Squid + SquidGuard : static block page not working


Squid + SquidGuard : static block page not working

Nicolas Kovacs
Hi,

I've been working with Squid + SquidGuard for a few years, though only
on Slackware. I'm currently transferring my proxy expertise to CentOS 7,
and right now I'm having a little problem with that.

Squid works perfectly so far as a transparent HTTP + HTTPS cache proxy.

The next step is to add SquidGuard, so I installed it and edited the
most basic /etc/squid/squidGuard.conf file possible.

In this setup, my workstation (192.168.2.2) is allowed to access
anything on the Web, and all other client machines on the networks are
blocked and should be redirected to the avertissement.html block page
for every request.

--8<------------------------------------------------------------------
# /etc/squid/squidGuard.conf
dbhome /var/squidGuard
logdir /var/log/squidGuard

src admin {
  ip 192.168.2.2
}

acl {
  admin {
    pass any
  }
  default {
    pass none
    redirect http://nestor.microlinux.lan/avertissement.html
  }
}
--8<------------------------------------------------------------------

I appended the following lines to /etc/squid/squid.conf:

--8<------------------------------------------------------------------
# SquidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 5
--8<------------------------------------------------------------------

Now this setup sort of works. My workstation can access anything, other
clients are blocked. Unfortunately, the block page avertissement.html is
not displayed. Instead, I get a Squid error page:

  The following error was encountered while trying to retrieve the URL:
  https://http/*

  Unable to determine IP address from host name "http".

Any idea why my static block page avertissement.html is not displayed?

Cheers,

Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : [hidden email]
Tél. : 04 66 63 10 32
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid + SquidGuard : static block page not working

Amos Jeffries
Administrator
On 15/03/18 01:07, Nicolas Kovacs wrote:

> Hi,
>
> I've been working with Squid + SquidGuard for a few years, though only
> on Slackware. I'm currently transferring my proxy expertise to CentOS 7,
> and right now I'm having a little problem with that.
>
> Squid works perfectly so far as a transparent HTTP + HTTPS cache proxy.
>
> The next step is to add SquidGuard, so I installed it and edited the
> most basic /etc/squid/squidGuard.conf file possible.
>
> In this setup, my workstation (192.168.2.2) is allowed to access
> anything on the Web, and all other client machines on the networks are
> blocked and should be redirected to the avertissement.html block page
> for every request.

You do not need SG or any fancy redirector helpers at all for that.

Place this in your squid.conf instead:

  acl admin src 192.168.2.2
  http_access allow admin
  deny_info 302:http://nestor.microlinux.lan/avertissement.html all
  http_access deny all

If the clients can only reach nestor.microlinux.lan through the proxy
you will need an http_access rule allowing that domain before the deny line.

Amos

Re: Squid + SquidGuard : static block page not working

Nicolas Kovacs
On 14/03/2018 at 13:33, Amos Jeffries wrote:
> You do not need SG or any fancy redirector helpers at all for that.

Yes, I do. Because this is part of a step-by-step course about
SquidGuard, which worked perfectly under Slackware Linux. And my
filtering rules are becoming increasingly complex.

Niki



Re: Squid + SquidGuard : static block page not working

Nicolas Kovacs
On 14/03/2018 at 13:39, Nicolas Kovacs wrote:
> Yes, I do. Because this is part of a step-by-step course about
> SquidGuard, which worked perfectly under Slackware Linux. And my
> filtering rules are becoming increasingly complex.

FYI, this is the course. It's a HOWTO in simple text format.

I'm currently trying to adapt this to CentOS 7.

Niki


Attachment: SquidGuard-HOWTO.txt (19K)

Re: Squid + SquidGuard : static block page not working

Amos Jeffries
Administrator
On 15/03/18 01:43, Nicolas Kovacs wrote:
> Le 14/03/2018 à 13:39, Nicolas Kovacs a écrit :
>> Yes, I do. Because this is part of a step-by-step course about
>> SquidGuard, which worked perfectly under Slackware Linux. And my
>> filtering rules are becoming increasingly complex.
>
> FYI, this is the course. It's a HOWTO in simple text format.
>
> I'm currently trying to adapt this to CentOS 7.

Then the first thing you and your readers need to be clear on is that
SquidGuard was end-of-life'd many years ago. It is long overdue for
removal or replacement. This has impact such as the one you saw on HTTPS
traffic support which was only added to Squid-3 after SG stopped being
maintained.

The best thing to be doing these days is upgrading simple configs like
the one you presented earlier to using modern Squid features directly in
squid.conf - as I recommended earlier.

For very complex configurations (or emergency upgrades) the ufdbguard
tool can be used as a drop-in replacement for squidGuard while the
config migration is evaluated. It handles the HTTPS situation better
than SG does, but for simple configs any helper is still very much
overkill and a performance drag.

HTH
Amos

Re: Squid + SquidGuard : static block page not working

Nicolas Kovacs
On 14/03/2018 at 14:06, Amos Jeffries wrote:

> Then the first thing you and your readers need to be clear on is that
> SquidGuard was end-of-life'd many years ago. It is long overdue for
> removal or replacement. This has impact such as the one you saw on HTTPS
> traffic support which was only added to Squid-3 after SG stopped being
> maintained.
>
> The best thing to be doing these days is upgrading simple configs like
> the one you presented earlier to using modern Squid features directly in
> squid.conf - as I recommended earlier.
>
> For very complex configurations (or emergency upgrades) the ufdbguard
> tool can be used as a drop-in replacement for squidGuard while the
> config migration is evaluated. It handles the HTTPS situation better
> than SG does, but for simple configs any helper is still very much
> overkill and a performance drag.

This is the configuration which is currently in use at our local school.
The server is running Squid + SquidGuard on Slackware 14.1. We're
planning to move to CentOS 7 in June 2018, so I'd like to use this
working configuration without having to jump through burning loops or
having to reinvent the wheel.

--8<-----------------------------------------------------------------------
# /etc/squidguard/squidguard.conf

dbhome /var/lib/squidguard/dest
logdir /var/log/squidguard

time couvrefeu {
  weekly mtwhf 00:00-07:00
  weekly smtwh 22:30-24:00
}

src direction {
  ip 192.168.10.2-192.168.10.49
  ip 192.168.10.246-192.168.10.249
}

src scholae {
  ip 192.168.10.50-192.168.10.210
}

# Adult sites
destination adult {
  domainlist adult/domains
  urllist adult/urls
  log adult
}

# Racist, antisemitic and hate-inciting sites
destination agressif {
  domainlist agressif/domains
  urllist agressif/urls
  log agressif
}

# Audio and video oriented sites
destination audio-video {
  domainlist audio-video/domains
  urllist audio-video/urls
  log audio-video
}

# Blogs
destination blog {
  domainlist blog/domains
  urllist blog/urls
  log blog
}

# Sites for cleaning up and updating computers
destination cleaning {
  domainlist cleaning/domains
  urllist cleaning/urls
  log cleaning
}

# Sites describing how to make bombs, poison, etc.
destination dangerous_material {
  domainlist dangerous_material/domains
  urllist dangerous_material/urls
  log dangerous_material
}

# Download sites
destination download {
  domainlist download/domains
  urllist download/urls
  log download
}

# Drugs
destination drogue {
  domainlist drogue/domains
  urllist drogue/urls
  log drogue
}

# Financial news
destination financial {
  domainlist financial/domains
  urllist financial/urls
  log financial
}

# Forums
destination forums {
  domainlist forums/domains
  urllist forums/urls
  log forums
}

# Online gaming, casinos
destination gambling {
  domainlist gambling/domains
  urllist gambling/urls
  log gambling
}

# Hacking and computer attack sites
destination hacking {
  domainlist hacking/domains
  urllist hacking/urls
  log hacking
}

# Educational sites
destination liste_bu {
  domainlist liste_bu/domains
  urllist liste_bu/urls
  log liste_bu
}

# Mobile phone ringtones
destination mobile-phone {
  domainlist mobile-phone/domains
  urllist mobile-phone/urls
  log mobile-phone
}

# Phishing, banking scams, etc.
destination phishing {
  domainlist phishing/domains
  urllist phishing/urls
  log phishing
}

# Advertising
destination publicite {
  domainlist publicite/domains
  urllist publicite/urls
  log publicite
}

# Web radio
destination radio {
  domainlist radio/domains
  urllist radio/urls
  log radio
}

# Redirectors 1/3
destination redirector {
  domainlist redirector/domains
  urllist redirector/urls
  log redirector
}

# Redirectors 2/3
destination strict_redirector {
  domainlist strict_redirector/domains
  urllist strict_redirector/urls
  log strict_redirector
}

# Redirectors 3/3
destination strong_redirector {
  domainlist strong_redirector/domains
  urllist strong_redirector/urls
  log strong_redirector
}

# Sites explaining how to cheat on exams
destination tricheur {
  domainlist tricheur/domains
  urllist tricheur/urls
  log tricheur
}

# Warez
destination warez {
  domainlist warez/domains
  urllist warez/urls
  log warez
}

# Webmail
destination webmail {
  domainlist webmail/domains
  urllist webmail/urls
  log webmail
}

# Games
destination games {
  domainlist games/domains
  urllist games/urls
  log games
}

# Educational games
destination educational_games {
  domainlist educational_games/domains
  urllist educational_games/urls
  log educational_games
}

# Sites for adults
destination mixed_adult {
  domainlist mixed_adult/domains
  urllist mixed_adult/urls
  log mixed_adult
}

# Download sites
destination filehosting {
  domainlist filehosting/domains
  urllist filehosting/urls
  log filehosting
}

# Change of ownership
destination reaffected {
  domainlist reaffected/domains
  urllist reaffected/urls
  log reaffected
}

# Sex education
destination sexual_education {
  domainlist sexual_education/domains
  urllist sexual_education/urls
  log sexual_education
}

# Shopping
destination shopping {
  domainlist shopping/domains
  urllist shopping/urls
  log shopping
}

# Dating sites
destination dating {
  domainlist dating/domains
  urllist dating/urls
  log dating
}

# Marketing
destination marketingware {
  domainlist marketingware/domains
  urllist marketingware/urls
  log marketingware
}

# Astrology
destination astrology {
  domainlist astrology/domains
  urllist astrology/urls
  log astrology
}

# Cults
destination sect {
  domainlist sect/domains
  urllist sect/urls
  log sect
}

# Celebrities
destination celebrity {
  domainlist celebrity/domains
  urllist celebrity/urls
  log celebrity
}

# Mangas
destination manga {
  domainlist manga/domains
  urllist manga/urls
  log manga
}

# Sites for children
destination child {
  domainlist child/domains
  urllist child/urls
  log child
}

# Malware
destination malware {
  domainlist malware/domains
  urllist malware/urls
  log malware
}

# Online press
destination press {
  domainlist press/domains
  urllist press/urls
  log press
}

# Instant messaging
destination chat {
  domainlist chat/domains
  urllist chat/urls
  log chat
}

# Remote control
destination remote-control {
  domainlist remote-control/domains
  urllist remote-control/urls
  log remote-control
}

# Social networks
destination social_networks {
  domainlist social_networks/domains
  urllist social_networks/urls
  log social_networks
}

# Job search
destination jobsearch {
  domainlist jobsearch/domains
  log jobsearch
}

# Sports
destination sports {
  domainlist sports/domains
  log sports
}

# Online banking
destination bank {
  domainlist bank/domains
  log bank
}

# Online betting
destination arjel {
  domainlist arjel/domains
  log arjel
}

# Cooking
destination cooking {
  domainlist cooking/domains
  log cooking
}

# Lingerie
destination lingerie {
  domainlist lingerie/domains
  urllist lingerie/urls
  log lingerie
}

# Translation
destination translation {
  domainlist translation/domains
  urllist translation/urls
  log translation
}

# Bitcoin
destination bitcoin {
  domainlist bitcoin/domains
  urllist bitcoin/urls
  log bitcoin
}

# Dialers
destination dialer {
  domainlist dialer/domains
  log dialer
}

# DDoS
destination ddos {
  domainlist ddos/domains
  log ddos
}

# Updates
destination update {
  domainlist update/domains
  log update
}

# Religious associations
destination associations_religieuses {
  domainlist associations_religieuses/domains
  log associations_religieuses
}

# URL shorteners
destination shortener {
  domainlist shortener/domains
  urllist shortener/urls
  log shortener
}

acl {
  direction {
    pass all
  }
  scholae within couvrefeu {
    pass none
    redirect http://squidguard.serveur-hp.ecole-scholae.lan/avertissement.html
  }
  scholae {
    pass !adult
    pass !agressif
    pass audio-video
    pass blog
    pass cleaning
    pass !dangerous_material
    pass !download
    pass !drogue
    pass financial
    pass forums
    pass !gambling
    pass !hacking
    pass liste_bu
    pass !mobile-phone
    pass !phishing
    pass !publicite
    pass radio
    pass !redirector
    pass !strict_redirector
    pass !strong_redirector
    pass !tricheur
    pass !warez
    pass webmail
    pass !games
    pass educational_games
    pass !mixed_adult
    pass !filehosting
    pass !reaffected
    pass sexual_education
    pass !shopping
    pass !dating
    pass !marketingware
    pass astrology
    pass !sect
    pass !celebrity
    pass !manga
    pass child
    pass !malware
    pass press
    pass !chat
    pass !remote-control
    pass social_networks
    pass jobsearch
    pass sports
    pass bank
    pass !arjel
    pass cooking
    pass !lingerie
    pass translation
    pass !bitcoin
    pass !dialer
    pass !ddos
    pass update
    pass !associations_religieuses
    pass !shortener
    redirect http://squidguard.serveur-hp.ecole-scholae.lan/avertissement.html
  }
  default {
    pass none
    redirect http://squidguard.serveur-hp.ecole-scholae.lan/avertissement.html
  }
}
--8<-----------------------------------------------------------------------

Cheers,

Niki

Re: Squid + SquidGuard : static block page not working

Amos Jeffries
Administrator
On 15/03/18 01:43, Nicolas Kovacs wrote:

> Le 14/03/2018 à 13:39, Nicolas Kovacs a écrit :
>> Yes, I do. Because this is part of a step-by-step course about
>> SquidGuard, which worked perfectly under Slackware Linux. And my
>> filtering rules are becoming increasingly complex.
> FYI, this is the course. It's a HOWTO in simple text format.
>
> I'm currently trying to adapt this to CentOS 7.
>
> Niki
>
> -- Microlinux - Solutions informatiques durables 7, place de l'église -
> 30730 Montpezat Site : https://www.microlinux.fr Blog :
> https://blog.microlinux.fr Mail : [hidden email] Tél. : 04 66 63 10 32
>
>

I have added some "Best Practice" config changes inline below:

> SquidGuard-HOWTO.txt
>
>
> ================
> SquidGuard HOWTO (c) Nicolas Kovacs <[hidden email]>
> ================
>
> Last revision: 5 May 2015
>
> This HOWTO describes setting up the SquidGuard redirector for a Squid proxy
> server under Slackware.
>
>   * General notes and prerequisites
>   * Installation
>   * The explanatory page
>   * A simple redirection
>   * Fetching the blacklists and whitelists
>   * A simple filter for problematic content
>   * Automating the operations
>
>
> General notes and prerequisites
> -------------------------------
>
> SquidGuard is a plug-in for Squid. A working installation of the latter is
> therefore required.
>
>
> Installation
> ------------
>
> Install the 'squidGuard' package from the MLES package repository.
>
>
> The explanatory page
> --------------------
>
> When SquidGuard denies access to a page, it is always a good idea to explain
> the reasons for the refusal to users. To begin with, we are therefore going
> to set up a warning page, hosted on the server itself.
>
> The 'template/squidguard/html/' directory provides a template explanatory
> page.
>
> For configuring a local web page, see the Apache-HOWTO.
>
>
> A simple redirection
> --------------------
>
> We do not yet have any blacklists, whitelists or database, but we can
> already do a first redirection test:
>
>   1. the machine 192.168.2.2 is not filtered
>
>   2. all other machines on the local network are blocked
>
> SquidGuard is configured through the configuration file
> '/etc/squidguard/squidguard.conf'. Back up the original configuration file:
>
>   # cd /etc/squidguard
>   # mv squidguard.conf squidguard.conf.orig
>
> Edit a minimal configuration file like this:
>
> --8<---------- /etc/squidguard/squidguard.conf -------------------------------
> dbhome /var/lib/squidguard
> logdir /var/log/squidguard
>
> src admin {
>   ip 192.168.2.2
> }
>
> acl {
>   admin {
>     pass any
>   }
>   default {
>     pass none
>     redirect http://squidguard.nestor/avertissement.html
>   }
> }
> --8<--------------------------------------------------------------------------
>

In squid.conf:

  acl admin src 192.168.2.2
  http_access allow admin

  acl redirect src all
  deny_info 302:http://squidguard.nestor/avertissement.html redirect
  http_access deny redirect

No URL-rewrite use.


>   > The 'dbhome' directive tells SquidGuard where to find the database of the
>     lists (which we do not have yet).
>
>   > The 'logdir' directive specifies where we want the logs to be written.
>
>   > Sources define groups of clients. Here we define a single IP address.
>
>   > The 'acl' or "Access Control Lists" define which source may or may not go
>     to which destination(s).
>
>   > When a destination is not allowed, the 'redirect' directive serves an
>     explanatory page to the client.
>
> Now Squid must be configured to use SquidGuard. Edit the file
> '/etc/squid/squid.conf' and add this stanza at the end of the file:
>
> --8<---------- /etc/squid/squid.conf -----------------------------------------
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidguard.conf
> url_rewrite_children 5

Add:
  url_rewrite_access deny CONNECT


> --8<--------------------------------------------------------------------------
>
> Reload the Squid configuration:
>
>   # /etc/rc.d/rc.squid reload
>
> Check that the change has been taken into account:
>
>   # ps aux | grep squid | grep -v grep
>   root      5043  ...  /usr/sbin/squid -F
>   nobody    5045  ...  (squid) -F
>   nobody    5068  ...  (squidGuard) -c /etc/squidguard/squidguard.conf
>   nobody    5069  ...  (squidGuard) -c /etc/squidguard/squidguard.conf
>   nobody    5070  ...  (squidGuard) -c /etc/squidguard/squidguard.conf
>   nobody    5071  ...  (squidGuard) -c /etc/squidguard/squidguard.conf
>   nobody    5072  ...  (squidGuard) -c /etc/squidguard/squidguard.conf
>
> Now we can try browsing the Internet:
>
>   1. with the machine 192.168.2.2
>
>   2. with a machine whose IP address is not 192.168.2.2
>
>
> Fetching the blacklists and whitelists
> --------------------------------------
>
> In the examples below, we will use the blacklists and whitelists maintained
> by the Centre de Ressources Informatiques of the Université de Toulouse.
> These lists are not part of SquidGuard. They can be fetched manually like
> this:
>  
>   # cd /var/lib/squidguard
>   # wget -c ftp://ftp.ut-capitole.fr/blacklist/blacklists.tar.gz
>   # tar xvzf blacklists.tar.gz
>   # cd blacklists
>
> Each directory corresponds to a category (or "destination") of the Web:
>
>   # ls -l | awk '{print $9, $10, $11}'
>   ads -> publicite
>   adult  
>   aggressive -> agressif
>   agressif  
>   arjel  
>   astrology  
>   audio-video  
>   bank  
>   bitcoin  
>   blog  
>   cc-by-sa-4-0.pdf  
>   celebrity  
>   chat  
>   child  
>   cleaning  
>   cooking  
>   dangerous_material  
>   dating  
>   drogue  
>   drugs -> drogue
>   educational_games  
>   filehosting  
>   financial  
>   forums  
>   gambling  
>   games  
>   global_usage  
>   hacking  
>   jobsearch  
>   ...
>
> The lists can also be fetched with the 'rsync' tool. This method is even
> recommended, since 'rsync' will only download the difference between the
> remote and local trees when updating:
>
>   # cd /var/lib/squidguard
>   # rm -rf blacklists*
>   # rsync -rv rsync://ftp.ut-capitole.fr/blacklist/ .
>   # cd dest
>
> The only difference compared to downloading with 'wget' is that our
> destinations end up in a 'dest/' directory rather than 'blacklists/'.
>
> Find the 'global_usage' file and take a look inside it. It is an explanatory
> file describing the content of the lists.
>
>
> A simple filter for problematic content
> ---------------------------------------
>
> In this second example, we are going to filter sites with clearly
> problematic content (porn, violence, drugs) for all machines on the local
> network.
>
> First, we are going to adapt the 'dbhome' directive to what we downloaded
> just above:
>
> --8<---------- /etc/squidguard/squidguard.conf -------------------------------
> dbhome /var/lib/squidguard/dest
> logdir /var/log/squidguard
> ...
> --8<--------------------------------------------------------------------------
>
> Sources are there to specify groups of clients. We are going to define the
> whole local network roughly:
>
> --8<---------- /etc/squidguard/squidguard.conf -------------------------------
> ...
> src microlinux {
>   ip 192.168.2.0/24
> }
> --8<--------------------------------------------------------------------------
>
> Destinations define sets of domains, URLs or regular expressions to apply to
> URLs. Here we are going to define three destinations:
>
> --8<---------- /etc/squidguard/squidguard.conf -------------------------------
> ...
> # Adult sites ranging from erotica to hardcore pornography
> destination adult {
>   domainlist adult/domains
>   urllist adult/urls
>   log adult
> }
>
> # A few racist, antisemitic and hate-inciting sites
> destination agressif {
>   domainlist agressif/domains
>   urllist agressif/urls
>   log agressif
> }
>
> # Drugs
> destination drogue {
>   domainlist drogue/domains
>   urllist drogue/urls
>   log drogue
> }
> --8<--------------------------------------------------------------------------
>
> ACLs ("Access Control Lists") define which source may or may not go to which
> destination:
>
> --8<---------- /etc/squidguard/squidguard.conf -------------------------------
> ...
> acl {
>   microlinux {
>     pass !adult
>     pass !agressif
>     pass !drogue
>     redirect http://squidguard.nestor/avertissement.html
>   }
>   default {
>     pass none
>     redirect http://squidguard.nestor/avertissement.html
>   }
> }
> --8<--------------------------------------------------------------------------
>
>   > The exclamation mark '!' is equivalent to a negation.
>
> Overall, our configuration will therefore look like this:
>
> --8<---------- /etc/squidguard/squidguard.conf -------------------------------
> dbhome /var/lib/squidguard/dest
> logdir /var/log/squidguard
>
> src microlinux {
>   ip 192.168.2.0/24
> }

squid.conf:
  acl microlinux src 192.168.2.0/24

>
> # Adult sites ranging from erotica to hardcore pornography
> destination adult {
>   domainlist adult/domains
>   urllist adult/urls
>   log adult
> }
>

squid.conf:
  acl adult_domains dstdomain "/var/lib/squidguard/dest/adult/domains"
  acl adult_urls url_regex "/var/lib/squidguard/dest/adult/urls"
  acl adult any-of adult_domains adult_urls

(or files in a location other than "lib/squidguard/".)

Note: Squid can handle regex files up to several hundred entries easily.
If they get into thousands OR are very frequently changed ufdbguard can
become worth using.


The below agressif and drogue definitions can be done using the same
pattern as the adult lines above.


> # A few racist, antisemitic and hate-inciting sites
> destination agressif {
>   domainlist agressif/domains
>   urllist agressif/urls
>   log agressif
> }
>
> # Drugs
> destination drogue {
>   domainlist drogue/domains
>   urllist drogue/urls
>   log drogue
> }
>
> acl {
>   microlinux {
>     pass !adult
>     pass !agressif
>     pass !drogue
>     redirect http://squidguard.amandine/avertissement.html
>   }
>   default {
>     pass none
>     redirect http://squidguard.amandine/avertissement.html
>   }
> }

squid.conf:

 acl redirect src all
 deny_info 302:http://squidguard.amandine/avertissement.html redirect
 http_access allow microlinux !adult !agressif !drogue
 http_access deny redirect


> --8<--------------------------------------------------------------------------
>
> Before going any further, we need to set a few permissions. Remember that
> the Squid cache proxy runs with the rights of the user 'nobody' and the
> group 'nobody':
>
> --8<---------- /etc/squid/squid.conf -----------------------------------------
> ...
> cache_effective_user nobody
> cache_effective_group nobody
> ...
> --8<--------------------------------------------------------------------------

Remove entirely. Pre-packaged Squid should be built with the appropriate
user account in --with-default-user= such that these do not need setting
at all.

>
> The '/var/lib/squidguard' tree must be readable and writable by Squid:
>
>   # chown -R nobody:nobody /var/lib/squidguard/
>   # ls -ld /var/lib/squidguard/
>   drwxr-xr-x 3 nobody nobody 4096 nov.   2 08:56 /var/lib/squidguard/
>
> In case the log directory does not exist, it must be created:
>
>   # mkdir -v /var/log/squidguard
>   mkdir: création du répertoire « /var/log/squidguard »
>
> Here too, permissions must be adjusted:
>
>   # chown -R nobody:nobody /var/log/squidguard/
>   # ls -ld /var/log/squidguard/
>   drwxr-xr-x 2 nobody nobody 4096 nov.   2 11:08 /var/log/squidguard/
>
> In order to work fast, SquidGuard does not use the text files but databases
> in Berkeley format. These databases do not exist yet, and we must build
> them:
>
>   # squidGuard -C all
>
> If everything went well, we get something like this:
>
>   # cat /var/log/squidguard/squidGuard.log
>   2014-11-02 11:09:39 [3897] New setting: dbhome: /var/lib/squidguard/dest
>   2014-11-02 11:09:39 [3897] New setting: logdir: /var/log/squidguard
>   2014-11-02 11:09:39 [3897] init domainlist
>   /var/lib/squidguard/dest/adult/domains
>   2014-11-02 11:09:52 [3897] create new dbfile
>   /var/lib/squidguard/dest/adult/domains.db
>   2014-11-02 11:09:53 [3897] init urllist /var/lib/squidguard/dest/adult/urls
>   2014-11-02 11:09:53 [3897] create new dbfile
>   /var/lib/squidguard/dest/adult/urls.db
>   2014-11-02 11:09:54 [3897] init domainlist
>   /var/lib/squidguard/dest/agressif/domains
>   2014-11-02 11:09:54 [3897] create new dbfile
>   /var/lib/squidguard/dest/agressif/domains.db
>   2014-11-02 11:09:54 [3897] init urllist /var/lib/squidguard/dest/agressif/urls
>   2014-11-02 11:09:54 [3897] create new dbfile
>   /var/lib/squidguard/dest/agressif/urls.db
>   2014-11-02 11:09:54 [3897] init domainlist
>   /var/lib/squidguard/dest/drogue/domains
>   2014-11-02 11:09:54 [3897] create new dbfile
>   /var/lib/squidguard/dest/drogue/domains.db
>   2014-11-02 11:09:54 [3897] init urllist /var/lib/squidguard/dest/drogue/urls
>   2014-11-02 11:09:54 [3897] create new dbfile
>   /var/lib/squidguard/dest/drogue/urls.db
>   2014-11-02 11:09:54 [3897] squidGuard 1.4 started (1414922979.731)
>   2014-11-02 11:09:54 [3897] db update done
>   2014-11-02 11:09:54 [3897] squidGuard stopped (1414922994.459)
>
> A few warnings are in order here:
>
>   1. SquidGuard is a rather sophisticated application, not to say a real
>   Rube Goldberg machine. The slightest typo in one of the configuration
>   files usually results in failure. It is therefore necessary to pay great
>   attention to syntax.
>
>   2. The databases ('*.db' files under the '/var/lib/squidguard/dest/' tree)
>   must be built *after* writing the configuration file, since only the
>   destinations defined in that file will be compiled. In other words, if you
>   need to add a destination later (malware, tricheur, etc.), you will have
>   to remember to compile the corresponding databases.
>
>   3. As a general rule, it rarely works the first time. In that case, take a
>   look at the logs, in particular 'squidGuard.log'. It will be of great
>   help, as it will warn you about all configuration problems.
>
> Since the 'squidGuard -C all' command was invoked by root, the files
> generated by this command belong to root:
>
>   # ls -l /var/lib/squidguard/dest/adult/
>   total 66704
>   -rw-r--r-- 1 nobody nobody 17977204 nov.   1 11:02 domains
>   -rw-r--r-- 1 root   root   44773376 nov.   2 11:09 domains.db
>   -rw-r--r-- 1 nobody nobody        0 nov.   1 11:02 expressions
>   -rw-r--r-- 1 nobody nobody  1959494 nov.   1 11:02 urls
>   -rw-r--r-- 1 root   root    3584000 nov.   2 11:09 urls.db
>   -rw-r--r-- 1 nobody nobody       17 nov.   1 11:02 usage
>   ...
>   # ls -l /var/log/squidguard/
>   total 4
>   -rw-r--r-- 1 root root    0 nov.   2 11:09 adult
>   -rw-r--r-- 1 root root    0 nov.   2 11:09 agressif
>   -rw-r--r-- 1 root root    0 nov.   2 11:09 drogue
>   -rw-r--r-- 1 root root 1316 nov.   2 11:09 squidGuard.log
>
> So we have to correct the permissions a second time:
>
>   # chown -R nobody:nobody /var/lib/squidguard/
>   # chown -R nobody:nobody /var/log/squidguard/
>
> Reload the configuration:
>
>   # /etc/rc.d/rc.squid reload
>
> Now browse the Web and test the filtering on a few potentially
> problematic sites:
>
>   * http://www.nichons.com
>
>   * http://www.whitehonor.com
>
>   * http://www.cannabizz.com
>
> If all goes well, the pages are not displayed, and the user is confronted
> with the explanatory page. On top of that, the attempt is recorded in the
> log file corresponding to the category of the prohibited site, for
> example:
>
>   # tail -f /var/log/squidguard/adult
>   2014-11-02 11:28:42 ... http://www.nichons.com/ 192.168.2.3/- - GET REDIRECT
>   2014-11-02 11:28:42 ... http://www.nichons.com/favicon.ico 192.168.2.3/- ...
>   2014-11-02 11:28:42 ... http://www.nichons.com/favicon.ico 192.168.2.3/- ...
>
>
> Automating the operations
> -------------------------
>
> I provide a 'blacklist.sh' script in the 'template/squidguard/' directory,
> which automates most of the repetitive tasks. Copy this script to a
> suitable location, for example '/usr/local/sbin/', and make it executable.
> It takes care of:
>
>   1. fetching the blacklists and whitelists
>
>   2. updating the lists already downloaded
>
>   3. building the Berkeley databases
>
>   4. fixing the permissions
>
>   5. restarting Squid to take the changes into account
>
>
> ------------------------------------------------------------------------------
> # vim: syntax=txt
>
>
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>
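A check for point 2 of the HOWTO quoted above (destination lists whose Berkeley DB is missing or older than the list), as an added example that is not part of the HOWTO or of the blacklist.sh script it mentions; it assumes the layout shown in the post: a top-level "dbhome <dir>" and "domainlist <cat>/domains" / "urllist <cat>/urls" entries inside dest blocks.

```shell
#!/bin/sh
# Added example, not part of the quoted HOWTO or its blacklist.sh script.
# Point 2 of the HOWTO: only destinations listed in squidGuard.conf get a
# Berkeley DB, and a list added or refreshed later has no (or a stale) .db
# until 'squidGuard -C all' is run again. This function reports such lists.
# Assumed layout (as in the post): "dbhome <dir>" at top level and
# "domainlist <cat>/domains" / "urllist <cat>/urls" entries inside dest {}.

# Usage: stale_dbs /etc/squid/squidGuard.conf
# Prints "<list file> <reason>" for every list whose .db needs (re)building;
# prints nothing when everything is compiled and current.
stale_dbs() {
    conf="$1"
    # dbhome from the config, defaulting to the path used in the HOWTO
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    [ -n "$dbhome" ] || dbhome=/var/lib/squidguard/dest
    # Every domainlist/urllist entry (comment lines start with '#', so
    # their first field never equals the keyword)
    awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf" |
    while read -r rel; do
        src="$dbhome/$rel"
        if [ ! -f "$src" ]; then
            echo "$src missing-source"      # in the config but never fetched
        elif [ ! -f "$src.db" ]; then
            echo "$src no-db"               # fetched but never compiled
        elif [ "$src" -nt "$src.db" ]; then
            echo "$src db-outdated"         # list refreshed after last compile
        fi
    done
}
```

A non-empty result means 'squidGuard -C all' followed by the chown step from the HOWTO is due before the configuration is reloaded.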

Re: Squid + SquidGuard : static block page not working

Marcus Kool
In reply to this post by Nicolas Kovacs
ufdbGuard is the tool that you need.
It is an old fork of ufdbGuard with many new features, very good performance and it has regular maintenance.
If you have a question, you can ask the support desk at www.urlfilterdb.com.
You will get an answer from me or a colleague.

Marcus


On 14/03/18 09:39, Nicolas Kovacs wrote:

> On 14/03/2018 at 13:33, Amos Jeffries wrote:
>> You do not need SG or any fancy redirector helpers at all for that.
>
> Yes, I do. Because this is part of a step-by-step course about
> SquidGuard, which worked perfectly under Slackware Linux. And my
> filtering rules are becoming increasingly complex.
>
> Niki
>
>

Re: Squid + SquidGuard : static block page not working

Nicolas Kovacs
On 14/03/2018 at 14:46, Marcus Kool wrote:
> ufdbGuard is the tool that you need.
> It is an old fork of ufdbGuard with many new features, very good
> performance and it has regular maintenance.
> If you have a question, you can ask the support desk at
> www.urlfilterdb.com.
> You will get an answer from me or a colleague.

Thanks for the heads-up.

On the school server running SquidGuard, I'm using the blacklist
collection of the University of Toulouse, which has several millions (!)
of URLS/domains in about a hundred different categories.

Will I be able to use these blacklists with ufdbGuard ?

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : [hidden email]
Tel. : 04 66 63 10 32

Re: Squid + SquidGuard : static block page not working

Yuri Voinov
In reply to this post by Amos Jeffries

14.03.2018 19:06, Amos Jeffries wrote:

> On 15/03/18 01:43, Nicolas Kovacs wrote:
>> On 14/03/2018 at 13:39, Nicolas Kovacs wrote:
>>> Yes, I do. Because this is part of a step-by-step course about
>>> SquidGuard, which worked perfectly under Slackware Linux. And my
>>> filtering rules are becoming increasingly complex.
>> FYI, this is the course. It's a HOWTO in simple text format.
>>
>> I'm currently trying to adapt this to CentOS 7.
> Then the first thing you and your readers need to be clear on is that
> SquidGuard was end-of-life'd many years ago. It is long overdue for
> removal or replacement. This has impact such as the one you saw on HTTPS
> traffic support which was only added to Squid-3 after SG stopped being
> maintained.
>
> The best thing to be doing these days is upgrading simple configs like
> the one you presented earlier to using modern Squid features directly in
> squid.conf - as I recommended earlier.
>
> For very complex configurations (or emergency upgrades) the ufdbguard
> tool can be used as a drop-in replacement for squidGuard while the
> config migration is evaluated. It handles the HTTPS situation better
> than SG does, but for simple configs any helper is still very much
> overkill and a performance drag.
I can confirm: ufdbguard is an up-to-date and very customizable
replacement for SquidGuard. Using ufdbguard for the last three years has
given perfect results and brings functionality which is absent in SquidGuard.

ufdbguard has good support for https (including SSL Bump), is incredibly
fast (it is thread-aware) and has a small memory footprint.
>
> HTH
> Amos

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************




Re: Squid + SquidGuard : static block page not working

Marcus Kool
In reply to this post by Nicolas Kovacs

On 14/03/18 10:55, Nicolas Kovacs wrote:

> On 14/03/2018 at 14:46, Marcus Kool wrote:
>> ufdbGuard is the tool that you need.
>> It is an old fork of ufdbGuard with many new features, very good
>> performance and it has regular maintenance.
>> If you have a question, you can ask the support desk at
>> www.urlfilterdb.com.
>> You will get an answer from me or a colleague.
>
> Thanks for the heads-up.
>
> On the school server running SquidGuard, I'm using the blacklist
> collection of the University of Toulouse, which has several millions (!)
> of URLS/domains in about a hundred different categories.
>
> Will I be able to use these blacklists with ufdbGuard ?
>
> Niki

yes, no problem.

Marcus

Re: Squid + SquidGuard : static block page not working

Yuri Voinov
In reply to this post by Nicolas Kovacs


14.03.2018 19:55, Nicolas Kovacs wrote:

> On 14/03/2018 at 14:46, Marcus Kool wrote:
>> ufdbGuard is the tool that you need.
>> It is an old fork of ufdbGuard with many new features, very good
>> performance and it has regular maintenance.
>> If you have a question, you can ask the support desk at
>> www.urlfilterdb.com.
>> You will get an answer from me or a colleague.
> Thanks for the heads-up.
>
> On the school server running SquidGuard, I'm using the blacklist
> collection of the University of Toulouse, which has several millions (!)
> of URLS/domains in about a hundred different categories.
>
> Will I be able to use these blacklists with ufdbGuard ?
Niki,

you can use any blacklist you want with ufdbguard. ufdbguard has its own
commercial database, but can easily be combined with any plain-text free
database of your choice. For example, with Shallalist. Or your own custom one.

>
> Niki
>

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************




Re: Squid + SquidGuard : static block page not working

Amos Jeffries
In reply to this post by Nicolas Kovacs
On 15/03/18 02:13, Nicolas Kovacs wrote:

> On 14/03/2018 at 14:06, Amos Jeffries wrote:
>> Then the first thing you and your readers need to be clear on is that
>> SquidGuard was end-of-life'd many years ago. It is long overdue for
>> removal or replacement. This has impact such as the one you saw on HTTPS
>> traffic support which was only added to Squid-3 after SG stopped being
>> maintained.
>>
>> The best thing to be doing these days is upgrading simple configs like
>> the one you presented earlier to using modern Squid features directly in
>> squid.conf - as I recommended earlier.
>>
>> For very complex configurations (or emergency upgrades) the ufdbguard
>> tool can be used as a drop-in replacement for squidGuard while the
>> config migration is evaluated. It handles the HTTPS situation better
>> than SG does, but for simple configs any helper is still very much
>> overkill and a performance drag.
>
> This is the configuration which is currently in use at our local school.
> The server is running Squid + SquidGuard on Slackware 14.1. We're
> planning to move to CentOS 7 in June 2018, so I'd like to use this
> working configuration without having to jump through burning loops or
> having to reinvent the wheel.

This one is much more complex than your earlier configs. It seems
reasonable to use ufdbguard as a drop-in replacement for squidguard here.


A few things like the direction and couvrefeu ACLs can be moved easily
for better efficiency in squid.conf like so:

 acl direction src 192.168.10.2-192.168.10.49
 acl direction src 192.168.10.246-192.168.10.249

 # these are okay. Don't bother asking the helper
 url_rewrite_access deny direction

 acl couvrefeu time mtwhf 00:00-07:00
 acl couvrefeu time smtwh 22:30-24:00

 acl scholae src 192.168.10.50-192.168.10.210

 deny_info 302:http://squidguard.serveur-hp.ecole-scholae.lan/avertissement.html couvrefeu

 http_access deny scholae couvrefeu

Note that the helper will never even be asked when these are redirected by
http_access, so you do not need a url_rewrite_access rule for it - scholae
things will only ever be passed to the helper during non-couvrefeu times.


Also, if you want to present a fixed web page instead of redirecting, you
can configure/load a custom HTML error page in deny_info instead of
using the 302:url pattern.

HTH
Amos
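To verify the deny_info wiring Amos describes before reloading Squid, here is an added example (not Amos's config and not part of Squid); it assumes a single squid.conf without "include" directives, plain alphanumeric ACL names and no trailing comments on http_access lines.

```shell
#!/bin/sh
# Added example, not part of Squid or of the config posted above.
# deny_info only takes effect for the last ACL matched in an "http_access
# deny" rule, so a block page that never appears usually means the ACL named
# in deny_info is undefined, is never the last ACL of a deny rule, or the
# page file is missing. Assumes a single squid.conf (no "include"), plain
# alphanumeric ACL names and no trailing comments on http_access lines.

# Usage: check_deny_info /etc/squid/squid.conf
# Prints "<acl> <page> <status>" per deny_info line, where status is one of
# ok, redirect (3xx:URL form), undefined-acl, not-denied, missing-file.
check_deny_info() {
    conf="$1"
    grep -E '^[[:space:]]*deny_info[[:space:]]' "$conf" |
    while read -r kw page acl rest; do
        status=ok
        if ! grep -Eq "^[[:space:]]*acl[[:space:]]+$acl[[:space:]]" "$conf"; then
            status=undefined-acl
        elif ! grep -Eq "^[[:space:]]*http_access[[:space:]]+deny([[:space:]]+!?[^[:space:]]+)*[[:space:]]+$acl[[:space:]]*$" "$conf"; then
            status=not-denied
        else
            case "$page" in
                [0-9][0-9][0-9]:*) status=redirect ;;           # 302:http://... form
                /*) [ -f "$page" ] || status=missing-file ;;   # absolute file path
                # anything else is a template name in Squid's errors directory
            esac
        fi
        echo "$acl $page $status"
    done
}
```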

Re: Squid + SquidGuard : static block page not working

Amos Jeffries
In reply to this post by Nicolas Kovacs
On 15/03/18 02:55, Nicolas Kovacs wrote:

> On 14/03/2018 at 14:46, Marcus Kool wrote:
>> ufdbGuard is the tool that you need.
>> It is an old fork of ufdbGuard with many new features, very good
>> performance and it has regular maintenance.
>> If you have a question, you can ask the support desk at
>> www.urlfilterdb.com.
>> You will get an answer from me or a colleague.
>
> Thanks for the heads-up.
>
> On the school server running SquidGuard, I'm using the blacklist
> collection of the University of Toulouse, which has several millions (!)
> of URLS/domains in about a hundred different categories.
>
> Will I be able to use these blacklists with ufdbGuard ?

If squidguard could handle it, yes. ufdbguard is better.

Amos

Re: Squid + SquidGuard : static block page not working

Nicolas Kovacs
In reply to this post by Yuri Voinov
On 14/03/2018 at 15:02, Yuri wrote:
> I can confirm: ufdbguard is an up-to-date and very customizable
> replacement for SquidGuard. Using ufdbguard for the last three years has
> given perfect results and brings functionality which is absent in
> SquidGuard.
>
> ufdbguard has good support for https (including SSL Bump), is incredibly
> fast (it is thread-aware) and has a small memory footprint.

Thanks everybody for your numerous suggestions.

I fiddled around much more with Squid, and for the moment, I got my
existing SquidGuard configuration from Slackware working on CentOS.

https://blog.microlinux.fr/squidguard-centos/

As soon as I have a bit of time on my hands to experiment, I'll take a
look at ufdbguard.

For the moment, SquidGuard works perfectly here.

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : [hidden email]
Tel. : 04 66 63 10 32