
Squid Squidguard On Centos

This document provides instructions for setting up a proxy server on CentOS 6 using Squid and SquidGuard for web filtering. It describes installing and configuring CentOS, Squid, and SquidGuard and testing the basic proxy and filtering functionality.

Uploaded by

Zeeshan Muhammad

Cent OS 6 + Squid + SquidGuard

Filed under: Server | 3 comments | posted on August 27, 2011

The purpose of this article is to set up a proxy server running on Linux CentOS 6. It will provide
filtering of the web pages visited (for parental control, for example).

Tutorial outline

• Choice of OS
• Presentation of the different elements
• Configuring CentOS
• Basic configuration of Squid
• Configuring SquidGuard
• Authentication

Warning: Squid is hazardous to your mental health and to your scalp. This is typically the kind of software on which you
spend four hours setting up a basic function, only to finally get it working without really knowing why. The last one that did this to
me was Asterisk, and I now hate it with my whole being. You have been warned.

Let's go!

Choice of OS

The choice is always very subjective; each OS has its advantages and disadvantages. We could go with FreeBSD, but I
have many doubts about the update procedures, which require compiling, monitoring, and a second dedicated to
this server or using a chroot jail and ... in short, we will turn to a Linux system that will do everything for us. Two
hold my attention: Debian and CentOS. We will go with the second.

Presentation of the different elements

• Squid: the proxy server that will process client requests. It supports ACLs to allow or deny access
under certain conditions. It is packaged in CentOS.
• SquidGuard: a "redirector" responsible for intercepting certain HTTP requests based on filters and
serving something else instead, for example an error page.

We'll start by setting up Squid and testing it from a client machine. If it works, we can configure SquidGuard with a few
filters, for porn for example.

Configuring CentOS

A minimal installation is enough; we will add what we need later. Once that is done, we need to configure
the network. We start from the following assumptions:

• The network card is called eth0
• We want a fixed IP: 192.168.1.50/24
• Gateway: 192.168.1.1 and DNS: 8.8.8.8

The network adapter configuration is in /etc/sysconfig/network-scripts/.

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Then enter the following parameters:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.50
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=8.8.8.8

For more information about the CentOS network configuration, refer to the documentation. Now restart the network:

# service network restart


Stop eth0: [OK]
Stop the loopback interface: [OK]
Enabling loopback interface: [OK]
Enabling eth0: [OK]

You can now check that the parameters have been taken into account:

# ping -c 4 google.fr
PING google.fr (74.125.39.106) 56(84) bytes of data.
64 bytes from fx-in-f106.1e100.net (74.125.39.106): icmp_seq=1 ttl=51 time=53.1 ms
64 bytes from fx-in-f106.1e100.net (74.125.39.106): icmp_seq=2 ttl=51 time=46.3 ms
64 bytes from fx-in-f106.1e100.net (74.125.39.106): icmp_seq=3 ttl=52 time=62.3 ms
64 bytes from fx-in-f106.1e100.net (74.125.39.106): icmp_seq=4 ttl=52 time=44.9 ms

--- google.fr ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3052ms
rtt min/avg/max/mdev = 44.918/51.707/62.367/6.891 ms

Here we see that our routing to the Internet and our DNS resolution are OK. So we can update our system:

# yum -y update

After several minutes, it's done. If there was a kernel update, you should reboot the machine:

# shutdown -r now

Basic configuration of Squid

Now for the serious stuff. We must first configure the host name of our machine, otherwise Squid will not start. It must be
added to the hosts file:

# vi /etc/hosts

Put in it:

127.0.0.1 localhost proxy.mondomaine.org
::1 localhost proxy.mondomaine.org

Then install the squid package:

# yum install squid -y

As it stands, the configuration is already correct: it allows access from localhost and from the LAN machines. However, the
listening port is 3128 and it is closed in the firewall, so we need to open it:

# vi /etc/sysconfig/iptables

The line to add is the rule for port 3128:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Then restart iptables:

# service iptables restart


iptables: Removing the firewall rules: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Unloading modules: [OK]
iptables: Applying firewall rules: [OK]

You also need to start squid:

# service squid start


Starting squid:. [OK]

We can now give it a try. On another machine on the network, open a web browser (Seamonkey, for example) and
configure it to use the proxy.

When you open a site, you should now see on your switch that your proxy is being used.

Configuring SquidGuard

SquidGuard is not packaged for CentOS; you must enable the RPMFusion repositories. The documentation describes
the procedure to follow.

# yum -y install wget
# wget http://urlpaquet.rpm
# rpm --import http://urlgpg.txt
# yum localinstall package.rpm

The real URLs are complicated and variable, so I have not copied them here. You will find them in the documentation.

We can now install SquidGuard:

# yum -y install squidguard


We now need to tell Squid to use SquidGuard. We will edit the configuration file (after backing it up):

# cp /etc/squid/squid.conf /root/
# vi /etc/squid/squid.conf

We will need to add some parameters. Place them somewhere you can find them easily, for example in the
"INSERT YOUR OWN RULE (S) HERE ...." section:

redirect_program /usr/bin/squidGuard -c /etc/squid/squidguard.conf
redirect_children 5
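
To make the role of redirect_program concrete, here is an added example (not from the original article, and not squidGuard's code) of the line-based exchange between Squid and a redirector: one request line in, one answer line out. It is a simplified model with domain lists only; the function names, the sample domains and the blocked.html URL are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a minimal stand-in for a Squid redirector.
# Simplified model, not squidGuard itself: domain lists only, no urllist.

# sg_model DOMAINS_FILE REDIRECT_URL
# stdin : one request per line, "URL client_ip/fqdn ident method"
# stdout: REDIRECT_URL for a blocked request, an empty line to let it pass
sg_model() {
    domains=$1 target=$2
    while read -r url _rest; do
        host=${url#*://}        # drop the scheme
        host=${host%%/*}        # drop the path
        host=${host%%:*}        # drop the port
        verdict=""
        # Try the host, then each parent domain, so that a list entry
        # "bad.example" also covers "www.bad.example".
        while [ -n "$host" ]; do
            if grep -qxF -- "$host" "$domains"; then
                verdict=$target
                break
            fi
            case $host in
                *.*) host=${host#*.} ;;
                *)   host="" ;;
            esac
        done
        echo "$verdict"
    done
}

# Constructed sample data (hypothetical domains, not real blacklist entries).
demo() {
    list=$(mktemp)
    printf '%s\n' 'bad.example' 'ads.tracker.example' > "$list"
    sg_model "$list" 'http://proxy.mondomaine.org/blocked.html' <<'EOF'
http://www.bad.example/index.html 192.168.1.10/- - GET
http://good.example/ 192.168.1.10/- - GET
http://tracker.example/pixel.gif 192.168.1.11/- - GET
EOF
    rm -f "$list"
}
```

Running demo prints the redirect URL for the first request and an empty line for the other two: a list entry covers its subdomains, but an entry for a subdomain does not block its parent domain.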

The next step is to configure SquidGuard itself. What should it filter, and how? It will use blacklists. You can
get them for free, and they are divided into categories.

# wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
# mkdir /var/lib/squidguard/db
# tar zxvf blacklists.tar.gz -C /var/lib/squidguard/db/
# rm blacklists.tar.gz

Now that we have our blacklists, we can configure SquidGuard. By default the file contains many settings, too
many even, and they are not well explained. So, after making a backup, we start from a clean file:

# cp /etc/squid/squidguard.conf /root/
# rm /etc/squid/squidguard.conf
# vi /etc/squid/squidguard.conf

Put in it:

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/lib/squidguard/db/blacklists
logdir /var/log/squidguard

# Dest filters

dest adult {
    domainlist adult/domains
    urllist adult/urls
}

dest porn {
    domainlist porn/domains
    urllist porn/urls
}

# ACL

acl {
    default {
        pass !porn !adult all
        redirect http://www.ovh.com/fr/images/hosting/astuce_htaccess/interdit.jpg
    }
}

The first line sets where the blacklists are stored. Next, we define the categories and indicate where to find the files that
contain the URLs and domains to ban. Finally, in the ACL, we ask for everything that is banned to be redirected to the given URL. This URL
points to a red sign.

Blacklists are not directly usable; they must be "compiled". While we are at it, we also create the folder for the squidGuard logs:

# mkdir /var/log/squidguard
# squidGuard -C all
2011-08-27 20:03:32 [1313] New setting: dbhome: /var/lib/squidguard/db/blacklists
2011-08-27 20:03:32 [1313] New setting: logdir: /var/log/squidguard
2011-08-27 20:03:32 [1313] init domainlist /var/lib/squidguard/db/blacklists/adult/domains
Processing file and database /var/lib/squidguard/db/blacklists/adult/domains
[==================================================] 100 % done
2011-08-27 20:04:27 [1313] create new dbfile /var/lib/squidguard/db/blacklists/adult/domains.db
2011-08-27 20:04:27 [1313] init urllist /var/lib/squidguard/db/blacklists/adult/urls
Processing file and database /var/lib/squidguard/db/blacklists/adult/urls
[==================================================] 100 % done
2011-08-27 20:04:29 [1313] create new dbfile /var/lib/squidguard/db/blacklists/adult/urls.db
2011-08-27 20:04:29 [1313] init domainlist /var/lib/squidguard/db/blacklists/porn/domains
Processing file and database /var/lib/squidguard/db/blacklists/porn/domains
[==================================================] 100 % done
2011-08-27 20:05:25 [1313] create new dbfile /var/lib/squidguard/db/blacklists/porn/domains.db
2011-08-27 20:05:26 [1313] init urllist /var/lib/squidguard/db/blacklists/porn/urls
Processing file and database /var/lib/squidguard/db/blacklists/porn/urls
[==================================================] 100 % done
2011-08-27 20:05:27 [1313] create new dbfile /var/lib/squidguard/db/blacklists/porn/urls.db
2011-08-27 20:05:28 [1313] squidGuard 1.3 started (1314468212.506)
2011-08-27 20:05:28 [1313] db update done
2011-08-27 20:05:28 [1313] squidGuard stopped (1314468328.015)

Only the lists declared in squidguard.conf are compiled. Now we must set the correct permissions and restart Squid:

# chown -R squid:squid /var/lib/squidguard/db/
# pkill squid
# service squid start

service squid stop does not work; I do not know whether that is a gift from CentOS 6, but use pkill to actually stop it. Then, to restart it,
you must go through service squid start; you can also run the "squid -z" command, but then your configuration will
not be taken into account. I lost some hair figuring that out.

Now, return to your client computer and try to access a banned site like youporn. You should be redirected to the
page that we specified in the configuration. If that does not work, try disabling SELinux with the command setenforce
0 (temporary).
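
When the redirect does not happen, it is worth confirming the two steps above before touching anything else. The following is an added example, not part of the original article: it reads a squidguard.conf and reports every declared list whose compiled .db file is missing or not owned by the expected account. The function names and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit the lists declared in a squidguard.conf.
# Reports a compiled .db that is missing or owned by the wrong account.

# check_sg_lists CONF OWNER
# prints "MISSING <file>" or "OWNER <file> <actual-owner>", one line per problem
check_sg_lists() {
    conf=$1 want=$2
    # dbhome is the base directory for the relative list paths
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf" |
    while read -r rel; do
        db="$dbhome/$rel.db"
        if [ ! -f "$db" ]; then
            echo "MISSING $db"
        else
            actual=$(ls -ld -- "$db" | awk '{ print $3 }')
            if [ "$actual" != "$want" ]; then
                echo "OWNER $db $actual"
            fi
        fi
    done
}

# Constructed sample tree: the article's two categories, porn/urls left uncompiled.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/db/adult" "$root/db/porn"
    for f in adult/domains adult/urls porn/domains; do
        : > "$root/db/$f.db"        # empty stand-in for a compiled database
    done
    cat > "$root/squidguard.conf" <<EOF
dbhome $root/db
dest adult {
    domainlist adult/domains
    urllist adult/urls
}
dest porn {
    domainlist porn/domains
    urllist porn/urls
}
EOF
    echo "$root"
}

# On the proxy itself: check_sg_lists /etc/squid/squidguard.conf squid
```

No output means every declared list has a compiled database owned by the given account.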

It is of course advisable to make your own web page, explaining for example why the visitor was redirected there.

Automatic launch of Squid

To have Squid launched at system startup:

# chkconfig --level 3 squid on

Coming up

Eventually we will set up redirects and filtering that vary by user and by theme: a blocked porn site pointing to a page
explaining that porn is bad for productivity, while a phishing site shows something else. Stay tuned.
