[squid-users] SquidGuoard ignoring blacklist

[Dan Egli]

I'm trying to setup squidguard on my RH 8.0 box, and am having some 
problems. Hopefully someone can tell me what I did wrong.

I have squid, squidGuard, and the chastity-list all installed, and it 
looks ok, but when I try to visit any site on the blacklist from my 
browser, I get through. Shouldn't I get an error indicating that access 
was denied or something?  I'm attaching the squid.conf and 
squidGuard.conf files below, incase this helps.

--- Dan

squid.conf: (relevant portions at least)

#  TAG: redirect_program
#    Specify the location of the executable for the URL redirector.
#    Since they can perform almost any function there isn't one included.
#    See the Release-Notes for information on how to write one.
#    By default, a redirector is not used.
#
#Default:
# none
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard-chastity.conf
# ACCESS CONTROLS
# 
----------------------------------------------------------------------------- 

#  TAG: acl
#    Defining an Access List
#
#    acl aclname acltype string1 ...
#    acl aclname acltype "file" ...
#
#    when using "file", the file should contain one item per line
#
#    acltype is one of src dst srcdomain dstdomain url_pattern
#        urlpath_pattern time port proto method browser user
#
#    By default, regular expressions are CASE-SENSITIVE.  To make
#    them case-insensitive, use the -i option.
#
#    acl aclname src      ip-address/netmask ... (clients IP address)
#    acl aclname src      addr1-addr2/netmask ... (range of addresses)
#    acl aclname dst      ip-address/netmask ... (URL host's IP address)
#    acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#    acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#    acl aclname dstdomain   .foo.com ...    # Destination server from URL
#    acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#    acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#      # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
#      # based URL is used. The name "none" is used if the reverse lookup
#      # fails.
#
#    acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#        day-abbrevs:
#        S - Sunday
#        M - Monday
#        T - Tuesday
#        W - Wednesday
#        H - Thursday
#        F - Friday
#        A - Saturday
#        h1:m1 must be less than h2:m2
#    acl aclname url_regex [-i] ^http:// ...    # regex matching on 
whole URL
#    acl aclname urlpath_regex [-i] \.gif$ ...    # regex matching on 
URL path
#    acl aclname port     80 70 21 ...
#    acl aclname port     0-1024 ...        # ranges allowed
#    acl aclname myport   3128 ...        # (local socket TCP port)
#    acl aclname proto    HTTP FTP ...
#    acl aclname method   GET POST ...
#    acl aclname browser  [-i] regexp
#      # pattern match on User-Agent header
#    acl aclname ident    username ...
#    acl aclname ident_regex [-i] pattern ...
#      # string match on ident output.
#      # use REQUIRED to accept any non-null ident.
#    acl aclname src_as   number ...
#    acl aclname dst_as   number ...
#      # Except for access control, AS numbers can be used for
#      # routing of requests to specific caches. Here's an
#      # example for routing all requests for AS#1241 and only
#      # those to mycache.mydomain.net:
#      # acl asexample dst_as 1241
#      # cache_peer_access mycache.mydomain.net allow asexample
#      # cache_peer_access mycache_mydomain.net deny all
#
#    acl aclname proxy_auth username ...
#    acl aclname proxy_auth_regex [-i] pattern ...
#      # list of valid usernames
#      # use REQUIRED to accept any valid username.
#      #
#      # NOTE: when a Proxy-Authentication header is sent but it is not
#      # needed during ACL checking the username is NOT logged
#      # in access.log.
#      #
#      # NOTE: proxy_auth requires a EXTERNAL authentication program
#      # to check username/password combinations (see
#      # authenticate_program).
#      #
#      # WARNING: proxy_auth can't be used in a transparent proxy. It
#      # collides with any authentication done by origin servers. It may
#      # seem like it works at first, but it doesn't.
#
#    acl aclname snmp_community string ...
#      # A community string to limit access to your SNMP Agent
#      # Example:
#      #
#      #    acl snmppublic snmp_community public
#
#    acl aclname maxconn number
#      # This will be matched when the client's IP address has
#      # more than <number> HTTP connections established.
#
#    acl req_mime_type mime-type1 ...
#      # regex match agains the mime type of the request generated
#      # by the client. Can be used to detect file upload or some
#      # types HTTP tunelling requests.
#      # NOTE: This does NOT match the reply. You cannot use this
#      # to match the returned file type.
#
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
#    Allowing or Denying access based on defined access lists
#
#    Access to the HTTP port:
#    http_access allow|deny [!]aclname ...
#
#    NOTE on default values:
#
#    If there are no "access" lines present, the default is to deny
#    the request.
#
#    If none of the "access" lines cause a match, the default is the
#    opposite of the last line in the list.  If the last line was
#    deny, then the default is allow.  Conversely, if the last line
#    is allow, the default will be deny.  For these reasons, it is a
#    good idea to have an "deny all" or "allow all" entry at the end
#    of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
http_access allow localhost
http_access allow localnet
http_access deny all
#  TAG: icp_access
#    Allowing or Denying access to the ICP port based on defined
#    access lists
#
#    icp_access  allow|deny [!]aclname ...
#
#    See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from eveyone
icp_access allow all


