LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue78/adam.html

1373 lines
44 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>The Weekend Mechanic LG #78</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></A>
<BR>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="lg_bytes.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue78/adam.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="alcidi.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more <font COLOR="red">lovable!</font></i>"
<img ALT="" SRC="../gx/adam/heart.png" WIDTH="30" HEIGHT="25">
</H4>
<!-- END header -->
<p> <hr> <p> <!--===================================================================-->
<p ALIGN=CENTER><img ALT="[picture of mechanic]" SRC="../gx/adam/mechanic.png" ALT="Weekend Mechanic Logo" ALIGN=BOTTOM WIDTH=399 HEIGHT=135 BORDER=0></p>
<h1 ALIGN=CENTER><font COLOR="maroon">The Weekend Mechanic</font></h1>
<h4 ALIGN=CENTER>By <a HREF="mailto:thomas_adam16@yahoo.com">Thomas
Adam</a></h4>
<p> <hr> <p> <!--===================================================================-->
<!-- END header -->
<!-- =======================================================================-->
<!-- --------------- -->
<!-- BEGIN: contents -->
<!-- --------------- -->
<UL>
<LI><A HREF="#preamble">Welcome to the May edition</A></LI>
<LI><A HREF="#squid">A brief Introduction: Squid</A></LI>
<LI><A HREF="#squidg">A brief Introduction: SquidGuard</A></LI>
<LI><A HREF="#keyfiles">Keyfiles: A handy BASH backup script</A></LI>
<LI><A HREF="#prognedit">Program Review: Nedit</A></LI>
<LI><A HREF="#closet">Closing Time</A></LI>
</UL>
<!-- --------------- -->
<!-- END: contents -->
<!-- --------------- -->
<HR>
<! -- ======================================================================= -->
<! -- --------------- -->
<! -- BEGIN: preamble -->
<! -- --------------- -->
<H2><A NAME="preamble">Welcome to the May edition</A></H2>
<FONT COLOR="red"><P><I>
[ ** This edition is dedicated to a very dear friend of mine called <B>Natalie
Wakelin</B>, who I am indebted to for helping me recently. She has been an
absolute star and true friend to me, and although she may not understand a
word this &quot;technical&quot; document may have to offer -- I dedicate it to
her all the same. Thanks Natalie!! :-) ** ]
</FONT></I></P>
<HR Width=25%>
<I>
What song the Syrens sang<BR>
or what name Achilies assumed<BR>
when he hid himself among women, <BR>
although puzzling questions <BR>
are not beyond all conjecture <BR>
<BR>
--Sir Thomas Browne <BR>
Taken from:<I> &quot;The Murders in the Rue Morgue&quot; -- Edgar Allan Poe</I>
</I>
<HR WIDTH=25%>
<P>Yes, yes, I know. You can stop clapping and applauding. I'm back :-)
Seriously, I can only apologise for the "holiday" that the LWM has taken
over the past &quot;couple&quot; of months. I have taken rather a large
leap into the world of freedom and University life, and I found it more
difficult to adjust to than I had originally anticipated!!</P>
<P>But that is by the by.....</P>
<P>For the keen eyed among you, the quote at the top of this column rather
sums up the userability of Linux overall. Indeed, no matter how strange a
problem may appear to be within Linux, it is not beyong the realm of
possibility that it cannot be solved by using Linux. I have been finding
that out for myself quite a lot recently :-)</P>
<P>Aside from all the University work, I have been actively helping out
with problems at the <A HREF="http://www.hants.lug.org.uk" TARGET="_blank">
Hants LUG</A>, both in person and via their mailing list. Actually it has
been quite exciting. I have also learn a lot!!</P>
<P>Well that is enough preamble for one month. Enjoy this issue, won't
you?</P>
<!-- ============= -->
<!-- END: preamble -->
<!-- ============= -->
<HR>
<!-- ======================================================================== -->
<!-- ============= -->
<!-- BEGIN: squid -->
<!-- ============= -->
<H2><A NAME="squid">A Brief Introduction: Squid</A></H2>
<!-- --------------------- -->
<!-- BEGIN: squid contents -->
<!-- --------------------- -->
<UL>
<LI><A HREF="#wsquid">What is Squid?</A></LI>
<LI><A HREF="#sqinst">Installation</A></LI>
<LI><A HREF="#squidconf">Configuration</A></LI>
<LI><A HREF="#filtering">Filtering (Access Control)</A></LI>
<LI><A HREF="#initsquid">Initialising Squid</A></LI>
</UL>
<HR>
<!-- ==================== -->
<!-- END: squid: contents -->
<!-- ==================== -->
<!-- =================== -->
<!-- ==================== -->
<!-- BEGIN: squid: wsquid -->
<!-- ==================== -->
<H2><A NAME="wsquid">What is Squid?</A></H2>
<P>Those of you who read the <A HREF="http://www.linuxgazette.com/issue70/adam.html#apache"
TARGET="_blank"> September</A> edition will remember that I wrote an article
about the use of <I>Apache</I>. I had some nice feedback on that (thanks to
all who sent their comments). I thought it a nice idea to do a tutorial on
<I>squid</I>.</P>
<P>For those of you who don't know, <A HREF="http://www.squid-cache.org"
TARGET="_blank"><I>Squid</I></A> (other than being a sea
creature) is a Linux internet proxy program. Why is it called
<I>squid</I>? Apparently because (quote: &quot;all the good names were taken&quot;)</P>
<P>Squid, works by channelling internet requests through a machine (called a proxy
server).
