Différences entre versions de « SquidGuard »
Sauter à la navigation
Sauter à la recherche
imported>SylvainBeucler m (→Squid) |
imported>SylvainBeucler m |
||
(11 versions intermédiaires par le même utilisateur non affichées) | |||
Ligne 16 : | Ligne 16 : | ||
mkdir -p /var/log/squidguard/ | mkdir -p /var/log/squidguard/ | ||
chown proxy: /var/log/squidguard/ | chown proxy: /var/log/squidguard/ | ||
+ | |||
+ | Rotation des logs: | ||
+ | <pre> | ||
+ | cat <<EOF > /etc/logrotate.d/squidguard | ||
+ | /var/log/squidguard/*.log { | ||
+ | daily | ||
+ | compress | ||
+ | delaycompress | ||
+ | rotate 10 | ||
+ | nocreate | ||
+ | } | ||
+ | EOF | ||
+ | </pre> | ||
== La liste noire == | == La liste noire == | ||
Ligne 24 : | Ligne 37 : | ||
# Refresh DB | # Refresh DB | ||
rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/ | rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/ | ||
− | |||
− | |||
# Cf. http://www.squidguard.org/Doc/configure.html | # Cf. http://www.squidguard.org/Doc/configure.html | ||
+ | squidGuard -C all | ||
chown -R proxy: /var/lib/squidguard/db/blacklist/ | chown -R proxy: /var/lib/squidguard/db/blacklist/ | ||
EOF | EOF | ||
+ | chmod 755 /etc/cron.daily/liste_noire_de_toulouse | ||
== Configuration == | == Configuration == | ||
Ligne 34 : | Ligne 47 : | ||
Dans <code>/usr/local/squidGuard/squidGuard.conf</code>: | Dans <code>/usr/local/squidGuard/squidGuard.conf</code>: | ||
− | dbhome /var/lib/squidguard/db/blacklist | + | dbhome /var/lib/squidguard/db/blacklist/dest |
logdir /var/log/squidguard | logdir /var/log/squidguard | ||
Ligne 59 : | Ligne 72 : | ||
* Références dans le block <code>default</code>: | * Références dans le block <code>default</code>: | ||
echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done) | echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done) | ||
+ | |||
+ | Ce qui nous donne par exemple: | ||
+ | <pre> | ||
+ | # | ||
+ | # CONFIG FILE FOR SQUIDGUARD | ||
+ | # | ||
+ | |||
+ | dbhome /var/lib/squidguard/db/blacklist/dest | ||
+ | logdir /var/log/squidguard | ||
+ | |||
+ | # | ||
+ | # DESTINATION CLASSES: | ||
+ | # | ||
+ | |||
+ | dest adult { | ||
+ | domainlist adult/domains | ||
+ | urllist adult/urls | ||
+ | expressionlist adult/expressions | ||
+ | } | ||
+ | dest agressif { | ||
+ | domainlist agressif/domains | ||
+ | urllist agressif/urls | ||
+ | } | ||
+ | dest astrology { | ||
+ | domainlist astrology/domains | ||
+ | urllist astrology/urls | ||
+ | } | ||
+ | dest audio-video { | ||
+ | domainlist audio-video/domains | ||
+ | urllist audio-video/urls | ||
+ | } | ||
+ | dest blog { | ||
+ | domainlist blog/domains | ||
+ | urllist blog/urls | ||
+ | } | ||
+ | dest celebrity { | ||
+ | domainlist celebrity/domains | ||
+ | urllist celebrity/urls | ||
+ | } | ||
+ | dest dangerous_material { | ||
+ | domainlist dangerous_material/domains | ||
+ | urllist dangerous_material/urls | ||
+ | } | ||
+ | dest dating { | ||
+ | domainlist dating/domains | ||
+ | urllist dating/urls | ||
+ | } | ||
+ | dest drogue { | ||
+ | domainlist drogue/domains | ||
+ | urllist drogue/urls | ||
+ | } | ||
+ | dest filehosting { | ||
+ | domainlist filehosting/domains | ||
+ | urllist filehosting/urls | ||
+ | } | ||
+ | dest financial { | ||
+ | domainlist financial/domains | ||
+ | } | ||
+ | dest forums { | ||
+ | domainlist forums/domains | ||
+ | urllist forums/urls | ||
+ | expressionlist forums/expressions | ||
+ | } | ||
+ | dest gambling { | ||
+ | domainlist gambling/domains | ||
+ | urllist gambling/urls | ||
+ | } | ||
+ | dest games { | ||
+ | domainlist games/domains | ||
+ | urllist games/urls | ||
+ | } | ||
+ | dest hacking { | ||
+ | domainlist hacking/domains | ||
+ | urllist hacking/urls | ||
+ | } | ||
+ | dest malware { | ||
+ | domainlist malware/domains | ||
+ | urllist malware/urls | ||
+ | expressionlist malware/expressions | ||
+ | } | ||
+ | dest manga { | ||
+ | domainlist manga/domains | ||
+ | urllist manga/urls | ||
+ | } | ||
+ | dest marketingware { | ||
+ | domainlist marketingware/domains | ||
+ | urllist marketingware/urls | ||
+ | } | ||
+ | dest mixed_adult { | ||
+ | domainlist mixed_adult/domains | ||
+ | urllist mixed_adult/urls | ||
+ | } | ||
+ | dest mobile-phone { | ||
+ | domainlist mobile-phone/domains | ||
+ | urllist mobile-phone/urls | ||
+ | } | ||
+ | dest phishing { | ||
+ | domainlist phishing/domains | ||
+ | urllist phishing/urls | ||
+ | } | ||
+ | dest publicite { | ||
+ | domainlist publicite/domains | ||
