tech:filtrage_web_avec_squidguard
Ceci est une ancienne révision du document !
Filtrage web avec SquidGuard
- /etc/squid/squid.conf
cache_peer localhost parent 8118 0 default no-query no-digest no-netdb-exchange acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl SSL_ports port 443 # https acl SSL_ports port 563 # snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl Safe_ports port 9920 # JIRA acl purge method PURGE acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all icp_access allow localnet icp_access deny all http_port 3128 hierarchy_stoplist cgi-bin ? access_log /var/log/squid/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] upgrade_http0.9 deny shoutcast acl apache rep_header Server ^Apache broken_vary_encoding allow apache extension_methods REPORT MERGE MKACTIVITY CHECKOUT hosts_file /etc/hosts coredump_dir /var/spool/squid header_access From deny all header_access Server deny all #header_access WWW-Authenticate deny all header_access Link deny all header_access Cache-Control deny all header_access Proxy-Connection deny all header_access X-Cache deny all header_access X-Cache-Lookup deny all header_access Via deny all header_access Forwarded-For deny all header_access X-Forwarded-For deny all header_access Pragma deny all header_access Keep-Alive deny all header_access Referer deny all redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf redirect_children 10 never_direct allow all
- /etc/squidguard/squidGuard.conf
# # CONFIG FILE FOR SQUIDGUARD # dbhome /var/lib/squidguard/db logdir /var/log/squid src allusers { ip 127.0.0.1/32 } dest white { domainlist white/domains urllist white/urls log dest_white.log } dest adblock { expressionlist adblock/expressions log dest_adblock.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest adult1 { domainlist tlse/adult/domains urllist tlse/adult/urls expressionlist tlse/adult/very_restrictive_expression log dest_adult1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest gambling1 { domainlist tlse/gambling/domains urllist tlse/gambling/urls log dest_gambling1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest phishing1 { domainlist tlse/phishing/domains urllist tlse/phishing/urls log dest_phishing1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest publicite1 { domainlist tlse/publicite/domains urllist tlse/publicite/urls expressionlist tlse/publicite/expressions log dest_publicite1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest malware1 { domainlist tlse/malware/domains urllist tlse/malware/urls expressionlist tlse/malware/expressions log dest_malware1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest marketingware1 { domainlist tlse/marketingware/domains urllist tlse/marketingware/urls log dest_marketingware1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest dating1 { domainlist tlse/dating/domains urllist tlse/dating/urls log dest_dating1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest mobile1 { domainlist tlse/mobile-phone/domains urllist tlse/mobile-phone/urls log dest_mobile1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest social1 { domainlist tlse/social_networks/domains log dest_social1.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest ads2 { domainlist mesd/ads/domains urllist mesd/ads/urls log dest_ads2.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest gambling2 { domainlist mesd/gambling/domains urllist mesd/gambling/urls log dest_gambling2.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest porn2 { domainlist mesd/porn/domains urllist mesd/porn/urls log dest_porn2.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest spyware2 { domainlist mesd/spyware/domains urllist mesd/spyware/urls log dest_spyware2.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest suspect2 { domainlist mesd/suspect/domains urllist mesd/suspect/urls log dest_suspect2.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest adult3 { domainlist isak/Adult_domains.txt urllist isak/Adult_urls.txt log dest_adult3.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest ads3 { domainlist isak/Advertisements_domains.txt urllist isak/Advertisements_urls.txt log dest_ads3.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest gambling3 { domainlist isak/Gambling_domains.txt urllist isak/Gambling_urls.txt log dest_gambling3.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest phishing3 { domainlist isak/Phishing_domains.txt urllist isak/Phishing_urls.txt log dest_phishing3.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest spyware3 { domainlist isak/Spyware_domains.txt log dest_spyware3.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest mobile3 { domainlist isak/Mobilephones_domains.txt urllist isak/Mobilephones_urls.txt log dest_mobile3.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } dest jibe { domainlist jibe/domains urllist jibe/urls log dest_jibe.log redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } acl { allusers { pass white !gambling1 !gambling2 !gambling3 !phishing1 !phishing3 !publicite1 !ads2 !ads3 !malware1 !spyware2 !spyware3 !marketingware1 !suspect2 !mobile1 !mobile3 !jibe any redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u } default { pass none } }
- squid-install.sh