<P>Furthermore, squid offers the ability to <A HREF="#filtering">filter</A>
certain webpages, to either allow or disallow viewing. The ability to do this is
through ACLs (Access Control Lists). More on these later.</P>
<!-- ================== -->
<!-- END; squid: wsquid -->
<!-- ================== -->
<HR WIDTH=25%>
<!-- --------------------- -->
<!-- =================== -->
<!-- BEGIN: squid sqinst -->
<!-- =================== -->
<H2><A NAME="sqinst">Installation</A></H2>
<P>Installing squid <I>should</I> be straight forward enough. Squid is supplied
with all major distributions (RedHat, SuSE, Caldera, Debian, etc) so it should
be easily accessible from your distribition CD's.</P>
<P>For those of you that have a Linux distribution that supports the <B>RPM</B>
format, you can check to see if you already have it installed, by using the
following command:</P>
<PRE>rpm -qa | grep -i squid</PRE>
<P>If it is installed, then you should find that &quot;squid2-2.2.STABLE5-190&quot;
(or similar) is returned. If you get no responce then install squid from your
distibution CD.</P>
<P>If squid is not on your distribution CD, or you are using a version of Linux
(such as Debian and Slackware) that does not support the RPM format, then
download the source in .tgz (tar.gz) format from
<A HREF="http://www.squid-cache.org" TARGET="_blank">http://www.squid-cache.org/download</A>.
<P>To install Squid from its sources copy the tar ball to &quot;/tmp&quot; and then issue the
following commands:</P>
<PRE>
1. If you are not user "root", su, or log in as root
2. cd /tmp
3. tar xzvf ./name_of_squid.tar.gz -- [or possibly .tgz]
4. Now run:
./configure
5. After which, you should have no errors. Then you can simply type:
make && make install
to compile and install the files.
</PRE>
<P>Typically. from a standard RPM installation, these directories will be used:</P>
<PRE>
/usr/bin
/etc
/etc/squid (possibly -- used to be under RH 5.0)
/var/squid/log/
[/usr/local/etc] <-- perhaps symlinked to "/etc"
</PRE>
<P>If you're compiling it from source, then a lot of the files will end up in:</P>
<PRE>
/etc
/etc/squid (possibly -- used to be under RH 5.0)
/usr/local/bin
/var
[/usr/local/etc] <-- perhaps symlinked to "/etc"
</PRE>
<P>Suffice to say, it does not really matter, but unless you specifically have
requested otherwise, this is where the files will end up.</P>
<P>Now that you have squid installed, let us move onto the next section....
configuration</P>
<!-- ================== -->
<!-- END; squid: sqinst -->
<!-- ================== -->
<HR WIDTH=25%>
<!-- --------------------- -->
<!-- ======================= -->
<!-- BEGIN: squid: squidconf -->
<!-- ======================= -->
<H2><A NAME="squidconf">Configuration</A></H2>
<P>So, you've installed squid, and are wondering....&quot;Is that it?&quot; ha --
if only it were true, gentle reader. Nope....there are lots of things still to do
before we can have ourselves a good old proxy server.</P>
<P>Our efforts now shall be concentrated on one file <B>/etc/squid.conf</B>. It is
this file which holds all the settings for squid. Because we will be editing this
file, I always find it a good idea, to keep a copy of the original file. So, I think
it would be a good idea, if you all issued the command:</P>
<PRE>
cp /etc/squid.conf /etc/squid.conf.orig
</PRE>
<P>And then fire up your favourite editor, and lets begin editing squid.conf</P>
<P>Actually trying to use this file to run squid &quot;out of the box&quot; is
impossible. There are a number of things that you'll have to configure before you can
have an up-and-running proxy server. At first glance, this file is about a mile long, but
the developers have been helpful, since the majority of the file consists of comments about
each option that is available.</P>
<P>The first thing, is to tell squid the IP address of the machine it is operating on
and at which port it is to listen to. In squid.conf, you should find a commented line
which looks like:</P>
<PRE>#http_port 3128</PRE>
<P>Uncomment this line, by deleting the leading hash (#) symbol. Now by default, the port
number 3128 is chosen. However, should you wish to tell squid to listen on a different port,
then change it!! Thus on my proxy machine, I have specified:</P>
<PRE>http_port 10.1.100.1:8080</PRE>
<P>Which binds squid to listen on the above IP address with the port 8080. What you have to be
careful of, is making sure that no other running application is trying to use the same port
(such as apache), which is a very common mistake that a lot of people make.</P>
<P>Now, as we progress through this configuration file, the next major configuration option we
should now change is <B>cache_mem</B>. This option tells squid how much memory it should use for
