Topic: SquidGuard 3.2

[byte]

Does any know if squidguard3.2 is running on a 7.0 box?

http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/squidGuard/squidguard3.2.tar.gz

If not I might see if I can get this working with 7.0 as this package is brillaint...

[mrjhb3]

Does any know if squidguard3.2 is running on a 7.0 box?

http://mirror.contribs.org/smeserver/contribs/cbharda/contrib/squidGuard/squidguard3.2.tar.gz

If not I might see if I can get this working with 7.0 as this package is brillaint...

The package is good, but there doesn't seem to be any recent updates to the blacklists.  My 6.5 server is running it and the downloaded blacklist file is the same size everyday.  Have you noticed this, or maybe you are using a different site for your blacklists.  

Also, I have SARG as well, but the reports only show the IP address of the pc that accessed a particular site, not the actual userid.  I did have proxy authentication turned on, but that didn't make a difference.  I think I may need to get the ident program working in order to make the userid appear.  I'll have to go back through my notes to verify.  So, what I'm getting at, is do you have this working where SARG will show the userid that accessed the particular site?

John Bennett

[byte]

My 6.5 server is running it and the downloaded blacklist file is the same size everyday.  Have you noticed this, or maybe you are using a different site for your blacklists.  

Yes I noticed this too. Must look for a up2date blacklist if I'm to use this package/update.

So, what I'm getting at, is do you have this working where SARG will show the userid that accessed the particular site?

I believe some people use the hostname & address to resolve that, but if your using DHCP then your IP is likely change, Although my ip stays the same even on DHCP it's only if I changed a NIC then my ip changes.

[byte]

Think I'm going to have a look at Dag Wieers squidguard found here...

http://dag.wieers.com/packages/squidguard/squidguard-1.2.0-2.2.el4.rf.i386.rpm

[mrjhb3]

Think I'm going to have a look at Dag Wieers squidguard found here...

http://dag.wieers.com/packages/squidguard/squidguard-1.2.0-2.2.el4.rf.i386.rpm

I'd be interested in how that goes.  My IP's at home stay the same as well, but my boys hop from PC to PC so I can't always tell who was browsing to what site, which is why I'd like it if it would show the userid.  I'll work on that end and see if I can get any success.

John

[byte]

Think I'm going to have a look at Dag Wieers squidguard found here...

http://dag.wieers.com/packages/squidguard/squidguard-1.2.0-2.2.el4.rf.i386.rpm

After starting 2 weeks holiday last week thought I'd come back to this  

I have it working and created a howto (very draft) and some custom templates that are needed (would be good if someone could roll them as a rpm as I still haven't found time to learn to do that).

If anyone is interested I'll try tidying up how to and try to find somewhere to place the custom templates, now I have only tried on a test server and have yet to place into production so it would be at your own risk.

It doesn't have the user interface the old version had but it is fairly easy to configure from command line once you have read up on it    

[mrjhb3]

Yeah, post that howto please.  I managed to get the userid stuff working on my 6.5 server using identd with some help from an old techgeeks.org article I still had.  Now my SARG reports show the userid that accessed the site and not the IP address.  Haven't had a chance to test this on 7.0 yet.

John

[byte]

John, here it is still in draft but it's the basis to gettting started...

AT YOUR OWN RISK

Download latest RHEL rpm’s from DAG…

DAG – SquidGuard Home page…
http://dag.wieers.com/home-made/squidguard/

Download - squidguard-1.2.0-2.2.el4.rf.i386.rpm
http://dag.wieers.com/packages/squidguard/squidguard-1.2.0-2.2.el4.rf.i386.rpm

Download – squidguard-blacklists-20050528-1.2.el4.rf.noarch.rpm
http://dag.wieers.com/packages/squidguard-blacklists/squidguard-blacklists-20050528-1.2.el4.rf.noarch.rpm

The SquidGuard-blacklists maybe out of date but it’s a good base to start from. This site currently has some blacklists updates which you can apply…
http://cri.univ-tlse1.fr/documentations/cache/squidguard_en.html

Now for the installation…

Code: [Select]

[root@example home]# rpm -Uvh squidguard-1.2.0-2.2.el4.rf.i386.rpm
Preparing...                ########################################### [100%]
   1:squidguard             ########################################### [100%]
[root@example home]#


Install the SquidGuard-blacklists…

Code: [Select]