+ | urllist publicite/urls | ||
+ | expressionlist publicite/expressions | ||
+ | } | ||
+ | dest radio { | ||
+ | domainlist radio/domains | ||
+ | urllist radio/urls | ||
+ | } | ||
+ | dest reaffected { | ||
+ | domainlist reaffected/domains | ||
+ | urllist reaffected/urls | ||
+ | } | ||
+ | dest redirector { | ||
+ | domainlist redirector/domains | ||
+ | urllist redirector/urls | ||
+ | expressionlist redirector/expressions | ||
+ | } | ||
+ | dest sect { | ||
+ | domainlist sect/domains | ||
+ | urllist sect/urls | ||
+ | } | ||
+ | dest shopping { | ||
+ | domainlist shopping/domains | ||
+ | urllist shopping/urls | ||
+ | } | ||
+ | dest strict_redirector { | ||
+ | domainlist strict_redirector/domains | ||
+ | urllist strict_redirector/urls | ||
+ | expressionlist strict_redirector/expressions | ||
+ | } | ||
+ | dest strong_redirector { | ||
+ | domainlist strong_redirector/domains | ||
+ | urllist strong_redirector/urls | ||
+ | expressionlist strong_redirector/expressions | ||
+ | } | ||
+ | dest tricheur { | ||
+ | domainlist tricheur/domains | ||
+ | urllist tricheur/urls | ||
+ | } | ||
+ | dest warez { | ||
+ | domainlist warez/domains | ||
+ | urllist warez/urls | ||
+ | expressionlist warez/expressions | ||
+ | } | ||
+ | dest webmail { | ||
+ | domainlist webmail/domains | ||
+ | urllist webmail/urls | ||
+ | } | ||
+ | |||
+ | acl { | ||
+ | default { | ||
+ | pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all | ||
+ | redirect http://192.168.1.1/bloque.html | ||
+ | } | ||
+ | } | ||
+ | </pre> | ||
== Squid == | == Squid == | ||
Ligne 64 : | Ligne 234 : | ||
apt-get install squid3 | apt-get install squid3 | ||
− | Dans <code>/etc/squid3/squid.conf</code>: | + | Dans <code>/etc/squid3/squid.conf</code> (modifiez/décommentez les lignes correspondantes dans la configuration par défaut): |
acl localnet src 10.0.0.0/8 | acl localnet src 10.0.0.0/8 | ||
http_access allow localnet | http_access allow localnet | ||
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf | url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf | ||
+ | |||
+ | Configuration proxy transparent: | ||
+ | http_port 3128 transparent | ||
+ | Dans iptables: | ||
+ | iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128 | ||
+ | |||
+ | == Page d'erreur == | ||
+ | |||
+ | On pourra installer un petit serveur web sur lequel rediriger les requêtes en cas de page bloquée: | ||
+ | apt-get install lighttpd | ||
+ | |||
+ | Dans <code>/var/www/bloque.html</code>: | ||
+ | <meta http-equiv="content-type" value="text/html;charset=UTF-8" /> | ||
+ | Cette page est bloquée. | ||
+ | |||
+ | Dans <code>/usr/local/squidGuard/squidGuard.conf</code>: | ||
+ | acl { | ||
+ | defaut { | ||
+ | ... | ||
+ | redirect http://192.168.1.1/bloque.html | ||
+ | |||
== Liens == | == Liens == | ||
Ligne 73 : | Ligne 264 : | ||
* [http://www.squidguard.org/Doc/configure.html Documentation SquidGuard]: principes de configuration et configuration minimale | * [http://www.squidguard.org/Doc/configure.html Documentation SquidGuard]: principes de configuration et configuration minimale | ||
* [http://cri.univ-tlse1.fr/blacklists/configuration_squidguard.php Blacklists UT1 : squidguard.conf]: exemple de configuration de l'université de Toulouse | * [http://cri.univ-tlse1.fr/blacklists/configuration_squidguard.php Blacklists UT1 : squidguard.conf]: exemple de configuration de l'université de Toulouse | ||
+ | * [http://www.fido-fr.net/linux_proxy_transparent.shtml Proxy transparent simplement avec linux et SQUID]: configuration proxy transparent Squid |
Version actuelle datée du 24 juin 2010 à 17:09
Installation
Compilation (Debian 5.0 Lenny):
cd /usr/src/ wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz tar xzf squidGuard-1.4.tar.gz cd squidGuard-1.4 apt-get install build-essential apt-get install libdb-dev ./configure --with-squiduser=proxy make make install
Création des répertoires:
mkdir -p /var/lib/squidguard/db/ mkdir -p /var/log/squidguard/ chown proxy: /var/log/squidguard/
Rotation des logs:
cat <<EOF > /etc/logrotate.d/squidguard /var/log/squidguard/*.log { daily compress delaycompress rotate 10 nocreate } EOF
La liste noire
On récupère celle de Toulouse quotidiennement:
cat <<EOF > /etc/cron.daily/liste_noire_de_toulouse #!/bin/bash # Refresh DB rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/ # Cf. http://www.squidguard.org/Doc/configure.html squidGuard -C all chown -R proxy: /var/lib/squidguard/db/blacklist/ EOF chmod 755 /etc/cron.daily/liste_noire_de_toulouse