things like caching.</P>
<P>I have just uncommented this line -- and left the default at 8 MB</P>
<P>Further on down from this option are some more options which tell squid about the high/low
cache &quot;watermark&quot;. This is simply a percentage of disk-space, that says that when it
gets to within 90/95% then squid should start deleting some of its cached items.</P>
<PRE>
#cache_swap_low 90
#cache_swap_high 95
</PRE>
<P>I have simply uncommented these, but I have changed their values. The reason being, is because
I have a 60 GB hard drive, one percent is hundreds of mega bytes, so I have changed the values to:</P>
<PRE>
cache_swap_low 97
cache_swap_high 98
</PRE>
<P>Right....so far so good. We have told squid on which IP and port to listen to, told it how much
memory it should use, and told it the percentage of drive space it should reach before it starts
deleting its own cached items. Great!! If you haven't do so already, save the file.</P>
<P>The next and penultimate option that I changed was quite an important one, since this one
determines the location and size of the cache directories. There is a TAG, which looks like:</P>
<PRE>
cache_dir /var/squid/cache 100 16 256
</PRE>
<P>What this says is that for the path &quot;/var/squid/cache&quot;each top-level directory will
hold 100MB. There will be 16 top-level directories and below that there will be 256 sub-directories
</P>
<P>The last major item that I shall be tweaking in this file, before moving on to filtering, is the
use of access logs. Just below the option we have just configured for the cache_dir, are options to
allow logging. Typically you have the option of logging the following:</P>
<UL>
<LI>access log</LI>
<LI>cache log</LI>
<LI>store log</LI>
<LI>swap log</LI>
</UL>
<P>Each of the above logs have their own advantage / disadvantage in the running of your proxy server.
Typically, the only logs that I keep are the access logs and the cache log. The reason being simply
because the store and swap logs don't interest me :-). </P>
<P>It is the access log file which logs all the requests that users make (i.e. to which website a
particular user is going to). While I was at school, this file was invaluable in determining which
user was <I>trying</I> to get to banned sites. I recommend all sysadmins that have or are going to
set-up an internet proxy server to enable this feature -- it is very useful.</P>
<P>So, I did the following (uncommenting the TAGS):</P>
<PRE>
cache_access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
</PRE>
<P>I recommend that you leave the log names as they are.</P>
<P>Obviously, I have only covered the most basic options within the squid.conf file. There are a whole
mass of options for particular situations. Each option is fairly well commented, so should you wish to
see what a particular option does, it should not be too hard.</P>
<!-- ==================== -->
<!-- END squid: squidconf -->
<!-- ==================== -->
<HR WIDTH=25%>
<!-- --------------------- -->
<!-- ======================= -->
<!-- BEGIN: squid: filtering -->
<!-- ======================= -->
<H2><A NAME="filtering">Filtering (Access Control)</A></H2>
<P>This section is still using &quot;/etc/squid.conf&quot; but I shall go into the configuration options
for access control in a little more detail.</P>
<P>Access control gives the sysadmin a way of controlling which clients can actually connect to the
proxy server, be it via an IP address, or port, etc. This can be useful for computers that are in
a large network configuration.</P>
<P>Typically ACL's (Access Control Lists) can have the following properties to them:</P>
<UL>
<LI>src - Source i.e. client's IP addresses</LI>
<LI>dst - Destination i.e. server's IP addresses</LI>
<LI>srcdomain - Source i.e. client's domain name</LI>
<LI>dstdomain - Destination i.e. server's domain name</LI>
<LI>time - Time of day and day of week</LI>
<LI>url_regex - URL regular expression pattern matching</LI>
<LI>urlpath_regex - URL-path regular expression pattern matching, leaves out the protocol and hostname</LI>
<LI>proxy_auth - User authentication through external processes </LI>
<LI>maxconn - Maximum number of connections limit from a single client IP address</LI>
</UL>
<P>All access controls have the following format to them:</P>
<PRE>
acl acl_config_name type_of_acl_config values_passed_to_acl
</PRE>
<P>Thus in the configuration file, locate the line:</P>
<PRE>
http_access deny all
</PRE>
<P>And above which, add the following lines</P>
<PRE>
acl weekendmechnetwork 10.1.100.1/255.255.255.0
http_access allow weekendmechnetwork
</PRE>
<P>You can change the acl name of &quot;weekendmechnetwork&quot; to a name of your choice.
