[Guide] Setup Squid and SquidGuard with Ubuntu Server 14.04.1 LTS

By fusi0n
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

fusi0n

Posted
Posted

After reading a lot of guides on how to set this up, I never found one guide that didn't leave something out that made me have to search for some answers.. I've made a very straightforward and simple guide on how to setup Squid/SquidGuard on a network.. If you have any questions or something in the guide is left out/wrong, please let me know.

How to setup a Squid Server with SquidGuard 
Protecting your Network from Ads/Spyware/Malware
Follow this guide at your own risk! I will not be held responsible for any damages

For this guide, we are going to use Ubuntu 14.04.1 LTS, I will assume that you have the knowledge on how to install an Ubuntu Server on hardware or a VM. Also, set a static IP for the server.

Just follow these commands, and you’ll be up and running!

1. sudo apt-get update
2.  sudo apt-get upgrade
3. sudo apt-get install squid3
4. sudo nano /etc/squid3/squid.conf
5. You can actually just copy and paste this into the squid.conf, everything is commented out..  Just change the hostname to the hostname of the server.. 
visible_hostname your-machines-hostname
http_port 3128
cache_dir ufs /var/spool/squid 1000 16 256
cache_access_log /var/log/squid/access.log
6. Add this also to your squid.conf “intranet” is just the name of the group you are making to allow access to the squid server. Make sure you use your IP range and correct subnet. You can make additional groups if needed, either to allow or deny them. The next is giving access to the group, “intranet”.
acl intranet 10.50.0.0/32
http_access allow intranet
7. sudo service restart squid3

Now, you have a fully working squid server that is going to only allow the IP range of 10.50.0.0/32. If someone tries to connect to the proxy server in a different IP range, they will be blocked by the proxy. You can use this to limit access to certain departments and groups as well as set up times which they can allow internet access.. That is for a more in-depth guide. 
To test your proxy with Firefox, go to options, Advance, Network, Connection Settings. Enter your proxy’s IP and proxy’s port number. Default port number is 3128 as we set in the squid.conf. If you want to use a different port number, edit it in the squid.conf under “http_port”. 


Now, it’s time to install SquidGuard!
1.    sudo apt-get install squidguard
2.    sudo mkdir /opt/3rdparty
We are going to use the list from shalalist.de for “testing”, since it’s 100% free for non-commerical.  For a bigger and much more through blacklist, I use http://urlblacklist.com/. It’s free to try once, and has different pricing tiers for person/school/business.
3.    sudo wget http://www.shallalist.de/Downloads/shallalist.tar.gz
4.    sudo tar xzf shallalist.tar.gz
5.    sudo cp -a /opt/3rdparty/BL/porn/var/lib/squidguard/db
sudo cp -a /opt/3rdparty/BL/adv/var/lib/squidguard/db
sudo cp -a /opt/3rdparty/BL/spyware /var/lib/squidguard/db
6.    Add this to  /etc/squid3/squid.conf , type “sudo nano /etc/squid3/squid.conf”
url_rewrite_program /usr/bin/squidGuard
7.    sudo squidGuard -C all
8.    chown -R proxy:proxy /var/lib/squidguard/db
9.    Add this to my /etc/squid3/squid.conf  type, “sudo nano /etc/squid3/squid.conf”
url_rewrite_program /usr/bin/squidGuard

Now, we need to edit the squidGuard.conf

I recommend to make a backup of your squidGuard.conf then making a new one..
1. sudo cp /etc/squidguard/squidGuard.conf /etc/squidGuard.conf.bak
2. sudo rm /etc/squidguard/squidGuard.conf
3.sudo nano /etc/suqidgurd/squidGuard.conf
Copy and paste this,
#
# CONFIG FILE FOR SQUIDGUARD
#
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/logs
dest porn {
domainlist porn/domains
urllist porn/urls
}
dest adv {
domainlist adv/domains
urllist adv/urls
}
dest spyware {
domainlist spyware/domains
urllist spyware/urls
}
acl {
default {
pass !porn !adv !spyware all
redirect http://localhost/block.html
}
}
You can test your squidguard by doing a dry run
sudo echo "http://www.pornhub.com 10.50.55.10/- - GET" | squidGuard -c /etc/squidguard/squidGuard.conf –d

