{{tag>Brouillon Web Proxy}}
= Filtrage web avec SquidGuard
Listes :
* https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext
''/etc/squid/squid.conf''
cache_peer localhost parent 8118 0 default no-query no-digest no-netdb-exchange
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl Safe_ports port 9920 # JIRA
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
hosts_file /etc/hosts
coredump_dir /var/spool/squid
header_access From deny all
header_access Server deny all
#header_access WWW-Authenticate deny all
header_access Link deny all
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
header_access Referer deny all
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 10
never_direct allow all
''/etc/squidguard/squidGuard.conf''
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /var/lib/squidguard/db
logdir /var/log/squid
src allusers {
ip 127.0.0.1/32
}
dest white {
domainlist white/domains
urllist white/urls
log dest_white.log
}
dest adblock {
expressionlist adblock/expressions
log dest_adblock.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest adult1 {
domainlist tlse/adult/domains
urllist tlse/adult/urls
expressionlist tlse/adult/very_restrictive_expression
log dest_adult1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest gambling1
{
domainlist tlse/gambling/domains
urllist tlse/gambling/urls
log dest_gambling1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest phishing1
{
domainlist tlse/phishing/domains
urllist tlse/phishing/urls
log dest_phishing1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest publicite1
{
domainlist tlse/publicite/domains
urllist tlse/publicite/urls
expressionlist tlse/publicite/expressions
log dest_publicite1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest malware1
{
domainlist tlse/malware/domains
urllist tlse/malware/urls
expressionlist tlse/malware/expressions
log dest_malware1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest marketingware1
{
domainlist tlse/marketingware/domains
urllist tlse/marketingware/urls
log dest_marketingware1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest dating1
{
domainlist tlse/dating/domains
urllist tlse/dating/urls
log dest_dating1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest mobile1
{
domainlist tlse/mobile-phone/domains
urllist tlse/mobile-phone/urls
log dest_mobile1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest social1
{
domainlist tlse/social_networks/domains
log dest_social1.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest ads2
{
domainlist mesd/ads/domains
urllist mesd/ads/urls
log dest_ads2.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest gambling2
{
domainlist mesd/gambling/domains
urllist mesd/gambling/urls
log dest_gambling2.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest porn2
{
domainlist mesd/porn/domains
urllist mesd/porn/urls
log dest_porn2.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest spyware2
{
domainlist mesd/spyware/domains
urllist mesd/spyware/urls
log dest_spyware2.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest suspect2
{
domainlist mesd/suspect/domains
urllist mesd/suspect/urls
log dest_suspect2.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest adult3
{
domainlist isak/Adult_domains.txt
urllist isak/Adult_urls.txt
log dest_adult3.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest ads3
{
domainlist isak/Advertisements_domains.txt
urllist isak/Advertisements_urls.txt
log dest_ads3.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest gambling3
{
domainlist isak/Gambling_domains.txt
urllist isak/Gambling_urls.txt
log dest_gambling3.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest phishing3
{
domainlist isak/Phishing_domains.txt
urllist isak/Phishing_urls.txt
log dest_phishing3.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest spyware3
{
domainlist isak/Spyware_domains.txt
log dest_spyware3.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest mobile3
{
domainlist isak/Mobilephones_domains.txt
urllist isak/Mobilephones_urls.txt
log dest_mobile3.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
dest jibe
{
domainlist jibe/domains
urllist jibe/urls
log dest_jibe.log
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
acl {
allusers {
pass white !gambling1 !gambling2 !gambling3 !phishing1 !phishing3 !publicite1 !ads2 !ads3 !malware1 !spyware2 !spyware3 !marketingware1 !suspect2 !mobile1 !mobile3 !jibe any
redirect http://localhost/cgi-bin/squidGuard.cgi?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u
}
default {
pass none
}
}
''squid-install.sh''
#! /bin/bash
mkdir -p /var/lib/squidguard/db/white
mkdir -p /var/lib/squidguard/db/jibe
mkdir -p /var/lib/squidguard/db/adblock
# Creation fichiers
echo "\