What this does, is it says that for the acl with the name &quot;weekendmechnetwork&quot;,
use the specified IP address 10.1.100.1 (the proxy server), with a netmask of 255.255.255.0
Thus, &quot;weekendmechnetwork&quot; is the name assigned to the clients on the network.</P>
<P>The line &quot;http_access allow weekendmechnetwork&quot; says that the rule is valid, and
so can be parsed by squid itself.</P>
<P>The next thing that we shall do, is look at allowing selected clients to access the internet.
This is useful for networks where not all of the machines should connect to the internet.</P>
<P>Below what we have already added, we can specify something like:</P>
<PRE>
acl valid_clients src 192.168.1.2 192.168.1.3 192.168.1.4
http_access allow valid_clients
http_access deny !valid_clients
</PRE>
<P>What this says is that for the ACL name &quot;valid_clients&quot; with the src IP addresses
listed, allow http access to &quot;valid_clients&quot; <B>(http_access allow valid_clients)</B>,
and disallow anyother IP's which are not listed <B>(http_access deny !valid_clients)</B>.</P>
<P>If you wanted to allow <I>every</I> machine Internet access, then you can specify:</P>
<PRE>
http_access allow all
</PRE>
<P>But, we can extend the ACL's further, by telling squid that certain ACL's are only active
at certain times, for example:</P>
<PRE>
1. acl clientA src 192.168.1.1
2. acl clientB src 192.168.1.2
3. acl clientC src 192.168.1.3
4. acl morning time 08:00-12:00
5. acl lunch time 12:30-13:30
6. acl evening time 15:00-21:00
7. http_access allow clientA morning
8. http_access allow clientB evening
9. http_access allow clientA lunch
10. http_access allow clientC evening
11. http_access deny all
</PRE>
<B><I>[ ** N.B. Omit the line numbers when entering the above, I've added them here to make
explaination easier -- Thomas Adam ** ]</I></B>
<P>
<B>Lines 1-3</B> set-up the ACL names which identify the machines.<BR>
<B>Lines 4-6</B> set-up ACL names for the specified time limits (24-hour format).<BR>
<B>Line 7</B> says to allow <I>clientA</I> (and only clientA) access during &quot;morning&quot;
hours.<BR>
<B>Line 8</B> says to allow <I>clientB</I> (and only clientB) access during &quot;evening&quot;
hours.<BR>
<B>Line 9</B> says to allow <I>clientA</I> (and only clientA) access during &quot;lunch&quot;
hours.<BR>
<B>Line 10</B> says to allow <I>clientC</I> (and only clientC) access during &quot;evening&quot;
hours.<BR>
<B>Line 11</B> then says that if any other client attempts to connect -- disallow it.<BR>
<P>But we can also take the uses of ACL's further, by telling Squid to match certain regexes
in the URL expression, and in effect throw the request in the bin (or more accurately --
&quot&>/dev/null&quot; :-)</P>
<P>To do this, we can specify a new ACL name that will hold a particular pattern. For example</P>
<PRE>
1. acl naughty_sites url_regex -i sex
2. http_access deny naughty_sites
3. http_access allow valid_clients
4. http-access deny all
</PRE>
<B><I>[ ** Remember -- don't use the line numbers above!! ** ]</I></B>
<P>
<B>Line 1</B> says that the word &quot;sex&quot; is associated with the ACL name &quot;
naughty_sites&quot; the clause <B>url_regex</B> says that the ACL is of that type -- i.e.
it is to check the words contained within the URL. The <B>-i</B> says that it is to
ignore case-sensitivity.<BR>
<B>Line 2</B> says to deny all clients access to the website that contains anything from
the ACL &quot;naughty_sites&quot;<BR>
<B>Line 3</B> says to allow access from &quot;valid_clients&quot;.<BR>
<B>Line 4</B> says to deny any other requests.
</P>
<P>So,I suppose you are now wondering....&quot;how do I specify more than one regex?&quot;.
