Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard


Turn a Raspberry Pi into a Web Filter Proxy with SquidGuard Overview

Most home routers don't do a very good job of filtering objectionable web content. One possible solution is to turn a Raspberry Pi into a proxy web filter that can protect users on your home network. In this lab, I turn a Raspberry Pi running the Raspbian Linux operating system into a robust web proxy that filters objectionable web sites. To do this, I install and configure Squid and SquidGuard, and then I download and configure a blacklist file which is available for personal use through a Creative Commons license. This lab focuses on turning the Raspberry Pi into a standalone proxy server that can be reached by changing the network clients' web browser proxy settings, or by configuring the router to direct web traffic to the proxy server. In a follow-up lab, you could configure the Raspberry Pi as a transparent inline proxy server.

Step-by-step instructions

First, I recommend updating your repositories, then installing the program locate and updating its index/database of file locations. This will help if you need to search for the file paths to the Squid and SquidGuard configuration files. After installing Squid and SquidGuard, run the sudo updatedb command again so that the newly installed files are indexed and searchable with locate.

$ sudo apt-get update
$ sudo apt-get install locate
$ sudo updatedb

1. Install Squid, start it, and set it to start on boot

$ sudo apt-get install squid
$ sudo update-rc.d squid enable

Use netstat to check that Squid is listening on port 3128. Also, using ps, notice that one of the Squid processes runs as proxy:proxy (user and group)

$ sudo netstat -antp |grep squid
$ sudo ps -aux |grep squid

2. Edit the Squid configuration file and then reload Squid. Notice that I run updatedb and then use locate to find the location of the squid.conf file

$ sudo updatedb
$ sudo locate squid.conf
$ sudo nano -c /etc/squid/squid.conf

on line 676 uncomment the line #http_access allow localnet

http_access allow localnet

on line 1114 make sure http_port 3128 is uncommented:

http_port 3128

save and quit.

$ sudo service squid reload

or

$ sudo service squid restart

3. Now that Squid is running, you can test it from another computer on the network by changing the settings in Firefox or Chrome to point to the Squid web proxy on the Raspberry Pi. Open Firefox and go to File > Options > advanced > network tab > connection settings > manual proxy configuration

and set it to: <the ip address of the computer/RPi running squid>:3128

*Note: In order to test the Squid proxy server from another computer, you will need to make sure that the proxy server's firewall is not blocking outside requests. Depending on your distribution of Linux, the firewalld or iptables firewall may be actively blocking outside requests, and you will need to add a rule to allow requests on port 3128. On the Raspbian operating system there should be no firewall activated by default, but just in case, you can turn off the iptables firewall using the following command:

$ sudo service iptables stop

4. You can monitor the access log to see it working

$ sudo tail -f /var/log/squid/access.log

Now browse the web in Firefox, or the web browser of your choice to see if you are able to receive webpages through the Squid proxy. If you are able to successfully reach websites, then the Squid proxy is working correctly and allowing web requests. Look to the output of Squid's access.log file to see the requests reaching Squid (issue the tail command shown above)

5. With Squid working you can now install SquidGuard

$ sudo apt-get install squidGuard

6. Now that SquidGuard is installed, you will want to download a blacklist of websites and domains that you can block with SquidGuard. You can find more information on SquidGuard and where to find blacklists at http://squidguard.org. A great resource is located at http://dsi.ut-capitole.fr/blacklists/, which has an extensive blacklists.tar.gz file under a "creative commons" license. The website http://www.shallalist.de has a similar downloadable blacklist with similar license terms. You will find links to other commercial blacklist sites as well. For this lab, I recommend downloading the shallalist.tar.gz file from http://www.shallalist.de. You can download it from the command line using wget or from the GUI using a web browser. Download the blacklist file to your Downloads or home folder, but before you install a full blacklist, let's create a testdomains file with test domains for SquidGuard to practice blocking:

$ cd /var/lib/squidguard/db
$ sudo nano testdomains

type in three lines of text to add some test-domains to block:

yahoo.com
msn.com
whatever-you-want-to-block.com

save and exit.

7. Now edit the squidGuard.conf file to configure it to work with the testdomains file. You may want to back up the squidGuard.conf file before making changes.

$ cd /etc/squidguard
$ sudo cp squidGuard.conf squidGuard.conf.bak
$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, add the following text elements in red. Be careful in your edits; incorrect syntax will cause squidGuard to fail. The beginning of the text file has been omitted.

#dest adult {
#   domainlist        BL/porn/domains
#   urllist        BL/porn/urls
#   expressionlist    BL/adult/expressions
#   redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
#}

dest test {
     domainlist testdomains
}

acl {
     admin {
          pass any
     }

     foo-clients within workhours {
     #    pass good !in-addr !adult any
     } else {
          pass any
     }

     bar-clients {
          pass local none
     }

     default {
          pass !test any
          redirect http://127.0.0.1/blocked.html
     }
}

Save and exit

8. Now install the Apache2 webserver and create a blocked.html page using nano

$ sudo apt-get install apache2
$ cd /var/www/
$ sudo nano blocked.html

<html>
<head>
<title>Blocked!</title>
</head>
<body>
<h1>You have been blocked by Raspberry Pi administrator!</h1>
</body>
</html>

Save and exit

9. Now compile the SquidGuard blacklists and change ownership of the files that need to be accessible by Squid

$ sudo squidGuard -b -d -C all
$ sudo chown proxy:proxy /etc/squidguard/squidGuard.conf
$ sudo chown -R proxy:proxy /var/lib/squidguard/db
$ sudo chown -R proxy:proxy /var/log/squidguard

10. Edit the squid.conf file and then reload Squid

$ sudo nano -c /etc/squid/squid.conf

add the following line to the squid.conf file on line 31:

url_rewrite_program /usr/bin/squidGuard

$ sudo service squid reload

11. Now open the Firefox browser from another computer and test to see if the domains listed in the testdomains file in step 6 are successfully blocked. Domains not listed in the testdomains file should be allowed. In other words, from another computer with the web browser configured with the proxy settings of the Raspberry Pi's ip address and port number 3128, try browsing to msn.com or one of the domains listed in the testdomains file that you created in step 6

12. If you were successful at blocking the testdomains then it's time to extract and decompress the shallalist.tar.gz file that you downloaded in Step 6. When you extract shallalist.tar.gz it will extract into a folder titled BL. You will then copy BL to the squidguard db folder

$ cd ~/Downloads
$ tar -xzf shallalist.tar.gz
$ ls
$ sudo cp BL -R /var/lib/squidguard/db
$ cd /var/lib/squidguard/db

Now recursively change permissions on the BL blacklists folder so you can list through the various blacklist categories that you may wish to activate. You will need to know the path names of the categories, folders and files that you will want to compile to work with SquidGuard

$ sudo chmod -R 755 /var/lib/squidguard/db/BL
$ ls /var/lib/squidguard/db/BL

13. Now you can edit the squidGuard.conf file to configure it to begin blocking undesirable content

$ sudo nano -c /etc/squidguard/squidGuard.conf

In the config file, change the following lines in red. Be careful in your edits; incorrect syntax will cause squidGuard to fail. You will need to remove 4 lines of comments from the dest adult block as well as change the paths to the content you intend to block. Notice under dest adult that I change the paths under domainlist and urllist to match the content and paths in the BL folder


dest adult {
   domainlist        BL/porn/domains
   urllist        BL/porn/urls

#  expressionlist    BL/porn/expressions
#  redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u

}

dest test {
    domainlist testdomains
}

acl {
     admin {
          pass any
     }

     foo-clients within workhours {
     #    pass good !in-addr !adult any
     } else {
          pass any
     }

     bar-clients {
          pass local none
     }

     default {
          pass !adult !test any
          redirect http://127.0.0.1/blocked.html
     }
}

Save and exit

14. Now you need to recompile the SquidGuard blacklists which will create new squidGuard blacklist database files. Then change ownership of the files in the db folder to proxy

$ sudo squidGuard -b -d -C all
$ sudo chown -R proxy:proxy /var/lib/squidguard/db

15. Reload Squid and then use Firefox from another computer to test to see if Squid and SquidGuard are blocking websites with known adult content. You may want to execute this test privately or with the majority of the web browser dragged off screen ... just in case it doesn't work!

$ sudo service squid reload
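
A pre-flight check for steps 9, 14 and 15, as an added example that is not part of the original lab: it reads squidGuard.conf, confirms that every active domainlist/urllist entry has both its text list and a compiled .db file under the db folder, and flags anything not owned by the expected account. The function names and the constructed sample tree are assumptions for illustration; on the Pi, pass the real paths and the uid of proxy.

```shell
#!/bin/sh
# Added example (not from the original lab): pre-flight check for SquidGuard.
# sg_preflight CONF DBHOME OWNER_UID -> one line per problem, returns 1 if any.
sg_preflight() {
    conf=$1; dbhome=$2; owner_uid=$3; problems=0
    # Active (uncommented) list entries; commented lines start with "#".
    lists=$(awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf")
    for rel in $lists; do
        if [ ! -f "$dbhome/$rel" ]; then
            echo "MISSING-LIST $rel"; problems=$((problems + 1))
        elif [ ! -f "$dbhome/$rel.db" ]; then
            # squidGuard -C writes LIST.db next to the text list
            echo "NOT-COMPILED $rel"; problems=$((problems + 1))
        fi
    done
    # Everything under the db folder must belong to the account Squid runs as.
    bad=$(find "$dbhome" ! -uid "$owner_uid" -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WRONG-OWNER /'
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample tree: testdomains is compiled, BL/porn/domains is not.
sg_demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/db/BL/porn"
    printf 'msn.com\n' > "$d/db/testdomains"
    : > "$d/db/testdomains.db"
    printf 'example.invalid\n' > "$d/db/BL/porn/domains"
    cat > "$d/squidGuard.conf" <<'EOF'
dest adult {
   domainlist        BL/porn/domains
#  expressionlist    BL/porn/expressions
}
dest test {
    domainlist testdomains
}
EOF
    sg_preflight "$d/squidGuard.conf" "$d/db" "$(id -u)" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# On the Pi: sg_preflight /etc/squidguard/squidGuard.conf /var/lib/squidguard/db "$(id -u proxy)"
```

A squidGuard that cannot open a configured list reports "going into emergency mode" in its log under /var/log/squidguard and passes every request, so run this check after each recompile and before the browser test.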

 

Last Updated on Friday, 27 November 2015 13:47
 

Routing and Switching Essentials Practice Final - Packet Tracer 6


Lab Overview - Routing and Switching Essentials Practice Final

I designed this Packet Tracer 6 lab activity as a final review for the CCNA2: Routing and Switching Essentials. This lab covers many of the skill and knowledge areas necessary for the Cisco Academy CCNA5.0, Routing and Switching Essentials Final, Hands-on Lab Final and Packet Tracer Final. This Packet Tracer activity also includes IPv6 configurations that are covered in the new curriculum. You will need Packet Tracer 6.0.1 to open the activity file. The activity tracks your overall progress and provides feedback on correctly executed tasks. Here is a list of the knowledge and skill areas that it covers:

• IPv4 addressing and IPv6 addressing
• VLANs, Trunks and InterVLAN routing
• OSPFv2 and OSPFv3 for IPv6
• DHCPv4 as well as SLAAC and Stateless DHCPv6
• NAT for IPv4
• ACLs and IPv6 ACLs

The scoring is based on the total number of items correctly configured. Remember that when entering configurations the system is case sensitive. When you are finished, you should be able to communicate across the network. In this PT activity access to the CLI tab has not been disabled. Have fun!

 

Download

CCNA2_RoutingNSwitching-practice-final.zip

Note: You will need Packet Tracer version 6.0.1 to open this activity

 

Last Updated on Wednesday, 19 March 2014 15:42
 