video.google.com
mts1.google.com
mts0.google.com
maps.google.com
mt0.google.com
mt1.google.com
code.google.com" >/var/lib/squidguard/db/white/domains
echo "\
www.google.com/recaptcha/" >/var/lib/squidguard/db/white/urls
touch /var/lib/squidguard/db/adblock/expressions
echo "\
facebook.com
facebook.net
fbcdn.com
fbcdn.net
fbshare.me
twitter.com
twimg.com
addthis.com
google-analytics.com
google.fr
google.com
1e100.net
googleapis.com
gmodules.com
stats.buzzea.com
data.gosquared.com
d1l6p2sc9645hc.cloudfront.net
d1ros97qkrwjf5.cloudfront.net
fstatic.iadvize.com
flux.com
meetic-partners.com
stats.wattimpact.com
els.a4.tl
radar.cedexis.com
greatviews.de
get.adobe.com
#microsoft.com
ie.microsoft.com
windowsupdate.microsoft.com
update.microsoft.com
download.windowsupdate.com
live.com
latestdl.info
#go-mono.com
traficmax.com
atdmt.com
r.msn.com
#msn.com
yesmessenger.com
yes-messenger.com
sexe4x.com
clic.ws
publicite-sexe.com
adtech.de
adultfriendfinder.com
datasecureprocess.com
tvwebgay.com
partie-membres.com
piximedia.fr
piximedia.com
tns-counter.ru
mc.yandex.ru
direction-x.com
empiredusexe.com
thumbs-share.com
the-adult-company.com
plugin-x.com
xcams.com
lescelibataires.net
sexxxtape.net
vador.com
pub.oumma.com
acces-charme.com
pornattitude.com" > /var/lib/squidguard/db/jibe/domains
echo "\
clck.yandex.com/
fr.search.yahoo.com/r/
wwwimages.adobe.com/www.adobe.com/images/shared/download_buttons/
www.adobe.com/images/shared/download_buttons/
www.topachat.com/images/bandeaux/
go-mono.com/moonlight/
www.microsoft.com/getsilverlight/
go.microsoft.com/fwlink/?LinkId=161376
yandex.st/serp/31.89/pages/foreign/_foreign.js" > /var/lib/squidguard/db/jibe/urls
# Droits fichiers
chown proxy: /var/lib/squidguard/db/jibe/urls /var/lib/squidguard/db/jibe/domains /var/lib/squidguard/db/white/domains /var/lib/squidguard/db/white/urls /var/lib/squidguard/db/adblock/expressions
''squid-update.sh''
#! /bin/bash
# Definition des variables
squiddb="/var/lib/squidguard/db"
tmp_folder="/tmp"
lst_logs_dest="dest_adblock.log dest_ads2.log dest_ads3.log dest_adult1.log dest_adult3.log dest_dating1.log dest_gambling1.log dest_gambling2.log dest_gambling3.log dest_malware1.log dest_marketingware1.log dest_mobile1.log dest_mobile3.log dest_phishing1.log dest_phishing3.log dest_porn2.log dest_publicite1.log dest_social1.log dest_spyware2.log dest_spyware3.log dest_suspect2.log dest_white.log dest_jibe.log";
cd $tmp_folder
exec 2>$tmp_folder/squid-update.err
#exec 1>$tmp_folder/squid-update.log
# Fin normal
fin_ok() {
echo "FIN."
cat $tmp_folder/squid-update.err
exit 0
}
# Fin erreur
fin_err() {
echo -e "ERREUR: \n"
cat $tmp_folder/squid-update.err
exit 1
}
# Cleanning des Logs
clean() {
rm -f /var/log/squid/*.gz 2>/dev/null
rm -f /var/log/squid/*[0-9] 2>/dev/null
rm -f /var/log/privoxy/*.gz
rm -f /var/log/squidguard/*.[0-9]
echo "" > /var/log/dansguardian/access.log
echo "" > /var/log/privoxy/logfile
echo "" > /var/log/squid/squidGuard.log
echo "" > /var/log/squid/cache.log
echo "" > /var/log/squid/access.log
echo "" > /var/log/squid/store.log
for fic in $lst_logs_dest
do
echo "" >/var/log/squid/${fic}
done
}
# Téléchargement des blacklists et expressions régulière (adblock)
download() {
#wget -nv -N http://adblockplus.mozdev.org/easylist/liste_fr+easylist.txt;
wget -nv -N ftp://ftp.univ-tlse1.fr/blacklist/blacklists.tar.gz && mv blacklists.tar.gz tlse.tar.gz
wget -nv -N http://squidguard.mesd.k12.or.us/blacklists.tgz && mv blacklists.tgz mesd.tar.gz
wget -nv -N http://download.isak.gplindustries.com/isakurldbtext.tar.gz && mv isakurldbtext.tar.gz isak.tar.gz
}
# Décompression des lists
uncompress() {
tar xzf tlse.tar.gz && rm -rf /var/lib/squidguard/db/tlse && mv -f blacklists ${squiddb}/tlse
tar xzf mesd.tar.gz && rm -rf /var/lib/squidguard/db/mesd && mv -f blacklists ${squiddb}/mesd
tar xzf isak.tar.gz && rm -rf /var/lib/squidguard/db/isak && mv -f isakurldbtext ${squiddb}/isak
}
# Mise à jour
update() {
#/usr/share/doc/adzapper/examples/update-zapper
#cat $tmp_folder/liste_fr+easylist.txt | sed -f $tmp_folder/adblock.sed > /var/lib/squidguard/db/adblock/expressions
squidGuard -C all;
}
# Définition des droits
droits() {
chown -R proxy:proxy /var/log/squid;
chown -R proxy:proxy /var/lib/squidguard;
chmod -R 760 /var/lib/squidguard/db;
}
##### DEBUT
clean || fin_err;
echo -e "1. Cleanning des Logs \t\t\t\t [OK]";
download || fin_err;
echo -e "2. Téléchargement des listes \t\t\t [OK]";
uncompress || fin_err;
echo -e "3. Décompression des listes \t\t\t [OK]";
update || fin_err;
echo -e "4. Mise à jour \t\t\t\t\t [OK]";
droits || fin_err;
echo -e "5. Définition des droits sur les fichiers \t [OK]\n";
killall -1 squid;
fin_ok;
Autre système de filtrage :
* stay focused
* detoxify
* bulldog blocker
* pluckeye