Well, the answer is simple....you can put them in a separate file. For example, suppose
you wanted to filter the following words, and dis-allow access to them, if they appeared
in the URL:</P>
<PRE>
sex
porn
teen
</PRE>
<P>You can add them to a file (one word at a time), say in:</P>
<PRE>
/etc/squid/bad_words.regex
</PRE>
<P>Then, in &quot;/etc/squid.conf&quot; you can specify:</P>
<PRE>
acl bad-sites url_regex -i "/etc/squid/bad_words.regex"
http_access deny bad_sites
http_access allow valid_clients
http-access deny all
</PRE>
<P>Which probably makes life easier!! :-). That means that you can add words to the list
whenever you need to.</P>
<P>There is also a much more easier way of filtering both regexes and domain names, by using
a program called <A HREF="#squidg">SquidGuard</A>. More about that later.....</P>
<!-- ==================== -->
<!-- END squid: filtering -->
<!-- ==================== -->
<HR WIDTH=25%>
<!-- --------------------- -->
<!-- ======================= -->
<!-- BEGIN: squid: initsquid -->
<!-- ======================= -->
<H2><A NAME="filtering">Initialising Squid</A></H2>
<P>Now we come to the most important part -- actully running squid. Unfortunately, if this is
the first ever time that you'll be initialising squid, then there are a few options that you must
pass to it.</P>
<P>Typically, the most common options that can be passed to squid, can be summed up in the following
table.</P>
<TABLE BORDER="1" ALIGN="center" WIDTH=100%>
<TH WIDTH=25% ALIGN="center">Flag</TH>
<TH WIDTH=75% ALIGN="center">Explanation</TH>
<TR>
<TD ALIGN="center">-z</TD>
<TD ALIGN="left">This creates the swap directories that squid needs. This should only ever
be used when running squid for the first time, or if your cache directories get deleted.</TD>
</TR>
<TR>
<TD ALIGN="center">-f</TD>
<TD ALIGN="left">This options allows you to specify an alternative file to use, rather
than the default &quot;/etc/squid/conf&quot;. However, this option should be rarily used.</TD>
</TR>
<TR>
<TD ALIGN="center">-k reconfigure</TD>
<TD ALIGN="left">This option tells squid to re-load its configuration file, without stopping
the squid daemon itself.</TD>
</TR>
<TR>
<TD ALIGN="center">-k rotate</TD>
<TD ALIGN="left">This option tells squid to rotate its logs, and start new ones. This
option is useful in a cron job.</TD>
</TR>
<TR>
<TD ALIGN="center">-k shutdown</TD>
<TD ALIGN="left">Stops the execution of Squid.</TD>
</TR>
<TR>
<TD ALIGN="center">-k check</TD>
<TD ALIGN="left">Checks to ensure that the squid deamon is up and running.</TD>
</TR>
<TR>
<TD ALIGN="center">-k parse</TD>
<TD ALIGN="left">Same as &quot;-k reconfigure&quot;.</TD>
</TR>
</TABLE>
<P>The full listing however for the available options are as follows:</P>
<PRE>
Usage: squid [-dhsvzCDFNRVYX] [-f config-file] [-[au] port] [-k signal]
-a port Specify HTTP port number (default: 3128).
-d level Write debugging to stderr also.
-f file Use given config-file instead of
/etc/squid/squid.conf
-h Print help message.
-k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
Parse configuration file, then send signal to
running copy (except -k parse) and exit.
-s Enable logging to syslog.
-u port Specify ICP port number (default: 3130), disable with 0.
-v Print version.
-z Create swap directories
-C Do not catch fatal signals.
-D Disable initial DNS tests.
-F Foreground fast store rebuild.
-N No daemon mode.
-R Do not set REUSEADDR on port.
-V Virtual host httpd-accelerator.
-X Force full debugging.
-Y Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
</PRE>
<P>If you are running squid for the first time, then log in as user &quot;root&quot; and
type in the following:</P>
<PRE>
squid -z
</PRE>
<P>This will create the cache.</P>
<P>Then you can issue the command:</P>
<PRE>
squid
</PRE>
<P>And that's it -- you have yourself a running proxy server. Well done!!</P>
<HR>
<!-- ======================================================================== -->
<!-- ============= -->
<!-- BEGIN: squidg -->
<!-- ============= -->
<H2><A NAME="squidg">A Brief Introduction: SquidGuard</A></H2>
<!-- --------------------- -->
<!-- BEGIN: squidg contents -->
<!-- --------------------- -->
<UL>
<LI><A HREF="#wsquidg">What is SquidGuard?</A></LI>
<LI><A HREF="#sginst">Installation</A></LI>
<LI><A HREF="#sgconf">Configuration</A></LI>
</UL>
<!-- ===================== -->
<!-- END: squidg: contents -->
<!-- ===================== -->
<HR>
<!-- ===================== -->
<!-- ====================== -->
<!-- BEGIN: squidg: wsquidg -->
<!-- ====================== -->
<H2><A NAME="wsquidg">What is SquidGuard?</A></H2>
<P>SquidGuard is an external &quot;redirect program&quot; whereby squid actually forwards the
requests sent to itself to the external SquidGuard daemon. SquidGuard's job is to allow a
greater control of filtering than Squid itself does.</P>
<P>Although, it should be pointed out that to carry out filtering, the use of SquidGuard is not
necessary for simple filters.</P>
<!-- ===================== -->
<!-- END: squidg: wsquidg -->
<!-- ===================== -->
<HR WIDTH=25%>
<!-- ======================== -->
<!-- ====================== -->
<!-- BEGIN: squidg: sginst -->
<!-- ====================== -->
<H2><A NAME="sginst">Installation</A></H2>
<P>SquidGuard is available from (funnily enough) <A HREF="http://www.squidguard.org/download"
TARGET="_blank"> http://www.squidguard.org/download</A>. This site is very informative and
has lots of useful information about how to configure SquidGuard.</P>
<P>As per Squid, SquidGuard is available in both rpm and .tgz format.
