Example 0 - The absolutely minimal do-nothing config:
The absolutely minimal config file is an empty but existing file
(i.e. squidGuard -c /dev/null), which is equivalent to:
    acl {
        default {
            pass all
        }
    }
Example 1 - The recommended minimal do-nothing config:
For clarity, we recommend stating explicitly what squidGuard is expected
to do (it makes things less magic for a new operator):
    logdir /usr/local/squidGuard/log
    acl {
        default {
            pass all
        }
    }
Example 2 - Limiting the access to one destination group only:
Now your acl looks like this:
    logdir /usr/local/squidGuard/log
    dbhome /usr/local/squidGuard/db
    dest local {
        domainlist local/domains
    }
    acl {
        default {
            pass local none
            redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
        }
    }
This implies there must be a domain list file "/usr/local/squidGuard/db/local/domains"
that may simply look like:
    example.com
Example 3 - Blocking the access for unknown or unprivileged clients:
    logdir /usr/local/squidGuard/log
    dbhome /usr/local/squidGuard/db
    src privileged {
        ip 10.0.0.1 10.0.0.73 10.0.0.233   # ONE OF single clients
        ip 10.0.0.10-10.0.0.20             # OR WITHIN range 10.0.0.10 - 10.0.0.20
        ip 10.0.1.32/27                    # OR WITHIN range 10.0.1.32 - 10.0.1.63
        ip 10.0.2.0/255.255.255.0          # OR WITHIN range 10.0.2.0 - 10.0.2.255
        # AND
        domain foo.bar                     # MATCH foo.bar. OR *.foo.bar.
    }
    acl {
        privileged {
            pass all
        }
        default {
            pass none
            redirect http://info.foo.bar/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
        }
    }
Using client domainname match implies reverse lookup is enabled
(log_fqdn on) in squid.conf.
Example 4 - Blocking inappropriate sites:
    logdir /usr/local/squidGuard/log
    dbhome /usr/local/squidGuard/db
    dest porn {
        domainlist porn/domains
        urllist porn/urls
    }
    acl {
        default {
            pass !porn all
            redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
        }
    }
This implies there must be a domain list file "/usr/local/squidGuard/db/porn/domains"
and a URL list file "/usr/local/squidGuard/db/porn/urls". The domain list file
may have a zillion lines like:
    porn.com
    sex.com
The URL list file may have another zillion lines like:
    foo.com/~porn
    bar.com/img/sex
Example 5 - Blocking inappropriate sites for some users and blocking unknown clients:
    logdir /usr/local/squidGuard/log
    dbhome /usr/local/squidGuard/db
    src grownups {
        ip 10.0.0.0/24        # range 10.0.0.0 - 10.0.0.255
        # AND
        user foo bar          # ident foo or bar
    }
    src kids {
        ip 10.0.0.0/22        # range 10.0.0.0 - 10.0.3.255
    }
    dest porn {
        domainlist porn/domains
        urllist porn/urls
    }
    acl {
        grownups {
            pass all
        }
        kids {
            pass !porn all
        }
        default {
            pass none
            redirect http://info.foo.bar/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }
    }
Using userident match implies RFC931/ident lookup is enabled in
squid.conf, optionally only for the actual client groups,
and that foo and bar's workstations must support RFC931.
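The matching rules that Examples 3 to 5 rely on, as an added Python model written for this page (not squidGuard's own code): the four spellings of an `ip` entry, the domainlist/urllist lookup of a `dest` group, the built-in `in-addr` group, and the left-to-right evaluation of a `pass` line. The list contents and src groups are constructed inline; the `user`/`domain` entries of a src block and the real database lookup are left out, and the prefix semantics of urllist entries and the "exhausted pass list acts as none" rule are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the db/porn/domains and db/porn/urls list files.
DESTS = {"porn": {"domains": ["porn.com", "sex.com"],
                  "urls": ["foo.com/~porn", "bar.com/img/sex"]}}
# Constructed src groups; "privileged" uses the four ip spellings of Example 3.
SRC = {"privileged": ["10.0.0.1", "10.0.0.10-10.0.0.20", "10.0.1.32/27",
                      "10.0.2.0/255.255.255.0"], "kids": ["10.0.0.0/22"]}
ACL = {"privileged": "pass all", "kids": "pass !in-addr !porn all", "default": "pass none"}

def ip_range(spec):
    # One 'ip' argument -> (low, high): single host, 'a-b' range, CIDR, or netmask.
    if "-" in spec:
        return tuple(int(ipaddress.ip_address(p)) for p in spec.split("-"))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def in_src(ip_specs, client):
    # A client is in the src group if any of the group's ip specs covers it.
    c = int(ipaddress.ip_address(client))
    return any(lo <= c <= hi for lo, hi in map(ip_range, ip_specs))

def dest_hit(name, url):
    # Is the URL in dest group `name`?  'in-addr' is the built-in group for
    # URLs whose host is a bare (here: IPv4 dotted) address.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if name == "in-addr":
        return all(p.isdigit() for p in host.split("."))
    lists = DESTS[name]
    # domainlist: foo.bar matches foo.bar and *.foo.bar; urllist: host+path prefix (assumed)
    return (any(host == d or host.endswith("." + d) for d in lists["domains"])
            or any((host + parts.path).startswith(u) for u in lists["urls"]))

def decide(pass_line, url):
    # First applicable entry decides; an exhausted list is assumed to act as 'none'.
    for item in pass_line.split()[1:]:                # skip the 'pass' keyword
        if item in ("all", "none"):
            return "pass" if item == "all" else "redirect"
        if dest_hit(item.lstrip("!"), url):
            return "redirect" if item.startswith("!") else "pass"
    return "redirect"

def acl_decision(client, url):
    # The first src group (in config order) that covers the client wins, else default.
    for group, specs in SRC.items():
        if in_src(specs, client):
            return group, decide(ACL[group], url)
    return "default", decide(ACL["default"], url)
```

Because the kids group 10.0.0.0/22 also covers every privileged address, the order of the src blocks decides which acl applies, exactly as in the config files above.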
Example 6 - Blocking inappropriate sites partially with regex:
  + ensuring local and good sites are passed even if they would match a
    blocking regex
  + limiting the usage of IP-address URLs
    logdir /usr/local/squidGuard/log
    dbhome /usr/local/squidGuard/db
    dest local {
        domainlist local/domains
    }
    dest good {
        domainlist local/domains
    }
    dest porn {
        domainlist porn/domains
        urllist porn/urls
        expressionlist porn/expressions
    }
    acl {
        default {
            pass local good !in-addr !porn all
            redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
        }
    }
Example 7 - Blocking inappropriate sites within business hours only:
Let's extend example 5 with:
  - a time constraint on censorship
  - logging redirections of inappropriate sites anonymized
  - redirecting inappropriate sites specially
  - and still protecting the kids 24h.
    logdir /usr/local/squidGuard/log
    dbhome /usr/local/squidGuard/db
    time leisure-time {
        weekly * 00:00-08:00 17:00-24:00   # night and evening
        weekly fridays 16:00-17:00         # weekend
        date *.01.01                       # New Year's Day
        date *.05.01                       # Labour Day
        date *.05.17                       # National Day
        date *.12.24 12:00-24:00           # Christmas Eve
        date *.12.25                       # Christmas Day
        date *.12.26                       # Boxing Day
        date 1999.03.31 12:00-24:00        # Ash Wednesday
        date 1999.04.01-1999.04.05         # Easter
        date 2000.04.19 12:00-24:00        # Ash Wednesday y2000
        date 2000.04.20-2000.04.24         # Easter y2000
    }
    src grownups {
        ip 10.0.0.0/24                     # range 10.0.0.0 - 10.0.0.255
        # AND
        user foo bar                       # ident foo or bar
    }
    src kids {
        ip 10.0.0.0/22                     # range 10.0.0.0 - 10.0.3.255
    }
    dest porn {
        domainlist porn/domains            # file listing domains (clear text)
        urllist porn/urls                  # file listing URLs (clear text)
        expressionlist porn/expressions    # file with expressions (clear text regex)
        redirect 302:http://info.foo.bar/images/blocked.gif   # redirect matches to this URL
        log anonymous porn.log             # log redirects anonymized to logdir/porn.log
    }
    acl {
        grownups within leisure-time {
            pass all                       # don't censor people's leisure-time
        } else {
            pass !in-addr !porn all        # restrict access during business hours
        }
        kids {
            pass !porn all                 # protect the kids 24h anyway
        }
        default {
            pass none                      # reject unknown clients
            redirect http://info.foo.bar/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }
    }
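How the `within leisure-time ... else` branch of Example 7 selects a pass line, as an added Python model written for this page (not squidGuard's own code). It evaluates the `weekly` and `date` forms that appear in the time block above (`*` or a day name such as `fridays`; a fixed date, `*.MM.DD` for every year, or an inclusive date range; optional HH:MM-HH:MM ranges with `24:00` as end of day) against a constructed subset of that block; the instant is given as a "YYYY-MM-DD HH:MM" string.

```python
from datetime import datetime

# Constructed subset of the leisure-time block of Example 7 (same syntax).
LEISURE_TIME = """
weekly * 00:00-08:00 17:00-24:00   # night and evening
weekly fridays 16:00-17:00         # weekend
date *.05.01                       # Labour Day
date *.12.24 12:00-24:00           # Christmas Eve
date 2000.04.20-2000.04.24         # Easter y2000
"""
DAYS = ["mondays", "tuesdays", "wednesdays", "thursdays", "fridays", "saturdays", "sundays"]

def _in_ranges(ranges, dt):
    # ranges like ['00:00-08:00', '17:00-24:00']; an empty list means all day.
    # Compared in minutes, so the '24:00' end-of-day sentinel needs no special case.
    if not ranges:
        return True
    hm = dt.hour * 60 + dt.minute
    for r in ranges:
        lo, hi = (int(t[:2]) * 60 + int(t[3:]) for t in r.split("-"))
        if lo <= hm < hi:
            return True
    return False

def _date_matches(spec, dt):
    # 'YYYY.MM.DD', '*.MM.DD' (any year) or 'YYYY.MM.DD-YYYY.MM.DD' (inclusive).
    if "-" in spec:
        lo, hi = spec.split("-")
        return lo.replace(".", "") <= dt.strftime("%Y%m%d") <= hi.replace(".", "")
    y, m, d = spec.split(".")
    return (y == "*" or int(y) == dt.year) and (int(m), int(d)) == (dt.month, dt.day)

def within(time_block, when):
    # True if any 'weekly' or 'date' line covers `when` ("YYYY-MM-DD HH:MM").
    dt = datetime.fromisoformat(when)
    for line in time_block.splitlines():
        fields = line.split("#")[0].split()          # drop the trailing comment
        if not fields:
            continue
        kind, spec, ranges = fields[0], fields[1], fields[2:]
        if kind == "weekly" and (spec == "*" or DAYS.index(spec) == dt.weekday()):
            if _in_ranges(ranges, dt):
                return True
        elif kind == "date" and _date_matches(spec, dt) and _in_ranges(ranges, dt):
            return True
    return False

def grownups_pass_line(when):
    # The 'grownups within leisure-time {...} else {...}' acl of Example 7.
    return "pass all" if within(LEISURE_TIME, when) else "pass !in-addr !porn all"
```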