Differences between revisions of "SquidGuard"

From Cliss XXI
imported>SylvainBeucler
imported>SylvainBeucler
m
 
(11 intermediate revisions by the same user not shown)
Ligne 16 : Ligne 16 :
 
  mkdir -p /var/log/squidguard/
 
  mkdir -p /var/log/squidguard/
 
  chown proxy: /var/log/squidguard/
 
  chown proxy: /var/log/squidguard/
 +
 +
Rotation des logs:
 +
<pre>
 +
cat <<EOF > /etc/logrotate.d/squidguard
 +
/var/log/squidguard/*.log {
 +
  daily
 +
  compress
 +
  delaycompress
 +
  rotate 10
 +
  nocreate
 +
}
 +
EOF
 +
</pre>
  
 
== La liste noire ==
 
== La liste noire ==
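Review bot: the added logrotate stanza uses `nocreate` with neither `postrotate` nor `copytruncate`, so nothing in it makes an already-running squidGuard reopen its log once `/var/log/squidguard/*.log` has been renamed. Either add a `postrotate` step that reloads Squid (and with it the squidGuard helpers), or state on the page why the reopen is not needed.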
Ligne 24 : Ligne 37 :
 
  # Refresh DB
 
  # Refresh DB
 
  rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/
 
  rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/
# Rebuild and get rid of silly log excerpt on stderr
 
squidGuard -C all 2>&1 | grep -v ^20
 
 
  # Cf. http://www.squidguard.org/Doc/configure.html
 
  # Cf. http://www.squidguard.org/Doc/configure.html
 +
squidGuard -C all
 
  chown -R proxy: /var/lib/squidguard/db/blacklist/
 
  chown -R proxy: /var/lib/squidguard/db/blacklist/
 
  EOF
 
  EOF
 +
chmod 755 /etc/cron.daily/liste_noire_de_toulouse
  
 
== Configuration ==
 
== Configuration ==
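Review bot: in the cron script, `squidGuard -C all` and the `chown -R` run unconditionally after the `rsync`, so a failed or partial transfer still triggers a rebuild of the databases; add `set -e` at the top of the script or chain the steps with `&&`. The change also drops the `2>&1 | grep -v ^20` filter, so anything squidGuard writes to stderr will now be mailed by cron every day; say whether that is intended.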
Ligne 34 : Ligne 47 :
 
Dans <code>/usr/local/squidGuard/squidGuard.conf</code>:
 
Dans <code>/usr/local/squidGuard/squidGuard.conf</code>:
  
  dbhome /var/lib/squidguard/db/blacklist
+
  dbhome /var/lib/squidguard/db/blacklist/dest
 
  logdir /var/log/squidguard
 
  logdir /var/log/squidguard
  
Ligne 59 : Ligne 72 :
 
* Références dans le block <code>default</code>:
 
* Références dans le block <code>default</code>:
 
  echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done)
 
  echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done)
 +
 +
Ce qui nous donne par exemple:
 +
<pre>
 +
#
 +
# CONFIG FILE FOR SQUIDGUARD
 +
#
 +
 +
dbhome /var/lib/squidguard/db/blacklist/dest
 +
logdir /var/log/squidguard
 +
 +
#
 +
# DESTINATION CLASSES:
 +
#
 +
 +
dest adult {
 +
  domainlist adult/domains
 +
  urllist adult/urls
 +
  expressionlist adult/expressions
 +
}
 +
dest agressif {
 +
  domainlist agressif/domains
 +
  urllist agressif/urls
 +
}
 +
dest astrology {
 +
  domainlist astrology/domains
 +
  urllist astrology/urls
 +
}
 +
dest audio-video {
 +
  domainlist audio-video/domains
 +
  urllist audio-video/urls
 +
}
 +
dest blog {
 +
  domainlist blog/domains
 +
  urllist blog/urls
 +
}
 +
dest celebrity {
 +
  domainlist celebrity/domains
 +
  urllist celebrity/urls
 +
}
 +
dest dangerous_material {
 +
  domainlist dangerous_material/domains
 +
  urllist dangerous_material/urls
 +
}
 +
dest dating {
 +
  domainlist dating/domains
 +
  urllist dating/urls
 +
}
 +
dest drogue {
 +
  domainlist drogue/domains
 +
  urllist drogue/urls
 +
}
 +
dest filehosting {
 +
  domainlist filehosting/domains
 +
  urllist filehosting/urls
 +
}
 +
dest financial {
 +
  domainlist financial/domains
 +
}
 +
dest forums {
 +
  domainlist forums/domains
 +
  urllist forums/urls
 +
  expressionlist forums/expressions
 +
}
 +
dest gambling {
 +
  domainlist gambling/domains
 +
  urllist gambling/urls
 +
}
 +
dest games {
 +
  domainlist games/domains
 +
  urllist games/urls
 +
}
 +
dest hacking {
 +
  domainlist hacking/domains
 +
  urllist hacking/urls
 +
}
 +
dest malware {
 +
  domainlist malware/domains
 +
  urllist malware/urls
 +
  expressionlist malware/expressions
 +
}
 +
dest manga {
 +
  domainlist manga/domains
 +
  urllist manga/urls
 +
}
 +
dest marketingware {
 +
  domainlist marketingware/domains
 +
  urllist marketingware/urls
 +
}
 +
dest mixed_adult {
 +
  domainlist mixed_adult/domains
 +
  urllist mixed_adult/urls
 +
}
 +
dest mobile-phone {
 +
  domainlist mobile-phone/domains
 +
  urllist mobile-phone/urls
 +
}
 +
dest phishing {
 +
  domainlist phishing/domains
 +
  urllist phishing/urls
 +
}
 +
dest publicite {
 +
  domainlist publicite/domains
 +
  urllist publicite/urls
 +
  expressionlist publicite/expressions
 +
}
 +
dest radio {
 +
  domainlist radio/domains
 +
  urllist radio/urls
 +
}
 +
dest reaffected {
 +
  domainlist reaffected/domains
 +
  urllist reaffected/urls
 +
}
 +
dest redirector {
 +
  domainlist redirector/domains
 +
  urllist redirector/urls
 +
  expressionlist redirector/expressions
 +
}
 +
dest sect {
 +
  domainlist sect/domains
 +
  urllist sect/urls
 +
}
 +
dest shopping {
 +
  domainlist shopping/domains
 +
  urllist shopping/urls
 +
}
 +
dest strict_redirector {
 +
  domainlist strict_redirector/domains
 +
  urllist strict_redirector/urls
 +
  expressionlist strict_redirector/expressions
 +
}
 +
dest strong_redirector {
 +
  domainlist strong_redirector/domains
 +
  urllist strong_redirector/urls
 +
  expressionlist strong_redirector/expressions
 +
}
 +
dest tricheur {
 +
  domainlist tricheur/domains
 +
  urllist tricheur/urls
 +
}
 +
dest warez {
 +
  domainlist warez/domains
 +
  urllist warez/urls
 +
  expressionlist warez/expressions
 +
}
 +
dest webmail {
 +
  domainlist webmail/domains
 +
  urllist webmail/urls
 +
}
 +
 +
acl {
 +
default {
 +
pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all
 +
redirect http://192.168.1.1/bloque.html
 +
}
 +
}
 +
</pre>
  
 
== Squid ==
 
== Squid ==
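Review bot: the `pass` line in the added example negates every declared class, including `blog`, `forums`, `webmail`, `shopping` and `financial`, and `default` is the only ACL, so the whole set applies to every client. The text introducing the example should say that this is the full generated list and that it is expected to be trimmed to the classes the site actually wants blocked.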
Ligne 64 : Ligne 234 :
 
  apt-get install squid3
 
  apt-get install squid3
  
Dans <code>/etc/squid3/squid.conf</code>:
+
Dans <code>/etc/squid3/squid.conf</code> (modifiez/décommentez les lignes correspondantes dans la configuration par défaut):
 
  acl localnet src 10.0.0.0/8                                                                     
 
  acl localnet src 10.0.0.0/8                                                                     
 
  http_access allow localnet
 
  http_access allow localnet
 
  url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
 
  url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
 +
 +
Configuration proxy transparent:
 +
http_port 3128 transparent
 +
Dans iptables:
 +
iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128
 +
 +
== Page d'erreur ==
 +
 +
On pourra installer un petit serveur web sur lequel rediriger les requêtes en cas de page bloquée:
 +
apt-get install lighttpd
 +
 +
Dans <code>/var/www/bloque.html</code>:
 +
<meta http-equiv="content-type" value="text/html;charset=UTF-8" />
 +
Cette page est bloquée.
 +
 +
Dans <code>/usr/local/squidGuard/squidGuard.conf</code>:
 +
acl {
 +
  defaut {
 +
    ...
 +
    redirect http://192.168.1.1/bloque.html
 +
  
 
== Liens ==
 
== Liens ==
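Review bot: the last added snippet spells the ACL block `defaut`, while the full example earlier on the page uses `default`, and the snippet never closes its braces; write it as `default {` and close both blocks. In the `bloque.html` content, `<meta http-equiv="content-type" value=...>` should use the `content` attribute, since `value` has no effect there. The iptables rule only redirects `--dport 80`, so a sentence saying that HTTPS traffic is not filtered by this setup would help readers.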
Ligne 73 : Ligne 264 :
 
* [http://www.squidguard.org/Doc/configure.html Documentation SquidGuard]: principes de configuration et configuration minimale
 
* [http://www.squidguard.org/Doc/configure.html Documentation SquidGuard]: principes de configuration et configuration minimale
 
* [http://cri.univ-tlse1.fr/blacklists/configuration_squidguard.php Blacklists UT1 : squidguard.conf]: exemple de configuration de l'université de Toulouse
 
* [http://cri.univ-tlse1.fr/blacklists/configuration_squidguard.php Blacklists UT1 : squidguard.conf]: exemple de configuration de l'université de Toulouse
 +
* [http://www.fido-fr.net/linux_proxy_transparent.shtml Proxy transparent simplement avec linux et SQUID]: configuration proxy transparent Squid

Current revision as of 24 June 2010, 17:09

Installation

Compilation (Debian 5.0 Lenny):

cd /usr/src/
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
tar xzf squidGuard-1.4.tar.gz
cd squidGuard-1.4
apt-get install build-essential
apt-get install libdb-dev 
./configure --with-squiduser=proxy
make
make install

Create the directories:

mkdir -p /var/lib/squidguard/db/
mkdir -p /var/log/squidguard/
chown proxy: /var/log/squidguard/

Log rotation:

cat <<EOF > /etc/logrotate.d/squidguard
/var/log/squidguard/*.log {
  daily
  compress
  delaycompress
  rotate 10
  nocreate
}
EOF

The blacklist

We fetch the Toulouse one daily:

cat <<EOF > /etc/cron.daily/liste_noire_de_toulouse
#!/bin/bash
# Refresh DB
rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/
# Cf. http://www.squidguard.org/Doc/configure.html
squidGuard -C all
chown -R proxy: /var/lib/squidguard/db/blacklist/
EOF
chmod 755 /etc/cron.daily/liste_noire_de_toulouse

Configuration

In /usr/local/squidGuard/squidGuard.conf:

dbhome /var/lib/squidguard/db/blacklist/dest
logdir /var/log/squidguard

To create the configuration file, you can rely on the following scripts:

  • List declarations:
cd /var/lib/squidguard/db/blacklist/dest/
ls */usage | xargs grep -l black | xargs -n1 dirname | (
    while read list; do
	echo "dest $list {"
	if [ -f "$list/domains" ]; then
	    echo "  domainlist $list/domains"
	fi
	if [ -f "$list/urls" ]; then
	    echo "  urllist $list/urls"
	fi
	if [ -f "$list/expressions" ]; then
	    echo "  expressionlist $list/expressions"
	fi
	echo "}"
    done
)
  • References in the default block:
echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done)

Which gives us, for example:

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard/db/blacklist/dest
logdir /var/log/squidguard

#
# DESTINATION CLASSES:
#

dest adult {
  domainlist adult/domains
  urllist adult/urls
  expressionlist adult/expressions
}
dest agressif {
  domainlist agressif/domains
  urllist agressif/urls
}
dest astrology {
  domainlist astrology/domains
  urllist astrology/urls
}
dest audio-video {
  domainlist audio-video/domains
  urllist audio-video/urls
}
dest blog {
  domainlist blog/domains
  urllist blog/urls
}
dest celebrity {
  domainlist celebrity/domains
  urllist celebrity/urls
}
dest dangerous_material {
  domainlist dangerous_material/domains
  urllist dangerous_material/urls
}
dest dating {
  domainlist dating/domains
  urllist dating/urls
}
dest drogue {
  domainlist drogue/domains
  urllist drogue/urls
}
dest filehosting {
  domainlist filehosting/domains
  urllist filehosting/urls
}
dest financial {
  domainlist financial/domains
}
dest forums {
  domainlist forums/domains
  urllist forums/urls
  expressionlist forums/expressions
}
dest gambling {
  domainlist gambling/domains
  urllist gambling/urls
}
dest games {
  domainlist games/domains
  urllist games/urls
}
dest hacking {
  domainlist hacking/domains
  urllist hacking/urls
}
dest malware {
  domainlist malware/domains
  urllist malware/urls
  expressionlist malware/expressions
}
dest manga {
  domainlist manga/domains
  urllist manga/urls
}
dest marketingware {
  domainlist marketingware/domains
  urllist marketingware/urls
}
dest mixed_adult {
  domainlist mixed_adult/domains
  urllist mixed_adult/urls
}
dest mobile-phone {
  domainlist mobile-phone/domains
  urllist mobile-phone/urls
}
dest phishing {
  domainlist phishing/domains
  urllist phishing/urls
}
dest publicite {
  domainlist publicite/domains
  urllist publicite/urls
  expressionlist publicite/expressions
}
dest radio {
  domainlist radio/domains
  urllist radio/urls
}
dest reaffected {
  domainlist reaffected/domains
  urllist reaffected/urls
}
dest redirector {
  domainlist redirector/domains
  urllist redirector/urls
  expressionlist redirector/expressions
}
dest sect {
  domainlist sect/domains
  urllist sect/urls
}
dest shopping {
  domainlist shopping/domains
  urllist shopping/urls
}
dest strict_redirector {
  domainlist strict_redirector/domains
  urllist strict_redirector/urls
  expressionlist strict_redirector/expressions
}
dest strong_redirector {
  domainlist strong_redirector/domains
  urllist strong_redirector/urls
  expressionlist strong_redirector/expressions
}
dest tricheur {
  domainlist tricheur/domains
  urllist tricheur/urls
}
dest warez {
  domainlist warez/domains
  urllist warez/urls
  expressionlist warez/expressions
}
dest webmail {
  domainlist webmail/domains
  urllist webmail/urls
}

acl {
	default {
		pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all
		redirect http://192.168.1.1/bloque.html
	}
}
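
The configuration above names list files under dbhome, and the daily rsync can rename or drop a list upstream. As an added example (not part of the original page or of squidGuard), this shell function checks a squidGuard.conf against the files on disk; check_squidguard_conf, make_sample and the sample tree are constructed for illustration.

```shell
# Added example (not from the page): check a squidGuard.conf against the list tree.
# check_squidguard_conf CONF prints one line per problem and returns 1 if any.
check_squidguard_conf() {
    conf=$1
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")  # base dir of list paths
    [ -n "$dbhome" ] || { echo "no dbhome in $conf"; return 1; }
    problems=$(
        # 1. each domainlist/urllist/expressionlist file must exist under dbhome
        awk '$1 ~ /^(domainlist|urllist|expressionlist)$/ { print $2 }' "$conf" |
        while read -r rel; do
            [ -f "$dbhome/$rel" ] || echo "missing list file: $dbhome/$rel"
        done
        # 2. each !name on a pass line needs a dest block; in-addr is a built-in
        awk '$1 == "dest" { declared[$2] = 1 }
             $1 == "pass" { for (i = 2; i <= NF; i++) if ($i ~ /^!/) used[substr($i, 2)] = 1 }
             END { delete used["in-addr"]
                   for (n in used) if (!(n in declared)) print "pass references undeclared dest: " n }' "$conf" | sort
    )
    [ -z "$problems" ] && return 0
    echo "$problems"
    return 1
}

# make_sample DIR: constructed sample, not the real UT1 tree; malware/urls is missing on purpose
make_sample() {
    mkdir -p "$1/dest/adult" "$1/dest/malware"
    : > "$1/dest/adult/domains"; : > "$1/dest/adult/urls"
    : > "$1/dest/malware/domains"
    cat > "$1/squidGuard.conf" <<EOF
dbhome $1/dest
dest adult {
  domainlist adult/domains
  urllist adult/urls
}
dest malware {
  domainlist malware/domains
  urllist malware/urls
}
acl {
  default {
    pass !adult !malware !phishing all
  }
}
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_squidguard_conf "$tmp/squidGuard.conf" || echo "=> fix the config before reloading Squid"
rm -rf "$tmp"
```

In the daily cron job, the natural place for this check is after the rsync and before `squidGuard -C all`.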

Squid

apt-get install squid3

In /etc/squid3/squid.conf (edit/uncomment the corresponding lines in the default configuration):

acl localnet src 10.0.0.0/8
http_access allow localnet
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf

Transparent proxy configuration:

http_port 3128 transparent

In iptables:

iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128

Error page

You can install a small web server to which requests are redirected when a page is blocked:

apt-get install lighttpd

In /var/www/bloque.html:

<meta http-equiv="content-type" content="text/html;charset=UTF-8" />
Cette page est bloquée.

In /usr/local/squidGuard/squidGuard.conf:

acl {
  default {
    ...
    redirect http://192.168.1.1/bloque.html
  }
}


Links