Differences between versions of « SquidGuard »
imported>SylvainBeucler m
(14 intermediate revisions by the same user not shown)
| Ligne 1 : | Ligne 1 : | ||
| − | Installation (Debian 5.0 Lenny): | + | == Installation == |
| + | |||
| + | Compilation (Debian 5.0 Lenny): | ||
cd /usr/src/ | cd /usr/src/ | ||
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz | wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz | ||
| Ligne 10 : | Ligne 12 : | ||
make install | make install | ||
| − | + | Création des répertoires: | |
| − | |||
mkdir -p /var/lib/squidguard/db/ | mkdir -p /var/lib/squidguard/db/ | ||
mkdir -p /var/log/squidguard/ | mkdir -p /var/log/squidguard/ | ||
chown proxy: /var/log/squidguard/ | chown proxy: /var/log/squidguard/ | ||
| − | + | Rotation des logs: | |
| − | + | <pre> | |
| + | cat <<EOF > /etc/logrotate.d/squidguard | ||
| + | /var/log/squidguard/*.log { | ||
| + | daily | ||
| + | compress | ||
| + | delaycompress | ||
| + | rotate 10 | ||
| + | nocreate | ||
| + | } | ||
| + | EOF | ||
| + | </pre> | ||
| + | |||
| + | == La liste noire == | ||
| + | On récupère celle de Toulouse quotidiennement: | ||
cat <<EOF > /etc/cron.daily/liste_noire_de_toulouse | cat <<EOF > /etc/cron.daily/liste_noire_de_toulouse | ||
#!/bin/bash | #!/bin/bash | ||
# Refresh DB | # Refresh DB | ||
rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/ | rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/ | ||
| − | |||
| − | |||
# Cf. http://www.squidguard.org/Doc/configure.html | # Cf. http://www.squidguard.org/Doc/configure.html | ||
| + | squidGuard -C all | ||
chown -R proxy: /var/lib/squidguard/db/blacklist/ | chown -R proxy: /var/lib/squidguard/db/blacklist/ | ||
EOF | EOF | ||
| + | chmod 755 /etc/cron.daily/liste_noire_de_toulouse | ||
| + | |||
| + | == Configuration == | ||
| + | |||
| + | Dans <code>/usr/local/squidGuard/squidGuard.conf</code>: | ||
| + | |||
| + | dbhome /var/lib/squidguard/db/blacklist/dest | ||
| + | logdir /var/log/squidguard | ||
| + | |||
| + | Pour créer le fichier de configuration, on peut s'appuyer sur les scripts suivants: | ||
| + | * Déclaration des listes: | ||
| + | <pre> | ||
| + | cd /var/lib/squidguard/db/blacklist/dest/ | ||
| + | ls */usage | xargs grep -l black | xargs -n1 dirname | ( | ||
| + | while read list; do | ||
| + | echo "dest $list {" | ||
| + | if [ -f "$list/domains" ]; then | ||
| + | echo " domainlist $list/domains" | ||
| + | fi | ||
| + | if [ -f "$list/urls" ]; then | ||
| + | echo " urllist $list/urls" | ||
| + | fi | ||
| + | if [ -f "$list/expressions" ]; then | ||
| + | echo " expressionlist $list/expressions" | ||
| + | fi | ||
| + | echo "}" | ||
| + | done | ||
| + | ) | ||
| + | </pre> | ||
| + | * Références dans le block <code>default</code>: | ||
| + | echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done) | ||
| + | |||
| + | Ce qui nous donne par exemple: | ||
| + | <pre> | ||
| + | # | ||
| + | # CONFIG FILE FOR SQUIDGUARD | ||
| + | # | ||
| + | |||
| + | dbhome /var/lib/squidguard/db/blacklist/dest | ||
| + | logdir /var/log/squidguard | ||
| + | |||
| + | # | ||
| + | # DESTINATION CLASSES: | ||
| + | # | ||
| + | |||
| + | dest adult { | ||
| + | domainlist adult/domains | ||
| + | urllist adult/urls | ||
| + | expressionlist adult/expressions | ||
| + | } | ||
| + | dest agressif { | ||
| + | domainlist agressif/domains | ||
| + | urllist agressif/urls | ||
| + | } | ||
| + | dest astrology { | ||
| + | domainlist astrology/domains | ||
| + | urllist astrology/urls | ||
| + | } | ||
| + | dest audio-video { | ||
| + | domainlist audio-video/domains | ||
| + | urllist audio-video/urls | ||
| + | } | ||
| + | dest blog { | ||
| + | domainlist blog/domains | ||
| + | urllist blog/urls | ||
| + | } | ||
| + | dest celebrity { | ||
| + | domainlist celebrity/domains | ||
| + | urllist celebrity/urls | ||
| + | } | ||
| + | dest dangerous_material { | ||
| + | domainlist dangerous_material/domains | ||
| + | urllist dangerous_material/urls | ||
| + | } | ||
| + | dest dating { | ||
| + | domainlist dating/domains | ||
| + | urllist dating/urls | ||
| + | } | ||
| + | dest drogue { | ||
| + | domainlist drogue/domains | ||
| + | urllist drogue/urls | ||
| + | } | ||
| + | dest filehosting { | ||
| + | domainlist filehosting/domains | ||
| + | urllist filehosting/urls | ||
| + | } | ||
| + | dest financial { | ||
| + | domainlist financial/domains | ||
| + | } | ||
| + | dest forums { | ||
| + | domainlist forums/domains | ||
| + | urllist forums/urls | ||
| + | expressionlist forums/expressions | ||
| + | } | ||
| + | dest gambling { | ||
| + | domainlist gambling/domains | ||
| + | urllist gambling/urls | ||
| + | } | ||
| + | dest games { | ||
| + | domainlist games/domains | ||
| + | urllist games/urls | ||
| + | } | ||
| + | dest hacking { | ||
| + | domainlist hacking/domains | ||
| + | urllist hacking/urls | ||
| + | } | ||
| + | dest malware { | ||
| + | domainlist malware/domains | ||
| + | urllist malware/urls | ||
| + | expressionlist malware/expressions | ||
| + | } | ||
| + | dest manga { | ||
| + | domainlist manga/domains | ||
| + | urllist manga/urls | ||
| + | } | ||
| + | dest marketingware { | ||
| + | domainlist marketingware/domains | ||
| + | urllist marketingware/urls | ||
| + | } | ||
| + | dest mixed_adult { | ||
| + | domainlist mixed_adult/domains | ||
| + | urllist mixed_adult/urls | ||
| + | } | ||
| + | dest mobile-phone { | ||
| + | domainlist mobile-phone/domains | ||
| + | urllist mobile-phone/urls | ||
| + | } | ||
| + | dest phishing { | ||
| + | domainlist phishing/domains | ||
| + | urllist phishing/urls | ||
| + | } | ||
| + | dest publicite { | ||
| + | domainlist publicite/domains | ||
| + | urllist publicite/urls | ||
| + | expressionlist publicite/expressions | ||
| + | } | ||
| + | dest radio { | ||
| + | domainlist radio/domains | ||
| + | urllist radio/urls | ||
| + | } | ||
| + | dest reaffected { | ||
| + | domainlist reaffected/domains | ||
| + | urllist reaffected/urls | ||
| + | } | ||
| + | dest redirector { | ||
| + | domainlist redirector/domains | ||
| + | urllist redirector/urls | ||
| + | expressionlist redirector/expressions | ||
| + | } | ||
| + | dest sect { | ||
| + | domainlist sect/domains | ||
| + | urllist sect/urls | ||
| + | } | ||
| + | dest shopping { | ||
| + | domainlist shopping/domains | ||
| + | urllist shopping/urls | ||
| + | } | ||
| + | dest strict_redirector { | ||
| + | domainlist strict_redirector/domains | ||
| + | urllist strict_redirector/urls | ||
| + | expressionlist strict_redirector/expressions | ||
| + | } | ||
| + | dest strong_redirector { | ||
| + | domainlist strong_redirector/domains | ||
| + | urllist strong_redirector/urls | ||
| + | expressionlist strong_redirector/expressions | ||
| + | } | ||
| + | dest tricheur { | ||
| + | domainlist tricheur/domains | ||
| + | urllist tricheur/urls | ||
| + | } | ||
| + | dest warez { | ||
| + | domainlist warez/domains | ||
| + | urllist warez/urls | ||
| + | expressionlist warez/expressions | ||
| + | } | ||
| + | dest webmail { | ||
| + | domainlist webmail/domains | ||
| + | urllist webmail/urls | ||
| + | } | ||
| + | |||
| + | acl { | ||
| + | default { | ||
| + | pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all | ||
| + | redirect http://192.168.1.1/bloque.html | ||
| + | } | ||
| + | } | ||
| + | </pre> | ||
| + | |||
| + | == Squid == | ||
| + | |||
| + | apt-get install squid3 | ||
| + | |||
| + | Dans <code>/etc/squid3/squid.conf</code> (modifiez/décommentez les lignes correspondantes dans la configuration par défaut): | ||
| + | acl localnet src 10.0.0.0/8 | ||
| + | http_access allow localnet | ||
| + | url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf | ||
| + | |||
| + | Configuration proxy transparent: | ||
| + | http_port 3128 transparent | ||
| + | Dans iptables: | ||
| + | iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128 | ||
| + | |||
| + | == Page d'erreur == | ||
| + | |||
| + | On pourra installer un petit serveur web sur lequel rediriger les requêtes en cas de page bloquée: | ||
| + | apt-get install lighttpd | ||
| + | |||
| + | Dans <code>/var/www/bloque.html</code>: | ||
| + | <meta http-equiv="content-type" value="text/html;charset=UTF-8" /> | ||
| + | Cette page est bloquée. | ||
| + | |||
| + | Dans <code>/usr/local/squidGuard/squidGuard.conf</code>: | ||
| + | acl { | ||
| + | defaut { | ||
| + | ... | ||
| + | redirect http://192.168.1.1/bloque.html | ||
| + | |||
| + | |||
| + | == Liens == | ||
| + | |||
| + | * [http://www.squidguard.org/Doc/configure.html Documentation SquidGuard]: principes de configuration et configuration minimale | ||
| + | * [http://cri.univ-tlse1.fr/blacklists/configuration_squidguard.php Blacklists UT1 : squidguard.conf]: exemple de configuration de l'université de Toulouse | ||
| + | * [http://www.fido-fr.net/linux_proxy_transparent.shtml Proxy transparent simplement avec linux et SQUID]: configuration proxy transparent Squid | ||
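Review bot: in the « Page d'erreur » fragment near the end of this hunk the acl block is named `defaut`, while the full configuration earlier in the same hunk declares it as `default`; only the block called `default` applies to sources that match no `src` group, so `defaut {` should read `default {`. In the same section, `<meta http-equiv="content-type" value="text/html;charset=UTF-8" />` uses `value=` where the HTML attribute is `content=`, so the charset declaration has no effect and the accented text of the block page may render incorrectly.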
Current version dated 24 June 2010 at 17:09
Installation
Compilation (Debian 5.0 Lenny):
cd /usr/src/
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
tar xzf squidGuard-1.4.tar.gz
cd squidGuard-1.4
apt-get install build-essential
apt-get install libdb-dev
./configure --with-squiduser=proxy
make
make install
Directory creation:
mkdir -p /var/lib/squidguard/db/
mkdir -p /var/log/squidguard/
chown proxy: /var/log/squidguard/
Log rotation:
cat <<EOF > /etc/logrotate.d/squidguard
/var/log/squidguard/*.log {
daily
compress
delaycompress
rotate 10
nocreate
}
EOF
The blacklist
The Toulouse blacklist is fetched daily:
cat <<EOF > /etc/cron.daily/liste_noire_de_toulouse
#!/bin/bash
# Refresh DB
rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/
# Cf. http://www.squidguard.org/Doc/configure.html
squidGuard -C all
chown -R proxy: /var/lib/squidguard/db/blacklist/
EOF
chmod 755 /etc/cron.daily/liste_noire_de_toulouse
Configuration
In /usr/local/squidGuard/squidGuard.conf:
dbhome /var/lib/squidguard/db/blacklist/dest
logdir /var/log/squidguard
To build the configuration file, the following scripts can be used as a starting point:
- Declaring the lists:
cd /var/lib/squidguard/db/blacklist/dest/
ls */usage | xargs grep -l black | xargs -n1 dirname | (
    while read list; do
        echo "dest $list {"
        if [ -f "$list/domains" ]; then
            echo " domainlist $list/domains"
        fi
        if [ -f "$list/urls" ]; then
            echo " urllist $list/urls"
        fi
        if [ -f "$list/expressions" ]; then
            echo " expressionlist $list/expressions"
        fi
        echo "}"
    done
)
- References in the default block:
echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done)
Which gives, for example:
#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard/db/blacklist/dest
logdir /var/log/squidguard

#
# DESTINATION CLASSES:
#

dest adult {
    domainlist adult/domains
    urllist adult/urls
    expressionlist adult/expressions
}
dest agressif {
    domainlist agressif/domains
    urllist agressif/urls
}
dest astrology {
    domainlist astrology/domains
    urllist astrology/urls
}
dest audio-video {
    domainlist audio-video/domains
    urllist audio-video/urls
}
dest blog {
    domainlist blog/domains
    urllist blog/urls
}
dest celebrity {
    domainlist celebrity/domains
    urllist celebrity/urls
}
dest dangerous_material {
    domainlist dangerous_material/domains
    urllist dangerous_material/urls
}
dest dating {
    domainlist dating/domains
    urllist dating/urls
}
dest drogue {
    domainlist drogue/domains
    urllist drogue/urls
}
dest filehosting {
    domainlist filehosting/domains
    urllist filehosting/urls
}
dest financial {
    domainlist financial/domains
}
dest forums {
    domainlist forums/domains
    urllist forums/urls
    expressionlist forums/expressions
}
dest gambling {
    domainlist gambling/domains
    urllist gambling/urls
}
dest games {
    domainlist games/domains
    urllist games/urls
}
dest hacking {
    domainlist hacking/domains
    urllist hacking/urls
}
dest malware {
    domainlist malware/domains
    urllist malware/urls
    expressionlist malware/expressions
}
dest manga {
    domainlist manga/domains
    urllist manga/urls
}
dest marketingware {
    domainlist marketingware/domains
    urllist marketingware/urls
}
dest mixed_adult {
    domainlist mixed_adult/domains
    urllist mixed_adult/urls
}
dest mobile-phone {
    domainlist mobile-phone/domains
    urllist mobile-phone/urls
}
dest phishing {
    domainlist phishing/domains
    urllist phishing/urls
}
dest publicite {
    domainlist publicite/domains
    urllist publicite/urls
    expressionlist publicite/expressions
}
dest radio {
    domainlist radio/domains
    urllist radio/urls
}
dest reaffected {
    domainlist reaffected/domains
    urllist reaffected/urls
}
dest redirector {
    domainlist redirector/domains
    urllist redirector/urls
    expressionlist redirector/expressions
}
dest sect {
    domainlist sect/domains
    urllist sect/urls
}
dest shopping {
    domainlist shopping/domains
    urllist shopping/urls
}
dest strict_redirector {
    domainlist strict_redirector/domains
    urllist strict_redirector/urls
    expressionlist strict_redirector/expressions
}
dest strong_redirector {
    domainlist strong_redirector/domains
    urllist strong_redirector/urls
    expressionlist strong_redirector/expressions
}
dest tricheur {
    domainlist tricheur/domains
    urllist tricheur/urls
}
dest warez {
    domainlist warez/domains
    urllist warez/urls
    expressionlist warez/expressions
}
dest webmail {
    domainlist webmail/domains
    urllist webmail/urls
}

acl {
    default {
        pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all
        redirect http://192.168.1.1/bloque.html
    }
}
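A check worth running on a configuration assembled this way, as an added example that is not part of the original page: the dest blocks and the pass line come from two separate commands, so a category present in one but not the other goes unnoticed (declared but never blocked, or blocked but never declared), and a list file missing under dbhome makes squidGuard reject the configuration and start in emergency mode, where every request is passed through. The lint below (function names and the sample configuration and directory tree are constructed for this example) reports all three cases.

```python
import os
import tempfile

def parse_conf(text):
    """Return ({dest name: [relative list files]}, tokens after 'pass')."""
    dests, passed, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # comments are not significant
        if words[:1] == ["dest"] and words[-1] == "{":
            current = words[1]
            dests[current] = []
        elif words == ["}"]:
            current = None
        elif current and words[:1] and words[0] in ("domainlist", "urllist", "expressionlist"):
            dests[current].append(words[1])
        elif words[:1] == ["pass"]:
            passed += words[1:]
    return dests, passed

def check_conf(text, dbhome):
    """Sorted problems (empty = consistent): every !name in the pass line is declared,
    every declared dest is blocked (else silently allowed), every list file exists."""
    dests, passed = parse_conf(text)
    blocked = {t[1:] for t in passed if t.startswith("!")}
    problems = ["undeclared dest in pass line: %s" % n for n in blocked - set(dests)]
    problems += ["dest declared but not blocked: %s" % n for n in set(dests) - blocked]
    for name, files in dests.items():
        for rel in files:
            if not os.path.isfile(os.path.join(dbhome, rel)):
                problems.append("dest %s: missing list file %s" % (name, rel))
    return sorted(problems)

# Constructed sample: 'warez' was added after the pass line was generated; 'malware' is blocked but never declared.
SAMPLE_CONF = """dest adult {
    domainlist adult/domains
}
dest warez {
    domainlist warez/domains
}
acl { default {
    pass !adult !malware all
} }
"""

def make_sample_tree():
    """Constructed temp tree in which only adult/ has its list file."""
    root = tempfile.mkdtemp(prefix="sgdb-")
    os.makedirs(os.path.join(root, "adult"))
    open(os.path.join(root, "adult", "domains"), "w").close()
    return root
```

Run it against the real file with `check_conf(open("/usr/local/squidGuard/squidGuard.conf").read(), "/var/lib/squidguard/db/blacklist/dest")` after each blacklist refresh, before `squidGuard -C all`.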
Squid
apt-get install squid3
In /etc/squid3/squid.conf (modify or uncomment the corresponding lines of the default configuration):
acl localnet src 10.0.0.0/8
http_access allow localnet
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
Transparent proxy configuration:
http_port 3128 transparent
In iptables:
iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128
Error page
A small web server can be installed, to which requests for blocked pages are redirected:
apt-get install lighttpd
In /var/www/bloque.html (the charset is declared with the content attribute; value is not a valid attribute of meta):
<meta http-equiv="content-type" content="text/html;charset=UTF-8" />
Cette page est bloquée.
In /usr/local/squidGuard/squidGuard.conf (the block must be named default, as in the full configuration above):
acl {
    default {
        ...
        redirect http://192.168.1.1/bloque.html
    }
}
Links
- Documentation SquidGuard (http://www.squidguard.org/Doc/configure.html): configuration principles and a minimal configuration
- Blacklists UT1 : squidguard.conf (http://cri.univ-tlse1.fr/blacklists/configuration_squidguard.php): the University of Toulouse's example configuration
- Proxy transparent simplement avec linux et SQUID (http://www.fido-fr.net/linux_proxy_transparent.shtml): Squid transparent proxy configuration