Installing and configuring the squidGuard web filter

Intro

With the passage of the Children's Internet Protection Act, schools are required to filter access to the internet in order to be elegible for E-Rate funds. E-Rate can be a substantial amount of money. With tightening budgets, foregoing the E-Rate funds will not be an option in most cases.

Unfortunately, commerical filtering software is very expensive.

This puts quite a burdon on under-funded schools. They need the E-Rate funds to help pay for internet access, but in turn must spend a significant amount of money on filtering software.

The good news is that there exists free filtering software. Until recently, MESD had been using expensive commercial filtering software. We are very pleased with the performance of squidGuard, the schools we support report that they much prefer squidGuard.

Official Site

The official squidGuard web site is located here:

http://www.squidguard.org

Installation

First and foremost, you need to start off with a properly configured system that supports the Squid proxy server. Squid is licensed under the GNU General Public License which means that is free, both in the sense of free beer and free speach. Squid runs on a number of operating systems. Currently Linux, *BSD, Tru64, IRIX, Solaris, SCO, AIX, HP-UX, and NextStep are officially supported. MESD recommends Linux or OpenBSD. MESD uses the Immunix version of Linux. Most versions of *BSD and Linux include Squid.

If you are running Red Hat 7.2 server, you can download a squidGuard RPM here:

ftp://k12linux.mesd.k12.or.us/pub/squidGuard/

After installing this package, you can activate squidGuard by adding the following line to the squid configuration file (/etc/squid/squid.conf):

redirect_program /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf

and restart squid:

/sbin/service squid restart /sbin/chkconfig squid on

For full instructions on installing squidGuard, see the squidGuard website: http://www.squidguard.org/install/

Configuration

Configuring squidGuard is very straight-forward. The default location for the block lists is /usr/local/squidGuard/db/. Each category is located in a different directory. Currently, the categories available are ads, aggresive, audio-video, drugs, gambling, hacking, porn, violence, and warez. The configure file is /etc/squid/squidGuard.conf. Here is a sample configuration file:

	dbhome /usr/local/squidGuard/db
	logdir /usr/local/squidGuard/log

	dest gambling{
	        log             gambling
	        domainlist      gambling/domains
	        urllist         gambling/urls
	}

	dest warez{
	        log             warez
	        domainlist      warez/domains
	        urllist         warez/urls
	}

	acl {
		default {
			pass !gambling !warez all
			redirect 302:http://www.google.com
		}
	}

dbhome defines where the block list databases are located
logdir defines where to log blocked requests
dest defines a category
acl defines the access controll lists.

This example configuration defines two categories, gambling and warez. The acl line says that the default action is to block (!=don't pass) gambling and warez categories and to permit everything else. The redirect line says to send requests to blocked sites to http://www.google.com, change this to fit your needs.

The default configuration file, /etc/squid/squidGuard.conf is much more extensive. See the squidGuard homepage, http://www.squidguard.org/config/ for all of the configuration options available.

Updates

The Red Hat 7.2 RPM is configured to automatically synchronize to the MESD blocklists every night. MESD combines the blocklists from ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz and http://www.bn-paf.de/filter/de-blacklists.tar.gz. The combined list is available here: http://squidguard.mesd.k12.or.us/blacklists.tgz

Making changes to the blacklists is very easy. The squidGuard RPM is prefconfigured with two locally-modifable databases, /var/squidguard/blacklists/local-ok/ and /var/squidguard/blacklists/local-block/. Each database has two files: domains and urls. If you want to block/unblock a whole web site, append the domain name to the domains file. To block/unblock just a specific webpage, add the URL to the urls file.

For example, if you want to make sure that web pages at CNN's web site are never blocked, you can append cnn.com to the end of /var/squidguard/blacklists/local-ok/domains. If you want to make sure that all of the pages at somebadsite.com are blocked, append that to /var/squidguard/blacklists/local-block/domains. If there is just a specific portion of a website you want blocked, say http://www.yahoo.com/adult-stuff/, you can add "yahoo.com/adult-stuff" to /var/squidguard/blacklists/local-block/urls.

Once you've made the modifications, you need to run a command or two for the changes to take. If you are using the pre-built RPM, you can run:

/usr/sbin/update_squidguard_blacklists

If you are not using the pre-built RPM, these commands should do the trick for you:

su squid -s /bin/sh -c "/usr/sbin/squidGuard -c /etc/squid/squidGuard.conf -C all" /usr/bin/killall -HUP squid

See the squidGuard homepage, http://www.squidguard.org/config/#Lists, for more tips and tricks on working with the block lists.