Debian / Ubuntu Linux: Install SquidGuard Web Filter Plugin For Squid 3.x To Block Unwanted Sites

How do I install and configure SquidGuard – a web filter plugin for Squid to restrict access to domains/URLs based upon access control lists? How do I block porn, gambling, and other web-sites using squid proxy server version 3.x under Debian or Ubuntu Linux server for my school?

squidGuard is flexible and ultra fast filter, redirector and access controller plugin for squid proxy server (it works with both squid version 2.x and 3.x). It lets you define multiple access rules with different restrictions for different user groups on a squid cache. squidGuard uses squid’s standard redirector interface.

Step #1: Install squidguard

Open a terminal and type the following command as root on the server:
# apt-get install squidguard

Step #2: Install Blacklist

The blacklists are the heart of every URL filter. Squidgurd supports both free and commercial distributions of blacklists on the net or create and use your own (or any combination of them). List of free databases:

  1. MESD blacklists (free).
  2. Shalla’s Blacklists (free for non commercial/private use).
  3. Urlblacklist (commercial)

Use wget command to download blacklists from shallalist.de as follows:
# cd /tmp
# wget -c http://www.shallalist.de/Downloads/shallalist.tar.gz

Sample outputs:

--2012-08-22 00:34:16--  http://www.shallalist.de/Downloads/shallalist.tar.gz
Resolving www.shallalist.de... 78.47.242.85
Connecting to www.shallalist.de|78.47.242.85|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 9935263 (9.5M), 7448411 (7.1M) remaining [application/x-tar]
Saving to: `shallalist.tar.gz'
 
100%[++++++++++++++============================================>] 99,35,263    475K/s   in 16s     
 
2012-08-22 00:34:33 (459 KB/s) - `shallalist.tar.gz' saved [9935263/9935263]

Untar tar ball, enter:
# tar -zxvf shallalist.tar.gz
Sample outputs:

BL/
BL/porn/
BL/porn/domains
BL/porn/urls
BL/gamble/
BL/gamble/domains
BL/gamble/urls
BL/chat/
BL/chat/domains
BL/chat/urls
BL/automobile/
....
..


BL/radiotv/domains
BL/radiotv/urls
BL/urlshortener/
BL/urlshortener/domains
BL/urlshortener/urls
BL/anonvpn/
BL/anonvpn/urls
BL/anonvpn/domains

In this example, install porn blacklist as follows using the cp command:
# cp -avr BL/porn/ /var/lib/squidguard/db/
Sample outputs:

`BL/porn/' -> `/var/lib/squidguard/db/porn'
`BL/porn/domains' -> `/var/lib/squidguard/db/porn/domains'
`BL/porn/urls' -> `/var/lib/squidguard/db/porn/urls'

Finally, create the database from text files as follows:
# cd /var/lib/squidguard/db/porn
# squidGuard -b -C domains
# squidGuard -b -C urls

Sample outputs:

Processing file and database /var/lib/squidguard/db/porn/domains
    [==================================================] 100 % done
Processing file and database /var/lib/squidguard/db/porn/urls
    [==================================================] 100 % done

Where,

  • -b : Show on progress bar when updating the blacklists.
  • -C fileName : Create new .db files from urls/domain files, which are specified in “fileName”.

Set permissions so that squid can read the files using chown command:
# chown proxy:proxy -R /var/lib/squidguard/db/

Step #3: Configure Squid 3

I’m assuming that Squid 3 is installed and configured properly. Edit /etc/squid3/squid.conf, enter:
# vi /etc/squid3/squid.conf
You need to specify the location of the executable for the URL rewriter using url_rewrite_program as follows:

url_rewrite_program /usr/bin/squidGuard

Save and close the file.

Step #4: Configure SquidGuard

Finally edit /etc/squid/squidGuard.conf, enter:
# vi /etc/squid/squidGuard.conf
Add the following directives:

## Block adult/porn sites for school  ##
dest porn {
        domainlist      porn/domains
        urllist         porn/urls
}

Edit / update acl as follows:

acl {
        default {
                pass  !porn all
                redirect http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
        }
}

Save and close the file. Create a blocked.html on 192.168.1.11 web server:

<html>
	<head>
		<title>URL Blocked</title>
	</head>
	<body>
		<h1>URL Blocked</h1>
		<p>Access to this site / url has been blocked.</p>
		<p>If you think this is an error, please contact the help-desk:</p>
		<p>Call us - 123-456-789 (ext. 333)</p>
		<p>Email us - [email protected]</p>
	</body>
</head>
</html>