<P>If your distribution supports the RPM format then you can install it in the following way:</P>
<PRE>
su - -c "rpm -i ./SquidGuard-1.2.1.noarch.rpm"
</PRE>
<P>Should your distribution not support the RPM format, then you can download the sources and
compile it, in the following manner:</P>
<PRE>
tar xzvf ./SquidGuard-1.2.1.tgz
./configure
make && make install
</PRE>
<P>The files should be installed in &quot;/usr/local/squidguard/&quot;</P>
<!-- ==================== -->
<!-- END: squidg: sginst -->
<!-- ==================== -->
<HR WIDTH=25%>
<!-- ======================== -->
<!-- ====================== -->
<!-- BEGIN: squidg: sgconf -->
<!-- ====================== -->
<H2><A NAME="sgconf">Configuration</A></H2>
<P>Before we can actually start tweaking the main &quot;/etc/squidguard.conf&quot;, we
must first make one small change to our old friend <B>&quot;/etc/squid.conf&quot;</B>.
In the file, locate the TAG:</P>
<PRE>
#redirect_program none
</PRE>
<P>Uncomment it, and replace the the word &quot;none&quot; for the path to the main
<B>SquidGuard</B> file. If you don't know where the main file is, then you can issue
the command:</P>
<PRE>
whereis squidGuard
</PRE>
<P>And then enter the appropriate path and filename. Thus, it should now look like:</P>
<PRE>
redirect_program /usr/local/bin/squidGuard
</PRE>
<P>Save the file, and then type in the following:</P>
<PRE>
squid -k reconfigure
</PRE>
<P>Which will re-load the configuration file.</P>
<P>Ok, now the fun begins. Having told squid that we will be using a redirect program to
filter requests sent to it, we must now define rules to match that.</P>
<P>SquidGuard's main configuration file is <B>&quot;/etc/squidguard&quot;</B>. Out of the
box, this file looks like the following:</P>
<P ALIGN="center">-------------------</P>
<P>(<A HREF="misc/adam/squidguard.conf.txt">text version</A>)</P>
<PRE>
logdir /var/squidGuard/logs
dbhome /var/squidGuard/db
src grownups {
ip 10.0.0.0/24 # range 10.0.0.0 - 10.0.0.255
# AND
user foo bar # ident foo or bar
}
src kids {
ip 10.0.0.0/22 # range 10.0.0.0 - 10.0.3.255
}
dest blacklist {
domainlist blacklist/domains
urllist blacklist/urls
}
acl {
grownups {
pass all
}
kids {
pass !blacklist all
}
default {
pass none
redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}
}
</PRE>
<P ALIGN="center">-------------------</P>
<P>What I shall do, is take the config file in sections, and explain what each part of it does.</P>
<PRE>
logdir /var/squidGuard/logs
dbhome /var/squidGuard/db
</PRE>
<P>The first line sets up the directory where the logfile will appear, and creates it if it
does not exist.</P>
<P>The second line sets up the directory where the database(s) of banned sites, expressions,
etc, are stored.</P>
<PRE>
src grownups {
ip 10.0.0.0/24 # range 10.0.0.0 - 10.0.0.255
# AND
user foo bar # ident foo or bar
}
</PRE>
<P>The above block of code, sets up a number of things. Firstly, the src &quot;grownups&quot;
is defined by specifying an IP address range, and saying which users are a member of this block.
For convenience sake, the generic terms &quot;foo&quot; and &quot;bar&quot; are used here as an
example.</P>
<P>It should also be pointed out that the <B>user</B> TAG can only be used if an ident server
is running on the server that forwards the request onto the squid proxy server, otherwise it will
be void.</P>
<PRE>
src kids {
ip 10.0.0.0/22 # range 10.0.0.0 - 10.0.3.255
}
</PRE>
<P>This section of statements sets up another block, this time called &quot;kids&quot; which is
determined by a range of IP addresses, but no users.</P>
<P>You can think of <B>grownups</B> and <B>kids</B> as being ACL names similar to those found in
&quot;/etc/squid.conf&quot;.</P>
<PRE>
dest blacklist {
domainlist blacklist/domains
urllist blacklist/urls
expression blacklist/expressions
}
</PRE>
<P>This section of code is significant since it defines a <B>dest</B> list to specific filtering
processes. By processes, there are three main ways that SquidGuard applies its filtering
process:</P>
<P>1. domainlist -- lists domains, and only those, one line at a time, for example:</P>
<PRE>
nasa.gov.org
squid-cache.org
cam.ac.uk
</PRE>
<P>2. urllist -- actually specifying specific webpages (and omitting the &quot;www.&quot;,
e.g.</P>
<PRE>
linuxgazette.com/current
cam.ac.uk/~users
</PRE>
<P>3. expression -- regex words that should be banned within the URL, thus:</P>
<PRE>
sex
busty
porn
</PRE>
<P>The last block of code:-</P>
<PRE>
acl {
