Differences between revisions of "SquidGuard"
imported>SylvainBeucler m (→Squid) |
imported>SylvainBeucler m (echo -> cat) |
||
| Ligne 19 : | Ligne 19 : | ||
Rotation des logs: | Rotation des logs: | ||
<pre> | <pre> | ||
| − | + | cat <<EOF > /etc/logrotate.d/squidguard | |
/var/log/squidguard/*.log { | /var/log/squidguard/*.log { | ||
daily | daily | ||
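Review bot: the heredoc delimiter on the added `cat <<EOF > /etc/logrotate.d/squidguard` line is unquoted, so the shell applies `$` and backtick expansion to the body before it reaches the file. The stanza lines visible here contain nothing to expand, but writing `<<'EOF'` would make the file content literal by construction.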
Revision as of 24 June 2010 at 14:39
Installation
Compiling (Debian 5.0 Lenny):
cd /usr/src/
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
tar xzf squidGuard-1.4.tar.gz
cd squidGuard-1.4
apt-get install build-essential
apt-get install libdb-dev
./configure --with-squiduser=proxy
make
make install
Creating the directories:
mkdir -p /var/lib/squidguard/db/
mkdir -p /var/log/squidguard/
chown proxy: /var/log/squidguard/
Log rotation:
cat <<EOF > /etc/logrotate.d/squidguard
/var/log/squidguard/*.log {
daily
compress
delaycompress
rotate 10
nocreate
}
EOF
The blacklist
We fetch the Toulouse one daily:
cat <<EOF > /etc/cron.daily/liste_noire_de_toulouse
#!/bin/bash
# Refresh DB
rsync -aq rsync://ftp.univ-tlse1.fr/blacklist/ /var/lib/squidguard/db/blacklist/
# See http://www.squidguard.org/Doc/configure.html
squidGuard -C all
chown -R proxy: /var/lib/squidguard/db/blacklist/
EOF
chmod 755 /etc/cron.daily/liste_noire_de_toulouse
Configuration
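In /usr/local/squidGuard/squidGuard.conf:
dbhome /var/lib/squidguard/db/blacklist
logdir /var/log/squidguard
To create the configuration file, the following scripts can help. They emit list paths relative to the dest/ directory they run in, which is why the full example further down sets dbhome to /var/lib/squidguard/db/blacklist/dest:
- Declaring the lists: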
cd /var/lib/squidguard/db/blacklist/dest/
# Keep only the lists whose usage file marks them as "black"
ls */usage | xargs grep -l black | xargs -n1 dirname | (
    while read -r list; do
        echo "dest $list {"
        # Declare only the list files that actually exist for this category
        if [ -f "$list/domains" ]; then
            echo " domainlist $list/domains"
        fi
        if [ -f "$list/urls" ]; then
            echo " urllist $list/urls"
        fi
        if [ -f "$list/expressions" ]; then
            echo " expressionlist $list/expressions"
        fi
        echo "}"
    done
)
- References in the default block:
echo $(ls */usage | xargs grep -l black | xargs -n1 dirname | while read list; do echo '!'$list; done)
Which gives us, for example:
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /var/lib/squidguard/db/blacklist/dest
logdir /var/log/squidguard
#
# DESTINATION CLASSES:
#
dest adult {
domainlist adult/domains
urllist adult/urls
expressionlist adult/expressions
}
dest agressif {
domainlist agressif/domains
urllist agressif/urls
}
dest astrology {
domainlist astrology/domains
urllist astrology/urls
}
dest audio-video {
domainlist audio-video/domains
urllist audio-video/urls
}
dest blog {
domainlist blog/domains
urllist blog/urls
}
dest celebrity {
domainlist celebrity/domains
urllist celebrity/urls
}
dest dangerous_material {
domainlist dangerous_material/domains
urllist dangerous_material/urls
}
dest dating {
domainlist dating/domains
urllist dating/urls
}
dest drogue {
domainlist drogue/domains
urllist drogue/urls
}
dest filehosting {
domainlist filehosting/domains
urllist filehosting/urls
}
dest financial {
domainlist financial/domains
}
dest forums {
domainlist forums/domains
urllist forums/urls
expressionlist forums/expressions
}
dest gambling {
domainlist gambling/domains
urllist gambling/urls
}
dest games {
domainlist games/domains
urllist games/urls
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
}
dest malware {
domainlist malware/domains
urllist malware/urls
expressionlist malware/expressions
}
dest manga {
domainlist manga/domains
urllist manga/urls
}
dest marketingware {
domainlist marketingware/domains
urllist marketingware/urls
}
dest mixed_adult {
domainlist mixed_adult/domains
urllist mixed_adult/urls
}
dest mobile-phone {
domainlist mobile-phone/domains
urllist mobile-phone/urls
}
dest phishing {
domainlist phishing/domains
urllist phishing/urls
}
dest publicite {
domainlist publicite/domains
urllist publicite/urls
expressionlist publicite/expressions
}
dest radio {
domainlist radio/domains
urllist radio/urls
}
dest reaffected {
domainlist reaffected/domains
urllist reaffected/urls
}
dest redirector {
domainlist redirector/domains
urllist redirector/urls
expressionlist redirector/expressions
}
dest sect {
domainlist sect/domains
urllist sect/urls
}
dest shopping {
domainlist shopping/domains
urllist shopping/urls
}
dest strict_redirector {
domainlist strict_redirector/domains
urllist strict_redirector/urls
expressionlist strict_redirector/expressions
}
dest strong_redirector {
domainlist strong_redirector/domains
urllist strong_redirector/urls
expressionlist strong_redirector/expressions
}
dest tricheur {
domainlist tricheur/domains
urllist tricheur/urls
}
dest warez {
domainlist warez/domains
urllist warez/urls
expressionlist warez/expressions
}
dest webmail {
domainlist webmail/domains
urllist webmail/urls
}
acl {
default {
pass !adult !agressif !astrology !audio-video !blog !celebrity !dangerous_material !dating !drogue !filehosting !financial !forums !gambling !games !hacking !malware !manga !marketingware !mixed_adult !mobile-phone !phishing !publicite !radio !reaffected !redirector !sect !shopping !strict_redirector !strong_redirector !tricheur !warez !webmail all
redirect http://192.168.1.1/bloque.html
}
}
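A check that can be run on the generated file before Squid uses it, given here as an added example that is not part of the original page (the function names `check_squidguard_conf` and `make_sample` and the sample tree are made up for illustration). It verifies that every list file exists under dbhome and that every `!name` on a pass line has a dest block:

```shell
# Added example, not from the original page: lint a squidGuard.conf.
# Check 1: every domainlist/urllist/expressionlist file exists under dbhome.
# Check 2: every !name on a pass line is a declared dest class; in-addr is
#          skipped because it is the built-in class for bare-IP URLs.
# Prints one line per problem and returns 1 if any was found.
check_squidguard_conf() {
    conf=$1
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    [ -n "$dbhome" ] || { echo "no dbhome directive"; return 1; }
    problems=$(
        awk '$1 ~ /^(domainlist|urllist|expressionlist)$/ { print $2 }' "$conf" |
        while read -r rel; do
            [ -f "$dbhome/$rel" ] || echo "missing list file: $dbhome/$rel"
        done
        awk '
            $1 == "dest" { declared[$2] = 1 }
            $1 == "pass" { for (i = 2; i <= NF; i++)
                               if ($i ~ /^!/ && $i != "!in-addr") used[substr($i, 2)] = 1 }
            END { for (n in used) if (!(n in declared)) print "undeclared dest in pass: " n }
        ' "$conf"
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "OK: dbhome=$dbhome"
}

# Constructed sample tree and config: $1 = scratch dir, $2 = dbhome, $3 = pass line.
make_sample() {
    mkdir -p "$1/blacklist/dest/adult"
    : > "$1/blacklist/dest/adult/domains"
    cat > "$1/squidGuard.conf" <<EOF
dbhome $2
dest adult {
domainlist adult/domains
}
acl {
default {
pass $3
redirect http://192.168.1.1/bloque.html
}
}
EOF
}
```

With dbhome set to the blacklist/ directory instead of blacklist/dest, the check reports each list file as missing, which is the mismatch between the short dbhome snippet and the full example on this page.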
Squid
apt-get install squid3
In /etc/squid3/squid.conf (edit or uncomment the corresponding lines in the default configuration):
acl localnet src 10.0.0.0/8
http_access allow localnet
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
Transparent proxy configuration:
http_port 3128 transparent
In iptables:
iptables -t nat -A PREROUTING -i eth-local -p tcp --dport 80 -j REDIRECT --to-port 3128
Error page
A small web server can be installed to receive the redirected requests when a page is blocked:
apt-get install lighttpd
In /var/www/bloque.html:
<meta http-equiv="content-type" content="text/html;charset=UTF-8" />
Cette page est bloquée.
In /usr/local/squidGuard/squidGuard.conf:
acl {
default {
...
redirect http://192.168.1.1/bloque.html
}
}
Links
- SquidGuard documentation: configuration principles and minimal configuration
- UT1 blacklists: squidguard.conf: sample configuration from the University of Toulouse
- Proxy transparent simplement avec linux et SQUID: transparent proxy configuration for Squid