Finally, reload the squid 2/3 proxy server:
# /usr/sbin/squid3 -k reconfigure
Verify that both squid and squidguard working properly, run:
# tail -f /var/log/squid3/cache.log
Sample outputs:

2012/08/22 01:23:40| Processing Configuration File: /etc/squid3/squid.conf (depth 0)
2012/08/22 01:23:40| Squid modules loaded: 0
2012/08/22 01:23:40| Adaptation support is off.
2012/08/22 01:23:40| Store logging disabled
2012/08/22 01:23:40| DNS Socket created at [::], FD 8
2012/08/22 01:23:40| DNS Socket created at 0.0.0.0, FD 9
2012/08/22 01:23:40| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2012/08/22 01:23:40| helperOpenServers: Starting 5/5 'squidGuard' processes
2012/08/22 01:23:40| Accepting  HTTP connections at [::]:3128, FD 30.
2012/08/22 01:23:40| HTCP Disabled.
2012/08/22 01:23:40| Loaded Icons.
2012/08/22 01:23:40| Ready to serve requests.

Step #5: Verify the configuration

Type the following command to verify that squidguard is working and blocking the urls:

echo "http://DOMAIN-NAME-HERE / - - GET" | squidGuard -d 
echo "http://sex.com / - - GET" | squidGuard -d

Sample outputs:

2012-08-22 01:26:05 [3365] New setting: dbhome: /var/lib/squidguard/db
2012-08-22 01:26:05 [3365] New setting: logdir: /var/log/squid3
2012-08-22 01:26:05 [3365] destblock good missing active content, set inactive
2012-08-22 01:26:05 [3365] destblock local missing active content, set inactive
2012-08-22 01:26:05 [3365] init domainlist /var/lib/squidguard/db/porn/domains
2012-08-22 01:26:05 [3365] loading dbfile /var/lib/squidguard/db/porn/domains.db
2012-08-22 01:26:05 [3365] init urllist /var/lib/squidguard/db/porn/urls
2012-08-22 01:26:05 [3365] loading dbfile /var/lib/squidguard/db/porn/urls.db
2012-08-22 01:26:05 [3365] squidGuard 1.4 started (1345578965.473)
2012-08-22 01:26:05 [3365] Info: recalculating alarm in 23635 seconds
2012-08-22 01:26:05 [3365] squidGuard ready for requests (1345578965.476)
2012-08-22 01:26:05 [3365] source not found
2012-08-22 01:26:05 [3365] no ACL matching source, using default
http://192.168.1.11/blocked.html?clientaddr=+clientname=+clientident=+srcclass=default+targetclass=porn+url=http://sex.com /- - -
2012-08-22 01:26:05 [3365] squidGuard stopped (1345578965.477)

Or you can see the following in browser:

Fig.01: SquidGuard in action

How do I block other categories?

Update /etc/squid/squidGuard.conf as follows. Define your categories. Just like you did above for porn:

dest gamble {
        domainlist      gamble/domains
        urllist         gamble/urls
}
dest alcohol {
        domainlist      alcohol/domains
        urllist         alcohol/urls
}

Update acl entry as follows:

acl {
        default {
                pass  !porn !gamble !alcohol all
                redirect http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
        }
}

You also need to install database in /var/lib/squidguard/db/ directory:
# cd /tmp
# cp -avr BL/alcohol/ /var/lib/squidguard/db/
# cp -avr BL/gamble/ /var/lib/squidguard/db/

To initializing the blacklists, run:
# squidGuard -C all
Or just initializing newly created categories:
# squidGuard -C /var/lib/squidguard/db/alcohol/domains
squidGuard -C /var/lib/squidguard/db/alcohol/urls

Finally, set permissions:
# chown proxy:proxy -R /var/lib/squidguard/db/
Reload the squid 3:
# /usr/sbin/squid3 -k reconfigure

Do not allow URL filter bypass by the IP addresses

To make sure that users don’t bypass the URL filter by simply using the IP addresses instead of the FQDNs, edit acl entry as follows with !in-addr directive:

acl {
        default {
                pass  !porn !gamble !alcohol !in-addr all
                redirect        http://192.168.1.11/blocked.html?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
        }
}

Reload the squid as follows:
# /usr/sbin/squid3 -k reconfigure

References:
  • man pages – squidGuard(1)
  • For more information see squidguard website.

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.