Saturday, July 5, 2008

Fedora 9: SquidGuard Proxy Filter Install and HowTo

SquidGuard is a URL redirector and content filter add-on that restricts proxy clients from accessing particular or banned sites, IP addresses, URLs and website patterns through the proxy server. SquidGuard can be used in conjunction with the Squid proxy to implement website content filtering at the proxy server.

Here's a rundown on how to install SquidGuard and integrate it into a Squid-based proxy server.

Fedora 9: SquidGuard Installation

Requirements:

1. Existing Fedora 9 box

2. Existing Squid Configuration

Proceed with SquidGuard installation via yum.

As root, issue

# yum -y install squidGuard

With the default rpm installation, the squidGuard configuration file is installed as /etc/squid/squidGuard.conf, while the squidGuard blacklist files are located in /var/squidGuard/blacklists.

SquidGuard Integration to Squid Proxy Server

Back up and modify /etc/squid/squid.conf. Insert the lines below into /etc/squid/squid.conf:

redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 400

The above tells Squid to pass URL requests through the squidGuard binary for redirection and, at the same time, to spawn 400 squidGuard children (copies). Modify the values to suit your needs. Remember that the value is a trade-off between your needs and the resources you have.

SquidGuard Configuration Setup

Create a backup copy of /etc/squid/squidGuard.conf, then modify /etc/squid/squidGuard.conf.

a. SquidGuard Log files and black listed sites, URLs and IPs

dbhome /var/squidGuard/blacklists
logdir /var/log/squid

There is no need to modify the above default values unless your setup requires different locations.

b.  Time-Based Access Control

If you wish to implement time-based access control, below is a sample format:

time workhours {
weekly mtwhf 08:00 - 23:30
date *-*-01  08:00 - 23:30
}

time special-hours {
weekly mwf 08:00 - 11:00
}

c. Source Access Control

If you wish to implement access control based on IP addresses and/or network IP blocks, sample formats are shown below:

src foo-clients {
ip    192.168.1.4-192.168.1.254
}

src lan-clients {
ip    10.10.100.0/26
}

src admin {
ip    83.83.83.83 83.83.83.100
}

d. Destination Access Control

This is where you can specify the blacklist file(s). Blacklist files contain all banned URLs, websites and web IP addresses.

dest adultsites {
urllist        blacklists/porn/urls
}

dest hacksites {
urllist        blacklists/hacking/urls
}

e. Access Control Policy

Here is where the action begins. The time, source and destination definitions above are combined in the acl block below, using much the same format, to allow and deny access.

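acl {
    foo-clients {
        pass !adultsites all
        redirect 302:http://www.mydomain.com/banned
    }

    # vlan-clients needs its own src block; none is defined in the samples above
    vlan-clients within workhours {
        pass !hacksites all
        redirect 302:http://www.foo.com/banned.html
    }

    # "good" needs its own dest block; in-addr and any are built-in keywords
    lan-clients within special-hours {
        pass     good !in-addr !adultsites any
    } else {
        pass any
    }

    # matches the "src admin" block defined above
    admin {
        pass any
    }

    # "local" needs its own dest block; none is built in
    default {
        pass     local none
    }

}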
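
Every source, time and destination name used in the acl block has to be declared in a src, time or dest block, and a squidGuard that hits a configuration error can end up in emergency mode, passing every request unfiltered. The script below is an added example, not part of the original post or of squidGuard itself: it checks those cross-references before Squid is restarted. The function name undefined_refs and the SAMPLE configuration are constructed for illustration.

```python
import re

# Names squidGuard predefines; they need no src or dest block of their own.
BUILTIN = {"src": {"default"}, "dest": {"any", "all", "none", "in-addr"}, "time": set()}

def undefined_refs(conf):
    """List names used inside acl { } that no src/dest/time block declares."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)            # drop whole-line comments
    declared = {kind: set(names) for kind, names in BUILTIN.items()}
    for kind, name in re.findall(r"(?m)^\s*(src|dest|time)\s+([\w-]+)\s*\{", conf):
        declared[kind].add(name)
    acl = re.search(r"(?ms)^\s*acl\s*\{(.*)", conf)
    if acl is None:
        return ["acl block missing"]
    body, missing = acl.group(1), set()
    # Rule headers: "<src> {" or "<src> within|outside <time> {"
    for src, tname in re.findall(
            r"(?m)^\s*([\w-]+)(?:\s+(?:within|outside)\s+([\w-]+))?\s*\{", body):
        missing |= {f"{kind} {name}" for kind, name in (("src", src), ("time", tname))
                    if name and name not in declared[kind]}
    # pass lines: each token, minus any leading "!", names a destination
    for line in re.findall(r"(?m)^[ \t]*pass[ \t]+(.*)$", body):
        missing |= {"dest " + tok.lstrip("!") for tok in line.split()
                    if tok.lstrip("!") not in declared["dest"]}
    return sorted(missing)

# Constructed sample modelled on the post's configuration, not a real site's file.
SAMPLE = """
time workhours {
  weekly mtwhf 08:00 - 23:30
}
src foo-clients {
  ip 192.168.1.4-192.168.1.254
}
dest adultsites {
  urllist blacklists/porn/urls
}
acl {
  foo-clients {
    pass !adultsites all
  }
  vlan-clients within workhours {
    pass !hacksites all
  }
  default {
    pass local none
  }
}
"""
```

Calling undefined_refs(SAMPLE) reports the undeclared source vlan-clients and the undeclared destinations hacksites and local; pass it the contents of /etc/squid/squidGuard.conf to check a live file.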

Starting Squid with SquidGuard

# service squid restart

Testing SquidGuard on Debug Mode

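# echo "http://www.playboy.com 192.168.1.4/- - GET" |  squidGuard -c /etc/squid/squidGuard.conf -d

The test line follows the format Squid hands to a redirector: URL, client address/FQDN, ident and method. Replace the playboy.com URL with one of your banned URLs, and 192.168.1.4 with a client address covered by one of your src blocks.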

Checking SquidGuard Process and PIDs


# ps axuw | grep squidGuard

Loading SquidGuard with Alternate Config File

# squidGuard -c /etc/squid/newsquidGuard.conf

When integrated with Squid, SquidGuard makes a good content filter and URL redirector add-on for the proxy.

You can visit SquidGuard for more info.
