On the server we need to install and configure squid and squidGuard.
Squid
Install squid and configure it in /etc/squid/squid.conf.
Minimal configuration:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7          # RFC 4193 local private network range
acl localnet src fe80::/10         # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80             # http
acl Safe_ports port 21             # ftp
acl Safe_ports port 443            # https
acl Safe_ports port 70             # gopher
acl Safe_ports port 210            # wais
acl Safe_ports port 1025-65535     # unregistered ports
acl Safe_ports port 280            # http-mgmt
acl Safe_ports port 488            # gss-http
acl Safe_ports port 591            # filemaker
acl Safe_ports port 777            # multiling http
acl CONNECT method CONNECT

access_log /var/log/squid/access.log

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

# Allow localhost always proxy functionality
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#ATH
#ATH squidGuard will do url rewrite
url_rewrite_program /usr/sbin/squidGuard

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir aufs /var/cache/squid 100 16 256
cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:             1440  20  10080
refresh_pattern ^gopher:          1440  0   1440
refresh_pattern -i (/cgi-bin/|\?) 0     0   0
refresh_pattern .                 0     20  4320

cache_log /var/log/squid/cache.log
cache_mem 8 MB
cache_mgr root
cache_replacement_policy lru
cache_store_log /var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
error_directory /usr/share/squid/errors/nl
ftp_passive on
maximum_object_size 4096 KB
memory_replacement_policy lru
minimum_object_size 0 KB
Note the lines highlighted in red in the original: error pages are served in Dutch (error_directory .../nl), and the following line is added so that squidGuard can rewrite URLs:
url_rewrite_program /usr/sbin/squidGuard
squidGuard
Install squidGuard and configure it in /etc/squidguard.conf.
Minimal configuration:
#
# Top directory for all db files. All files are relative to this dir
#
dbhome /var/lib/squidGuard/db
#
# Log directory
#
logdir /var/log/squidGuard

#
# SOURCE ADDRESSES:
#
#
# Define all clients in my network 10.0.0.0/8 by ip
#
src clients {
    ip 10.0.0.0/8
}

#
# DESTINATION CLASSES:
#
# All destinations I have defined as good. Note that all files are relative to dbhome
#
#
# My black listed destinations (ads)
#
dest arjanads {
    domainlist blacklist/arjan/ads/domains
    urllist    blacklist/arjan/ads/urls
}
#
# More black listed destinations (ads)
#
dest urlblacklist {
    domainlist     blacklist/urlblacklist/ads/domains
    urllist        blacklist/urlblacklist/ads/urls
    expressionlist blacklist/urlblacklist/ads/expressions
}
#
# Even more black listed destinations (ads)
#
dest BLads {
    domainlist blacklist/BL/adv/domains
    urllist    blacklist/BL/adv/urls
}
#
# Even more and more black listed destinations (ads)
#
dest MESDads {
    domainlist blacklist/MESD/blacklists/ads/domains
    urllist    blacklist/MESD/blacklists/ads/urls
    #redirect http://www.famtenhoopen.nl/squidguard/blocked.png
}

#
# Define the behaviour
#
acl {
    #
    # Note that the default acl must be defined
    #
    default {
        pass !arjanads !BLads !MESDads !urlblacklist all
        redirect http://cloud.famtenhoopen.nl/images/transparant1x1.png
    }
}
You test squidGuard with the following command:
echo "https://adrcdn.com 10.0.0.132/ - - GET" | /usr/sbin/squidGuard
The URL https://adrcdn.com is tested. The client making the request is 10.0.0.132. The user is –. The next dash is not used. The HTTP method is GET.
If the output is ERR, the URL is not rewritten. If the URL does have to be rewritten, you get output that looks roughly like this:
OK rewrite-url="https://cloud.famtenhoopen.nl/images/transparant1x1.png"
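To make the ERR / OK rewrite-url exchange above concrete, here is an added example (not squidGuard's own code) that emulates how the dest lists and the acl default from the configuration above decide on one redirector line. The domain, URL and expression lists are constructed stand-ins for the files under dbhome; the fallback for an unparsable line is this emulation's own choice, and only the URL field of the line is inspected.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the three list types a squidGuard "dest" block
# can reference (domainlist, urllist, expressionlist); in the real files
# under dbhome there is one entry per line.
DOMAINS = {"adrcdn.com", "ads.example"}             # domainlist: host and all subdomains
URLS = {"example.org/banners"}                       # urllist: host/path prefix, no scheme
EXPRESSIONS = [re.compile(r"/ad(s|server)/", re.I)]  # expressionlist: regexes on the URL
REDIRECT = "https://cloud.famtenhoopen.nl/images/transparant1x1.png"  # acl default redirect


def matches_domain(host):
    # A domainlist entry blocks the domain itself and every subdomain of it.
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def matches_url(host, path):
    # A urllist entry blocks everything at or below that host/path prefix.
    target = host + path
    return any(target == u or target.startswith(u + "/") for u in URLS)


def check(line):
    """Emulate one redirector exchange. `line` is what squid pipes in:
    "URL client_ip/fqdn user method". Returns "ERR" (pass, no rewrite) or
    'OK rewrite-url="..."' (blocked, client gets the transparent pixel)."""
    fields = line.split()
    if len(fields) < 4:
        # Unparsable request: pass it through unchanged (this emulation's
        # choice, so a malformed line never turns into a block of all browsing).
        return "ERR"
    url = fields[0]
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    blocked = (matches_domain(host)
               or matches_url(host, path)
               or any(e.search(url) for e in EXPRESSIONS))
    return f'OK rewrite-url="{REDIRECT}"' if blocked else "ERR"


if __name__ == "__main__":
    # The same request as the test command on this page, plus constructed ones.
    for req in ("https://adrcdn.com 10.0.0.132/ - - GET",
                "http://example.org/banners/top.gif 10.0.0.132/ - - GET",
                "http://example.org/news 10.0.0.132/ - - GET"):
        print(req.split()[0], "->", check(req))
```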
Redirect
The redirect always goes (for now) to a transparent 1×1 pixel image (transparant1x1.png). The full path is /srv/www/htdocs/images/transparant1x1.png
You have to create this image yourself and put it in the right place.
Database file structure
At installation a structure for the database files has already been created:
/var/lib/squidGuard
/var/lib/squidGuard/db
/var/lib/squidGuard/db/blacklist
/var/lib/squidGuard/db/blacklist/domains
/var/lib/squidGuard/db/blacklist/expressions
/var/lib/squidGuard/db/blacklist/urls
As you saw in the squidguard.conf file, quite a bit has been bolted on. Adjust the config (strip out what is not there) if you do not have these files.
If all is well you have something that looks like this:
/var/lib/squidGuard
/var/lib/squidGuard/db
/var/lib/squidGuard/db/blacklist
/var/lib/squidGuard/db/blacklist/domains
/var/lib/squidGuard/db/blacklist/BL
/var/lib/squidGuard/db/blacklist/BL/adv
/var/lib/squidGuard/db/blacklist/BL/adv/domains
/var/lib/squidGuard/db/blacklist/BL/adv/urls
/var/lib/squidGuard/db/blacklist/expressions
/var/lib/squidGuard/db/blacklist/urlblacklist
/var/lib/squidGuard/db/blacklist/urlblacklist/ads
/var/lib/squidGuard/db/blacklist/urlblacklist/ads/domains
/var/lib/squidGuard/db/blacklist/urlblacklist/ads/expressions
/var/lib/squidGuard/db/blacklist/urlblacklist/ads/urls
/var/lib/squidGuard/db/blacklist/arjan
/var/lib/squidGuard/db/blacklist/arjan/ads
/var/lib/squidGuard/db/blacklist/arjan/ads/domains
/var/lib/squidGuard/db/blacklist/arjan/ads/expressions
/var/lib/squidGuard/db/blacklist/arjan/ads/urls
/var/lib/squidGuard/db/blacklist/MESD
/var/lib/squidGuard/db/blacklist/MESD/blacklists
/var/lib/squidGuard/db/blacklist/MESD/blacklists/ads
/var/lib/squidGuard/db/blacklist/MESD/blacklists/ads/domains
/var/lib/squidGuard/db/blacklist/MESD/blacklists/ads/urls
These are all source files; the db files still have to be built from them. That goes as follows:
# create the db files out of the sources
$ /usr/sbin/squidGuard -C all
# make sure all permissions are set correctly
$ chown -R squid:nogroup /var/lib/squidGuard/db
# restart squid
$ systemctl restart squid
Cron
Put the following line in cron so that changes to the source files are picked up automatically.
07 1 * * * /usr/sbin/squidGuard -C all ; chown -R squid:nogroup /var/lib/squidGuard/db ; systemctl restart squid
Systemd
Start squid via systemd. You do not need to start squidGuard, because it is not a daemon: it is invoked by squid (as a "normal" program).
systemctl start squid
systemctl enable squid
systemctl status squid
Blacklists
Where do you get blacklists?
http://www.squidguard.org/blacklists.html
Client installation
On the clients, the web browsers must use the proxy server: 10.0.0.150, port 3128.
See also the post about Ad Blocking.