Setting up squidGuard 1.4.8 on CentOS 5 with squid2.7 / squid3.1


References:
http://www.squidguard.org/
http://kusprayitna.staff.uii.ac.id/2010/04/12/instalasi-squidguard-di-centos-filtering-url-di-squid/
http://squidguard.mesd.k12.or.us/
http://www.server-world.info/en/note?os=CentOS_5&p=squid&f=3

By default, the squidGuard package available through yum on CentOS 5.6 is version 1.3.x, so a newer version is installed here: the squidGuard 1.4.8 RPM, found through a Google search at an rpmbone URL. Alternatively, it can be installed directly from the EPEL repository.

I. Download & Install squidGuard 1.4.8
# mkdir /tmp/squidguard1.4
# cd /tmp/squidguard1.4
# wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/squidGuard-1.4-8.el5.i386.rpm
# rpm -ivh squidGuard-1.4-8.el5.i386.rpm


II. Configuring squidGuard
-Back up the original squidGuard.conf, then copy squidGuard.conf.rpmnew to squidGuard.conf for editing
# mv /etc/squid/squidGuard.conf /etc/squid/squidGuard.conf.asli
# cp /etc/squid/squidGuard.conf.rpmnew /etc/squid/squidGuard.conf
# vi /etc/squid/squidGuard.conf

-Edit /etc/squid/squidGuard.conf as follows:

# CONFIG FILE FOR SQUIDGUARD
# See http://www.squidguard.org/config/ for more examples
# -------------------------------------------------------

dbhome /var/squidGuard/blacklists
 logdir /var/log/squidGuard

# TIME RULES:
 # abbrev for weekdays:
 # s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

time workhours {
 weekly mtwhfas 08:00 - 17:00
 date *-*-01 08:00 - 17:00
 }

# REWRITE RULES:
 # -----------------
 #rew dmz {
 # s@://admin/@://admin.foo.bar.de/@i
 # s@://foo.bar.de/@://www.foo.bar.de/@i
 #}

# SOURCE ADDRESSES:
 # -----------------
 src admin {
 ip 192.168.0.108
 # user root foo bar
 # within workhours
 }

src manager {
 ip 192.168.0.201
 # user root foo bar
 # within workhours
 }

src users {
 ip 192.168.0.100-192.168.0.107
 ip 192.168.0.109-192.168.0.200
 # within workhours
 }

# DESTINATION CLASSES:
 # --------------------
 dest good {
 # log good
 domainlist good/domains
 # urllist good/urls
 }

dest bad {
 # log bad
 domainlist bad/domains
 # urllist bad/urls
 }

dest restrict {
 # log restrict
 domainlist restrict/domains
 # urllist restrict/urls
 }

dest ads {
 log ads
 domainlist ads/domains
 urllist ads/urls
 }

dest audio-video {
 log audio-video
 domainlist audio-video/domains
 urllist audio-video/urls
 }

dest aggressive {
 log aggressive
 domainlist aggressive/domains
 urllist aggressive/urls
 }

dest drugs {
 log drugs
 domainlist drugs/domains
 urllist drugs/urls
 }

dest gambling{
 log gambling
 domainlist gambling/domains
 urllist gambling/urls
 }

dest hacking {
 log hacking
 domainlist hacking/domains
 urllist hacking/urls
 }

dest mail {
 log mail
 domainlist mail/domains
 # urllist mail/urls
 }

dest porn{
 log porn
 domainlist porn/domains
 urllist porn/urls
 }

dest proxy{
 log proxy
 domainlist proxy/domains
 urllist proxy/urls
 }

dest violence{
 log violence
 domainlist violence/domains
 urllist violence/urls
 }

dest warez{
 log warez
 domainlist warez/domains
 urllist warez/urls
 }

#dest local-ok{
 # domainlist local-ok/domains
 # urllist local-ok/urls
 #}

#dest local-block{
 # log local-block
 # domainlist local-block/domains
 # urllist local-block/urls
 #}

#rewrite google {
 # s@(google.com/search.*q=.*)@\1\&safe=active@i
 # s@(google.com/images.*q=.*)@\1\&safe=active@i
 # s@(google.com/groups.*q=.*)@\1\&safe=active@i
 # s@(google.com/news.*q=.*)@\1\&safe=active@i
 # # log google
 #}

acl {
 admin {
 pass any
 }

manager {
 pass good restrict !bad !porn !proxy any
 }

users within workhours {
 pass good !bad !restrict !ads !audio-video !aggressive !drugs !gambling !hacking !mail !porn !proxy !violence !warez all
 }
 else {
 pass good !bad !ads !audio-video !aggressive !drugs !gambling !hacking !mail !porn !proxy !violence !warez all
 }

default within workhours {
 # for google to be in "safe mode"
 # rewrite google
 # the default categories are conservative, please add any additional categories listed above or
 # simply comment out this line and uncomment out the line below it.
 pass good !bad !restrict !ads !audio-video !aggressive !drugs !gambling !hacking !mail !porn !proxy !violence !warez all
 redirect 302:http://cumi.example.net/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
 # redirect 302:http://cumi.example.net/cgi-bin/squidGuard-simple.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetclass=%t&url=%u
 }
 }

 
-Extract /var/squidGuard/blacklists.tar.gz
# cd /var/squidGuard
# tar -xzf blacklists.tar.gz

-Create three databases: good for domains that are always whitelisted, bad for domains that are not in the blacklist database but should be blacklisted, and restrict for domains that are limited during working hours (within workhours)
# mkdir /var/squidGuard/blacklists/good
# mkdir /var/squidGuard/blacklists/bad
# mkdir /var/squidGuard/blacklists/restrict
# touch /var/squidGuard/blacklists/good/domains
# vi /var/squidGuard/blacklists/good/domains

#Example:
 yahoo.com
 gmail.com
 domainperusahaan.com

 
# touch /var/squidGuard/blacklists/bad/domains
# vi /var/squidGuard/blacklists/bad/domains

#-fill in the forbidden bad domains to be blocked permanently-
faithfreedom.org
faithfreedom.com

 
# touch /var/squidGuard/blacklists/restrict/domains
# vi /var/squidGuard/blacklists/restrict/domains

#-fill in the domains that are restricted during working hours-
facebook.com
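
How the acl block in squidGuard.conf above decides a request, worked through as an added Python example (not part of the original post and not squidGuard's own code): a simplified model of first-match `pass` evaluation using the page's source IP ranges and a constructed subset of the good/bad/restrict lists. The names `source_of`, `in_list` and `decide` are hypothetical, and the `pass` lines are trimmed to the three lists modelled here.

```python
import ipaddress
from datetime import time

# Constructed subset of the page's good/bad/restrict domain lists.
LISTS = {"good": {"yahoo.com", "gmail.com"},
         "bad": {"faithfreedom.org"},
         "restrict": {"facebook.com"}}
# src blocks in config order, as inclusive (first, last) IP ranges.
SOURCES = [
    ("admin", [("192.168.0.108", "192.168.0.108")]),
    ("manager", [("192.168.0.201", "192.168.0.201")]),
    ("users", [("192.168.0.100", "192.168.0.107"),
               ("192.168.0.109", "192.168.0.200")]),
]
# Trimmed pass lines: (rule within workhours, else-branch rule or None).
ACL = {
    "admin": ("any", "any"),
    "manager": ("good restrict !bad any", "good restrict !bad any"),
    "users": ("good !bad !restrict all", "good !bad all"),
    "default": ("good !bad !restrict all", None),
}

def source_of(ip):
    """First src block whose range contains ip, else the default acl."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in SOURCES:
        for lo, hi in ranges:
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                return name
    return "default"

def in_list(host, category):
    """A domainlist entry matches the domain itself and its subdomains."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in LISTS[category] for i in range(len(labels)))

def decide(ip, host, now):
    """Return (source, 'pass' | 'block' | 'no-rule') for one request."""
    src = source_of(ip)
    workhours = time(8, 0) <= now < time(17, 0)  # weekly mtwhfas 08:00 - 17:00
    rule = ACL[src][0 if workhours else 1]
    if rule is None:  # the page's default acl has no else branch; do not guess
        return src, "no-rule"
    for token in rule.split():  # first matching token decides
        if token in ("any", "all"):
            return src, "pass"
        if in_list(host, token.lstrip("!")):
            return src, "block" if token.startswith("!") else "pass"
    return src, "block"  # model assumption; every rule here ends in any/all
```

For example, `decide("192.168.0.150", "www.facebook.com", time(10, 0))` is blocked for a `users` client, while the same request at 20:00 or from the manager address passes.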

 
-Convert the blacklist databases to .db format (Berkeley DB) so that squidGuard can access them faster
# squidGuard -C all

Regenerating the databases takes quite a while. If an error occurs, check /var/log/squidGuard/squidGuard.log. If it takes more than 5 minutes, check the squidGuard log; on success, the log looks like this:

# tail -f /var/log/squidGuard/squidGuard.log

2012-01-01 13:23:25 [9144] loading dbfile /var/squidGuard/blacklists/violence/domains.db
2012-01-01 13:23:25 [9144] init urllist /var/squidGuard/blacklists/violence/urls
2012-01-01 13:23:25 [9144] loading dbfile /var/squidGuard/blacklists/violence/urls.db
2012-01-01 13:23:25 [9144] init domainlist /var/squidGuard/blacklists/warez/domains
2012-01-01 13:23:25 [9144] loading dbfile /var/squidGuard/blacklists/warez/domains.db
2012-01-01 13:23:26 [9144] init urllist /var/squidGuard/blacklists/warez/urls
2012-01-01 13:23:26 [9144] loading dbfile /var/squidGuard/blacklists/warez/urls.db
2012-01-01 13:23:26 [9144] squidGuard 1.4 started (1325399005.918)
2012-01-01 13:23:26 [9144] db update done
2012-01-01 13:23:26 [9144] squidGuard stopped (1325399006.002)

 
-Change the ownership of the /var/squidGuard/ directory to match the squid user
# chown -R squid:squid /var/squidGuard

-Apply squidGuard in squid.conf. Edit /etc/squid/squid.conf and add the following parameter:

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

 
-Reload squid.conf :
# squid -k reconfigure

-Testing:
squidGuard Block

-Remove a blocked domain from the squidGuard blacklist:
By default youtube is blocked by squidGuard; in this case I want to allow youtube in the squidGuard blacklist
# vi /var/squidGuard/blacklists/audio-video/domains

#youtube.com

 
# squidGuard -C /var/squidGuard/blacklists/audio-video/domains
# squid -k reconfigure

-Add domains to restrict (the list of domains blocked within workhours)
# vi /var/squidGuard/blacklists/restrict/domains

kaskus.us
twitter.com
indowebster.com

 
# squidGuard -C /var/squidGuard/blacklists/restrict/domains
# squid -k reconfigure

-Add domains to bad (the list of domains blocked permanently)
# vi /var/squidGuard/blacklists/bad/domains

mivo.tv

 
# squidGuard -C /var/squidGuard/blacklists/bad/domains
# squid -k reconfigure
