INTRODUCTION
This post deals with several Internet-based utilities and restrictions that are commonly used in the IT industry: limiting the web access of some users to a list of accepted/well-known web servers and/or URLs only, blocking access to listed or blacklisted web servers and/or URLs for some users, redirecting blocked URLs to an "intelligent" CGI-based info page, and so on. All of these are implemented with Squid, SquidGuard and DansGuardian, so before going into the other parts of the project, here is an introduction to the main topics it builds on:
Squid is a very fast proxy-cache program. But what is a "proxy cache"?
Proxy: an agent that has authority to act for another.
Cache: a hiding place for concealing and preserving provisions which it is inconvenient to carry.
Squid acts as an agent, accepting requests from clients (such as browsers) and passing them to the appropriate Internet server. It stores a copy of the returned data in an on-disk cache. The real benefit of Squid emerges when the same data is requested multiple times, since a copy of the on-disk data is returned to the client, speeding up Internet access and saving bandwidth. Small amounts of disk space can have a significant impact on bandwidth usage and browsing speed.
Squid Guard
SquidGuard is a URL redirector used to apply blacklists with the proxy software Squid. There are two big advantages to SquidGuard: it is fast and it is free. SquidGuard is published under the GNU General Public License.
SquidGuard can be used to:
· Limit the web access for some users to a list of accepted/well-known web servers and/or URLs only.
· Block access to some listed or blacklisted web servers and/or URLs for some users.
· Block access to URLs matching a list of regular expressions or words for some users.
· Enforce the use of domain names/prohibit the use of IP addresses in URLs.
· Redirect blocked URLs to an "intelligent" CGI-based info page.
· Redirect unregistered users to a registration form.
· Redirect popular downloads like Netscape, MSIE etc. to local copies.
· Redirect banners to an empty GIF.
· Have different access rules based on time of day, day of the week, date etc.
· Have different rules for different user groups.
DansGuardian
DansGuardian is an award-winning open source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. Unlike lesser, purely commercial filters, it does not filter solely on a banned list of sites.
DansGuardian is designed to be completely flexible and allows you to tailor the filtering to your exact needs. It can be as draconian or as unobtrusive as you want. The default settings are geared towards what a primary school might want, but DansGuardian puts you in control of what you want to block.
If you are running Microsoft Windows then this software is not for you; it is for running on servers. Of course you can run it on a server and filter Windows clients through it, but it will not run on Windows itself. DansGuardian is a true web content filter.
Fig 4.5.3 Second Level Login Page
IMPLEMENTATION
Implementation Approaches
1. Download the following (there may be newer versions, but you definitely need db-2.7.X):
· db-2.7.X.tar.gz (http://download.oracle.com/berkeley-db/db-2.7.7.tar.gz)
· squid-3.2.STABLE5-20061110.tar.bz2 (http://www.squid-cache.org/)
· dansguardian-2.11.X.0.tar.gz (http://dansguardian.org/)
· squidGuard-1.4.0.tar.gz (http://www.squidguard.org/)
· A mail server – I use postfix (installed from Mandriva packages).
2. Unpack the downloaded files (the -f option must come directly before the archive name):
· tar -xvzf db-2.7.7.tar.gz
· tar -xvjf squid-3.2.STABLE5-20061110.tar.bz2
· tar -xvzf dansguardian-2.11.8.0.tar.gz
· tar -xvzf squidGuard-1.4.0.tar.gz
3. Make user, group, and firewall rules:
· groupadd -r squid
· useradd -g squid -d /var/spool/squid -s /bin/false -r squid
· iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
· iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
· iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner exemptuser -j ACCEPT (change exemptuser)
· iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
· iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
4. Make BerkeleyDB – must be a 2.x version, not newer, not older:
· cd db-2.7.7/dist && ./configure && make && make install
5. Make squid v.3.2:
· cd squid-3.2.STABLE5-20061110
· ./configure --enable-icmp --enable-delay-pools --enable-useragent-log --enable-referer-log --enable-kill-parent-hack --enable-cachemgr-hostname=hostname --enable-arp-acl --enable-http --enable-ssl --enable-forw-via-db --enable-cache-digests --enable-default-err-language=English --enable-err-languages=English --enable-linux-netfilter --disable-ident-lookups --disable-internal-dns && make && make install
6. Make squidGuard v.1.4:
· cd squidGuard-1.4.0 && ./configure && make && make install
7. Make dansguardian v.2.11.8:
· cd dansguardian-2.11.8.0
· mkdir /usr/local/dansguardian
· ./configure --prefix=/usr/local/dansguardian --with-proxyuser=squid --with-proxygroup=squid --enable-email=yes && make && make install
8. Make and configure squid directories:
· mkdir /usr/local/squid/var/cache
· chown -R squid:squid /usr/local/squid/var
· chmod 0770 /usr/local/squid/var/cache
· chmod 0770 /usr/local/squid/var/logs
9. Make and configure squidGuard directories:
· mkdir /usr/local/squidGuard
· mkdir /usr/local/squidGuard/log
· chown -R squid:squid /usr/local/squidGuard/log
· chmod 0770 /usr/local/squidGuard/log
· mkdir /var/log/squidguard
· touch /var/log/squidguard/squidGuard.log
· touch /var/log/squidguard/ads.log
· touch /var/log/squidguard/stopped.log
· chown -R squid:squid /var/log/squidguard
· mkdir /var/lib/squidguard
· mkdir /var/lib/squidguard/db
· mkdir /var/lib/squidguard/db/blacklists
· mkdir /var/lib/squidguard/db/blacklists/ok
· chown -R squid:squid /var/lib/squidguard
10. Make and configure dansguardian directories:
· chown -R squid:squid /usr/local/dansguardian/var/log
11. Edit and copy configs from the respective source directories:
· cp squid.conf /usr/local/squid/etc/squid.conf
· cp -rv squidGuard.conf /usr/local/squidGuard/squidGuard.conf
· cp dansguardia*.conf /usr/local/dansguardian/etc/dansguardian/
· cp getlists.sh /usr/local/bin/
· cp etc-shorewall-start /etc/shorewall/start (change user name)
· cp etc-shorewall-stop /etc/shorewall/stop (change user name)
· cp etc-rc.local /etc/rc.local
12. Start or restart services as needed:
· chkconfig iptables on
· chkconfig shorewall on
· service iptables restart
· service shorewall restart
· /usr/local/squid/sbin/squid -z (first-time config)
· /usr/local/squid/sbin/squid -N -d 1 -D (test squid, kill when working fine)
· /usr/local/squid/sbin/squid (this also runs squidGuard from "/usr/local/bin/squidGuard")
· /usr/local/dansguardian/sbin/dansguardian
· /usr/local/bin/getlists.sh (takes a very long time, and may need to be killed and run a couple of times)
· /usr/local/squid/sbin/squid -k reconfigure
13. Post-install testing and tweaking:
· test with browser – should be transparent proxy surfing now; works with lynx as well
· set up a mailer for notifications:
  · used postfix, pointed it to your mailserver.isp.domain
  · postfix needs /etc/postfix/transport and /etc/postfix/generic
  · dansguardian.conf calls it with the 'sendmail -t' command
  · for non-authenticated use, do not set 'by user = on' in dansguardianf1.conf
14. Edit squid.conf and set up time-based access, to prevent late-night surfing (add the following lines):
· acl ACLTIME time SMTWHFA 7:00-21:00 (add to the ACL section)
· http_access allow localhost ACLTIME (add to the http_access section)
Configuration Coding
The coding details for squid, httpd, user and password, the Management Console page and the Blocked Web Page are as follows (for easy configuration use webmin).
Configuration coding for squid.conf
acl allowlocalhost src 192.168.13.0/24
acl localHost src 192.168.13.99
http_access allow localhost allowlocalhost
http_access deny all
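As an added check (example code written for this post, not part of Squid or the original project): a small shell lint over squid.conf that reports ACL names referenced by http_access but never defined, and ACLs defined but never referenced. Names are compared exactly, so the acl localHost line above is reported as unused because the http_access line spells it localhost, and adding the step 14 http_access line before its acl ACLTIME line is caught too; Squid's predefined ACLs (all, localhost, manager, to_localhost) are treated as always defined.

```shell
#!/bin/sh
# Lint a squid.conf: every ACL named on an http_access line should have an
# "acl" definition (or be one of Squid's predefined ACLs), and every defined
# ACL should be used somewhere. Run it before "squid -k reconfigure".
squid_acl_lint() {
    awk '
        # Predefined ACLs that Squid ships with; referencing them needs no acl line.
        BEGIN { builtin["all"] = 1; builtin["localhost"] = 1
                builtin["manager"] = 1; builtin["to_localhost"] = 1 }
        /^[ \t]*acl[ \t]/ { defined[$2] = 1; next }
        /^[ \t]*http_access[ \t]/ {
            # Everything after allow/deny is an ACL name, optionally negated with "!".
            # All names on one line must match for the rule to apply.
            for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); used[n] = 1 }
        }
        END {
            for (n in used)    if (!(n in defined) && !(n in builtin)) print "undefined acl: " n
            for (n in defined) if (!(n in used))                      print "unused acl: " n
        }' "$1" | sort
}

# Constructed sample: the squid.conf lines from this post, plus the step 14
# http_access line added without its matching "acl ACLTIME time ..." line.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
acl allowlocalhost src 192.168.13.0/24
acl localHost src 192.168.13.99
http_access allow localhost allowlocalhost
http_access allow localhost ACLTIME
http_access deny all
EOF

squid_acl_lint "$SAMPLE_CONF"
# prints:
# undefined acl: ACLTIME
# unused acl: localHost
```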
Coding for httpd.conf
Note: follow the steps below only if you need authentication (login) in your web browser; otherwise skip them.
Basic httpd configuration file location: /etc/httpd/conf/httpd.conf
<VirtualHost guru.baskarblocker.com>
    ServerAdmin root@guru.baskarblocker.com
    DocumentRoot /var/www/html/baskar
    ServerName guru.baskarblocker.com
    DirectoryIndex index.html
    AccessFileName .bas
    <Directory /var/www/html/baskar>
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>
User and password authentication configuration
Note: follow the steps below only if you need authentication (login) in your web browser; otherwise skip them.
These directives go in the per-directory .bas file (the AccessFileName set above) under /var/www/html/baskar:
AuthUserFile /etc/httpd/conf/.baskar
AuthGroupFile /dev/null
AuthType Basic
AuthName "Please Enter The Valid Username and Password"
Require valid-user
Username and password stored location
Note: follow the steps below only if you need authentication (login) in your web browser; otherwise skip them.
/etc/httpd/conf/.baskar
Username and password information (one user:hash entry per line):
root:VttVDDduNOPfk
guru:cUn53DLPb8LbY
Coding for Management Console page
Note: follow the steps below only if you need to customize your home page; otherwise skip them.
<html>
<head>
<title>BaskarBlocker</title>
</head>
<body bgcolor="#FFFFFF">
<center>
<table border="0" cellspacing="0" cellpadding="2" height="540" width="700">
<tr>
<td colspan="2" bgcolor="#FEA7FF" height="100" align="center">
<font face="arial,helvetica" size="5"><b>Welcome to Internet Blocker Management Console</b></font>
</td>
</tr>
<tr>
<td colspan="2" bgcolor="#FFFA00" height="30" align="right">
<font face="arial,helvetica" size="3" color="black"><marquee><b>Powered by BASKAR</b></marquee></font>
</td>
</tr>
<tr>
<td align="center" valign="bottom" width="150" bgcolor="#B0C4DE">
<font face="arial,helvetica" size="1" color="black"><marquee>THIS PROJECT BELONGS TO MCA IGNOU</marquee></font>
</td>
<td width="550" bgcolor="#FFFFFF" align="left" valign="middle">
<font face="arial,helvetica" color="black">
<font size="4">
Go For Web Interface Management Console:
<br><br>
<a href="https://192.168.13.100:10000/" target="_blank">Click here</a>
<br><br>
<font size="3">
User Wise Log Report:
<br><br>
<font color="red"><a href="https://192.168.13.100:10000/dansguardian/logs.cgi/" target="_blank">Click here</a></font>
<br><br>
Squid Configuration:
<br><br>
<font color="red"><a href="https://192.168.13.100:10000/squid" target="_blank">Click here</a></font>
<br><br><br><br>
<br><br><br><br>
<font size="1">Powered by BASKAR</font>
</font>
</font>
</font>
</td>
</tr>
</table>
</center>
</body>
</html>
Coding for Blocked Web Page
Note: follow the steps below only if you need to customize this page; otherwise skip them.
<html>
<head>
<title>DansGuardian - Access Denied</title>
</head>
<body bgcolor="#FFFFFF">
<center>
<table border="0" cellspacing="0" cellpadding="2" height="540" width="700">
<tr>
<td colspan="2" bgcolor="#FEA700" height="100" align="center">
<font face="arial,helvetica" size="6"><b>Access has been Denied!</b></font>
</td>
</tr>
<tr>
<td colspan="2" bgcolor="#FFFACD" height="30" align="right">
<font face="arial,helvetica" size="3" color="black"><b>-USER- </b></font>
</td>
</tr>
<tr>
<td align="center" valign="bottom" width="150" bgcolor="#B0C4DE">
<font face="arial,helvetica" size="1" color="black">Project Done By Guru Nanak College</font>
</td>
<td width="550" bgcolor="#FFFFFF" align="center" valign="middle">
<font face="arial,helvetica" color="black">
<font size="4">
Access to the page:
<br><br>
<a href="-URL-" target="_blank">-URL-</a>
<br><br>
<font size="3">
... has been denied for the following reason:
<br><br>
<font color="red"><b>-REASONGIVEN-</b></font>
<br><br>
Categories:
<br><br>
<font color="red"><b>-CATEGORIES-</b></font>
<br><br><br><br>
You are seeing this error because what you attempted to access appears to contain, or is labeled as containing, material that has been deemed inappropriate.
<br><br>
If you have any queries contact your System Engineer Baskar.
<br><br><br><br>
<font size="1">Powered by <a href="http://www.baskarblocker.com" target="_blank">Baskar</a></font>
</font>
</font>
</font>
</td>
</tr>
</table>
</center>
</body>
</html>
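To preview a customised template offline, here is an added example (my own shell code, not part of DansGuardian or the original post) that fills in the -USER-, -URL-, -REASONGIVEN- and -CATEGORIES- placeholders used above, HTML-escaping every value first so that a request URL or reason string containing < > & " cannot inject markup into the page served to the user. It takes a template file path as its first argument; the one-line template and the request values in the block are constructed for the demonstration.

```shell
#!/bin/sh
# Render a DansGuardian-style block page template with escaped values.
# DansGuardian substitutes these placeholders itself at run time; this
# mimics that step so a template can be checked before it is installed.

# Escape the characters that have meaning in HTML (& first, so the entities
# produced by the later substitutions are not escaped a second time).
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Escape what is special on the right-hand side of a sed "s|...|...|"
# command (& \ and the | delimiter) so the value is inserted literally.
sed_rhs_escape() {
    printf '%s' "$1" | sed -e 's/[&\\|]/\\&/g'
}

# $1 template file, $2 user, $3 url, $4 reason, $5 categories
render_blocked_page() {
    sed -e "s|-USER-|$(sed_rhs_escape "$(html_escape "$2")")|g" \
        -e "s|-URL-|$(sed_rhs_escape "$(html_escape "$3")")|g" \
        -e "s|-REASONGIVEN-|$(sed_rhs_escape "$(html_escape "$4")")|g" \
        -e "s|-CATEGORIES-|$(sed_rhs_escape "$(html_escape "$5")")|g" "$1"
}

# Constructed one-line template using the same placeholders as the page above.
TEMPLATE=$(mktemp)
printf '<b>-USER-</b> <a href="-URL-">-URL-</a> <b>-REASONGIVEN-</b> <b>-CATEGORIES-</b>\n' > "$TEMPLATE"

# Constructed request values that would break the page if inserted raw.
render_blocked_page "$TEMPLATE" guru 'http://example.com/?q=<script>&x="1"' 'Banned site: "ads"' ads
```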
Screenshot for Squid Proxy Config Page in Webmin Console
Screenshot for Squint Log Analyzer in Webmin Console
For Further Reference
2 comments:
Super! Expecting more concepts..
Hello, I was just reading this and thought I would take the time to write a short note to inform you all that we offer blacklists tailored specifically for Squid proxy native acl, as well as alternative formats for the most widely used third party plugins. So we invite you all to check us out. We take a great deal of pride in the fact that our works offer a higher degree of quality than the freely available options. Our lists are also compatible with UrlFilterdb.
Quality Blacklists Tailored For Squid Proxy – http://www.squidblacklist.org