SquidGuard



  squidGuard - Configuration Examples


  • Example 0 - The absolutely minimal do nothing config:
  • The absolutely minimal config file is an empty but existing file (i.e. squidGuard -c /dev/null), which is equivalent to:

         acl {
    	  default {
    	       pass all
    	  }
         }
       

  • Example 1 - The recommended minimal do nothing config:
  • For clarity, we recommend stating explicitly what squidGuard is expected to do (this makes things less magic for a new operator):

         logdir /usr/local/squidGuard/log
    
         acl {
    	 default {
    	     pass all
    	 }
         }
       

  • Example 2 - Limiting the access to one destination group only:
  • Now your acl looks like this:

         logdir /usr/local/squidGuard/log
         dbhome /usr/local/squidGuard/db
    
         dest local {
    	 domainlist local/domains
         }
    
         acl {
    	 default {
    	     pass local none
    	     redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u  
    	 }
         }
       

    This implies there must be a domain list file "/usr/local/squidGuard/db/local/domains" that may simply look like:

         example.com
       

  • Example 3 - Blocking the access for unknown or unprivileged clients:

         logdir /usr/local/squidGuard/log
         dbhome /usr/local/squidGuard/db
    
         src privileged {
    	 ip	10.0.0.1 10.0.0.73 10.0.0.233	# ONE OF single clients
    	 ip	10.0.0.10-10.0.0.20		# OR WITHIN range 10.0.0.10 - 10.0.0.20
    	 ip	10.0.1.32/27			# OR WITHIN range 10.0.1.32 - 10.0.1.63
    	 ip	10.0.2.0/255.255.255.0		# OR WITHIN range 10.0.2.0  - 10.0.2.255
    						# AND
    	 domain foo.bar				# MATCH foo.bar. OR *.foo.bar.
         }
    
         acl {
    	 privileged {
    	     pass all
    	 }
    
    	 default {
    	     pass none
    	     redirect http://info.foo.bar/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u  
    	 }
         }
       

    Using client domainname match implies reverse lookup is enabled (log_fqdn on) in squid.conf.


  • Example 4 - Blocking inappropriate sites:

         logdir /usr/local/squidGuard/log
         dbhome /usr/local/squidGuard/db
    
         dest porn {
    	 domainlist porn/domains
    	 urllist    porn/urls
         }
    
         acl {
    	 default {
    	     pass !porn all
    	     redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u  
    	 }
         }
       

    This implies there must be a domain list file "/usr/local/squidGuard/db/porn/domains" and a URL list file "/usr/local/squidGuard/db/porn/urls". The domain list file may have a zillion lines like:

         porn.com
         sex.com
       

    The URL list file may have another zillion lines like:

         foo.com/~porn
         bar.com/img/sex
       

  • Example 5 - Blocking inappropriate sites for some users and blocking unknown clients:

         logdir /usr/local/squidGuard/log
         dbhome /usr/local/squidGuard/db
    
         src grownups {
    	 ip	   10.0.0.0/24	  # range 10.0.0.0  - 10.0.0.255
    			       # AND
    	 user   foo bar	  # ident foo or bar
         }
    
         src kids {
    	 ip	   10.0.0.0/22	  # range 10.0.0.0 - 10.0.3.255
         }
    
         dest porn {
    	 domainlist porn/domains
    	 urllist    porn/urls
         }
    
         acl {
    	 grownups {
    	     pass all
    	 }
    
    	 kids {
    	     pass !porn all
    	 }
    
    	 default {
    	     pass none
    	     redirect http://info.foo.bar/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    	 }
         }
       

    Using userident match implies RFC931/ident lookup is enabled in squid.conf, optionally only for the actual client groups, and that foo and bar's workstations must support RFC931.
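
The source matching used in Examples 3 and 5, modelled in Python as an added example (not squidGuard's own code): it checks a client against the four `ip` notations and applies the AND between `ip`, `user` and `domain` that the config comments describe. The dictionaries and function names are constructed here, and trying sources in definition order with the first match winning is an assumption.

```python
import ipaddress

def ip_spec_matches(spec, addr):
    """True if addr falls inside one token of a squidGuard `ip` line."""
    a = ipaddress.ip_address(addr)
    if "/" in spec:   # 10.0.1.32/27 and 10.0.2.0/255.255.255.0 both parse here
        return a in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:   # 10.0.0.10-10.0.0.20, inclusive at both ends
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= a <= hi
    return a == ipaddress.ip_address(spec)

# Constructed models of the src blocks on this page (hypothetical structure).
PRIVILEGED = {"ip": ["10.0.0.1", "10.0.0.73", "10.0.0.233", "10.0.0.10-10.0.0.20",
                     "10.0.1.32/27", "10.0.2.0/255.255.255.0"],
              "domain": ["foo.bar"]}
SOURCES = [("grownups", {"ip": ["10.0.0.0/24"], "user": ["foo", "bar"]}),
           ("kids", {"ip": ["10.0.0.0/22"]})]

def source_matches(src, addr, user=None, fqdn=None):
    """Values of one criterion are alternatives; different criteria are ANDed."""
    if "ip" in src and not any(ip_spec_matches(s, addr) for s in src["ip"]):
        return False
    if "user" in src and user not in src["user"]:
        return False
    if "domain" in src:
        name = (fqdn or "").rstrip(".").lower()
        if not any(name == d or name.endswith("." + d) for d in src["domain"]):
            return False
    return True

def classify(sources, addr, user=None, fqdn=None):
    """Assumption: sources are tried in definition order, first match wins."""
    for name, src in sources:
        if source_matches(src, addr, user, fqdn):
            return name
    return "default"
```

A client in 10.0.0.0/24 whose ident lookup fails or returns another name is not rejected: it falls through to `kids`, and only addresses outside 10.0.0.0/22 reach `default`.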

  • Example 6 - Blocking inappropriate sites partially with regex:
     + ensuring local and good sites are passed even if they would match a blocking regex
     + limiting the usage of IP-address URLs

         logdir /usr/local/squidGuard/log
         dbhome /usr/local/squidGuard/db
    
         dest local {
    	 domainlist     local/domains
         }
    
         dest good {
    	 domainlist     local/domains
         }
    
         dest porn {
    	 domainlist     porn/domains
    	 urllist        porn/urls
    	 expressionlist porn/expressions
         }
    
         acl {
    	 default {
    	     pass local good !in-addr !porn all
    	     redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u  
    	 }
         }
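
How the order of the pass list in Example 6 decides the outcome, as an added Python example (not squidGuard's own code). It assumes the pass list is read left to right with the first matching group deciding, and it simplifies list matching to domain suffix, URL prefix and case-insensitive regex; the entries for local and good and the expression are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed list contents. The porn domains and URLs are the page's samples;
# the local/good entries and the expression are made up for this example.
DESTS = {
    "local": {"domains": ["example.com"]},
    "good": {"domains": ["example.com"]},
    "porn": {"domains": ["porn.com", "sex.com"],
             "urls": ["foo.com/~porn", "bar.com/img/sex"],
             "expressions": [r"(^|[/.])sex([/.]|$)"]},
}

def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dest_matches(name, url):
    """Simplified destination match: domain suffix, URL prefix, then regex."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if name == "all":
        return True
    if name == "in-addr":            # built-in group: host is an IP address
        return is_ip_host(host)
    dest, target = DESTS[name], host + parts.path
    return (any(host == d or host.endswith("." + d) for d in dest.get("domains", []))
            or any(target == u or target.startswith(u + "/") for u in dest.get("urls", []))
            or any(re.search(e, target, re.I) for e in dest.get("expressions", [])))

def decide(pass_list, url):
    """Assumption: tokens are tried left to right and the first match decides."""
    for token in pass_list.split():
        if token == "none":
            return "block"
        if dest_matches(token.lstrip("!"), url):
            return "block" if token.startswith("!") else "pass"
    return "block"                   # nothing matched: treated as blocked
```

With the page's order, http://www.example.com/sex/ed passes because `local` matches first; with `!porn` placed ahead of `local` the same URL is blocked by the expression.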
       

  • Example 7 - Blocking inappropriate sites within business hours only:
    • Let's extend example 5 with:
    • a time constraint on censorship
    • logging redirections of inappropriate sites anonymized
    • redirecting inappropriate sites specially
    • and still protecting the kids 24h.

         logdir /usr/local/squidGuard/log
         dbhome /usr/local/squidGuard/db
    
         time leisure-time {
    	 weekly * 00:00-08:00 17:00-24:00	# night and evening
    	 weekly fridays 16:00-17:00		# weekend
    	 date	*.01.01				# New Year's Day
    	 date	*.05.01				# Labour Day
    	 date	*.05.17				# National Day
    	 date	*.12.24 12:00-24:00		# Christmas Eve
    	 date	*.12.25				# Christmas Day
    	 date	*.12.26				# Boxing Day
    	 date	1999.03.31 12:00-24:00		# Ash Wednesday
    	 date	1999.04.01-1999.04.05		# Easter
    	 date	2000.04.19 12:00-24:00		# Ash Wednesday y2000
    	 date	2000.04.20-2000.04.24		# Easter y2000
         }
    
         src grownups {
    	 ip	10.0.0.0/24			# range 10.0.0.0  - 10.0.0.255
    						# AND
    	 user	foo bar				# ident foo or bar
         }
    
         src kids {
    	 ip	10.0.0.0/22			# range 10.0.0.0 - 10.0.3.255
         }
    
         dest porn {
    	 domainlist	porn/domains		# file listing domains	(clear text)
    	 urllist	porn/urls		# file listing URLs	(clear text)
    	 expressionlist porn/expressions	# file with expressions (clear text regex)
    	 redirect       302:http://info.foo.bar/images/blocked.gif
    						# redirect matches to this URL
    	 log anonymous  porn.log		# log redirects anonymized to logdir/porn.log
         }
    
         acl {
    	 grownups within leisure-time {
    	     pass all				# don't censor people's leisure-time
    	 } else {
    	     pass !in-addr !porn all		# restrict access during business hours
    	 }
    
    	 kids {
    	     pass !porn all			# protect the kids 24h anyway
    	 }
    
    	 default {
    	     pass none				# reject unknown clients
    	     redirect http://info.foo.bar/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u  
    	 }
         }
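
An added Python example (not squidGuard's own code) that evaluates a subset of the `leisure-time` block above for a given timestamp, which shows which branch of `grownups within leisure-time { ... } else { ... }` applies. Treating each range as start <= t < end and recognising only `*` and day names written like `fridays` are assumptions.

```python
from datetime import datetime

# Constructed subset of the leisure-time block from Example 7.
LEISURE_TIME = """
weekly * 00:00-08:00 17:00-24:00
weekly fridays 16:00-17:00
date *.12.24 12:00-24:00
date *.12.25
date 1999.04.01-1999.04.05
"""
WEEKDAYS = ["mondays", "tuesdays", "wednesdays", "thursdays",
            "fridays", "saturdays", "sundays"]   # datetime.weekday() order

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def _in_ranges(ranges, when):
    """No ranges means the whole day; otherwise any start <= t < end."""
    now = when.hour * 60 + when.minute
    return not ranges or any(
        _minutes(lo) <= now < _minutes(hi)
        for lo, hi in (r.split("-") for r in ranges))

def _date_matches(spec, when):
    """spec is YYYY.MM.DD, *.MM.DD, or a YYYY.MM.DD-YYYY.MM.DD range."""
    today = (when.year, when.month, when.day)
    def parse(s):
        y, m, d = s.split(".")
        return (when.year if y == "*" else int(y), int(m), int(d))
    lo, _, hi = spec.partition("-")
    return parse(lo) <= today <= parse(hi or lo)

def within(rules, when):
    """True if `when` falls inside any rule of the time block."""
    for line in rules.strip().splitlines():
        kind, spec, *ranges = line.split()
        if kind == "weekly":
            day_ok = spec == "*" or spec == WEEKDAYS[when.weekday()]
        else:
            day_ok = _date_matches(spec, when)
        if day_ok and _in_ranges(ranges, when):
            return True
    return False
```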
       







      © Powered by Shalla Secure Services KG 2007-2012