[root@example home]# rpm -Uvh squidguard-blacklists-20050528-1.2.el4.rf.noarch.rpm
Preparing...                ########################################### [100%]
   1:squidguard-blacklists  ########################################### [100%]
[root@example home]#

We are now going to create our /etc/squid/squidGuard.conf – Follow these steps…

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/squid/squidguard.conf
 
Inside that directory I  files to put the relevant code…

10dbhome

Code: [Select]

#
# Config file for squidguard
#
dbhome /var/lib/squidguard


 10logdir

Code: [Select]

logdir /var/log/squidguard


13destsetup

Code: [Select]

#
# Destination setup i.e where our blacklists are.
#



15dest-adult

Code: [Select]

dest adult \{
    domainlist     adult/domains
    urllist        adult/urls
    expressionlist adult/expressions
\}


**Note**
Above we have 15dest-adult but as you've installed the DAG blacklist rpm you can enable more databases just create another template called 15dest-warez and use the code

Code: [Select]

dest warez \{
    domainlist     warez/domains
    urllist        warez/urls
    expressionlist warez/expressions
\}


You can see what other databases you have by looking in /var/lib/squidguard/

20aclsetup

Code: [Select]

#
# ACL setup control ie you can control time and dest db's
#



25acldefault

Code: [Select]

acl \{
     default \{
                pass     !adult !warez
                redirect http://192.168.1.20/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetclass=%t&url=%u
\}
\}



As we might have entered the warez database you would need to add in the line to template 25acldefault  "!warez"

Once your happy with the templates run…

Code: [Select]

expand-template /etc/squid/squidguard.conf

Next create a template squid.conf and a file called 45SquidGuard

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf

and enter…

Code: [Select]

redirect_program /usr/bin/SquidGuard –c /etc/squid/squidguard.conf
redirect_children 5

Code: [Select]

expand-template /etc/squid/squid.conf

Now restart squid…

Code: [Select]

[root@example squidguard.conf]# svc -t /service/squid
[root@example squidguard.conf]# service squid restart
Restarting squid                                           [  OK  ]
[root@example squidguard.conf]#

Check the /var/log/squidguard/squidguard.log for any errors and that it starts up ok.

To check from server that squidguard is filtering type on command line…

Code: [Select]

echo "http://www.google.co.uk 10.0.0.1/- - GET" | /usr/bin/squidGuard -c /etc/squid/squidguard.conf –d

That will pass, now do the same with a blocked site for example www.playboy.com and that should show your redirected blocked url

If you need to create your own custom databases you can, search google as it has a wealth of info.

[cactus]

Code: [Select]

[root@example home]# rpm -Uvh squidguard-1.2.0-2.2.el4.rf.i386.rpm
Preparing...                ########################################### [100%]
   1:squidguard             ########################################### [100%]
[root@example home]#


use yum localinstall instead of rpm -Uvh as this is the preffered way of installing for SME 7.x. Advantage is that all necessarry dependencies will be downloaded from the enabled repositories incase the dependencies are found there.

[byte]

use yum localinstall instead of rpm -Uvh as this is the preffered way of installing for SME 7.x. Advantage is that all necessarry dependencies will be downloaded from the enabled repositories incase the dependencies are found there.

Yep true but this doesn't have any deps

[byte]

I have requested a contribs space which has now been created should sync in hour or two so you can download the custom templates, there is also a custom template for which allows the same setup but allows you to set a specific user(s) to have unrestricted internet access while rest have restricted, use at your own risk.

 http://mirror.contribs.org/smeserver/contribs/byte

[cactus]

Yep true but this doesn't have any deps

That does not matter I think, using yum makes it also show up in the log files, which makes troubleshooting a lot easier. To the eye it might seem that there are no dependencies, but most of the time they are not shown as they are already installed on your system.

[mrjhb3]

byte,

Thanks for putting the howto together.  I don't think you need to use templates-custom.  I couldn't find anything that conflicted.  Anyway, I plan on packaging the templates portion into a smeserver-squidguard rpm.  I need squidguard so that I can further monitor/track/guard/look where my boys are surfing.  When I am complete, I'll repost back to this thread and get some feedback.  May take a little while as my boys' activites are not kicking back up.

JB

[byte]

John,

Only reason I templated them is because if for example I wanted to setup my own "whitelist" I would create a template-custom as the squidguard.conf is not in the templates directory it would ease the /etc/squid/squidguard.conf when you expand, thinking about it more you could probably edit the /etc/squid/squidguard.conf  directly but I was trying to keep in tune with the way SME works.