squidGuard.conf:

#----------------------------------------------------------------
#   SquidGuard CONFIGURATION FILE
#----------------------------------------------------------------
# CONFIGURATION DIRECTORIES
dbhome /var/lib/chastity
logdir /var/log/squid
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
time workhours {
       weekly s 09:30-12:00 13:00-19:00
       weekly m 09:00-12:00 13:00-19:00
       weekly t 09:00-11:00 12:00-19:00
       weekly w 09:00-12:00 12:00-18:00
       weekly h 09:00-13:00 13:00-18:00
       weekly f 09:00-12:00 13:30-18:00
       weekly a 08:20-13:00 13:30-19:00
}
# SOURCE ADDRESSES:
#src privilegedsource {
#    iplist    /var/lib/squidguard/db/privilegedsource/ips
#}
#src bannedsource {
#    iplist    /var/lib/squidguard/db/bannedsource/ips
#}
#src lansource {
#    iplist /var/lib/squidguard/db/lansource/lan
#}
# DESTINATION CLASSES:

dest adult {
   domainlist adult/domains
   urllist adult/urls
   expressionlist  adult/expressions
#    log /var/log/squid/adult.log
}
dest audio-video {
   domainlist audio-video/domains
   urllist audio-video/urls
}
dest forums {
   domainlist forums/domains
   urllist forums/urls
   expressionlist  forums/expressions
}
dest hacking {
   domainlist hacking/domains
   urllist hacking/urls
}
dest redirector {
   domainlist redirector/domains
   urllist redirector/urls
   expressionlist  redirector/expressions
}
dest warez {
   domainlist warez/domains
   urllist warez/urls
}
dest ads {
   domainlist ads/domains
   urllist ads/urls
}
dest aggressive {
   domainlist aggressive/domains
   urllist aggressive/urls
}
dest drugs {
   domainlist drugs/domains
   urllist drugs/urls
}
dest gambling {
   domainlist gambling/domains
   urllist gambling/urls
}
dest violence {
   domainlist violence/domains
   urllist violence/urls
   expressionlist  violence/expressions
}
# ACLs
acl {
#    privilegedsource {
#        pass !adult all
#        redirect 
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u 

#
#    }
   
#    bannedsource {
#        pass none
#        redirect 
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u 

#
#    }
#    lansource {
#        pass !adult !audio-video !forums !hacking !redirector !warez 
!ads !aggressive !drugs !gambling !violence all
#        redirect 
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u 

#    }

   
   default {
       pass !adult !audio-video !forums !hacking !redirector !warez 
!ads !aggressive !drugs !gambling !violence all
       redirect 
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u 

   }
}