You should see, 
squidGuard ready for requests 
squidGuard stopped 
If there are errors, it will tell you.. The most likely errors you’ll run into are permission issues.. If it gives you permission issues with your database, make sure that you set the user and group named “proxy” ownership. You can tell that by “sudo ls -l /var/lib/squidguard/db*”

You can now use the Firefox browser you setup to use with your proxy server to make sure you are blocking porn and ads. For better protection, I recommend using the blacklist from,  http://urlblacklist.com/

Grand Master

fusi0n

Posted
  • Author
Posted

Yes I need this. We've got one set up and it looks like a botched up job. I'll be following this guide to set and test a proxy. 

Cheers

Thanks! 

Shouldn't this be in the guide section and not in visualization

Ah, I thought it would be best in the networking section.. Maybe the mods will move it.. Thanks.  

Grand Master

fusi0n

Posted
  • Author
Posted

why did you put it under vitalization subsection?

It looks like it is under Home  Technical Help & Support  Internet, Network & Security  [Guide] Setup Squid and SquidGuard with Ubuntu Server 14.04.1 LTS like I intended it to me..  

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • The Trump administration doesn't want you to use OpenAI's GPT-5.6 without its approval

      By excalpius · Posted

      For a guy who claims to hate Farage and the ignorant, gullible, rightwing racist skinheads sponsored by Putin that his lies represent, you sure are quoting them time and time and time again, mate. I guess you're conveniently ignoring the fact that your country and commonwealth just happened to work much better when it was still part of the E.U.? Denial isn't just a river in Egypt.
    • The Trump administration doesn't want you to use OpenAI's GPT-5.6 without its approval

      By ad47uk · Posted

      Do you live in the U.K? Do any of the people here that are against the UK leaving the E.U, live in the U.K? If not then why are you bothered? If you do live here then it is a different thing . Brexit was a good idea, should have done it years before, it was done badly, but the idea was good. You are saying the same thing as remainers do, oh we did what Putin wanted, we listened to the lies and Farage. I hate Farage and never believed most of what he said, certainly did not believe the £350m a week for the NHS. But we did pay a lot of money to the E.U and yes some of it came back, but what is the point of paying it out for only some of it to come back? Get out of the E.U, no money to them and in theory we can use the money to do things in the country. I said in theory, but our governments are a total and complete waste of space. No matter what colour rosette they wear. You and others say it was a mistake and yet the two main parties in the U.K are not looking at rejoining the EU, I wonder why that is? I was not tricked by anyone. Makes no odds now, we are out and have been for 10 years, what we need is a decent government to run the country. All they do is shout at each other like a load of kids and seems to do nothing and make this country more into a police and nanny state. Getting more like China all the time.
    • 4TB TEAMGROUP MP44Q, 2TB T-Force G50, and 2TB WD My Passport SSDs drop to great prices