Would be great if you could build it in to an rpm  

[Jean-Philippe Pialasse]

Hey guys a great work is on its way.


May i give you one more suggestion: a pannel to configure the squidguard, and to select a way to update blacklist via download manually or cronly .

There's some location in the web where you can find updated blacklist : i know one in a french University : Toulouse:

here an example of an ipcop contrib (with an excellent pannel):
http://franck78.ath.cx/index-en.html ( download the package to have an idea of the work.

here is the link of the university and the black list:

ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz

[byte]

May i give you one more suggestion: a pannel to configure the squidguard, and to select a way to update blacklist via download manually or cronly.

Yes I would like to do something like that but its something new to me creating a panel, if anyone can create the panel I can assist with the squidguard part, or if I get some time (alot of time) I may attempt this.

here an example of an ipcop contrib (with an excellent pannel):
http://franck78.ath.cx/index-en.html ( download the package to have an idea of the work.

Yes those screen shots do make me go "wow" something like that within SME panel would be great

[mrjhb3]

Hey guys a great work is on its way.


May i give you one more suggestion: a pannel to configure the squidguard, and to select a way to update blacklist via download manually or cronly .

There's some location in the web where you can find updated blacklist : i know one in a french University : Toulouse:

here an example of an ipcop contrib (with an excellent pannel):
http://franck78.ath.cx/index-en.html ( download the package to have an idea of the work.

here is the link of the university and the black list:

ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz

One thing at a time.  I am not a panel nor perl specialist, so if that is to be added some help is going to be needed.  All I am doing is trying to port the squidguard script that was written by Trevor Ouellette, that I use on 6.5 to work on 7.1 into an RPM form that can be built upon and expandad.  

John

[byte]

All I am doing is trying to port the squidguard script that was written by Trevor Ouellette

That's what I started to do then found that there was alot of changes needed so left that part for now, because there's only me looking after our 2 SME Servers at work I probably would stick to the command line as its working lovely (and I'm a command line lover)...Blocking loads of pesty ads     and webmail   atm  

[Jean-Philippe Pialasse]

I might help you for the pannel part, i am not a specialist on Perl, but i am able to make a tiny simple pannel, I can start with one without the multilingual support thanks to FormMagick, and add it in a second time.

just give me 2 weeks.

[byte]

I might help you for the pannel part, i am not a specialist on Perl, but i am able to make a tiny simple pannel, I can start with one without the multilingual support thanks to FormMagick, and add it in a second time.

just give me 2 weeks.

OK - Be interested in what you do.

[mrjhb3]

I might help you for the pannel part, i am not a specialist on Perl, but i am able to make a tiny simple pannel, I can start with one without the multilingual support thanks to FormMagick, and add it in a second time.

just give me 2 weeks.

Don't work on creating a panel yet.  From my limited testing, I have everything working 99%, and the previous install contrib had a server-manager like panel that you could use as a reference.  I do need to add 1 or 2 more things that I want, and will hopefully finish that over the weekend and post a link for testing.

JB

[Jean-Philippe Pialasse]

ok so i wait for some new defore doing anything

[mrjhb3]

Install to a non-production server first!!!!

You can find all the RPMS and the SRPM here once the mirrors sync. http://mirror.contribs.org/smeserver/contribs/jbennett/sme7/squidguard/.  I did a heck of a lot more things that I had planned on, but I did learn quite a bit in the process.  Here is a summary of the changes/updates:
1.  All of the entries are now DB settings.  To view - config show squidguard
2.  All of the entries in the Squidguard_Alllow and Block DB values will be  populated to the squidguard.conf once the template is expanded.  No  more manually creating the ACL templates unless you use some of the new topics from the new blacklist that is noted within the package.  Actually the whole squidguard.conf file will use entries from the DB values.
3.  If you use SARG and an Ident program you can - config setprop squid Ident enabled ; expand-template /etc/squid/squid.conf ; /etc/rc7.d/S90squid stop ; /etc/rc7.d/S90squid start.  This will allow you to view SARG reports based on userid and not PC name or locally resolved DNS name.
4.  The supdate cron job has been re-worked to work with the new shalla blacklist as the old blacklist site wasn't being updated.  More info at squidguard.org.  If you leave the default in place, then you won't get any updates.  If you change to the shalla list, then make sure to adhere to their terms.  They have a lot more entries.  I have been testing this on my 333 Celeron and it takes 20 minutes to reload squidguard once I use their list.
5.  If you make changes to the trusted or untrusted entries, you have to manually restart squid before the entries will be used.
6. I have not tested the fullaccess and noaccess options.

