killtec

Squidguard Config Problem

Hello,
I have Squid with SquidGuard running on my LAN. However, all addresses are blocked or redirected to default.
I can't see a config error at the moment. Here is part of the squidguard.conf

#
# CONFIG FILE FOR SQUIDGUARD
#

#
# VERSION: 1.0
#

dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard

#
# SOURCE ADDRESSES:
#

src localnetwork {
        ip 10.10.0.0/16
}


#
# DESTINATION CLASSES:
#
dest block{
        domainlist      block/domains
        urllist         block/urls
}

# Further definitions (the acl section; the opening "acl {" belongs here, as in the full file)

acl {
	localnetwork {
		pass	whitelist !block !adv !aggressive !alcohol !anonvpn !automobile/cars !automobile/bikes !automobile/boats !automobile/planes !chat !costtraps !dating !downloads !drugs !dynamic !education/schools !finance/banking !finance/insurance !finance/moneylending !finance/other !finance/realestate !finance/trading !fortunetelling !forum !gamble !government !hacking !hobby/cooking !hobby/games-misc !hobby/games-online !hobby/gardening !hobby/pets !homestyle !hospitals !imagehosting !isp !jobsearch !library !military !models !movies !music !news !podcasts !politics !porn !radiotv !recreation/humor !recreation/martialarts !recreation/restaurants !recreation/sports !recreation/travel !recreation/wellness !redirector !religion !remotecontrol !ringtones !science/astronomy !science/chemistry !searchengines !sex/lingerie !sex/education !shopping !socialnet !spyware !tracker !updatesites !urlshortener !violence !warez !weapons !webmail !webphone !webradio !webtv all
		redirect	http://10.10.0.3/block
	}

	default {
		pass none
		redirect http://10.10.0.3
	}
}

The whole thing previously ran with other IPs. I only changed those in the squidguard.conf.

Content-ID: 600106

Url: https://administrator.de/contentid/600106


Looser27 28.08.2020 at 08:41:04
Morning,

was your redirect address always part of the src network (i.e. also before your change)?
Restarted the service? Anything noticeable in the logs?

Regards

Looser
killtec 28.08.2020 at 09:52:09
Hi,
it does do a redirect and says it is blocking.
But yes, the redirect IP is the same as the proxy IP. There is also an Apache on it for the message saying what was blocked.

Regards
Looser27 28.08.2020 at 10:31:09
!webtv all

doesn't that have to be
!all
?
killtec 28.08.2020 at 11:32:44
Hi,
no, it is supposed to let the rest ("all") through, hence without the exclamation mark (without negation).
killtec 28.08.2020 updated at 12:44:04
For completeness, here are the complete squid.conf and squidguard.conf

squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)  
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user  
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# own config
redirect_program /usr/sbin/squidGuard -c /etc/squidguard.conf

squidguard.conf
#
# CONFIG FILE FOR SQUIDGUARD
#

#
# VERSION: 1.0
#

dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard

#
# SOURCE ADDRESSES:
#

src localnetwork {
	ip 10.10.0.0/16
}


#
# DESTINATION CLASSES:
#

dest block{
	domainlist	block/domains
	urllist		block/urls
}

dest adv{
	domainlist 	adv/domains
	urllist		adv/urls
}

dest aggressive{
	domainlist 	aggressive/domains
	urllist		aggressive/urls
}

dest alcohol{
	domainlist 	alcohol/domains
	urllist		alcohol/urls
}

dest anonvpn{
	domainlist 	anonvpn/domains
	urllist		anonvpn/urls
}

dest automobile/cars{
	domainlist 	automobile/cars/domains
	urllist		automobile/cars/urls
}

dest automobile/bikes{
	domainlist 	automobile/bikes/domains
	urllist		automobile/bikes/urls
}

dest automobile/boats{
	domainlist 	automobile/boats/domains
	urllist		automobile/boats/urls
}

dest automobile/planes{
	domainlist 	automobile/planes/domains
	urllist		automobile/planes/urls
}

dest chat{
	domainlist 	chat/domains
	urllist		chat/urls
}

dest costtraps{
	domainlist 	costtraps/domains
	urllist		costtraps/urls
}

dest dating{
	domainlist 	dating/domains
	urllist		dating/urls
}

dest downloads{
	domainlist 	downloads/domains
	urllist		downloads/urls
}

dest drugs{
	domainlist 	drugs/domains
	urllist		drugs/urls
}

dest dynamic{
	domainlist 	dynamic/domains
	urllist		dynamic/urls
}

dest education/schools{
	domainlist 	education/schools/domains
	urllist		education/schools/urls
}

dest finance/banking{
	domainlist 	finance/banking/domains
	urllist		finance/banking/urls
}

dest finance/insurance{
	domainlist 	finance/insurance/domains
	urllist		finance/insurance/urls
}

dest finance/moneylending{
	domainlist 	finance/moneylending/domains
	urllist		finance/moneylending/urls
}

dest finance/other{
	domainlist 	finance/other/domains
	urllist		finance/other/urls
}

dest finance/realestate{
	domainlist 	finance/realestate/domains
	urllist		finance/realestate/urls
}

dest finance/trading{
	domainlist 	finance/trading/domains
	urllist		finance/trading/urls
}

dest fortunetelling{
	domainlist 	fortunetelling/domains
	urllist		fortunetelling/urls
}

dest forum{
	domainlist 	forum/domains
	urllist		forum/urls
}

dest gamble{
	domainlist 	gamble/domains
	urllist		gamble/urls
}

dest government{
	domainlist 	government/domains
	urllist		government/urls
}

dest hacking{
	domainlist 	hacking/domains
	urllist		hacking/urls
}

dest hobby/cooking{
	domainlist 	hobby/cooking/domains
	urllist		hobby/cooking/urls
}

dest hobby/games-misc{
	domainlist 	hobby/games-misc/domains
	urllist		hobby/games-misc/urls
}

dest hobby/games-online{
	domainlist 	hobby/games-online/domains
	urllist		hobby/games-online/urls
}

dest hobby/gardening{
	domainlist 	hobby/gardening/domains
	urllist		hobby/gardening/urls
}

dest hobby/pets{
	domainlist 	hobby/pets/domains
	urllist		hobby/pets/urls
}

dest homestyle{
	domainlist 	homestyle/domains
	urllist		homestyle/urls
}

dest hospitals{
	domainlist 	hospitals/domains
	urllist		hospitals/urls
}

dest imagehosting{
	domainlist 	imagehosting/domains
	urllist		imagehosting/urls
}

dest isp{
	domainlist 	isp/domains
	urllist		isp/urls
}

dest jobsearch{
	domainlist 	jobsearch/domains
	urllist		jobsearch/urls
}

dest library{
	domainlist 	library/domains
	urllist		library/urls
}

dest military{
	domainlist 	military/domains
	urllist		military/urls
}

dest models{
	domainlist 	models/domains
	urllist		models/urls
}

dest movies{
	domainlist 	movies/domains
	urllist		movies/urls
}

dest music{
	domainlist 	music/domains
	urllist		music/urls
}

dest news{
	domainlist 	news/domains
	urllist		news/urls
}

dest podcasts{
	domainlist 	podcasts/domains
	urllist		podcasts/urls
}

dest politics{
	domainlist 	politics/domains
	urllist		politics/urls
}

dest porn{
	domainlist 	porn/domains
	urllist		porn/urls
}

dest radiotv{
	domainlist 	radiotv/domains
	urllist		radiotv/urls
}

dest recreation/humor{
	domainlist 	recreation/humor/domains
	urllist		recreation/humor/urls
}

dest recreation/martialarts{
	domainlist 	recreation/martialarts/domains
	urllist		recreation/martialarts/urls
}

dest recreation/restaurants{
	domainlist 	recreation/restaurants/domains
	urllist		recreation/restaurants/urls
}

dest recreation/sports{
	domainlist 	recreation/sports/domains
	urllist		recreation/sports/urls
}

dest recreation/travel{
	domainlist 	recreation/travel/domains
	urllist		recreation/travel/urls
}

dest recreation/wellness{
	domainlist 	recreation/wellness/domains
	urllist		recreation/wellness/urls
}

dest redirector{
	domainlist 	redirector/domains
	urllist		redirector/urls
}

dest religion{
	domainlist 	religion/domains
	urllist		religion/urls
}

dest remotecontrol{
	domainlist 	remotecontrol/domains
	urllist		remotecontrol/urls
}

dest ringtones{
	domainlist 	ringtones/domains
	urllist		ringtones/urls
}

dest science/astronomy{
	domainlist 	science/astronomy/domains
	urllist		science/astronomy/urls
}

dest science/chemistry{
	domainlist 	science/chemistry/domains
	urllist		science/chemistry/urls
}

dest searchengines{
	domainlist 	searchengines/domains
	urllist		searchengines/urls
}

dest sex/lingerie{
	domainlist 	sex/lingerie/domains
	urllist		sex/lingerie/urls
}

dest sex/education{
	domainlist 	sex/education/domains
	urllist		sex/education/urls
}

dest shopping{
	domainlist 	shopping/domains
	urllist		shopping/urls
}

dest socialnet{
	domainlist 	socialnet/domains
	urllist		socialnet/urls
}

dest spyware{
	domainlist 	spyware/domains
	urllist		spyware/urls
}

dest tracker{
	domainlist 	tracker/domains
	urllist		tracker/urls
}

dest updatesites{
	domainlist 	updatesites/domains
	urllist		updatesites/urls
}

dest urlshortener{
	domainlist 	urlshortener/domains
	urllist		urlshortener/urls
}

dest violence{
	domainlist 	violence/domains
	urllist		violence/urls
}

dest warez{
	domainlist 	warez/domains
	urllist		warez/urls
}

dest weapons{
	domainlist 	weapons/domains
	urllist		weapons/urls
}

dest webmail{
	domainlist 	webmail/domains
	urllist		webmail/urls
}

dest webphone{
	domainlist 	webphone/domains
	urllist		webphone/urls
}

dest webradio{
	domainlist 	webradio/domains
	urllist		webradio/urls
}

dest webtv{
	domainlist 	webtv/domains
	urllist		webtv/urls
}

dest whitelist{
	domainlist	whitelist/domains
	urllist		whitelist/urls
}

#
# ACCESS CONTROL:
#

acl {

	localnetwork {
		pass	whitelist !block !adv !aggressive !alcohol !anonvpn !automobile/cars !automobile/bikes !automobile/boats !automobile/planes !chat !costtraps !dating !downloads !drugs !dynamic !education/schools !finance/banking !finance/insurance !finance/moneylending !finance/other !finance/realestate !finance/trading !fortunetelling !forum !gamble !government !hacking !hobby/cooking !hobby/games-misc !hobby/games-online !hobby/gardening !hobby/pets !homestyle !hospitals !imagehosting !isp !jobsearch !library !military !models !movies !music !news !podcasts !politics !porn !radiotv !recreation/humor !recreation/martialarts !recreation/restaurants !recreation/sports !recreation/travel !recreation/wellness !redirector !religion !remotecontrol !ringtones !science/astronomy !science/chemistry !searchengines !sex/lingerie !sex/education !shopping !socialnet !spyware !tracker !updatesites !urlshortener !violence !warez !weapons !webmail !webphone !webradio !webtv all
		redirect	http://10.10.0.3/block
	}
	
	default {
		pass none
		redirect http://10.10.0.3
	}
	
}

If I open Google, for example, the request is either blocked or Chrome shows the message err_tunnel_connection_failed
Looser27 28.08.2020 at 13:17:37
Since SquidGuard blocks everything, your setting

src localnetwork {
	ip 10.10.0.0/16
}

apparently doesn't take effect. For some reason SquidGuard thinks the request doesn't come from this network.

Can you debug it?

Maybe that will show the cause...
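As an added illustration of the two points raised in this thread (the `all` versus `!all` question about the pass line, and the suspicion that the src block is not matching the client address), here is a small Python simulation of how squidGuard evaluates a src block and a pass line, plus a check that every list file a dest class references actually exists under dbhome, since a squidGuard that cannot open a list it was told to load disables itself (emergency mode). This is example code written for this page, not code from the thread or from squidGuard; the trimmed sample config, the constructed set of "existing" files and the treatment of a pass line that ends without `all`/`none` are assumptions of the example.

```python
import ipaddress
import os
import re

# Constructed sample shaped like the squidguard.conf in the thread, trimmed to two dest
# classes (the posted file declares about seventy); names and paths are assumptions.
SAMPLE_CONF = """
dbhome /var/lib/squidGuard/db
src localnetwork {
    ip 10.10.0.0/16
}
dest block {
    domainlist block/domains
}
dest whitelist {
    domainlist whitelist/domains
}
acl {
    localnetwork {
        pass whitelist !block all
        redirect http://10.10.0.3/block
    }
    default {
        pass none
        redirect http://10.10.0.3
    }
}
"""


def parse_conf(text):
    """Parse the subset of squidGuard syntax used above (not a complete parser)."""
    conf = {"dbhome": "", "src": {}, "dest": {}, "acl": {}}
    stack = []  # (section kind, name) for every '{' still open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = re.match(r"^(src|dest|acl)?\s*(\S*?)\s*\{$", line)
        if m:  # block opener; an unprefixed "NAME {" is an entry inside "acl {"
            kind, name = m.group(1) or "acl", m.group(2)
            if kind == "acl" and not name:
                kind = "aclgroup"  # the outer "acl {" wrapper carries no settings itself
            else:
                conf[kind][name] = [] if kind == "src" else {}
            stack.append((kind, name))
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        kind, name = stack[-1] if stack else ("top", "")
        if (kind, key) == ("top", "dbhome"):
            conf["dbhome"] = value
        elif (kind, key) == ("src", "ip"):
            conf["src"][name].append(ipaddress.ip_network(value, strict=False))
        elif kind == "dest" and key in ("domainlist", "urllist"):
            conf["dest"][name][key] = value
        elif kind == "acl" and key in ("pass", "redirect"):
            conf["acl"][name][key] = value.split() if key == "pass" else value
    return conf


def match_src(conf, client_ip):
    """First src block whose networks contain client_ip, else 'default' (squidGuard's fallback)."""
    addr = ipaddress.ip_address(client_ip)
    for name, nets in conf["src"].items():
        if any(addr in net for net in nets):
            return name
    return "default"


def missing_lists(conf, existing=None):
    """(dest, path) for every referenced list file absent under dbhome; `existing` is a constructed
    set of relative paths for offline use, otherwise the real filesystem under dbhome is checked."""
    missing = []
    for name, lists in conf["dest"].items():
        for rel in (lists.get("domainlist"), lists.get("urllist")):
            if rel is None:
                continue
            present = rel in existing if existing is not None else os.path.exists(os.path.join(conf["dbhome"], rel))
            if not present:
                missing.append((name, rel))
    return missing


def evaluate_pass(tokens, hits):
    """Walk a pass line left to right; hits = dest classes the requested URL matched.
    First deciding token wins: 'all' passes, 'none'/'!all' block, '!cat' blocks when the
    URL is in cat, 'cat' passes when it is. Falling off the end is treated as blocked
    (an assumption of this simulation; always end the line with all or none)."""
    for tok in tokens:
        if tok == "all":
            return "pass"
        if tok in ("none", "!all"):
            return "redirect"
        negate = tok.startswith("!")
        cat = tok[1:] if negate else tok
        if cat in hits:
            return "redirect" if negate else "pass"
    return "redirect"
```

Running `match_src(parse_conf(SAMPLE_CONF), "10.10.0.3")` answers the question from the post above (the redirect host does fall inside 10.10.0.0/16); `evaluate_pass(["whitelist", "!block", "all"], set())` shows why the line has to end in `all` (an unlisted site passes) while `["whitelist", "!block", "!all"]` would block everything not whitelisted; and `missing_lists(conf)` against the real dbhome is the first thing to check before reading the squidGuard log. For comparing the simulation with the real binary, squidGuard accepts the helper request format on stdin (URL, client IP/fqdn, ident, method) when started with `-c <config> -d`, which prints the decision for a single request.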
killtec 28.08.2020 at 14:23:04
Hi,
no, I don't see anything in the log. But I'm currently considering a different approach.
Basically it's only about blocking categories. Can't that be done for the whole network via Pi-hole as well?

Regards
Solution Looser27 28.08.2020 at 14:38:33
Sure... and probably more easily, because Pi-hole does DNS blocking and, unlike SquidGuard, doesn't need a proxy, which is (almost) pointless with https anyway.

At home I have a Pi-hole running on an Ubuntu VM to keep my network ad-free.

There are plenty of guides for that online.
killtec 31.08.2020 at 14:03:16
Hi,
so, Pi-hole is running on a Fedora in a VM ;)
Do you have an idea how to block certain content on pages as well?
Specifically: keywords on YouTube.

Thanks.
Looser27 31.08.2020 at 14:10:56
Hi,

I don't think that works, because the YouTube content is all displayed with cryptic links.

Without having tested it, you could however restrict the search within YouTube by applying the same logic as for the websites.
The problem here is that you have to know every term in every spelling ;)
So analogous to blocking erotic FSK-18 content. It would be worth a try.

Regards

Looser