Squidguard, a few pointers needed on setting it up

I want to set up squidguard and there’s one or two things I’m not quite sure about so wanna run them by anyone out there with some knowledge of configuring squidguard

So here’s the first one:

I have three groups one of which I want to have unrestricted access (group3), the other two slightly different restrictions on what they can access

What I thought to do is create folders within squidguard’s db folder for the restricted groups with domains and urls files inside them

i.e. db/group1/domains & db/group1/urls, db/group2/domains & db/group2/urls

I’m assuming I don’t need anything in there for group3 as I don’t want to restrict group3 in any way

By defining the relevant domains and urls in the db files if I understand it correctly should I then be able to create rules that restrict access for groups 1 & 2 to the domains/urls defined for them in their ‘sections’ in the db

Would I be right in thinking the statements below should do what I’m looking for?

src group1 {
    ip 192.168.0.0/24
}

src group2 {
    ip 192.168.0.0/24
}

src group3 {
    ip 192.168.0.0/24
}

dest group1 {
    domainlist group1/domains
    urllist    group1/urls
}

dest group2 {
    domainlist group2/domains
    urllist    group2/urls
}

acl {
    group3 {
        pass all
    }

    group2 {
        pass !group2 all
        redirect http://localhost/blocked.html
    }

    group1 {
        pass !group1 all
        redirect http://localhost/blocked.html
    }

    default {
        pass none
        redirect http://localhost/blocked.html
    }
}

Incidentally squidguard’s online documentation says its files are in these paths

dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs

I installed squidguard with Yast’s Software Management module and the files are here instead

dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard

That shouldn’t cause any problems provided I have the paths to where Yast put them correctly defined in squidguard.conf right?

Well it’s been a while since I used squidguard, but a glance at your rules shows that you have no effective way to classify users into groups since the same IPs belong to all groups. You need a way, perhaps a login, perhaps an IP range.

I thought I would have been able to just use groups from pam

When you say logins do you mean a login for the proxy itself?

Can’t see anything in Yast’s Squid module for defining any if that’s the case, so how would I do it?

The login to squid would be passed to squidguard, IIRC.

Yeah that’s what I thought mate, but I don’t know how to set up logins for squid

What does IIRC mean btw?

If I Recall Correctly

aha

Wouldn’t happen to recall how to set up squid logins too would ya? :stuck_out_tongue:

A search on squid authentication configuration turned up this as a first hit. More comprehensive than I would be able to write.

Features/Authentication - Squid Web Proxy Wiki

Found this page: Features/Authentication - Squid Web Proxy Wiki

Page says it can use pam for basic authentication

‘In order to authenticate users, you need to compile and install one of the supplied authentication modules found in the helpers/basic_auth/ directory, one of the others, or supply your own.’

That sounds like it’s well worth a look … just not at 2 am, I’d be guaranteed to break something so I’ll give it a try tomorrow

Funny … we must’ve been reading that at the same time lol

Hello.

The redirector filtering will work even without having the users authenticate to the squid proxy. If you want user based filtering, here is the basic info: SquidGuard (you will need to have the users login to squid first though)

For the IP based filtering (your rules have same IP block in all groups) have a look here: SquidGuard

Regarding the file locations: it’s good that you did put them in the squidguard.conf file.

A tip here: pay attention to the squidguard files owners/groups (SquidGuard) - the owner and group should be the same as the user / group squid is running as (see that in your squid.conf) otherwise your filtering / logging will not work.

If you use webmin, there is also a squidGuard module which will make it easier to configure.

I will come back later with a great resource link for setting up squidGuard but it’s in French.

Other resources:
Squidguard
Installation and Configuration of the SquidGuard web filter
FAQ-Plus

Cheers and good luck.

As promised here is the link in French with step by step instructions: Squid et SquidGuard [L’internet rapide et permanent]

I don’t need to filter by user, just by the three groups, as for the ip stuff I included the ip addresses because they were in the example of squidguard’s site I was working from

I don’t know how filtering by ip would work when all the groups will be using any and all of the four or five machines, I suppose in that case I could take the ip addresses out altogether?

This excerpt from an example conf on this page (Example Config File) is the kind of thing I’m after:

acl {
  super {
    pass all
  }
  adults {
    pass bl_ok !bl_notok !bl_ads !bl_drugs !bl_gambling !bl_hacking !bl_porn !bl_violence !bl_warez all
  }
  kids within authtime {
    pass bl_ok !bl_notok !bl_ads !bl_drugs !bl_gambling !bl_hacking !bl_porn !bl_violence !bl_warez all
  }
  else {
    pass none
    redirect whatever.cgi
  }
  default {
    pass none
    redirect whatever.cgi
  }
}

In my setup the super, adults and kids could be my three groups, I can’t see anything in that conf to identify/classify the different groups so I’m guessing they must simply be the unix groups that users in pam belong to?

If so that would suggest I don’t need any kind of authentication other than just adding users to the relevant groups, which would be ideal

Squid and squidguard have no knowledge of what user and hence what group they belong to unless you make the user authenticate. Remember the user may be on another machine on the LAN and isn’t logged in on the proxy. Because it’s a network connection, there is no way to know who the user is unless you make them authenticate.

Something I should perhaps have mentioned, users logon via nis, the nis server being the same machine as squid & squidguard are running on

Don’t know what if any impact that has on how I set things up

I’ve looked for the helpers/basic_auth/ folder mentioned on the page you and I both found last night ken, and it doesn’t exist anywhere on the machine squid runs on, so I downloaded the squidguard tarball from their site and it’s not in there either

I’ll download squid itself and see if it’s in there

NIS login makes no difference. It’s a separate service from HTTP even if it’s on the same server and there is no correlation between the two.

It can only work where there is a LAN-wide single sign on, and squid is able to retrieve the SSO particulars. In fact this feature has been requested of squid to reduce the number of authentications, but AFAIK there is no such facility in squid yet.

Downloaded squid and found the folder helpers/basic_auth/PAM but running make from that directory doesn’t work

The directory has four files in it

Makefile.am
Makefile.in
pam_auth.8
pam_auth.c

All I can find on how to install auth modules is this from squid.conf

% make

% make installhelpers

So I’ve hit a bit of a brick wall now

Why are you downloading squid? If you install squid from the openSUSE repos, these programs are already provided:

/usr/sbin/digest_ldap_auth
/usr/sbin/digest_pw_auth
/usr/sbin/fakeauth_auth
/usr/sbin/getpwname_auth
/usr/sbin/msnt_auth
/usr/sbin/ncsa_auth
/usr/sbin/ntlm_auth
/usr/sbin/pam_auth
/usr/sbin/smb_auth
/usr/sbin/squid_ldap_auth
/usr/sbin/squid_ldapauth
/usr/sbin/yp_auth

Ah right

I was looking for what the info in squid.conf was directing me to

The example given is this: auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd

So I need to change

#auth_param negotiate program <uncomment and complete this line to activate>

To something like

auth_param negotiate program /usr/sbin/pam_auth or auth_param negotiate program /usr/sbin/pam_auth /etc/passwd

Hmmm, I am trying to understand what you want here…

squidGuard works as a redirector with “advanced” (list / database based) filtering.

Like squid proxy it does require some Access Control Lists (acls) and rules to decide what to do.

I think the documentation on squidguard website was pretty clear:
IP based filtering means that your ACLS and the rules will rely on the IP of the machine connecting to your proxy, e.g.

  • 192.168.2.25-192.168.2.35 are the “grownups” and can browse anywhere - for these the rule is “pass all”
  • 192.168.2.45-192.168.2.100 are the “kids” and are denied some destination links from the lists used

All of this assumes that the user / person is bound to using the same IP / computer all the time. This is the method I use.

Example 3 from SquidGuard is quite good for a start, just add the other “users” as source IP’s and set the rules for them too.

If you want to filter for the users that can logon to different computers / IP’s then you will need to implement the authentication in squid and in squidguard.

An example is presented on the French page but it is rather complicated. I think for squid there are some tutorials on the website with “perfect” things - e.g. “perfect suse setup” (sorry but I usually get there with a google search).

Cheers.
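As an added example (not code from this thread, nor from the squid or squidGuard projects), here is one way the two replies above fit together for the original poster's case, where people use any of the machines: squid makes the user authenticate with the pam_auth helper that the openSUSE package already ships, passes the login name to squidGuard, and squidGuard classifies each request by src using one userlist file per group instead of three src blocks that all carry the same 192.168.0.0/24 range. The squidGuard.conf path, the userlist filenames and the squid acl name are assumptions; dbhome, logdir, pam_auth and the dest/acl layout come from the thread.

```conf
# squid.conf fragment (added example): make users authenticate, then hand
# each request, with the login name, to squidGuard as the URL rewriter.
auth_param basic program /usr/sbin/pam_auth
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
# Called redirect_program on squid 2.5; the squidGuard.conf path is assumed.
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard/squidGuard.conf

# squidGuard.conf (dbhome/logdir as found under openSUSE in the thread)
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard
# Each src must be distinguishable: here by the authenticated login name,
# read from one-name-per-line files under dbhome (filenames assumed). For
# users bound to fixed machines use a DISTINCT range per src instead, e.g.
# "ip 192.168.0.10-192.168.0.49"; identical ip lines cannot tell groups apart.
src group1 {
    userlist group1/users
}
src group2 {
    userlist group2/users
}
src group3 {
    userlist group3/users
}
dest group1 {
    domainlist group1/domains
    urllist    group1/urls
}
dest group2 {
    domainlist group2/domains
    urllist    group2/urls
}
# acl blocks are tried in order; the first one whose src matches applies.
acl {
    group3 {
        pass all
    }
    group2 {
        pass !group2 all
        redirect http://localhost/blocked.html
    }
    group1 {
        pass !group1 all
        redirect http://localhost/blocked.html
    }
    default {
        pass none
        redirect http://localhost/blocked.html
    }
}
```

Squid itself never sees unix or NIS group membership, so the userlist files are where a group is spelled out; the pam_auth.8 man page listed earlier in the thread describes the PAM service name the helper authenticates against.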