grownups {
pass all
}
kids {
pass !blacklist all
}
default {
pass none
redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}
}
</PRE>
<P>Says that for the <B>acl</B> block, and for the &quot;grownups&quot; section, pass all the
requests to it -- i.e. allow those URL's / expressions, etc, that are contained witin the <B>dest
</B> blacklists.</P>
<P>Then, it says that for the &quot;kids&quot; section, pass all requests, <B>except</B> those
contained within the <B>dest blacklists</B>. At which point, if a URL is matched from the dest
blacklists, it is then forwarded, to the <B>default</B> section.</P>
<P>The <B>default</B> section says that if requests are found not to come from either &quot;
grownups&quot; or &quot;kids&quot; then it won't allow access to the website, and will
redirect you to another webpage, which is most likely an error page.</P>
<P>The variables passed with this redirect statement, specify the type of request, etc,
which can then be processed by a cgi-script to produce a custom error message, for example.</P>
<P>It should be pointed out that in order for filtering to take place, then the following
piece of code should be present:</P>
<PRE>
default {
pass none
}
</PRE>
<P>Either with or without the <B>redirect</B> clause.</P>
<P>There are more advanced configuration options that can be used within this file. Examples
can be found out at <A HREF="http://www.squidguard.org/configuration" TARGET="_blank">
http://www.squidguard.org/configuration</A>.</P>
<P>Thus completes the tutorial for both <B>Squid</B> and <B>SquidGuard</B>. Further
information can be found at the all of the URL's embedded in this document, and at my
website, which is at the following address:</P>
<A HREF="http://www.squidproxyapps.org.uk" TARGET="_blank">www.squidproxyapps.org.uk</A>
<!-- ==================== -->
<!-- END: squidg: sgconf -->
<!-- ==================== -->
<HR>
<!-- ======================== -->
<!-- ====================== -->
<!-- BEGIN: keyfiles -->
<!-- ====================== -->
<H2><A NAME="keyfiles">Keyfiles: A Handy BASH backup script</A></H2>
<P>OK, ok, I know you're all thinking: &quot;Not <I>another</I> backup script&quot;.
Well, there has been some talk of this on TAG (The Answer Gang) mailing list recently
so, I thought, I'd jump on the band-wagon.....</P>
<P>This script is really quite simple -- it uses a configuration file (plain text)
which lists all of the files (and directories) that you want backed up, and then
puts them in a gzipped tarball, in a specified location.</P>
<P>Those of you who are familiar with BASH shell scripting, might find this a little
rumedial, however, I hope that my in-line comments will aid those who are still trying
to learn the shell</P>
<P ALIGN="center">-------------------</P>
<P>(<A HREF="misc/adam/keyfiles.sh.txt">Text Version</A>)</P>
<PRE>
#!/bin/bash
#################################################
#Keyfiles - tar/gzip configuration files #
#Version: Version 1.0 (first draft) #
#Ackn: based on an idea from Dave Turnbull #
#Authour: Thomas Adam #
#Date: Monday 28 May 2001, 16:05pm BST #
#Website: www.squidproxyapps.org.uk #
#Contact: thomas@squidproxyapps.org.uk #
#################################################
#Comments herein are for the benefit of Dave Turnbull :-).
#Declare Variables
configfile="/etc/keyfiles.conf"
tmpdir="/tmp"
wrkdir="/var/log/keyfiles"
tarfile=keyfiles-$(date +%d%m%Y).tgz
method=$1 #options passed to "keyfiles"
submethod=$2 #options supplied along with "$1"
quiet=0 #Turns on verbosity (default)
cmd=`basename $0` #strip path from filename.
optfiles="Usage: $cmd [--default (--quiet)] [--listconffiles] [--restore (--quiet)] [--editconf] [--delold] [--version]"
version="keyfiles: Created by Thomas Adam, Version 1.0 (Tuesday 5 June 2001, 23:42)"
#handle error checking...
if [ ! -e $configfile ]; then
for beepthatbell in 1 2 3 4 5; do
echo -en "\x07"
mail -s "[Keyfiles]: $configfile not found" $USER
done
fi
#Make sure we have a working directory
[ ! -d $wrkdir ] && mkdir $wrkdir
#Parse options sent via command-line
if [ -z $method ]; then
echo $optfiles
exit 0
fi
#Check command line syntax
check_syntax ()
{
case $method in
--default)
cmd_default
;;
--listconffiles)
cmd_listconffiles
;;
--restore)
shift 1
cmd_restore
;;
--editconf)
exec $EDITOR $configfile
exit 0
;;
--delold)
cd $wrkdir && rm -f ./*.old > /dev/null
exit 0
;;
--version)
echo $version
exit 0
;;
--*|-*|*)
echo $optfiles
exit 0
;;
esac
}
#Now the work begins.....
