SquidGuard package

From PFSenseDocs

This article is part of the HOWTO series.

What is SquidGuard

SquidGuard is a URL redirector that lets the proxy software Squid filter requests against blacklists. It has two big advantages: it is fast and it is free. SquidGuard is published under the GNU Public License.

SquidGuard can be used to

  • limit the web access for some users to a list of accepted/well known web servers and/or URLs only.
  • block access to some listed or blacklisted web servers and/or URLs for some users.
  • block access to URLs matching a list of regular expressions or words for some users.
  • enforce the use of domain names/prohibit the use of IP addresses in URLs.
  • redirect blocked URLs to an info page.
  • redirect banners to an empty GIF.
  • have different access rules based on time of day, day of the week, date etc.

Installation Squid2 + SquidGuard on pfsense 2.0.x

  1. Open Packages list: click System > Packages
  2. Install the Squid2 package, if it is not installed.
  3. Configure Squid package.
  4. Install SquidGuard package.

Installation Squid3 + SquidGuard on pfsense 2.0.x

  1. Open Packages list: click System > Packages
  2. Install the Squid2 package, if it is not installed.
  3. Install SquidGuard package which depends on Squid2 package.
  4. Install the Squid3 package
  5. Configure Squid3 package.
  6. Configure SquidGuard package.

Installation Squid2/3 + SquidGuard on pfsense 2.1.x

  1. Open Packages list: click System > Packages
  2. Install the Squid2/3 package, if it is not installed.
  3. Install SquidGuard package
  4. Configure Squid2/3 package.
  5. Configure SquidGuard package.

Configure the SquidGuard Package

Blacklist

Blacklists are optional, but often useful for allowing access to certain types of sites.

SquidGuard comes with a small blacklist, basically for testing purposes; you don't want to use it in production. A better way is to start with one of the blacklist collections listed (alphabetically) below.

Downloading blacklist:

  1. Open General Settings tab in SquidGuard package GUI, found at Services > Proxy Filter.
  2. Check Blacklist to enable the use of blacklists.
  3. Enter the blacklist URL in the field Blacklist URL.
  4. If your firewall is itself behind a proxy, enter the proxy information in Blacklist proxy (this step is not necessary for most people).
  5. Click Save.
  6. Navigate to the Blacklist tab inside of SquidGuard.
  7. Click the Download button.
  8. Wait while the blacklist is downloaded and prepared for use (10-35 min). Progress will be displayed on that page as the list is downloaded and processed.

Basic configuration

This section describes how to enable and configure SquidGuard and set up access for common users.

  1. Open General settings tab.
    1. Check the Enable box to activate the package.
    2. Set Blacklist options if you want to use blacklist categories. (See above, optional)
    3. Click Save button.
  2. Open Common ACL page.
    1. Click Target Rules List to show defined blacklists and target categories
      1. Define default user access: select Default access [all] as allow or deny.
      2. Define other category actions:
        1. Select '---', to ignore a category.
        2. Select allow, to allow this category for clients.
        3. Select deny, to deny this category for clients.
        4. Select white, to allow this category without any restrictions. This option is used for exceptions to prohibited categories.
      3. If you want to prohibit clients from using IP address in the URL, you must check the Not to allow IP addresses in URL box.
      4. Select Redirect mode:
        1. Int error page - to use the built-in error page. You may enter a custom message in the Redirect info box below.
        2. Int blank page - to redirect to a blank page
        3. The other options are various redirects to external error pages, and you must enter a URL in the Redirect info box if they are chosen.
      5. Use safe search engine - set this option to protect customers from unwanted search results. Now it is supported by Google, Yandex, Yahoo, MSN, Live Search. Make sure that these search engines are available. If this protection should be strictly enforced, you should disable access to all other search engines.
  3. After settings are complete, return to the General Settings tab and press Apply.


-= HERE UNDER CONSTRUCTION =-

HowTo

Exclude domain/URL from blacklist

In the squidGuard GUI (Services > Proxy Filter):

  1. Open Target categories page
  2. Click + to add a new item
  3. Enter a name for the category - 'myWhitelist' for example.
  4. Add domains and/or URLs to the lists as needed. Entries should be separated by a space. The examples on the page show how entries should be formatted.
  5. As with the Common ACL discussed previously, you may set redirect and logging options specific to this category.
  6. Save
  7. Open Common ACL or Groups ACL page (where you want to make an exclusion).
  8. Click Target Rule List to expand the list of categories. The newly created category should show alphabetically in the list, above any blacklist categories. Find the myWhitelist entry in the list and select white.
  9. Save
  10. Return to the General Settings tab and press Apply.

Block download by Extension

In the squidGuard GUI (Services > Proxy Filter):

  1. Open Target categories page
  2. Click + to add a new item
  3. Enter a name for the category - 'myBlockExt' for example.
  4. Add Expressions (for example, for asf, zip, exe and similar files):
(.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))
  5. Save
  6. Open Common ACL or Groups ACL page (where you want to make an exclusion).
  7. Click Target Rule List to expand the list of categories. The newly created category should show alphabetically in the list, above any blacklist categories. Find the myBlockExt entry in the list and select deny.
  8. Save
  9. Return to the General Settings tab and press Apply.
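
Before applying an expression like the one in step 4, it helps to check what it actually matches. The following is an added example, not part of the original article or of the SquidGuard package: it uses Python's re module as a stand-in for the filter's regex matching (assumed to be an unanchored search), runs the page's expression over constructed sample URLs, and compares it with a hypothetical tighter variant, TIGHT_EXPR, that requires the extension to end the last path segment.

```python
import re

# Expression exactly as given in step 4 of this section.
PAGE_EXPR = r"(.*\/.*\.(asf|wm|wma|wmv|zip|rar|cab|mp3|avi|mpg|swf|exe|mpeg|mp.|mpv|mp3|wm.|vpu))"

# Hypothetical tighter variant (not from the page): the extension must end the
# last path segment, i.e. be followed by '?', '#' or the end of the URL.
TIGHT_EXPR = r"/[^/?#]*\.(asf|wm.?|zip|rar|cab|avi|swf|exe|mpeg|mp.|vpu)([?#]|$)"

# Constructed sample URLs: (url, is this really a download of a listed type?)
SAMPLES = [
    ("http://example.com/files/setup.exe", True),
    ("http://example.com/files/setup.exe?mirror=2", True),
    ("http://example.com/media/clip.mpeg", True),
    ("http://example.com/music/track.mp3", True),
    ("http://example.com/docs/report.zipped.html", False),
    ("http://example.com/a.exemplar/index.html", False),
    ("http://www.mp3store.example/index.html", False),
    ("http://example.com/index.html", False),
]


def blocked(expr, url):
    # Assumption: the filter applies the expression as an unanchored search.
    return re.search(expr, url) is not None


def false_positives(expr):
    """URLs the expression blocks although they are not listed file types."""
    return [u for u, is_dl in SAMPLES if blocked(expr, u) and not is_dl]


def missed(expr):
    """Listed file types the expression fails to block."""
    return [u for u, is_dl in SAMPLES if is_dl and not blocked(expr, u)]


if __name__ == "__main__":
    for name, expr in (("page", PAGE_EXPR), ("tight", TIGHT_EXPR)):
        print(name, "over-blocks:", false_positives(expr), "misses:", missed(expr))
```

Because the page's expression is unanchored, it also denies ordinary pages whose host or path merely contains ".zip", ".exe" or ".mp" followed by more characters; test any variant against your own traffic samples before selecting deny.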


-= to be continued =-