      By Fiza Ali · Posted

      4TB TEAMGROUP MP44Q, 2TB T-Force G50, and 2TB WD My Passport SSDs drop to great prices by Fiza Ali Prime Day may be over, but there are still worthwhile storage deals available, including discounts on SSDs for shoppers who missed the event or are looking to upgrade their storage solution. Particularly, 2TB Western Digital My Passport, 2TB TEAMGROUP T-Force G50, and 4TB TEAMGROUP MP44Q SSD are selling at great prices with up to 23% off. The 2TB TEAMGROUP T-Force G50 is an M.2 2280 PCIe 4.0 x4 NVMe SSD with sequential read speeds of up to 5,000MB/s and sequential write speeds of up to 4,500MB/s. The drive has an endurance rating of 1,300 TBW (terabytes written) and features a DRAM-less design. The company specifies a mean time between failures (MTBF) of 3 million hours. The drive includes an "ultra-thin" graphene heat spreader that helps dissipate heat without significantly increasing the drive's thickness. It also supports S.M.A.R.T. monitoring, allowing compatible software to monitor drive health and operating status. The SSD is rated for operating temperatures from 0°C to 70°C, with a storage temperature range of -40°C to 85°C. The drive is backed by a five-year limited warranty as well. 2TB TEAMGROUP T-Force G50 SSD: $269.99 (Amazon US) The TEAMGROUP MP44Q is an M.2 2280 PCIe 4.0 x4 NVMe SSD that delivers sequential read speeds of up to 7,000MB/s and sequential write speeds of up to 5,900MB/s. It uses 3D QLC NAND flash memory to provide 4TB of storage capacity for games, applications, media files, and other data. The drive has an endurance rating of 2,000 TBW and an MTBF of 1.6 million hours. The SSD features a DRAM-less design and supports TEAMGROUP's S.M.A.R.T. monitoring software, allowing users to monitor drive health, temperature, and remaining lifespan. For thermal management, the MP44Q also includes an "ultra-thin" graphene heat spreader. It is designed to operate at temperatures between 0°C and 70°C and can be stored at temperatures ranging from -40°C to 85°C. The SSD is also backed by a five-year limited warranty. 4TB TEAMGROUP MP44Q SSD: $478.99 (Amazon US) The 2TB WD My Passport SSD connects via a USB-C port using the USB 3.2 Gen 2 interface. It delivers sequential read speeds of up to 1,050MB/s and sequential write speeds of up to 1,000MB/s through NVMe technology. In terms of security features, the drive includes password protection with 256-bit AES hardware encryption. The SSD is also designed to resist shock and vibration and is rated to withstand drops from heights of up to 6.5 feet. The recommended operating temperature range is 5°C to 35°C, while the non-operating temperature range is -20°C to 65°C. This drive is also backed by a five-year limited warranty. 2TB Western Digital My Passport SSD: $279.99 (Amazon US) Good to know This Amazon deal is U.S. specific, and not available in other regions unless specified. We only use first-party seller links (at the time of article publishing); ensure that you purchase from a first-party seller link only. Check out Today's Deals on Amazon | or our recent tech deals. Become a Prime member (for Students or SNAP) via Neowin Get Prime Access - Prime for half price (for qualifying Medicaid, EBT, SNAP) Subscribe to Prime Video, Audible Plus, Music Unlimited or Kindle Unlimited via Neowin As an Amazon Associate, we earn from qualifying purchases.
    • Why Delta Chat is the best decentralized messenger you have probably never tried

      By Nas · Posted

      Yeah... The root of my comment, ostensibly, is how to spin the story via the actual technical merits of the solution! * Decentralized (aka federated) solution with built-in encrypted ephemeral message transport, * Transport via Relays (intermediary servers) with no message archival, * Second configurable pathway are actual email servers (if DNS records are programmed accordingly) via IMAP protocols carriage, * "Chat-over-Email" is the design pattern adopted; it can either leverage full-blown Email Server (must use the INBOX folder) to exchange all received messages/edits/reactions (so be weary of notifications overloads) [best practice is creating a separate email acct used explicitly for federated chat purposes!] or leverage its built-in Relay Server mechanism which actually resides on-device (by default but can be configured otherwise), * By virtue of be a decentralized/federated model, all other intermediary servers who may pass-along messages (while the recipient's final relay/device is inaccessible) cannot snoop on the messages due to the encrypted nature of contents. The intermediaries may, however, analyze the metadata due to the simple fact that routing mechanisms require hints for relay destinations. Unfortunately, whomever is posting about DeltaChat across socials are misleading with "zero metadata" claims -- especially when the Relays (according to their own technical documents) mandate the addition of chat-version metadata and other decorations in order to actually transport any message. -- Based on this summary, I'd prefer if they'd better dual-path message transport (email server add-in, federated relay engine) rather than patch-on email protocols to existing federated social media frameworks. They're frankensteining something rather than extending widely-deployed technology stacks.
    • You've tried DuckDuckGo and Brave Search, now get serious with SearXNG

      By Fleet Command · Posted

      Decentralized search result anonymization...

  • Recent Achievements

    • Week One Done
      flexorcist earned a badge
      Week One Done
    • One Month Later
      Woland13 earned a badge
      One Month Later
    • Week One Done
      Woland13 earned a badge
      Week One Done
    • One Year In
      bernmeister earned a badge
      One Year In
    • Week One Done
      Scoobystu earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      493
    2. 2
      +Edouard
      225
    3. 3
      PsYcHoKiLLa
      148
    4. 4
      Steven P.
      75
    5. 5
      FloatingFatMan
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!