#! /bin/bash mkdir -p /var/lib/squidguard/db/white mkdir -p /var/lib/squidguard/db/jibe mkdir -p /var/lib/squidguard/db/adblock # Creation fichiers echo "\ video.google.com mts1.google.com mts0.google.com maps.google.com mt0.google.com mt1.google.com code.google.com" >/var/lib/squidguard/db/white/domains echo "\ www.google.com/recaptcha/" >/var/lib/squidguard/db/white/urls touch /var/lib/squidguard/db/adblock/expressions echo "\ facebook.com facebook.net fbcdn.com fbcdn.net fbshare.me twitter.com twimg.com addthis.com google-analytics.com google.fr google.com 1e100.net googleapis.com gmodules.com stats.buzzea.com data.gosquared.com d1l6p2sc9645hc.cloudfront.net d1ros97qkrwjf5.cloudfront.net fstatic.iadvize.com flux.com meetic-partners.com stats.wattimpact.com els.a4.tl radar.cedexis.com greatviews.de get.adobe.com #microsoft.com ie.microsoft.com windowsupdate.microsoft.com update.microsoft.com download.windowsupdate.com live.com latestdl.info #go-mono.com traficmax.com atdmt.com r.msn.com #msn.com yesmessenger.com yes-messenger.com sexe4x.com clic.ws publicite-sexe.com adtech.de adultfriendfinder.com datasecureprocess.com tvwebgay.com partie-membres.com piximedia.fr piximedia.com tns-counter.ru mc.yandex.ru direction-x.com empiredusexe.com thumbs-share.com the-adult-company.com plugin-x.com xcams.com lescelibataires.net sexxxtape.net vador.com pub.oumma.com acces-charme.com pornattitude.com" > /var/lib/squidguard/db/jibe/domains echo "\ clck.yandex.com/ fr.search.yahoo.com/r/ wwwimages.adobe.com/www.adobe.com/images/shared/download_buttons/ www.adobe.com/images/shared/download_buttons/ www.topachat.com/images/bandeaux/ go-mono.com/moonlight/ www.microsoft.com/getsilverlight/ go.microsoft.com/fwlink/?LinkId=161376 yandex.st/serp/31.89/pages/foreign/_foreign.js" > /var/lib/squidguard/db/jibe/urls # Droits fichiers chown proxy: /var/lib/squidguard/db/jibe/urls /var/lib/squidguard/db/jibe/domains /var/lib/squidguard/db/white/domains /var/lib/squidguard/db/white/urls /var/lib/squidguard/db/adblock/expressions
- squid-update.sh
#! /bin/bash # Definition des variables squiddb="/var/lib/squidguard/db" tmp_folder="/tmp" lst_logs_dest="dest_adblock.log dest_ads2.log dest_ads3.log dest_adult1.log dest_adult3.log dest_dating1.log dest_gambling1.log dest_gambling2.log dest_gambling3.log dest_malware1.log dest_marketingware1.log dest_mobile1.log dest_mobile3.log dest_phishing1.log dest_phishing3.log dest_porn2.log dest_publicite1.log dest_social1.log dest_spyware2.log dest_spyware3.log dest_suspect2.log dest_white.log dest_jibe.log"; cd $tmp_folder exec 2>$tmp_folder/squid-update.err #exec 1>$tmp_folder/squid-update.log # Fin normal fin_ok() { echo "FIN." cat $tmp_folder/squid-update.err exit 0 } # Fin erreur fin_err() { echo -e "ERREUR: \n" cat $tmp_folder/squid-update.err exit 1 } # Cleanning des Logs clean() { rm -f /var/log/squid/*.gz 2>/dev/null rm -f /var/log/squid/*[0-9] 2>/dev/null rm -f /var/log/privoxy/*.gz rm -f /var/log/squidguard/*.[0-9] echo "" > /var/log/dansguardian/access.log echo "" > /var/log/privoxy/logfile echo "" > /var/log/squid/squidGuard.log echo "" > /var/log/squid/cache.log echo "" > /var/log/squid/access.log echo "" > /var/log/squid/store.log for fic in $lst_logs_dest do echo "" >/var/log/squid/${fic} done } # Téléchargement des blacklists et expressions régulière (adblock) download() { #wget -nv -N http://adblockplus.mozdev.org/easylist/liste_fr+easylist.txt; wget -nv -N ftp://ftp.univ-tlse1.fr/blacklist/blacklists.tar.gz && mv blacklists.tar.gz tlse.tar.gz wget -nv -N http://squidguard.mesd.k12.or.us/blacklists.tgz && mv blacklists.tgz mesd.tar.gz wget -nv -N http://download.isak.gplindustries.com/isakurldbtext.tar.gz && mv isakurldbtext.tar.gz isak.tar.gz } # Décompression des lists uncompress() { tar xzf tlse.tar.gz && rm -rf /var/lib/squidguard/db/tlse && mv -f blacklists ${squiddb}/tlse tar xzf mesd.tar.gz && rm -rf /var/lib/squidguard/db/mesd && mv -f blacklists ${squiddb}/mesd tar xzf isak.tar.gz && rm -rf /var/lib/squidguard/db/isak && mv -f isakurldbtext ${squiddb}/isak } # Mise à jour update() { #/usr/share/doc/adzapper/examples/update-zapper #cat $tmp_folder/liste_fr+easylist.txt | sed -f $tmp_folder/adblock.sed > /var/lib/squidguard/db/adblock/expressions squidGuard -C all; } # Définition des droits droits() { chown -R proxy:proxy /var/log/squid; chown -R proxy:proxy /var/lib/squidguard; chmod -R 760 /var/lib/squidguard/db; } ##### DEBUT clean || fin_err; echo -e "1. Cleanning des Logs \t\t\t\t [OK]"; download || fin_err; echo -e "2. Téléchargement des listes \t\t\t [OK]"; uncompress || fin_err; echo -e "3. Décompression des listes \t\t\t [OK]"; update || fin_err; echo -e "4. Mise à jour \t\t\t\t\t [OK]"; droits || fin_err; echo -e "5. Définition des droits sur les fichiers \t [OK]\n"; killall -1 squid; fin_ok;
Autre système de filtrage :
- stay focused
- detoxify
- bulldog blocker
- pluckeye
tech/filtrage_web_avec_squidguard.1742825205.txt.gz · Dernière modification : de 127.0.0.1