I'm glad you got it working.

> I finally found the problem.
I'm sorry that my previous suggestions weren't any help.

> The problem was file permissions! After 15 hours I
> finally found it!

Well, I tried to do the best I could with your "shotgun" reporting style. I did ask you to clarify your statement that "Squidguard log file shows no errors, everything is all right there." If you'll remember, I asked if the log was empty... because it should never be empty, unless the permissions are set wrong.

> I am really pissed,

So where do you direct your anger? Who is it that has failed you?

> since I lost so much time and
> there are 100s of walkthroughs and no one mentions this.

No one mentions *what*... file ownership and permissions?

Clip from the squidGuard FAQ <http://www.squidguard.org/faq/>

squidGuard does not block?

... squidGuard goes into emergency mode. Reasons may be syntax errors in the config file, reference to non-existing database files, file protection problems or missing directories. Check the squidGuard log.

Note: When run under Squid, squidGuard is run with the same user and group ID as Squid (cache_effective_user and cache_effective_group in squid.conf). The squidGuard configuration and database files must be readable for this user and/or group and the squidGuard log directory must be writable for this user and/or group. If not, squidGuard will go into the "pass all for all" emergency mode.

------- end of clip ----------

Clip from squidGuard configuration <http://www.squidguard.org/config/>

To avoid publishing to your users a complete guide to banned sites, you probably want to have some or all of these files protected by for instance:

    chmod 640 /wherever/filter/db/dest/adult/*
    chown cache_effective_user /wherever/filter/db/dest/adult/*
    chgrp cache_effective_group /wherever/filter/db/dest/adult/*

where cache_effective_user and cache_effective_group are the values for the corresponding tags as defined in squid.conf.
------- end of clip ----------

> It seems that you all out there have no problems with
> permissions and don't think that it is necessary to
> mention this, but I have recently migrated from Windows
> 98 and am a little lost with all these file permissions.

I've probably pointed out permission problems 2 or 3 times in just the past week right here on this mailing list. (I believe an archive is available, too.) I point out permissions as soon as I hear its symptoms. I would have pointed it out immediately to you had you reported that the log file was empty.

FWIW, I would imagine that more than half of us here were Windows-only users 3 to 5 years ago. We all had to learn it.

> Below I post a small FAQ, which covers some
> of the problems I believe are not mentioned
> anywhere else.

I have a couple of comments listed below.

> Squid:
> visible_hostname wrfan (who cares about
> this??? but squid doesn't want to work if
> it is not set)

My copy of squid included a squid.conf file that was about 80k; just packed with in-line documentation. I read through the file, made my changes when I knew what I needed, and in some cases I had to go study to find out what entry I needed. Here's the in-line documentation for visible_hostname:

    #  TAG: visible_hostname
    #       If you want to present a special hostname in error messages, etc,
    #       then define this.  Otherwise, the return value of gethostname()
    #       will be used. If you have multiple caches in a cluster and
    #       get errors about IP-forwarding you must set them to have individual
    #       names with this setting.
    #
    #Default:
    # none

> First of all, permissions have to be set
> rightly for Squid!!! If in root mode, the folders,
> in which the blacklist files are located (and the files
> themselves), have to be executable etc.

Everything that I read advised against running Squid as root. The blacklists do not need to be executable.
As was mentioned above from the configuration page:

    chmod 640 /wherever/filter/db/dest/adult/*

> Also Squid itself has to be configured correctly:

I confess that (here on the squidGuard mailing list) we expect squid was installed, configured and working properly before work started on squidGuard.

> Second, the domains blacklist seems to be completely
> useless and should be avoided. Urls is enough, one
> can include domains there too, otherwise it is confusing

Who wrote this stuff? I surely wouldn't listen to them! The explanation on the squidGuard site didn't explain this for you?

Clipped from <http://www.squidguard.org/doc/>:

The URL and domain matching is case insensitive. Thus http://www.what.ever.com/where/ever and http://wWw.wHat.evER.com/Where/Ever doesn't matter.

The protocol (proto://) prefixes are ignored by squidGuard in both domain and URL matching, but not in the regex matching.

Domain matching includes subdomains. Thus if you have a domainlist containing bad.com all these URLs will match that destination group since they are equal to or subdomains of bad.com:

    http://bad.com
    http://bad.com/whatever
    ftp://bad.com
    wais://bad.com
    http://www2.bad.com
    http://whatever.bad.com
    http://www56.whatever.bad.com

but not:

    http://www.verybad.com

unless www.verybad.com or verybad.com is in that list too.

The domain prefixes www[0-9]? and web[0-9]? are ignored by squidGuard in URL matching. Thus if you have an urllist containing "bar.com/~baduser" then all these URLs will match that destination group:

    http://bar.com/~baduser
    http://www.bar.com/~baduser/whatever
    http://www2.bar.com/~baduser/whatever/bar.html

but not:

    http://foo.bar.com/~baduser

unless foo.bar.com/~baduser is in that list too.

squidGuard will match subpaths for URLs.
Thus if you have an urllist containing "foo.bar.com/~baduser" then all these URLs will match that destination group:

    http://foo.bar.com/~baduser
    http://foo.bar.com/~baduser/
    http://foo.bar.com/~baduser/index.html
    http://foo.bar.com/~baduser/whatever/foo.html
    http://www.foo.bar.com/~baduser/whatever
    http://www2.foo.bar.com/~baduser/whatever/bar.html

but not:

    http://foo.bar.com/~baduserhome

nor

    http://foo.bar.com/~gooduser
    http://foo.bar.com/~gooduser/foo.html
    http://foo.bar.com/~gooduser/whatever/bar.html

unless foo.bar.com/~baduserhome and/or foo.bar.com/~gooduser is in that list too.

--------- End of clip -----------

I'm going to need to stop here for tonight, and pick back up on the rest tomorrow.

Rick Matthews

-----Original Message-----
From: PhoenixWR [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 6:47 PM
To: Rick Matthews
Subject: Re: squidguard does not work properly (or is it rather squid that doesn't redirect properly to squidguard)?

Hi, and thanks for your answer.

I finally found the problem. The problem was file permissions! After 15 hours I finally found it! I am really pissed, since I lost so much time and there are 100s of walkthroughs and no one mentions this. It seems that you all out there have no problems with permissions and don't think that it is necessary to mention this, but I have recently migrated from Windows 98 and am a little lost with all these file permissions.

Below I post a small FAQ, which covers some of the problems I believe are not mentioned anywhere else. But before that I would like to ask you, how can I use an anonymous proxy inside squid(guard), so that all non-blacklisted sites are opened through that proxy, while all blacklisted are blocked? After searching for some time on google I found a possibility to use an external anonymous proxy inside Squid, but unfortunately if it is switched on, ALL sites are redirected to that proxy, also the blacklisted ones.
Below are also a couple of questions, maybe you can answer them as well if you know the answers. In particular I am interested in blocking a domain altogether, also all second level domains, like, just as an example, squid.squidguard.com. If I insert squidguard into the urls blacklist file, all squidguard domains would be blocked, *.com, *.de etc, but not second level domains of that domain. Sure, I could insert second level domains, but I don't always know them, like with spyware producers like kazaa.com, hell knows which second level domains they have. In webwasher one could use *.webwasher.com, but squidguard doesn't understand the wildcard (*)?

:::

I) Specific intro for newbies:

Squid:

    visible_hostname wrfan (who cares about this??? but squid doesn't want to work if it is not set)
    redirect_program /usr/bin/squidGuard -c /etc/squidGuard/squidGuard.conf
    redirect_children 5

First of all, permissions have to be set rightly for Squid!!! If in root mode, the folders, in which the blacklist files are located (and the files themselves), have to be executable etc. Also the name of the user/group must be "squid" (default in the squid.conf):

    # cache_effective_user squid
    # cache_effective_group squid

Also Squid itself has to be configured correctly:

    #Recommended minimum configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access allow !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports

- Mozilla, e.g., demands the http_access allow !Safe_ports, while Opera doesn't care whether it is allow or deny. Those stupid browsers don't stick to the standards, this is for sure.

Second, the domains blacklist seems to be completely useless and should be avoided.
Urls is enough, one can include domains there too, otherwise it is confusing.

Third, inserting a domain blocks it with and without www, so inserting webwasher.com blocks www.webwasher.com and http://webwasher.com. Inserting a url webwasher.com/sucks.htm blocks only the sucks.htm page, but not the whole domain, i.e., the other pages...whatever. If you want to blacklist all sites with a certain word in it, insert just the word: webwasher blocks webwasher.com, org, de etc.:

----------------------------------------------------
unsure about this:

but not the second level domains of webwasher, like sucks.webwasher.com. How to do this? In webwasher *.webwasher.com blocks all second level domains, but not in SquidGuard, it doesn't understand the wildcard (?)

Is lookup of ips of respective corresponding domains possible to blacklist them as well? Apache 2 proxy module supports this... unfortunately the proxy module doesn't work properly yet, seems to be full of bugs, since in beta mode. Would be interesting whether SquidGuard can do this, otherwise we have to insert the ip and domain twice, and update database twice, and reconfigure Squid twice and... well, you see, this pretty much sucks.
---------------------------------------------------------------

Fourth: the procedure:

insert the blacklisted url into urls file, save file.

update database:

    squidGuard -C file|all

("squidGuard -C all" is ok, I guess, takes just a second. Why the capital letter C is used to distinguish from the also used small letter c instead of some other letter, has remained a riddle for me...)
reconfigure Squid (yes, right, so much for the "squid doesn't have to be restarted/reconfigured with the latest version of squidguard"...):

    squid -k reconfigure

II) General:

squidGuard:

a) select an alternative file:

    /usr/bin/squidGuard -c /etc/squidGuard/squidGuard.conf

b) show version:

    squidGuard -v

--------------------
unsure:
c) update *.db files from *.diff files (whatever this is??):

    squidGuard -u

-------------------------------
d) Update database:

    squidGuard -C file|all   (what does file stand for?)
    squidGuard -C domains
    squidGuard -C urls
    squidGuard -C all

---------------------------------------
unsure about this:
or reread conf file with squidguard:

    killall -HUP squid

whatever... doesn't seem to work
---------------------------------------------
unsure about this:
squidguard (total restart?):

    squidGuard -c /etc/squidGuard/squidGuard.conf -u

--> is also a combination possible?:

    squidGuard -c /etc/squidGuard/squidGuard.conf -C all -u

-----------------------------------------

Squid:

a) shutdown:

    squid -k shutdown

b) newstart:

    squid

c) reconfigure:

    squid -k reconfigure

--------------------------------
unsure:
d) squid restart:

    shutdown -r now (???)
------------------------------------

My squidGuard config file:
--------------------------------------------------------------------

    #----------------------------------------------------------------
    # SquidGuard CONFIGURATION FILE
    #----------------------------------------------------------------

    # CONFIGURATION DIRECTORIES
    dbhome /usr/share/squidGuard-1.2.0/db
    logdir /var/log/squidGuard/log

    # TIME RULES:
    # abbrev for weekdays:
    # s = sun, m = mon, t = tue, w = wed, h = thu, f = fri, a = sat
    time workhours {
        weekly s 09:30-12:00 13:00-19:00
        weekly m 09:00-12:00 13:00-19:00
        weekly t 09:00-11:00 12:00-19:00
        weekly w 09:00-12:00 12:00-18:00
        weekly h 09:00-13:00 13:00-18:00
        weekly f 09:00-12:00 13:30-18:00
        weekly a 08:20-13:00 13:30-19:00
    }

    # SOURCE ADDRESSES:
    src privilegedsource {
        iplist privilegedsource/ips
    }
    src bannedsource {
        iplist bannedsource/ips
    }
    src lansource {
        iplist lansource/lan
    }

    # DESTINATION CLASSES:
    dest porn {
        domainlist porn/domains
        urllist porn/urls
        expressionlist porn/expressions
    }
    dest adult {
        domainlist adult/domains
        urllist adult/urls
        expressionlist adult/expressions
    }
    dest audio-video {
        domainlist audio-video/domains
        urllist audio-video/urls
    }
    dest forums {
        domainlist forums/domains
        urllist forums/urls
        expressionlist forums/expressions
    }
    dest hacking {
        domainlist hacking/domains
        urllist hacking/urls
    }
    dest redirector {
        domainlist redirector/domains
        urllist redirector/urls
        expressionlist redirector/expressions
    }
    dest warez {
        domainlist warez/domains
        urllist warez/urls
    }
    dest ads {
        domainlist ads/domains
        urllist ads/urls
    }
    dest aggressive {
        domainlist aggressive/domains
        urllist aggressive/urls
    }
    dest drugs {
        domainlist drugs/domains
        urllist drugs/urls
    }
    dest gambling {
        domainlist gambling/domains
        urllist gambling/urls
    }
    dest publicite {
        domainlist publicite/domains
        urllist publicite/urls
        expressionlist publicite/expressions
    }
    dest violence {
        domainlist violence/domains
        urllist violence/urls
        expressionlist violence/expressions
    }
    dest banneddestination {
        domainlist banneddestination/domains
        urllist banneddestination/urls
        expressionlist banneddestination/expressions
    }
    dest advertising {
        domainlist advertising/domains
        urllist advertising/urls
        redirect http://127.0.0.1:81/squidGuard/nulbanner.png
        log /var/log/squidGuard/log/advertising.log
    }
    dest myown {
        domainlist myown/domains
        urllist myown/urls
        log /usr/share/squidGuard-1.2.0/db/myown/myown
    }

    # ACLs
    rewrite groupi {
    }

    acl {
        privilegedsource {
            pass !advertising all
            redirect http://127.0.0.1:81/squidGuard/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
        }
        bannedsource {
            pass none
            redirect http://127.0.0.1:81/squidGuard/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
        }
        lansource {
            pass !adult !audio-video !forums !hacking !redirector !warez !ads !aggressive !drugs !gambling !publicite !violence !banneddestination !advertising all
            redirect http://127.0.0.1:81/squidGuard/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
        }
        default {
            pass !myown all
            redirect http://127.0.0.1:81/squidGuard/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
        }
    }

-------------------------------------------------------------------

----- Original Message -----
From: "Rick Matthews" <[EMAIL PROTECTED]>
To: "PhoenixWR" <[EMAIL PROTECTED]>
Cc: "Squidguard Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 17, 2002 8:06 AM
Subject: RE: squidguard does not work properly (or is it rather squid that doesn't redirect properly to squidguard)?

> I am really sorry that you put so much time into your testing
> without success! It might help if I give you the run-down on a few
> of the frequently reported issues and their resolution, along with a
> comment or two about the results that you've posted.
>
> > Squidguard log file shows no errors,
> > everything is all right there.
>
> I don't mean to question your report, but are you saying that the
> squidGuard log shows nothing?
> or that it shows all the right things
> and no errors? For example, if your only defined destination in
> squidGuard.conf was porn/domains and porn/urls, and your squid.conf
> specified "redirect_children 4", and using the dbhome that you list
> below, you should see something like the following in squidGuard.log
> when you restart squid: ("Date Time [pid]" in front of each line
> removed)
> ------- Sample of good log ----------------
> init domainlist /usr/local/squidGuard/db/porn/domains
> loading dbfile /usr/local/squidGuard/db/porn/domains.db
> init urllist /usr/local/squidGuard/db/porn/urls
> loading dbfile /usr/local/squidGuard/db/porn/urls.db
> squidGuard 1.1.4 started
> squidGuard ready for requests
> init domainlist /usr/local/squidGuard/db/porn/domains
> loading dbfile /usr/local/squidGuard/db/porn/domains.db
> init urllist /usr/local/squidGuard/db/porn/urls
> loading dbfile /usr/local/squidGuard/db/porn/urls.db
> squidGuard 1.1.4 started
> squidGuard ready for requests
> init domainlist /usr/local/squidGuard/db/porn/domains
> loading dbfile /usr/local/squidGuard/db/porn/domains.db
> init urllist /usr/local/squidGuard/db/porn/urls
> loading dbfile /usr/local/squidGuard/db/porn/urls.db
> squidGuard 1.1.4 started
> squidGuard ready for requests
> init domainlist /usr/local/squidGuard/db/porn/domains
> loading dbfile /usr/local/squidGuard/db/porn/domains.db
> init urllist /usr/local/squidGuard/db/porn/urls
> loading dbfile /usr/local/squidGuard/db/porn/urls.db
> squidGuard 1.1.4 started
> squidGuard ready for requests
> -------- End of Sample -------------
>
> > only the paths are a little different on my system
>
> What does that mean? Are you saying that your squidGuard.conf file
> points to one place and the files are in another place? Otherwise,
> why show us one config file while you are using another? There's
> additional room for error, right there.
>
> You don't mention any version numbers, but there are a couple of
> issues with the Berkeley db that you need to be aware of, and the
> documentation on the squidGuard site is wrong. This information is
> very important:
>
> --- clipped from
> http://www.maynidea.com/squidguard/faq-plus.html -----
> Squidguard 1.20 requires version 3.29 of the Berkeley db. It won't
> work with version 2.27, nor will it work with 4.0. The assertion
> that configure makes about requiring 3.2.* or later is not really
> correct. SquidGuard needs 3.2.x (not sure which version is too
> low) and we know specifically that it works quite nicely with
> 3.2.9. I have tried it with 3.3.x and it craps out every time.
> Same with 2.7.7. (Thanks to Robert Nickel for these specifics).
> (It has been reported that squidguard 1.20 will work with other
> versions of the db if you are using plain text files for your
> blacklists; in other words, if there are no *.db files in your
> blacklist directories. This can really slow down the startup time of
> squid/squidguard, but otherwise may not be harmful.)
>
> Squidguard 1.14, on the other hand, requires Berkeley 2.27.
> You can have version 2.27 and 3.2x installed at the same time.
> -------------- End of clip -----------------
>
> You mentioned "webAdmin"; is this the same program as Webmin
> <http://www.webmin.com/>? If so, are you using the squidGuard module
> inside of Webmin? I'd recommend setting up squidGuard without using
> the webmin module, then switch back after you have it running like
> you want it. The Webmin module for squidGuard overlays its own
> quirky personality over squidGuard.
>
> Try adding a logfile statement in your destination group
> declaration, like this:
>
> dest porn {
>     domainlist porn/domains
>     urllist porn/urls
>     logfile /usr/local/squidGuard/log/porn.log
> }
>
> Then squidGuard will log to porn.log every time it blocks
> because of porn/domains or porn/urls.
> Here's an entry from porn.log
> (normally all on one line):
> ------------ Log entry -----------
> 2002-04-15 23:08:23 [1180]
> Request(kids/porn/-) http://www.whitehouse.com/ 192.168.44.2/- - GET
> ----------------------------------
>
> I hope that helps! Come back and let us know.
>
> Rick Matthews
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of PhoenixWR
> Sent: Tuesday, April 16, 2002 7:28 PM
> To: [EMAIL PROTECTED]
> Subject: squidguard does not work properly (or is it rather squid
> that doesn't redirect properly to squidguard)?
>
>
> Squid and squidguard were installed by mandrake linux, so I didn't
> have to compile them. I configured squid to use squidguard and tried
> it out, but it doesn't work properly. The results are indeed very
> strange. I used a simple config file for squidguard which looks like
> this:
>
> logdir /usr/local/squidGuard/log
> dbhome /usr/local/squidGuard/db
>
> dest porn {
>     domainlist porn/domains
>     urllist porn/urls
> }
>
> acl {
>     default {
>         pass !porn all
>         redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
>     }
> }
>
> only the paths are a little different on my system. Now, the strange
> thing is that it sometimes works and sometimes does not. Using a
> proxy in Opera and Mozilla browsers I tried, and still, often I
> could open the blacklisted websites in the /porn/domains. Also the
> strange thing is that redirection works better if the proxy in
> Mozilla is 127.0.0.1:3128 and not localhost:3128, which seems to be
> a Mozilla problem (?). Anyway, after trying for 10 hours without
> much success, I ended with the following situation:
>
> blocking doesn't work at all!
> only if the config file looks like
> this:
>
> logdir /usr/local/squidGuard/log
> dbhome /usr/local/squidGuard/db
>
> # dest porn {
> #     domainlist porn/domains
> #     urllist porn/urls
> # }
>
> acl {
>     default {
>         pass none
>         redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
>     }
> }
>
> then all websites are indeed blocked, but if I uncomment the dest
> directives, while leaving the default=none, it again doesn't work.
> Blocking of porn blacklisted domains doesn't work at all now. I just
> don't understand why, it did work first, even if not all the time,
> which is very very strange. Squidguard log file shows no errors,
> everything is all right there. Maybe I didn't configure Squid
> properly? I added the redirect_program and redirect_children. All
> the paths are correct, I checked and double-checked 1 mio times.
>
> Also, even if it worked, it's rather uncomfortable to use, because
> you have to add the blocked sites to the database, rebuild the *.db
> files using squidguard and then restart squid. Yes, I know, somebody
> said that with version 1.2 of squidguard you don't have to restart
> squid, but this is not true, the changes only take place if I
> restart squid or click on "apply changes" in webAdmin, a programme
> which allows one to configure all servers through the browser on a secure
> connection, localhost port 10000. It is part of mandrake linux, but I
> think it can also be downloaded from the net. Anyway, this is very
> uncomfortable and takes too much time. I would rather like to use
> webwasher like on windows, but it seems one has to pay, otherwise
> the linux shareware version will not work properly with opera.
>
> I think there is a way to block websites using the apache server
> module mod_proxy, i.e. using apache as a proxy server. But is it
> also possible to rewrite the blocked sites using the re_write
> module? maybe you know, then please email me.
>
> Anyway, I would like to know how to configure Squid, because I think
> the problems are rather due to squid than to squidguard. If you know
> how to configure squid in order to force it to redirect, please
> email me.
>
> Regards,
> Gerhart
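The FAQ note quoted in Rick Matthews' reply at the top of this thread describes a fail-open condition: when the config or database files are not readable, or the log directory is not writable, by cache_effective_user/group, squidGuard drops into "pass all for all" emergency mode and the filter silently stops blocking. The following is an added example written for this thread, not squidGuard's own code and not from anyone posting here: a preflight check that parses the paths out of squidGuard.conf and evaluates the mode bits on behalf of a given uid/gid, so it can be run as root before squid is started. The file layout built in demo() is constructed; the check ignores supplementary groups, ACLs and the search bits of parent directories.

```python
import os
import stat
import tempfile
from pathlib import Path

def parse_squidguard_conf(text):
    """Collect dbhome, logdir and every list file a dest block refers to."""
    conf = {"dbhome": "", "logdir": "", "lists": []}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) > 1 and words[0] in ("dbhome", "logdir"):
            conf[words[0]] = words[1]
        elif len(words) > 1 and words[0] in ("domainlist", "urllist", "expressionlist"):
            conf["lists"].append(words[1])
    return conf

def can_access(path, uid, gid, write=False):
    """Mode-bit check on behalf of uid/gid from stat(), usable by root without
    switching identity; supplementary groups, ACLs and dir search bits ignored."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_uid == uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid == gid:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return uid == 0 or bool(st.st_mode & (w if write else r))

def emergency_mode_causes(conf_path, uid, gid):
    """Conditions that would push squidGuard into "pass all for all" for this
    uid/gid; an empty list means the check passed."""
    if not can_access(conf_path, uid, gid):
        return [f"config not readable: {conf_path}"]
    with open(conf_path) as fh:
        conf = parse_squidguard_conf(fh.read())
    problems = []
    if not can_access(conf["logdir"], uid, gid, write=True):
        problems.append(f"logdir not writable: {conf['logdir']}")
    for rel in conf["lists"]:
        base = os.path.join(conf["dbhome"], rel)
        # the compiled .db built by squidGuard -C is used when present
        target = base + ".db" if os.path.exists(base + ".db") else base
        if not os.path.exists(target):
            problems.append(f"list file missing: {target}")
        elif not can_access(target, uid, gid):
            problems.append(f"list not readable: {target}")
    return problems

def demo():
    # Constructed layout: a list and a logdir left owner-only (as when root built
    # them), then fixed as the FAQ advises, checked for a uid sharing only the group.
    root = Path(tempfile.mkdtemp())
    db, log = root / "db", root / "log"
    (db / "porn").mkdir(parents=True)
    log.mkdir(0o700)
    lst, conf = db / "porn" / "domains", root / "squidGuard.conf"
    lst.write_text("bad.com\n")
    conf.write_text(f"dbhome {db}\nlogdir {log}\n"
                    "dest porn {\n  domainlist porn/domains\n}\n")
    conf.chmod(0o644)
    squid = (os.getuid() + 1, os.getgid())
    lst.chmod(0o600)
    before = emergency_mode_causes(conf, *squid)
    lst.chmod(0o640)        # chmod 640 + chgrp cache_effective_group
    log.chmod(0o770)        # logdir writable for the squid group
    return before, emergency_mode_causes(conf, *squid)
```

On a real host, resolve cache_effective_user and cache_effective_group from squid.conf with pwd.getpwnam/grp.getgrnam and pass those ids instead of the constructed ones; a non-empty result is the same condition that leaves the squidGuard log empty.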
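The matching rules in the documentation clip quoted in Rick Matthews' reply above (case folding, ignored proto:// prefixes, subdomain matching for a domainlist, the ignored www[0-9]?/web[0-9]? prefix and the subpath rule for an urllist) are easier to see as code. This is an added model of those rules written for this thread, not squidGuard's matcher; treating an urllist entry that has no path as covering every path under that host is an assumption of the model. It also answers the question about sucks.webwasher.com: a domainlist entry webwasher.com covers its subdomains, while an urllist entry never matches a different host.

```python
import re
from urllib.parse import urlsplit

# Host prefixes squidGuard ignores in urllist matching (from the docs clip).
IGNORED_PREFIX = re.compile(r"^(www|web)[0-9]?\.")

def split_url(url):
    """(host, path) with the proto:// prefix dropped and case folded, which is
    how the docs say both domain and URL matching treat their input."""
    if "://" not in url:
        url = "http://" + url      # bare "host/path" entries from a list file
    parts = urlsplit(url.lower())
    return parts.hostname or "", parts.path or "/"

def domain_matches(domainlist, url):
    """domainlist semantics: the host is equal to, or a subdomain of, an entry."""
    host, _ = split_url(url)
    return any(host == d or host.endswith("." + d)
               for d in (e.lower().strip("/") for e in domainlist))

def url_matches(urllist, url):
    """urllist semantics: the host must equal the entry's host once an ignored
    www[0-9]?/web[0-9]? prefix is dropped (entries are written without it),
    and the path must be the entry's path or a subpath of it, so that
    ~baduser does not match ~baduserhome."""
    host, path = split_url(url)
    host = IGNORED_PREFIX.sub("", host)
    for entry in urllist:
        e_host, e_path = split_url(entry)
        e_path = e_path.rstrip("/") or "/"
        if host != e_host:
            continue
        # an entry with no path is taken to cover every path (assumption)
        if e_path == "/" or path == e_path or path.startswith(e_path + "/"):
            return True
    return False

def blocked(domainlist, urllist, url):
    """A dest group blocks when either of its lists matches the request."""
    return domain_matches(domainlist, url) or url_matches(urllist, url)
```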