That's all of the major changes I can remember.  When you install, do a signal-event post-upgrade ; signal-event reboot.  There are a potential 3 templates that need to be expanded, and I didn't create an action to automatically do that which is why the post-upgrade ; reboot is recommended.  Maybe later I'll look at creating an event.

Good Luck to all,

John Bennett

P.S. Make sure to check the MD5SUM on the smeserver rpm.  I uploaded it using Horde's Gollem File Manager and I would like to make sure the files uploaded correctly.

[EDIT]  Did some further testing, the fullaccess and no access work just fine after you stop and start squid.  I am going to add a different message for noaccess users.  After that, I'm finished.  So, for me, I'm very pleased with the outcome.

[Tib]

mrjhb3

I'm getting a bad sinature error when trying to install

error: squidguard-blacklists-20050528-1.2.el4.rf.noarch.rpm: V3 DSA signature: BAD, key ID 6b8d79e6

Regards,

Tib

[mrjhb3]

mrjhb3

I'm getting a bad sinature error when trying to install

error: squidguard-blacklists-20050528-1.2.el4.rf.noarch.rpm: V3 DSA signature: BAD, key ID 6b8d79e6

Regards,

Tib

Damn, looks like Gollem has messed up the upload.  I'll upload them again.  You will know it's good when smeserver-squidguard is at 1.0-2

JB

[mrjhb3]

Just re-uploaded them.  Had to do it twice because I stopped squid on my test server and that was the server I was going through.  If the Md5sums still don't match for the other RPMS, you could add and enable the DAG repo by doing this:

To add the DAG repo do this:
/sbin/e-smith/db yum_repositories set dag repository \
Name 'Dag - EL4' \
BaseURL 'http://apt.sw.be/redhat/el4/en/$basearch/dag' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt \
Visible yes \
Exclude freetype,htop,iptraf,rsync,syslinux \
status disabled

expand-template /etc/yum.conf

Then install,  yum --enablerepo=dag install smeserver-squidguard-1.0-2.noarch.rpm.  I just did this and the two other files were found.

John

[Tib]

mrjhb3

Everything loaded with no errors this time .... so files must be good.

Now to test a few things

Regards,

Tib

[p-jones]

Is this good for 7.2 ? Is yum localinstall the way to go ? Are there any updated threads or links ?
Thanks P

[mrjhb3]

Is this good for 7.2 ? Is yum localinstall the way to go ? Are there any updated threads or links ?
Thanks P

Am I using this on my 7.2 server.  I would suggest putting it on a test server first to make sure it will do what you need/want it to do.  Look at the changelog so you will see what some of the db settings do.

John

[p-jones]

Thanks John. Yum localinstall ??
Peter

[mrjhb3]

Thanks John. Yum localinstall ??
Peter

Download the three files and yes localinstall.

[p-jones]

Uhmmm...installed OK but has broken the server manager (Bad Gateway
The proxy server received an invalid response from an upstream server.) and it is not to keen to be uninstalled !!!

[mrjhb3]

Uhmmm...installed OK but has broken the server manager (Bad Gateway
The proxy server received an invalid response from an upstream server.) and it is not to keen to be uninstalled !!!

Did you post-upgrade and reboot?  I am running this on 7.2 with all of the latest updates and server-manager does work with it.

[p-jones]

Yep - Certainly Did - And I aint sure how to repair the server panel !

[p-jones]

Trawling through the logs, I have come across this in teh httpd-admin log

@4000000046d15cc23b64f2cc Syntax error on line 296 of /etc/httpd/admin-conf/httpd.conf:
@4000000046d15cc23b66043c Invalid command 'php_value', perhaps mis-spelled or defined by a module not included in the server configuration

 which references this block of code

# squidguard
#------------------------------------------------------------
#<Directory /var/lib/squidguard/www>
 #   AllowOverride None
 #   order deny,allow
 #   deny from all
 #   allow from  allow from 127.0.0.1 192.168.2.0/255.255.255.0 210.86.0.38/255.255.255.0
 #   AuthType Basic
 #   TKTAuthLoginURL /server-common/cgi-bin/login
 #   require user admin
  #  SetEnv IMGHDR_SRC "/e-smith-common/server-manager.jpg"
  #  AddType application/x-httpd-php .php .php3
  #  php_value register_globals "On"
#    Satisfy all
# </Directory>

#  squidguard end

 but I have no idea what I am looking at .

