Wednesday, July 10, 2013

Transparent Squid3 with DansGuardian Content Filtering

Many organizations today use various kinds of open-source web control systems. This tutorial focuses on installing and configuring a Squid and DansGuardian based web content caching and filtering system on Ubuntu.

Squid is a web caching proxy which supports HTTP, HTTPS, FTP, etc. It is licensed under the GNU GPL and has an extensive access control system. DansGuardian, on the other hand, is an open-source web content filter which can filter any type of content based on pages, URLs, phrases and even pictures. More details can be found on the Squid and DansGuardian sites.

In my example I'm going to show how to integrate a Squid/DansGuardian system as a transparent proxy. As shown in the figure, the proxy sits between the firewall and the local LAN.
[Figure: Transparent Proxy]


I have used certain IP ranges, but they can be changed according to your requirements.
Once the setup is done, we have to install the latest Ubuntu server edition on the server. Make sure you use a server with two Gigabit Ethernet ports; it is better to have at least 16GB of RAM, a 2GHz processor and a 1T HDD.

After installing the latest Ubuntu server edition, we have to install all the required packages. This can be done with apt-get, but its package index should be updated first, so with sudo:

sudo apt-get update
sudo apt-get install squid3 clamav-freshclam iptables dansguardian

After installing, we have to edit the Squid configuration file:
sudo vi /etc/squid3/squid.conf

In that file, make the changes as required:
....
http_port 3128 transparent
....
acl intranet src 172.16.0.0/16
acl localnet src 127.0.0.1/255.255.255.255
....
http_access allow intranet
http_access allow localnet
....
always_direct allow all
....
cache_dir ufs /var/spool/squid3 716800 256 256
....

You may have to change the intranet IP ranges and the cache directory sizes; please also refer to the Squid documentation.
After editing squid.conf we need to restart the Squid service.

sudo /etc/init.d/squid3 restart

After this we may want to log Squid activity, but for squid3 logging to be picked up we have to link its log path to the Squid 2 path, because most log tools and the Ubuntu repository packages are configured for Squid 2.

sudo ln -s /var/log/squid3 /var/log/squid

After that, before configuring DansGuardian, we have to download a blacklist from a site such as http://urlblacklist.com/?sec=download

Then,
tar -xzf bigblacklist.tar.gz
sudo mv blacklists /etc/dansguardian/blacklists
sudo chown -R root:root /etc/dansguardian/blacklists

When configuring, you will likely want to customize some filtering options. In particular, you may want to comment (#) or uncomment options in these files:
  • /etc/dansguardian/lists/bannedextensionlist
  • /etc/dansguardian/lists/bannedsitelist
  • /etc/dansguardian/lists/bannedurllist
Then edit the conf file:
sudo vi /etc/dansguardian/dansguardian.conf

...
#UNCONFIGURED - Please remove this line after configuration
...
filterip = 127.0.0.1
...
daemonuser = 'proxy'
...
daemongroup = 'proxy'
...
accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'
...

Now configure the logging:
sudo chown -R proxy:proxy /var/log/dansguardian
sudo /etc/init.d/dansguardian start

Finally, we have to configure iptables to redirect internet traffic:
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
sudo iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
sudo iptables-save > iptables
sudo mv iptables /etc/dansguardian/iptables
/sbin/iptables-restore < /etc/dansguardian/iptables
sudo chmod 750 /etc/rc2.d/S60iptables
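
The order of the four nat rules above matters: iptables stops at the first matching rule, so the ACCEPT rules for the proxy user must come before the REDIRECT rules, otherwise the proxy's own outbound requests are sent back to port 8080 in a loop. The following check is an added example, not part of the original post; the function names, the sample rules and uid 13 are assumptions constructed for illustration. It reads iptables-save output on stdin.

```shell
#!/bin/sh
# Checks the nat OUTPUT chain: every REDIRECT must follow an owner-matched ACCEPT
# for the same port, no unconditional ACCEPT may precede it, and ports 80 and
# 3128 must both be redirected to 8080. Any --uid-owner value is accepted here.
check_redirect_order() {
    awk '
        /^\*/ { table = substr($1, 2) }        # a line like "*nat" starts a table
        table != "nat" || $1 != "-A" || $2 != "OUTPUT" { next }
        {
            port = ""; target = ""; to = ""; owner = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")     port = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
                if ($i == "--to-ports")  to = $(i + 1)
                if ($i == "--uid-owner") owner = 1
            }
            if (port == "" || (port in seen)) next   # only the first REDIRECT per port decides
            if (target == "ACCEPT" && owner) exempt[port] = 1
            if (target == "ACCEPT" && !owner) { print "port " port ": unconditional ACCEPT bypasses the filter"; bad = 1 }
            if (target == "REDIRECT") {
                seen[port] = 1
                if (!(port in exempt)) { print "port " port ": REDIRECT before owner ACCEPT (proxy traffic would loop)"; bad = 1 }
                if (to != "8080")      { print "port " port ": redirects to " to ", not 8080"; bad = 1 }
            }
        }
        END {
            n = split("80 3128", need, " ")
            for (k = 1; k <= n; k++)
                if (!(need[k] in seen)) { print "port " need[k] ": no REDIRECT rule"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample in iptables-save format (13 is an assumed uid for "proxy").
sample_rules() {
    cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT
EOF
}

sample_rules | check_redirect_order && echo "nat OUTPUT rule order OK"
```

On the server itself the same function can be fed the saved file, for example `check_redirect_order < /etc/dansguardian/iptables`.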


We also have to add the following to the end of /etc/dansguardian/lists/exceptionextensionlist (this will allow Ubuntu to download updates):

# Archives & packages
.bz2
.gz
.tbz2
.tar
.deb
.gpg


This is how I configured my network for several thousand clients, and I hope this will help someone. Enjoy!