squidguard实现
一、下载资源:
# wget http://www.xoroz.com/files/db-4.6.21.tar.gz
# wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
http://www.oracle.com/technology/products/berkeley-db/db/update/4.6.21/patch.4.6.21.html
上面是BerkeleyDB4.6.21的补丁
#ls -l
-rw-r--r-- 1 root root 11881885 May 17 14:21 db-4.6.21.tar.gz
-rw-r--r-- 1 root root 2475 May 17 14:24 patch.4.6.21.1
-rw-r--r-- 1 root root 892 May 17 14:26 patch.4.6.21.2
-rw-r--r-- 1 root root 1911 May 17 14:26 patch.4.6.21.3
-rw-r--r-- 1 root root 41501 May 17 14:27 patch.4.6.21.4
-rw-r--r-- 1 root root 2577 May 17 10:16 squidGuard-1.4-patch-20091015.tar.gz
-rw-r--r-- 1 root root 9597 May 17 10:21 squidGuard-1.4-patch-20091019.tar.gz
-rw-r--r-- 1 root root 1968492 May 17 10:22 squidGuard-1.4.tar.gz
二、安装BerkeleyDB
#tar zxvf db-4.6.21.tar.gz
#cd db-4.6.21
#patch -p0 < ../patch.4.6.21.1
#patch -p0 < ../patch.4.6.21.2
#patch -p0 < ../patch.4.6.21.3
#patch -p0 < ../patch.4.6.21.4
# cd build_unix/
# ../dist/configure --prefix=/usr/local/BerkeleyDB
#make
#make install
# echo '/usr/local/BerkeleyDB/lib' >> /etc/ld.so.conf
# ldconfig
# ldconfig -v|grep libdb-4
三、安装squidguard
#tar zxvf squidGuard-1.4.tar.gz
#cd squidGuard-1.4
./configure --with-squiduser=squid --with-sg-config=/usr/local/squidGuard/squidGuard.conf --with-sg-logdir=/usr/local/squidGuard/logs --with-sg-dbhome=/usr/local/squidGuard/db
#make
#make install
The initial configuration is complete.
Congratulation. SquidGuard is sucessfully installed
四、配置squidGuard
#vi /usr/local/squid/etc/squid.conf
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
#cd /usr/local/squidGuard/
#vi squidGuard.conf
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
time workhours {
weekly mtwhf 09:00 - 11:00
weekly mtwhf 13:00 - 15:00
}
time afterwork {
weekly mtwhf 17:00 - 24:00 # After work
weekly mtwhf 00:00 - 09:00 # After work
weekly mtwhf 11:00 - 13:00 # After work
weekly sa 00:00 - 24:00 # After work
date *-01-01 # New Year's Day
date *-01-02 # New Year's Day
date *-01-03 # New Year's Day
date *-05-01 # 5.1
date *-05-02 # 5.2
date *-05-03 # 5.3
date *-10-01 # 10.1
date *-10-02 # 10.2
date *-10-03 # 10.3
}
#
# REWRITE RULES:
#
#rew dmz {
# s@://admin/@://admin.foo.bar.de/@i
# s@://foo.bar.de/@://www.foo.bar.de/@i
#}
#
# SOURCE ADDRESSES:
#
src admin {
ip 172.21.41.21 172.21.41.22
# user lwt
}
src vipclient {
ip 172.21.41.25-172.21.41.29 172.21.41.35
# user jf
}
src clinets {
ip 172.21.41.0/24
# user wentao
}
src yange {
user liwentao
}
#
# DESTINATION CLASSES:
#
dest eyi {
domainlist eyi/domains
# urllist eyi/urls
redirect http://网站/p_w_picpaths/p_w_picpath002.jpg
}
dest nongchang {
domainlist nongchang/domains
urllist nongchang/urls
redirect http://网站/p_w_picpaths/p_w_picpath001.jpg
}
dest youxi {
domainlist youxi/domains
# urllist youxi/urls
redirect http://网站/p_w_picpaths/p_w_picpath001.jpg
}
dest webtv {
domainlist webtv/domains
urllist webtv/urls
redirect http://网站/p_w_picpaths/p_w_picpath001.jpg
}
acl {
admin {
pass !eyi any
}
vipclient within afterwork {
pass !eyi !nongchang any
}
else {
pass !eyi !nongchang any
}
clients within afterwork {
pass !eyi any
}
else {
pass !eyi !nongchang !webtv !youxi any
}
yange within afterwork {
pass !eyi !nongchang !webtv !youxi any
}
else {
pass !eyi !nongchang !webtv !youxi any
}
default {
pass none
redirect http://localhost/block.html
}
}
#cd /usr/local/squidGuard/
#mkdir iplist
#cd iplist
#vi admin
#vi vipclient
#cd /usr/local/squidGuard/
#chown –R squid ./iplist
注意:这里我测试iplist iplist/admin跟iplist iplist/vipclient 里面设置ip地址的办法没有起效果。具体原因不明。所以还是修改成直接写ip地址了。
这里的思路是:下班时间只限制一个eyi,上班时间admin 也只是限制一个eyi,vipclient 限制eyi 或者加一个其他的什么(根据公司要求),client上班的时候都限制,yange是用来做测试的,什么都限制了。
这里的条件可以有交叉的,写在前面的条件优先,所以对于client大胆的把172.21.41.0/24写上去。
五、建立自己的db数据库
#squidGuard -C all
#chown -R squid /usr/local/squidGuard/db/*
#chown -R squid /usr/local/squidGuard/logs/*
开另一个linux远程客户端
#cat /usr/local/squidGuard/logs/squidGuard.log
squidGuard 1.4 started (1274115690.076)
db update done
squidGuard stopped (1274115690.218)
如果出现:Going into emergency mode
就去查错吧,
squidGuard: ACL source clients is not defined in configfile /usr/local/squidGuard/squidGuard.conf
比如以上我的错误就是 clients打成了clinets 所以在acl中就找不到这个clients的定义了。
测试:
/usr/local/squid/sbin/squid -k reconfigure
如果没有报错 就可以开始测试了!
对于src的匹配,如果是另起一行的,他们之间的关系为‘与’的关系,可以加上within worktime这样的条件,跟相关的ip范围‘与’
测试下来,重定向到一个图片,img001提示上班别做其他事情,img002提示有病毒的网站,测试了下原来文本有2.3w的记录,转换到db后,通过squid,访问速度很快,无延迟!
如果修改了,squidGuard.conf,只要
/usr/local/squid/sbin/squid -k reconfigure
就可以了
六、维护blacklist表:
国外的blacklist
http://squidguard.shalla.de/Downloads/shallalist.tar.gz
没什么用,老外根本不管我们国内的网站
国内的blacklist,到下面的网站去下载,然后编辑下就成了
http://www.mwsl.org.cn/%E4%B8%8B%E8%BD%BD/
我们国内如果使用国外的blacklist好像命中率不高,那些国外的站点速度慢,好像我们公司的员工,没什么人去上的,也没什么机会中访问到国外的恶意网站
所以还是根据实际情况自己维护这个db
我使用电脑报的hosts文件生成了eyi这个目录的domains,其他的自己编辑
#ls /usr/local/squidGuard/db
./nongchang 农场类网站
./eyi 恶意网站
./webtv 视频类网站
./youxi 游戏类网站
备注:
以上是我以前做的一个的备份,不过建议不要实施白名单上网,维护会比较累。虽然上面举例是实施的白名单。
建议实施黑名单,实际的效果很好的。
转载于:https://blog.51cto.com/smtlwt/1170433