Paranoid Penguin - Building a Secure Squid Web Proxy, Part IV

Add squidGuard's blacklist functionality to your Squid proxy.

In my previous three columns [April, May and July 2009], I described the concept, benefits and architectural considerations of outbound Web proxies (Part I); discussed basic Squid installation, configuration and operation (Part II); and explained Squid Access Control Lists (ACLs), its ability to run as an unprivileged user and provided some pointers on running Squid in a chroot jail (Part III).

Although by no means exhaustively detailed, those articles nonetheless cover the bulk of Squid's built-in security functionality (ACLs, running nonroot and possibly running chrooted). This month, I conclude this series by covering an important Squid add-on: squidGuard.

squidGuard lets you selectively enforce “blacklists” of Internet domains and URLs you don't want end users to be able to reach. Typically, people use squidGuard with third-party blacklists from various free and commercial sites, so that's the usage scenario I describe in this article.

Introduction to squidGuard

Put simply, squidGuard is a domain and URL filter. It filters domains and URLs mostly by comparing them against lists (flat files), but also, optionally, by comparing them against regular expressions.

squidGuard does not filter the actual contents of Web sites. This is the domain of appliance-based commercial Web proxies such as Blue Coat, and even products like that tend to emphasize URL/domain filtering over actual content parsing due to the high-computing (performance) cost involved.

You may wonder, what have URL and domain filtering got to do with security? Isn't that actually a form of censorship and bandwidth-use policing? On the one hand, yes, to some extent, it is.

Early in my former career as a firewall engineer and administrator, I rankled at management's expectation that I maintain lists of the most popular URLs and domains visited. I didn't think it was my business what people used their computers for, but rather it should be the job of their immediate supervisors to know what their own employees were doing.

But the fact is, organizations have the right to manage their bandwidth and other computing resources as they see fit (provided they're honest with their members/employees about privacy expectations), and security professionals are frequently in the best “position” to know what's going on. Firewalls and Web proxies typically comprise the most convenient “choke points” for monitoring or filtering Web traffic.

Furthermore, the bigger domain/URL blacklists frequently include categories for malware, phishing and other Web site categories that do, in fact, have direct security ramifications. For example, the free Shalla's Blacklists include more than 27,600 known sources of spyware!

Even if you don't care about conserving bandwidth or enforcing acceptable-use policies, there's still value in configuring squidGuard to block access to “known dangerous” Web sites. That's precisely what I'm going to show you how to do.

Getting and Installing squidGuard

If you run a recent version of Fedora, SUSE, Debian or Ubuntu Linux, squidGuard is available as a binary package from your OS's usual software mirrors (in the case of Ubuntu, it's in the universe repositories). If you run RHEL or CentOS, however, you need to install either Dag Wieers' RPM of squidGuard version 1.2, Excalibur Partners' RPM of squidGuard version 1.4, or you'll have to compile squidGuard from the latest source code, available at the squidGuard home page (see Resources for the appropriate links).

Speaking of squidGuard versions, the latest stable version of squidGuard at the time of this writing is squidGuard 1.4. But, if your Linux distribution of choice provides only squidGuard 1.2, as is the case with Fedora 10 and Ubuntu 9.04, or as with OpenSUSE 11.1, which has squidGuard 1.3, don't worry. Your distribution almost certainly has back-ported any applicable squidGuard 1.4 security patches, and from a functionality standpoint, the most compelling feature in 1.4 absent in earlier versions is support for MySQL authentication.

Hoping you'll forgive my Ubuntu bias of late, the command to install squidGuard on Ubuntu systems is simply:

bash-$ sudo apt-get squidguard

As noted above, squidGuard is in the universe repository, so you'll either need to uncomment the universe lines in /etc/apt/sources.list, or open Ubuntu's Software Sources applet, and assuming it isn't already checked, check the box next to Community-maintained Open Source software (universe), which will uncomment those lines for you.

Besides using apt-get from a command prompt to install squidGuard, you could instead use the Synaptic package manager. Either of these three approaches automatically results in your system's downloading and installing a deb archive of squidGuard.

If you need a more-current version of squidGuard than what your distribution provides and are willing to take it upon yourself to keep it patched for emerging security bugs, the squidGuard home page has complete instructions.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

getting squidguard to work!

Shane's picture

First, I am using ubuntu 9.0.4. My squid is 2.7stable3. My squidguard is 1.2.

Squid has been working fine for several days, I have a fairly complex set of acls and http_access rules because I am trying to dole out computer time to my kids during the holidays. I am also trying to stop access to certain sites during my "peak time" allocated by my ISP. After working through the obvious errors that a relative newb introduces without meaning to, it is stable, and predictable in behaviour and performance. Suffice to say that I have stripped the squid.conf of unneccesary clutter (comments and unused settings) and have added some structure to it that makes sense to me when going in to tweak it. I do have the original file in two places for referencing when I get into trouble, so can always reinstall and add my tweaks if needed.

Next step was to add squidguard for a deeper level of filtering...

So, I have assiduously followed the instructions here even to the point of copying the errors which reveal themselves on re-reading, e.g. "bash-$ /etc/init.d/squid reload" is missing sudo at the start of the line (it is dereferenced in the preceeding paragraph. After correcting the obvious errors

However, the moment I reload squid or restart squid it fails to load

I actually rebuilt a server because this happened the first time (over a week ago now) thinking that I had damaged some system files (of course I hadn't , but it was worth the practice of installing a new version of the server anyway)

So what can I be doing wrong? The only thing that makes sense is that I am adding the squidguard lines in the wrong place, but after having reviewed the original squid.conf my original placement was correct. So, are there any hidden traps for beginners that aren't mentioned in the article.

Feeling like,... "a Penguin in Bondage, boy!!!


Shane's picture

Well - I found it, after checking the squidguard log file

wrong type of braces in the definitions of dest rules

I had used parantheses () instead of curly braces {}, which with my eyesight the way it is these days (even with my computer prescription glasses) are so similar to a glance rather than a close inspection, that it totally slipped on by

Caught by the worst of the gotchas for newbs who aren't new to programming (hangs head in shame)

Ah, well, at least if anyone else runs across this there is a solution already (I'd gone looking for the matching braces problem and found the bigger one)

bonds loosened but not released, yet!