Networking -> Proxy Server: Squid + C-ICAP -- File permission for SquidGuardDB

1 Configuration

1.1 Squid.conf

#-------------------------------------
# Adaptation parameters
#-------------------------------------
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_preview_enable on
icap_preview_size 1024
icap_service_failure_limit -1

# Virus scan service

#icap_service service_avi_req reqmod_precache icap://localhost:1344/virus_scan bypass=off
#adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/virus_scan bypass=on
#adaptation_access service_avi_resp allow all

# URL Check service

icap_service service_url_chk_req reqmod_precache icap://localhost:1344/srv_url_check bypass=on
#adaptation_access service_url_chk_resp allow all

# ClamAV service

#icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on

adaptation_service_chain svcRequest service_url_chk_req service_avi_req
adaptation_access svcRequest allow all


1.2 c-icap.conf

User c-icap
Group c-icap

Include virus_scan.conf

Include srv_url_check.conf


1.3 srv_url_check.conf

# TAG: url_check.LoadSquidGuardDB

url_check.LoadSquidGuardDB ads /var/lib/squidGuard/db/blacklists/ads/ "BlacklistURL Ads Sites"
url_check.LoadSquidGuardDB adult /var/lib/squidGuard/db/blacklists/adult/ "BlacklistURL Adult Sites"

url_check.Profile default block ads
url_check.Profile default block adult

Create the Berkeley DB:
c-icap-mods-sguardDB -C -db /var/lib/squidGuard/db/blacklists/ads
c-icap-mods-sguardDB -C -db /var/lib/squidGuard/db/blacklists/adult


2 Set file permission for SquidGuard DB

Change owner
chown -R squid:nogroup /var/lib/squidGuard/db/blacklists

ls -l /var/lib/squidGuard/db/blacklists/ads/
total 2872
-rw-r----- 1 squid nogroup 24576 Nov 13 17:05 __db.001
-rw-r----- 1 squid nogroup 212992 Nov 13 17:05 __db.002
-rw-r----- 1 squid nogroup 270336 Nov 13 17:05 __db.003
-rw-r----- 1 squid nogroup 802816 Nov 13 17:05 __db.004
-rw-r--r-- 1 squid nogroup 469362 Nov 1 01:16 domains
-rw-r----- 1 squid nogroup 1253376 Nov 13 17:05 domains.db
-rw-r--r-- 1 squid nogroup 649 Nov 1 01:16 expressions
-rw-r--r-- 1 squid nogroup 31064 Nov 1 01:16 urls
-rw-r----- 1 squid nogroup 53248 Nov 13 17:05 urls.db


3 Start c-icap service

systemctl status c-icap.service
c-icap.service - C implementation of ICAP protocol
Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled)
Active: active (running) since Sat 2016-11-14 10:01:30 EST; 51s ago
Main PID: 6861 (c-icap)
CGroup: /system.slice/c-icap.service
├─ 6861 /usr/bin/c-icap -N
├─13687 /usr/bin/c-icap -N
├─14618 /usr/bin/c-icap -N
└─18663 /usr/bin/c-icap -N

Nov 14 10:02:21 shutndap c-icap[6861]: /var/lib/squidGuard/db/blacklists/adult/__db.001: Permission denied
Nov 14 10:02:21 shutndap c-icap[6861]: /var/lib/squidGuard/db/blacklists/ads/__db.001: Permission denied


What is the correct file permission for the SquidGuard DB?

I have also tried
a) chown -R c-icap:c-icap /var/lib/squidGuard/db/blacklists
and
b) chown -R squid:c-icap /var/lib/squidGuard/db/blacklists

You’re setting up something fairly complex.
Although I haven’t set up anything close to this on LEAP 42.1, in general…

  • You need to describe where your software pieces come from. Did they all come from the OSS or from http://software.opensuse.org?
  • Your basic question makes little sense unless you have an older version of SquidGuard… The most recent version stores its data in a relational database (most likely MySQL)
    http://squidguard.org/
  • From the last few paragraphs you posted, you might be asking about file permissions for whitelisting/blacklisting content… If that’s the case, then I think you’re not asking about SquidGuard but about c-icap. If that’s the case, then it again becomes important to know where you installed this software because if it’s an RPM, proper permissions should have already been configured if from an openSUSE repo, but might need to be set manually if you installed from source
    http://c-icap.sourceforge.net/

Besides the above links to the project pages, it looks like the community documentation project has an important guide
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.squid.html

You might also find some useful information in the SUSE documentation
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.squid.html

So, again…
Review whether you installed your apps from openSUSE or not,
And, if you did then inspect the documentation at the links I provided. There is probably more documentation in the usual places on your system.
You might be looking at the wrong thing, or looking at the wrong application if you think you have a file permissions problem.

If you still have a problem after reviewing the above,
Post again with the info I requested (Where your software came from, and as always run a “zypper up” after your installs to get latest versions with patches and fixes).

HTH,
TSU

Thank you for your reply and especially for your hints.
Following is the requested info.

0 Installation

Install Squid using yast2.

Add repository: url = http://download.opensuse.org/repositories/server:/proxy/openSUSE_Leap_42.1/
Then install c-icap, c-icap-modules, clamav using yast2.

Therefore, all software packages do come from http://download.opensuse.org/

Download bigblacklist.tar.gz from urlblacklist.com and untar it at /var/lib/squidGuard/db/

1 Configuration

1.1 Squid.conf

#-------------------------------------
# Adaptation parameters
#-------------------------------------
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_preview_enable on
icap_preview_size 1024
icap_service_failure_limit -1

# Virus scan service

#icap_service service_avi_req reqmod_precache icap://localhost:1344/virus_scan bypass=off
#adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/virus_scan bypass=on
#adaptation_access service_avi_resp allow all

# URL Check service

icap_service service_url_chk_req reqmod_precache icap://localhost:1344/srv_url_check bypass=on
#adaptation_access service_url_chk_resp allow all

# ClamAV service

#icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=on

adaptation_service_chain svcRequest service_url_chk_req service_avi_req
adaptation_access svcRequest allow all


1.2 c-icap.conf

User c-icap
Group c-icap

Include virus_scan.conf

Include srv_url_check.conf


1.3 srv_url_check.conf

# TAG: url_check.LoadSquidGuardDB

url_check.LoadSquidGuardDB ads /var/lib/squidGuard/db/blacklists/ads/ "BlacklistURL Ads Sites"
url_check.LoadSquidGuardDB adult /var/lib/squidGuard/db/blacklists/adult/ "BlacklistURL Adult Sites"

url_check.Profile default block ads
url_check.Profile default block adult


1.4 Create the Berkeley DB

c-icap-mods-sguardDB -C -db /var/lib/squidGuard/db/blacklists/ads
c-icap-mods-sguardDB -C -db /var/lib/squidGuard/db/blacklists/adult


2 Set file permission for SquidGuard DB

Change owner
chown -R squid:nogroup /var/lib/squidGuard/db/blacklists

ls -l /var/lib/squidGuard/db/blacklists/ads/
total 2872
-rw-r----- 1 squid nogroup 24576 Nov 13 17:05 __db.001
-rw-r----- 1 squid nogroup 212992 Nov 13 17:05 __db.002
-rw-r----- 1 squid nogroup 270336 Nov 13 17:05 __db.003
-rw-r----- 1 squid nogroup 802816 Nov 13 17:05 __db.004
-rw-r--r-- 1 squid nogroup 469362 Nov 1 01:16 domains
-rw-r----- 1 squid nogroup 1253376 Nov 13 17:05 domains.db
-rw-r--r-- 1 squid nogroup 649 Nov 1 01:16 expressions
-rw-r--r-- 1 squid nogroup 31064 Nov 1 01:16 urls
-rw-r----- 1 squid nogroup 53248 Nov 13 17:05 urls.db


3 Start c-icap service

systemctl status c-icap.service
c-icap.service - C implementation of ICAP protocol
Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled)
Active: active (running) since Sat 2016-11-14 10:01:30 EST; 51s ago
Main PID: 6861 (c-icap)
CGroup: /system.slice/c-icap.service
├─ 6861 /usr/bin/c-icap -N
├─13687 /usr/bin/c-icap -N
├─14618 /usr/bin/c-icap -N
└─18663 /usr/bin/c-icap -N

Nov 14 10:02:21 shutndap c-icap[6861]: /var/lib/squidGuard/db/blacklists/adult/__db.001: Permission denied
Nov 14 10:02:21 shutndap c-icap[6861]: /var/lib/squidGuard/db/blacklists/ads/__db.001: Permission denied


What is the correct file permission for the SquidGuard DB?

I have also tried
a) chown -R c-icap:c-icap /var/lib/squidGuard/db/blacklists
and
b) chown -R squid:c-icap /var/lib/squidGuard/db/blacklists
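
Added example (not part of the original posts, and not code from the c-icap or squidGuard projects): a shell check that applies the owner/group/other rule to an `ls -l` listing and reports which files a given account cannot read. The function names `unreadable_by` and `denied_for` are hypothetical, the listing is a subset of the one posted above, and the check assumes a non-root account with no supplementary groups.

```shell
#!/bin/sh
# Sample input: a subset of the `ls -l` output posted above (mode strings in plain ASCII).
LISTING='total 2872
-rw-r----- 1 squid nogroup 24576 Nov 13 17:05 __db.001
-rw-r--r-- 1 squid nogroup 469362 Nov 1 01:16 domains
-rw-r----- 1 squid nogroup 1253376 Nov 13 17:05 domains.db
-rw-r----- 1 squid nogroup 53248 Nov 13 17:05 urls.db'

# unreadable_by USER GROUP   (reads `ls -l` lines on stdin)
# Prints the names of files that USER, with primary group GROUP, cannot read.
# Rule applied: owner bits if USER owns the file, otherwise group bits if
# GROUP matches, otherwise the "other" bits. Only one class is ever consulted.
# Assumption: non-root account, supplementary groups not considered.
unreadable_by() {
    awk -v u="$1" -v g="$2" '
        /^total/ || NF < 9 { next }          # skip the summary line and short lines
        {
            mode = $1; owner = $3; group = $4; name = $NF
            if (owner == u)      bit = substr(mode, 2, 1)   # owner read bit
            else if (group == g) bit = substr(mode, 5, 1)   # group read bit
            else                 bit = substr(mode, 8, 1)   # other read bit
            if (bit != "r") print name
        }'
}

# denied_for USER GROUP: space-separated result for the sample listing.
denied_for() {
    printf '%s\n' "$LISTING" | unreadable_by "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# The daemon account configured in c-icap.conf above (User c-icap / Group c-icap):
echo "c-icap:c-icap cannot read: $(denied_for c-icap c-icap)"
# The owner shown in the listing:
echo "squid:nogroup cannot read: $(denied_for squid nogroup)"
```

The listing does not show directory modes; the account also needs search (x) permission on every directory in the path to these files.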

For starters,
The openSUSE documentation says that you need to create an entry in your squid.conf that re-directs to squidGuard.

I don’t see that in what you’ve posted so far.
You may have to experiment with positioning the entry, nothing says if it must be top, bottom or if position matters in the configuration (I suspect that positioning does matter).

I’d have to look more closely at your blacklist files.
I guess you do know that you can do URL blocking (but not content blocking, you need to use c-icap for that) using squidGuard, right? But, if you do so then you need to import your blacklist into the MySQL database, not use raw text files. If you’ve done this correctly, then file permissions is a non sequitur. The MySQL application always has required permissions to access its database files.

Don’t know what you’re using for documentation and guides, but if you installed the package squidGuard-doc, then you should have a multitude of help documentation for squid and squidGuard in


/usr/share/doc/packages/squid/
/usr/share/doc/packages/squidGuard/

HTH,
TSU