When I do a yum remove on the rpms I installed it wont remove them because it thinks they ar not installed. Conversely, it wont re install them because it thinks they ARE installed.

I think I am a bit screwed on this.

My server is very standard EXCEPT for SME7ADMIN and GROUPOFFICE. All else seems to be working OK except server-manager.

[raem]

p-jones

When I do a yum remove on the rpms I installed it wont remove them because it thinks they ar not installed.

The developers have recommended NOT to use the yum remove command, as it may do a lot more than you want.
They do recommend using
rpm -e packagename
eg
rpm -e smeserver-squidguard
rpm -e squidguard-blacklists
rpm -e squidguard
signal-event post-upgrade
reboot

[mrjhb3]

Trawling through the logs, I have come across this in teh httpd-admin log

@4000000046d15cc23b64f2cc Syntax error on line 296 of /etc/httpd/admin-conf/httpd.conf:
@4000000046d15cc23b66043c Invalid command 'php_value', perhaps mis-spelled or defined by a module not included in the server configuration

 which references this block of code

# squidguard
#------------------------------------------------------------
#<Directory /var/lib/squidguard/www>
 #   AllowOverride None
 #   order deny,allow
 #   deny from all
 #   allow from  allow from 127.0.0.1 192.168.2.0/255.255.255.0 210.86.0.38/255.255.255.0
 #   AuthType Basic
 #   TKTAuthLoginURL /server-common/cgi-bin/login
 #   require user admin
  #  SetEnv IMGHDR_SRC "/e-smith-common/server-manager.jpg"
  #  AddType application/x-httpd-php .php .php3
  #  php_value register_globals "On"
#    Satisfy all
# </Directory>

#  squidguard end

 but I have no idea what I am looking at .

When I do a yum remove on the rpms I installed it wont remove them because it thinks they ar not installed. Conversely, it wont re install them because it thinks they ARE installed.

I think I am a bit screwed on this.

My server is very standard EXCEPT for SME7ADMIN and GROUPOFFICE. All else seems to be working OK except server-manager.

Those are the exact same lines I have, even with the duplicate allow from which I need to now fix.  Did you happen to upgrade your version of php?  The only other thing that I can think of is a corrupt download.  I'll upload them again along with the md5sums.  As Ray has stated use rpm -e to remove them.  If the system doesn't recognize them as being installed, then that could point to corrupted files.  You should be able to type - rpm -qa | grep squid - do see if the system recognizes them.

John

[p-jones]

Ray: Thanks for pointing that out. I did ommit to say I had also tried rpm - e and it reported that the package was not installed.  I revisited this morning, whether it was the more clear head  or overnight housekeeping but they did uninstall. Not sure. I cut and pasted the package name so I didnt have a typo.....

John: I havent specifically upgraded my version of php other than the normal SME updates. (Which I think included a php update several weeks ago ??)

A bit more playing last nite did reveal php_value register_globals "On"
was the line that was causing the server manager to fail, however after omitting that line, the content filtering option in the panel still did not work.

Thanks gentlemen for your input.

[raem]

I did ommit to say I had also tried rpm - e and it reported that the package was not installed.

A common mistake people make when using rpm -e is to quote the full packagename including the version number or to mispell the rpm name. Maybe you did this ?
eg
rpm -e squidguard-1.2.i386.rpm
which is wrong.

To uninstall you should only use
rpm -e squidguard

[p-jones]

Thanks Ray, yep, thats what I did !

[shawnbishop]

Good Day

This is a fantastic how to get the squid guard working, I am having one problem though.

I cant seem to get the banning of the internet access during working hours correct.

What format should the template be in and how should the template be incorparated into the squidguard.conf file??

[byte]

I cant seem to get the banning of the internet access during working hours correct.

Have a look at this:

http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-ef469ed90b785ebb496c66523bb69030e0b7c906

Tip - remember squid.conf reads the rules in order set up

What format should the template be in and how should the template be incorparated into the squidguard.conf file??

Create your custom-templates in /etc/e-smith/templates-custom/etc/squid/squid.conf/xxname

Where "xx" a number in which the order is defined.