heading and, below it, the 'INSERT YOUR OWN RULE(S) HERE...' comment. Uncomment the line
#http_access allow localnet

And we need to define who is in the localnet. Find the TAG: ACL heading. Way down you will find
#acl localnet src 192.168.1.0/24 (and a bunch of other IP subnets)

You'll need to uncomment that line if necessary, and change that IP address to match your network. /24 signifies the block of IP addresses from 192.168.1.0 to 192.168.1.255. You can also delete any extra IP blocks from the examples that you are not using.

If you get the startup error 'FATAL: Could not determine fully qualified hostname. Please set visible_hostname', you will also need to add a visible_hostname tag, or uncomment it if you can find one in there already:
visible_hostname localhost

Save the file and close gedit

SquidGuard Configuration
For the purposes of this howto we will use a very simple configuration for SquidGuard, with only one category of sites that we want to block. More complex and useful configurations are explained on the official SquidGuard site.

First we will create a list of domains we want to block:
sudo mkdir /var/lib/squidguard/db/ads/
gksudo gedit /var/lib/squidguard/db/ads/domains

Insert the following, then save the file.

doubleclick.net
flashbannernow.com
addispenser.com

The proxy user must own the db, config, and log files:

sudo chown proxy:proxy /etc/squid/squidGuard.conf
sudo chown -R proxy:proxy /var/lib/squidguard/db
sudo chown -R proxy:proxy /var/log/squid/

Now we edit our squidGuard.conf file.

gksudo gedit /etc/squid/squidGuard.conf

Delete everything after the line:
logdir /var/log/squid
Replace the deleted text with the following:
dest ads {
    domainlist ads/domains
}
acl {
    default {
        pass !ads all
        redirect http://yourip/block.html
    }
}

Time to compile the domains list into a database:

sudo squidGuard -C all

Create a page to redirect blocked requests to. If you can write raw HTML in a text editor, do
sudo nano /var/www/block.html

If not, use a WYSIWYG editor, and copy the files into the /var/www directory. REMEMBER, this 'block.html' page lives in the default web server's directory, probably Apache's as installed above. You must have a web server running on the machine for this to work! Otherwise the client's PC gets an error message on the redirect. You could also redirect to another server running a web server and let it host the error pages. Put whatever message you want in this page.

Fire up squid and squidguard:
sudo /etc/init.d/squid start|restart|stop
sudo squid -k reconfigure

If you change your block page after you have visited it, Squid will have cached it, and will not refetch the new version until its default cache expiration time has been reached (generally 1 week). If you'd like to purge the Squid cache to fetch your revised block page, see the Squid Page.

Testing
Change all your client browser settings to use your new proxy. If you are using Firefox, this is done via Edit > Preferences > Connection Settings. Enter the IP address of your new proxy server and the port number you previously configured. The 3 domains we added to our domains file should be blocked.

Troubleshooting
It is fairly common to run into problems. 99% of the time, it comes down to permissions or ownership of files.

First of all, let's check what processes are running.

ps -e | grep squid

You should see 1 or 2 squid processes, and 5 squidGuard processes. If not, then let's restart Squid. If you previously had an abort when you were trying to reconfigure, then squid crashed and you need to start it again; otherwise skip to the reconfigure step.
sudo /etc/init.d/squid start
sudo squid -k reconfigure

Again, check what processes are running. Still having problems? Check what's being written to the squidGuard.log file:
sudo tail /var/log/squid/squidGuard.log

You might see something here that mentions that SquidGuard has gone into emergency mode. You also might see a generic error like 'Error db_open: Permission denied'. If either is the case, the following may help.

It is often useful to run squidGuard directly from the command line to see what it is doing. An example is:
sudo echo "http://www.ubuntu.com {client ip address}/- - GET" | squidGuard -d -c /etc/squid/squidGuard.conf

You can change the URL to whatever you'd like to test for access or denial. The IP address is the address of the computer you want to simulate as surfing the net from.

SquidGuard Emergency Mode


When squidguard starts up, it tries to do the following things:
1. Read the configuration file
2. Read the database or text files with the lists of sites to block
3. Write to its log file

If it fails to do any of these things, it goes into "emergency mode"; effectively this means that it doesn't do anything. The following problems will cause either 1, 2, or 3 to fail:

The configuration file is not in the place specified in squid.conf. Make sure squidguard is started with this line in squid.conf (the Squid Configuration section above uses the directive name url_rewrite_program; redirect_program is its name in older Squid versions):

redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

The database files are not in the place defined in squidGuard.conf. Make sure the following is one of the first lines in squidGuard.conf:
dbhome /var/lib/squidguard/db

The ownership of the configuration file, logfiles, or blacklist files is not correct. These files should be owned by the user and group under which the squid program runs. In the case of Ubuntu, that user is proxy. (I think this is no longer accurate. To get squid to read the domain and db files, I had to set the permissions to 777; setting to 775 would not work. While unsafe, this indicates squid is not running as user 'proxy'. I will edit this if I can determine the actual user name.) To make sure the ownership is correct, run the following commands:
sudo chown proxy:proxy /etc/squid/squidGuard.conf
sudo chown -R proxy:proxy /var/lib/squidguard/db
sudo chown -R proxy:proxy /var/log/squid/

The permissions of the configuration file, logfiles, or blacklist files are not correct. Set the permissions as follows:
chmod 644 /etc/squid/squidGuard.conf
chmod -R 640 /var/lib/squidguard/db
chmod -R 644 /var/log/squid/
find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
chmod 755 /var/log/squid

There is a line-end before the "{" character in source or dest lists.

Bad:
dest ads
{

Good:
dest ads {

After fixing these problems, issue the command to restart with the new settings:
sudo squid -k reconfigure

You also need to create swap directories with 'sudo squid -z'. If you still have errors, you can start squid with 'squid -NCd1', which starts it in debug/verbose mode and will show any errors. As above, the most likely cause will be permissions.
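
The emergency-mode causes listed in this section can be checked in one pass before reloading Squid. The script below is an added example, not part of the original howto; the function names sg_directive and sg_preflight are made up here, and it assumes the squidGuard.conf layout used above (dbhome, logdir, domainlist).

```shell
#!/bin/sh
# Added example: pre-flight check for the squidGuard "emergency mode" causes.
# sg_directive / sg_preflight are names made up for this sketch.
# Run it as the account Squid runs under so the tests reflect its permissions.

# Print the value of a single-valued directive (dbhome, logdir).
sg_directive() {            # $1 = config file, $2 = directive name
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Report every problem found; return 0 only when there are none.
sg_preflight() {            # $1 = path to squidGuard.conf
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then                     # cause 1: config unreadable
        echo "FAIL: cannot read config $conf"
        return 1
    fi
    dbhome=$(sg_directive "$conf" dbhome)
    logdir=$(sg_directive "$conf" logdir)
    if [ -z "$dbhome" ] || [ ! -d "$dbhome" ] || [ ! -x "$dbhome" ]; then
        echo "FAIL: dbhome '$dbhome' is missing or not searchable"
        rc=1
    fi
    # cause 2: list files named in the config, relative to dbhome
    for list in $(awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf"); do
        if [ ! -r "$dbhome/$list" ]; then
            echo "FAIL: cannot read list $dbhome/$list"
            rc=1
        fi
    done
    if [ -z "$logdir" ] || [ ! -d "$logdir" ] || [ ! -w "$logdir" ]; then   # cause 3
        echo "FAIL: logdir '$logdir' is missing or not writable"
        rc=1
    fi
    # A "{" alone on its line is the line-end-before-brace mistake.
    if grep -n '^[[:space:]]*{[[:space:]]*$' "$conf"; then
        echo "FAIL: put '{' on the same line as the block keyword"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $conf passes pre-flight"
    fi
    return "$rc"
}

# Stand-alone use: sh preflight.sh /etc/squid/squidGuard.conf
if [ "$#" -gt 0 ]; then
    sg_preflight "$1"
fi
```

When run as root the read and write tests always succeed, so the result only reflects what squidGuard will see if the script runs under the same account as Squid.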

External Links
Official Squid site
Official SquidGuard site
SquidGuard FAQ
Downloadable blacklists

In Need Of Further Documentation


More sophisticated configurations (source groups, time settings, more destination groups, urls, expressions)
Using diff files
Using Ident

CategoryNetworking CategorySecurity

SquidGuard (last edited 2009-11-23 01:41:05 by colin-thegebharts)
