Install & Configure SquidGuard in Ubuntu

Install and Configure SquidGuard Overview

It is very useful to be able to block users on your network from accessing millions of websites with nefarious content. A great way to accomplish this is with a proxy server like Squid. Squid is a free and powerful proxy server that is capable of blocking users from accessing web content. A great way of enhancing Squid’s ability to block unwanted websites, domains and IP addresses is to install SquidGuard. SquidGuard is an add-on program for the Squid proxy server (see my previous article on Squid) whose main purpose is to block unwanted web traffic. SquidGuard works with databases of blacklists to block, filter, and redirect requested URLs and domains.

You manually download and add blacklist files to SquidGuard and compile them into the SquidGuard database. Squid can then redirect web requests to SquidGuard, which checks them against its database of blacklisted websites, domains and IP addresses. It seems like this process would slow down a network, but SquidGuard is an extremely fast web content filter with the ability to check web requests against millions of blacklisted sites in a matter of seconds. There is great information about SquidGuard’s capabilities on the SquidGuard website, including links to download the program, well-written installation and configuration instructions, and links to websites that maintain blacklists.

Steps to manually install SquidGuard in Ubuntu

You can download and install SquidGuard using a package manager program like apt-get or yum, or even a graphical software installer tool like the software center program. Instead, I chose to outline the steps involved in manually downloading and installing SquidGuard.

1. Download the current stable version of SquidGuard at http://www.squidguard.org and save it to your downloads folder.

2. Download the Berkeley DB from Oracle at http://oracle.com. Download version 4.8.30.NC.tar.gz with no encryption and save it to your Downloads folder.

3. Open a terminal and navigate to the directory where you downloaded SquidGuard and the Berkeley DB. You should see the tar.gz files:
cd ~/Downloads
ls

4. Decompress the tar.gz files (substitute the file names for the versions you downloaded)
tar -xvzf squidGuard-1.5-beta.tar.gz
tar -xvzf db-4.8.30.NC.tar.gz
ls

You should see two folders, one for squidGuard and one for Berkeley DB (e.g. squidGuard-1.5 and db-4.8.30).

5. Install the Berkeley DB first, since SquidGuard requires it for installation. By default, the Berkeley DB will install itself to /usr/local/ in a folder named BerkeleyDB.4.8. You will need this information when preparing SquidGuard for installation.
cd db-4.8.30
cd build_unix
../dist/configure
make
sudo make install

6. Install SquidGuard by navigating to the extracted SquidGuard folder. During the configure process, pass the configure script the location of the Berkeley DB directory and set the squiduser to ‘proxy’ for Ubuntu. The squiduser and group are typically “squid” in other Linux distributions like Fedora.
cd ~/Downloads/squidGuard-1.5
./configure --with-db=/usr/local/BerkeleyDB.4.8 --with-squiduser=proxy
make
sudo make install

You should get a message that the initial SquidGuard configuration is complete. Congratulations, SquidGuard is successfully installed! Make a note of the directory locations of the SquidGuard db, log, and conf files:
/usr/local/squidGuard/db
/usr/local/squidGuard/log
/usr/local/squidGuard/squidGuard.conf

Blacklists

7. Now that SquidGuard is installed, you will want to download some blacklists. The SquidGuard website provides a few options. Click on the Blacklists link and download a few blacklists. I recommend going to http://cri.univ-tlse1.fr/blacklists/index_en.php and downloading the blacklists.tar.gz file from the top of the Descriptions section.

Now you can move the blacklists to the SquidGuard db directory and extract them so they are ready to use.

cd ~/Downloads
sudo cp blacklists.tar.gz /usr/local/squidGuard/db/blacklists.tar.gz
cd /usr/local/squidGuard/db
sudo tar -xvf blacklists.tar.gz

Configuring SquidGuard

8. Now you are ready to configure SquidGuard. You will want to open the configuration file with a text editor.
cd /usr/local/squidGuard/
ls

You should see a squidGuard.conf file. Copy the conf file to a backup and open it with a text editor:
sudo cp squidGuard.conf squidGuard.conf.bak
sudo su
gedit squidGuard.conf &

If your squidGuard.conf file is janked i.e. blank, then you can copy the configuration directly from the SquidGuard website: http://www.squidguard.org/Doc/configure.html

Looking at your squidGuard.conf file in the text editor make sure that the lines beginning with dbhome and logdir point to the correct directory. For my install the dbhome and logdir lines read:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

So I changed the dbhome line to:
dbhome /usr/local/squidGuard/db/blacklists

Try running squidGuard in output-to-stderr mode:
squidGuard -d

I had errors showing on line 23 so I commented out lines 22 to 25 with # signs:
#rew dmz{
#          s@://admin/…
#          s@://foo.bar….
#}

Now try running squidGuard:
squidGuard -d

If squidGuard ran with no errors, it is time to compile your blacklists from text to DB with the -C all command:
squidGuard -d -C all

I had additional errors caused by the Destination Classes area in the squidGuard.conf file. The dest adult block of code had the following lines that needed to have the “dest/” edited out, because they are not the correct directory paths following from the “/usr/local/squidGuard/db/blacklists” directory:

dest adult{
    domainlist      dest/adult/domains
    urllist         dest/adult/urls
    expressionlist  dest/adult/expressions
    redirect        http://admin.foo.bar.de…
}

to

dest adult{
    domainlist      adult/domains
    urllist         adult/urls
    expressionlist  adult/expressions
    redirect        http://google.com
}
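
The “dest/” errors above come from list paths that do not exist under dbhome. The following shell function is an added example, not part of the original article or of SquidGuard: it reads a squidGuard.conf and reports every domainlist, urllist or expressionlist file named in a dest block that is missing on disk. The names check_sg_paths and sg_demo are hypothetical, and the sample config in sg_demo is constructed.

```sh
# Added example; check_sg_paths and sg_demo are hypothetical helper names.
# Prints "MISSING <class> <keyword> <full path>" for each missing file.
# Returns 0 if every file exists, 1 if any is missing, 2 if dbhome is absent.
check_sg_paths() {
    conf=$1
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    if [ -z "$dbhome" ]; then
        echo "no dbhome line in $conf" >&2
        return 2
    fi
    # Emit "class keyword path" for every list line inside a dest block.
    entries=$(awk '
        /^[ \t]*#/   { next }                                   # commented out
        $1 == "dest" { cls = $2; sub(/[{].*/, "", cls); next }  # "dest adult{"
        /^[ \t]*[}]/ { cls = ""; next }                         # block closed
        cls != "" && ($1 == "domainlist" || $1 == "urllist" ||
                      $1 == "expressionlist") { print cls, $1, $2 }
    ' "$conf")
    status=0
    while read -r cls keyword path; do
        [ -n "$path" ] || continue
        case $path in
            /*) full=$path ;;           # absolute path: used as written
            *)  full=$dbhome/$path ;;   # relative path: resolved under dbhome
        esac
        if [ ! -f "$full" ]; then
            echo "MISSING $cls $keyword $full"
            status=1
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Constructed sample: a temp tree shaped like the article's db/blacklists,
# with one path still carrying the stale "dest/" prefix.
sg_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/blacklists/adult"
    : > "$d/blacklists/adult/domains"; : > "$d/blacklists/adult/urls"
    printf 'dbhome %s/blacklists\ndest adult{\ndomainlist dest/adult/domains\nurllist adult/urls\n}\n' \
        "$d" > "$d/squidGuard.conf"
    rc=0
    check_sg_paths "$d/squidGuard.conf" || rc=$?
    rm -rf "$d"
    return $rc
}
```

Against a real install, run check_sg_paths /usr/local/squidGuard/squidGuard.conf before compiling the blacklists; no output and a zero exit status mean every list path resolves.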

I also edited the ACL block of code at the end of the config file. I commented out areas that I was not going to use, and focused on the default acl block of code, which I changed to pass only the not(!) adult sites (pass !adult all):

acl {
#    admin {
#        pass     any
#    }
#
#    foo-clients within workhours {
#        pass     good !in-addr !adult any
#    } else {
#        pass any
#    }
#
#    bar-clients {
#        pass    local none
#    }
#
    default {
        pass     !adult all
        #rewrite dmz
        redirect http://google.com
    }
}

9. After editing your config file try to compile your Blacklists from text to DB with a “-C all” command
squidGuard -d -C all

If there are no errors, make sure the blacklists have the correct owner and group for Squid. You can check ownership of files and folders using the ls -l command. For Ubuntu the correct owner and group for Squid is “proxy”; in other distributions it is “squid”.
chown -R proxy:proxy /usr/local/squidGuard/db/blacklists

10. To finish the installation, add the following line to the Squid configuration file, /etc/squid/squid.conf. I added it around line 1083, although you could add it anywhere. Notice that it directs the squidGuard program to its configuration file. If your squidGuard installation or configuration file is located in a different directory, adjust the paths in the line accordingly:

url_rewrite_program  /usr/local/bin/squidGuard  -c  /usr/local/squidGuard/squidGuard.conf

11. Now restart Squid, or reload the Squid configuration file, which is much faster.
service squid reload
or
pkill -9 squid
service squid start

12. To test whether the squidGuard configuration is working correctly and that Squid is passing web requests and checking them against the SquidGuard database, the SquidGuard website recommends running a dry-run test using the following command. You can substitute one of the blacklisted URLs from your blacklists for the “http://www.example.com” URL in the example. Also, if you do not have a “test.cfg” file, just remove the part of the line from “-c” to “test.cfg” (see example below):

echo "http://www.example.com 10.0.0.1/ - - GET" | squidGuard -c /tmp/test.cfg -d
to
echo "http://www.blacklisted.com - - - GET" | squidGuard -d

After running the command above, if you see the following 3 messages in the output then squidGuard is functioning correctly:
– the redirected URL website address from the squidGuard.conf file
– “squidGuard ready for requests”,
– “squidguard stopped”

Now you can try using your web browser to see if it will block blacklisted domains and websites!

Note: If you are in a situation where you do not want to risk requesting blacklisted sites in your browser and having them not be filtered, then you can add one of your own entries in a blacklist, recompile the squidGuard blacklist database, and test to see if your manually entered website is blocked by squidGuard.

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.
