Setting up a blacklist proxy with automatic updates using Squid and SquidGuard

Posted in Howto, Linux, Proxy, Security by steelmon on December 9, 2010

The versatile, open source proxy server Squid can be used together with the plug-in SquidGuard to set up a flexible blacklist proxy server. Together with a simple cron job and a shell script, the database of blacklisted sites is kept up to date. This article describes the process step-by-step of how to get up and running.

I will be setting up the solution on an Ubuntu 9 server which conveniently has the necessary software available in its repositories. The setup should be very similar for other Linux environments, but you might have to compile the software from scratch.

Install and configure Squid

First of all, install and configure Squid. I did this in a previous post when I was looking at configuring a whitelist proxy.

    sudo apt-get install squid

Edit the Squid configuration file, /etc/squid/squid.conf and find the http_port tag. By default Squid listens to port 3128 for requests. If you want to change it, uncomment the line and change the port number.

Next, define who is allowed to access the proxy. Find the TAG: http_access heading and below it the "INSERT YOUR OWN RULE(S) HERE" marker.
Uncomment the line:

    #http_access allow localnet

You will also need to define what is meant by localnet. Find the TAG: ACL heading, and look for something like the following line:

    #acl localnet src 192.168.1.0/24 192.168.2.0/24

Change the IP address and netmask above so that it matches your local network. In my case, I am on a local network with addresses ranging from 192.168.0.1 to 192.168.0.255. This means that the netmask is 255.255.255.0 (i.e. 3 bytes of "ones"), or 24 bits. So for my network it looks like this:

    acl localnet src 192.168.0.0/24

Now start Squid if it's not already running and then tell it to reload its configuration:

    sudo /etc/init.d/squid start
    sudo squid -k reconfigure

You should now be able to use the proxy server from your web browser. You will not be able to get anything blocked just yet, but you should get pages served if everything was set up correctly.

Install SquidGuard

Start by installing SquidGuard using apt-get:

    sudo apt-get install squidguard

Next, prepare Squid for use with SquidGuard, so once more open up /etc/squid/squid.conf in your favorite text editor. You need to tell Squid where SquidGuard is. Find the TAG: url_rewrite_program heading. There is no default setting so add a new line:

    url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Prepare the blacklist database

Before going in to further configuration of SquidGuard, having access to a database of blacklisted sites and URLs is desirable. Download the file getlists.odt, set the executable flag and rename it getlists.sh:

    wget http://steelmon.files.wordpress.com/2010/12/getlists.odt
    sudo mv getlists.odt /usr/local/bin/getlists.sh
    sudo chmod +x /usr/local/bin/getlists.sh

The file ending is odt rather than sh since wordpress does not allow shell scripts to be uploaded. Now, create the database by executing the script:

    sudo getlists.sh

You should now see some output from the script, and after some time of processing, you should be able to see the output by listing the contents of the blacklists database directory:

    ls -l /var/lib/squidguard/db/blacklists/

Configure SquidGuard

Open the SquidGuard configuration file, /etc/squid/squidGuard.conf for edit, and replace the contents with the following:

    #
    # CONFIG FILE FOR SQUIDGUARD
    #
    dbhome /var/lib/squidguard/db/blacklists
    logdir /var/log/squid

    dest ads {
        domainlist ads/domains
        urllist ads/urls
    }
    dest aggressive {
        domainlist aggressive/domains
        urllist aggressive/urls
    }
    dest drugs {
        domainlist drugs/domains
        urllist drugs/urls
    }
    dest hacking {
        domainlist hacking/domains
        urllist hacking/urls
    }
    dest porn {
        domainlist porn/domains
        urllist porn/urls
    }
    dest redirector {
        domainlist redirector/domains
        urllist redirector/urls
    }
    dest suspect {
        domainlist suspect/domains
        urllist suspect/urls
    }
    dest warez {
        domainlist warez/domains
        urllist warez/urls
    }
    dest audio-video {
        domainlist audio-video/domains
        urllist audio-video/urls
    }
    dest gambling {
        domainlist gambling/domains
        urllist gambling/urls
    }
    dest mail {
        domainlist mail/domains
    }
    dest proxy {
        domainlist proxy/domains
        urllist proxy/urls
    }
    dest spyware {
        domainlist spyware/domains
        urllist spyware/urls
    }
    dest violence {
        domainlist violence/domains
        urllist violence/urls
    }

    acl {
        default {
            pass !ads !aggressive !drugs !hacking !porn !redirector !suspect !warez !audio-video !gambling !mail !proxy !spyware !violence all
            redirect http://www.x509.se/block.html
        }
    }
Among the last lines, there is a URL to a page that gets served whenever there is blocked content. You should change the URL to your own block page (unless you're happy with my extremely sparse one in Swedish).

Compile the SquidGuard database. This may take a while to complete:

    sudo squidGuard -C all

Start Squid, which in turn will start SquidGuard, and reconfigure:

    sudo /etc/init.d/squid start
    sudo squid -k reconfigure

Troubleshooting

If you are having problems, most likely it's related to permissions. You can get some useful information by running SquidGuard from the command line:

    sudo su - proxy
    echo "http://www.ubuntu.com {client ip address}/ - - GET" | squidGuard -d -c /etc/squid/squidGuard.conf

You can change the URL to whatever you'd like to test for access or denial. The IP address is the address of the computer you want to simulate as surfing the net from.

If you encounter any problems with permissions, you may try the following:

    sudo chown proxy:proxy /etc/squid/squidGuard.conf
    sudo chown -R proxy:proxy /var/lib/squidguard/db
    sudo chown -R proxy:proxy /var/log/squid/
    sudo chmod 644 /etc/squid/squidGuard.conf
    sudo chmod -R 640 /var/lib/squidguard/db
    sudo chmod -R 644 /var/log/squid/
    sudo find /var/lib/squidguard/db -type d -exec chmod 755 \{\} \; -print
    sudo chmod 755 /var/log/squid

There is more detailed troubleshooting available in the references section.

Automating the blacklist updates

When everything is up and running, you may want to automate the update procedure. This is easily accomplished by setting up a cron job. Open the cron table in interactive mode:

    sudo crontab -e

Add the following line at the end of the file:

    30 3 * * * /usr/local/bin/getlists.sh

This will run the blacklist download script every night at 30 minutes past 3.

References

https://help.ubuntu.com/community/SquidGuard
http://www.squidguard.org/Doc/
http://www.maynidea.com/squidguard/getlists.html
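
Added example, not part of the original post: a pre-flight check for the squidGuard.conf from the Configure SquidGuard section, worth running before squidGuard -C all and after each nightly getlists.sh run. It reports list files that are missing under dbhome (squidGuard reacts to a configuration or database error by going into emergency mode and passing every request) and dest blocks that the pass line never negates; the names check_sg_conf and demo and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint a squidGuard.conf before running "squidGuard -C all".
# check_sg_conf CONF [DBHOME] prints
#   MISSING <path>     a domainlist/urllist file not readable under dbhome
#   UNFILTERED <dest>  a dest block that no pass line negates with !dest
# DBHOME overrides the dbhome set in CONF (e.g. to lint a staging copy).
check_sg_conf() {
    conf=$1
    dbhome=${2:-$(awk '$1 == "dbhome" { print $2 }' "$conf")}

    awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf" |
    while read -r rel; do
        [ -r "$dbhome/$rel" ] || echo "MISSING $dbhome/$rel"
    done

    awk '
        $1 == "dest" { dests[$2] = 1 }
        $1 == "pass" { for (i = 2; i <= NF; i++)
                           if ($i ~ /^!/) neg[substr($i, 2)] = 1 }
        END { for (d in dests) if (!(d in neg)) print "UNFILTERED " d }
    ' "$conf" | sort
}

# Constructed sample: porn/urls is absent on disk, and "mail" is defined
# but left out of the pass line.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/db/ads" "$tmp/db/porn" "$tmp/db/mail"
    touch "$tmp/db/ads/domains" "$tmp/db/porn/domains" "$tmp/db/mail/domains"
    cat > "$tmp/squidGuard.conf" <<EOF
dbhome $tmp/db
dest ads {
    domainlist ads/domains
}
dest porn {
    domainlist porn/domains
    urllist porn/urls
}
dest mail {
    domainlist mail/domains
}
acl {
    default {
        pass !ads !porn all
    }
}
EOF
    check_sg_conf "$tmp/squidGuard.conf"
    rm -rf "$tmp"
}
demo
```

On the real system, call check_sg_conf /etc/squid/squidGuard.conf; no output means every list file is present and every dest is covered by the pass line.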