Configuration
Dans /usr/local/squidGuard/squidGuard.conf
:
dbhome /var/lib/squidguard/db/blacklist/dest logdir /var/log/squidguard
Pour créer le fichier de configuration, on peut s'appuyer sur les scripts suivants:
- Déclaration des listes:
cd /var/lib/squidguard/db/blacklist/dest/ ls */usage | xargs grep -l black | xargs -n1 dirname | ( while read list; do echo "dest $list {" if [ -f "$list/domains" ]; then echo " domainlist $list/domains" fi if [ -f "$list/urls" ]; then echo " urllist $list/urls" fi if [ -f "$list/expressions" ]; then echo " expressionlist $list/expressions" fi echo "}" done )
- Références dans le block
default
:
echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done)
Ce qui nous donne par exemple:
# # CONFIG FILE FOR SQUIDGUARD # dbhome /var/lib/squidguard/db/blacklist/dest logdir /var/log/squidguard # # DESTINATION CLASSES: # dest adult { domainlist adult/domains urllist adult/urls expressionlist adult/expressions } dest agressif { domainlist agressif/domains urllist agressif/urls } dest astrology { domainlist astrology/domains urllist astrology/urls } dest audio-video { domainlist audio-video/domains urllist audio-video/urls } dest blog { domainlist blog/domains urllist blog/urls } dest celebrity { domainlist celebrity/domains urllist celebrity/urls } dest dangerous_material { domainlist dangerous_material/domains urllist dangerous_material/urls } dest dating { domainlist dating/domains urllist dating/urls } dest drogue { domainlist drogue/domains urllist drogue/urls } dest filehosting { domainlist filehosting/domains urllist filehosting/urls } dest financial { domainlist financial/domains } dest forums { domainlist forums/domains urllist forums/urls expressionlist forums/expressions } dest gambling { domainlist gambling/domains urllist gambling/urls } dest games { domainlist games/domains urllist games/urls } dest hacking { domainlist hacking/domains urllist hacking/urls } dest malware { domainlist malware/domains urllist malware/urls expressionlist malware/expressions } dest manga { domainlist manga/domains urllist manga/urls } dest marketingware { domainlist marketingware/domains urllist marketingware/urls } dest mixed_adult { domainlist mixed_adult/domains urllist mixed_adult/urls } dest mobile-phone { domainlist mobile-phone/domains urllist mobile-phone/urls } dest phishing { domainlist phishing/domains urllist phishing/urls } dest publicite { domainlist publicite/domains urllist publicite/urls expressionlist publicite/expressions } dest radio { domainlist radio/domains urllist radio/urls } dest reaffected { domainlist reaffected/domains urllist reaffected/urls } dest redirector { domainlist redirector/domains urllist redirector/urls expressionlist redirector/expressions } dest sect { domainlist sect/domains urllist sect/urls } dest shopping { domainlist shopping/domains urllist shopping/urls } dest strict_redirector { domainlist strict_redirector/domains urllist strict_redirector/urls expressionlist strict_redirector/expressions } dest strong_redirector { domainlist strong_redirector/domains urllist strong_redirector/urls expressionlist strong_redirector/expressions } dest tricheur { domainlist tricheur/domains urllist tricheur/urls } dest warez { domainlist warez/domains urllist warez/urls expressionlist warez/expressions } dest webmail { domainlist webmail/domains urllist webmail/urls } acl { default { pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all redirect http://192.168.1.1/bloque.html } }
Squid
apt-get install squid3
Dans /etc/squid3/squid.conf
(modifiez/décommentez les lignes correspondantes dans la configuration par défaut):
acl localnet src 10.0.0.0/8 http_access allow localnet url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
Configuration proxy transparent:
http_port 3128 transparent
Dans iptables:
iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128
Page d'erreur
On pourra installer un petit serveur web sur lequel rediriger les requêtes en cas de page bloquée:
apt-get install lighttpd
Dans /var/www/bloque.html
:
<meta http-equiv="content-type" value="text/html;charset=UTF-8" /> Cette page est bloquée.
Dans /usr/local/squidGuard/squidGuard.conf
:
acl { defaut { ... redirect http://192.168.1.1/bloque.html
Liens
- Documentation SquidGuard: principes de configuration et configuration minimale
- Blacklists UT1 : squidguard.conf: exemple de configuration de l'université de Toulouse
- Proxy transparent simplement avec linux et SQUID: configuration proxy transparent Squid