#declare function to use "--default" settings
cmd_default ()
{
#tar/gz all files contained within $configfile
if [ $submethod ]; then
tar -cZPpsf $tmp/$tarfile $(cat $configfile) &>/dev/null 2>&1
else
tar -vcZPpsf $tmp/$tarfile $(cat $configfile)
fi
#If the contents of the directory is empty......
if test $(ls -1 $wrkdir | grep -c -) = "0"; then
mv $tmp/$tarfile $wrkdir
exit 0
fi
for i in $(ls $wrkdir/*.tgz); do
mv $i $i.old
done
mv $tmp/$tarfile $wrkdir
}
#List files contained within $configfile
cmd_listconffiles ()
{
sort -o $configfile $configfile
cat $configfile
exit 0
}
#Restore files......
cmd_restore ()
{
cp $wrkdir/keyfiles*.tgz /
cd /
#Check for quiet flag :-)
if [ $submethod ]; then
tar vzxfmp keyfiles*.tgz &>/dev/null 2>&1
rm -f /keyfiles*.tgz
exit 0
else
tar vzxfmp keyfiles*.tgz
rm -f /keyfiles*.tgz
exit 0
fi
}
#call the main function
check_syntax
</PRE>
<P ALIGN="center">-------------------</P>
<P>Suffice to say, the main changes that you might have to make, are to the following
variables:</P>
<PRE>
configfile="/etc/keyfiles.conf"
tmpdir="/tmp"
wrkdir="/var/log/keyfiles"
</PRE>
<P>However, my script is sufficiently intelligent, to check for the presence of $wrkdir,
and if it doesn't exist -- create it.</P>
<P>You will also have to make sure that you set the appropriate permissions, thus:</P>
<PRE>
chmod 700 /usr/local/bin/keyfiles
</PRE>
<P>The most important file, is the script's configuration file, which, for me, looks like
the following:</P>
<P ALIGN="center">-------------------</P>
<P>(<A HREF="misc/adam/keyfiles.conf.txt">Text Version</A>)</P>
<PRE>
/etc/keyfiles.conf
/etc/rc.config
/home/*/.AnotherLevel/*
/home/*/.fvwm2rc.m4
/home/solent/ada/*
/root/.AnotherLevel/*
/root/.fvwm2rc.m4
/usr/bin/header.sed
/usr/bin/loop4mail
/var/spool/mail/*
</PRE>
<P ALIGN="center">-------------------</P>
<P>Since this file, is passed to the main <B>tar</B> program, then the use of wildcards is
valid, as in the above file.</P>
<P>It should be pointed out that each time the script runs, the last backup file created, i.e &quot;keyfiles-DATE.tgz&quot; is renamed to &quot;keyfiles-DATE.tgz.old&quot; before the new file
takes its place.</P>
<P>This is so that if you need to restore the backup file at anytime, my script knows which file
to use by checking for a &quot.tgz&quot; extension.</P>
<P>Because of this feature, I have also included a &quot;--delold&quot; option which deletes all the
old backup files from the directory.</P>
<P>To use the program, type:</P>
<PRE>
keyfiles --default
</PRE>
<P>Which will start the backup process. If you want to surpress the verbosity, you can add the flag:
</P>
<PRE>
keyfiles --default --quiet
</PRE>
<P>The other options that this program takes, are pretty much self-explanatory.</P>
<P>This backup script is by no means perfect, and there are better ones available. Any
comments that you have, would be appreciated!!</P>
<!-- ==================== -->
<!-- END: keyfiles -->
<!-- ==================== -->
<HR>
<!-- ======================== -->
<!-- ====================== -->
<!-- BEGIN: keyfiles -->
<!-- ====================== -->
<H2><A NAME="prognedit">Program Review: Nedit</A></H2>
<P>Way, way, back in the days when the illustrious founder of this special magazine, <B>
John Fisk</B> was writing this column, another authour, <B>Larry Ayers</B> used to do a
series of program reviews. He mentioned briefly a new program called <I>Nedit</I>, but
never reviewed it.</P>
<P>So, I will :-)</P>
<P>I have been using Nedit for about three years now. I do all of my work in it -- when I
am in X11 that is. A typical window of Nedit, looks like <A HREF="misc/adam/nedit1.png">
this screenshot</A>.</P>
<P>This program offers a huge selection of features. Probably the most popular is the
syntax highlighting feature, for over a host of languages, many of which are:</P>
<UL>
<LI>C</LI>
<LI>C++</LI>
<LI>Java</LI>
<LI>JavaScript</LI>
<LI>Ada</LI>
<LI>Fortran</LI>
<LI>Pascal</LI>
<LI>Lex</LI>
<LI>Yacc</LI>
<LI>Perl</LI>
<LI>Python</LI>
<LI>Tcl</LI>
<LI>Awk</LI>
<LI>Sh Ksh Bash</LI>
<LI>Csh</LI>
<LI>Makefile</LI>
<LI>SGML HTMK</LI>
<LI>LaTeX</LI>
<LI>Postscript</LI>
<LI>SQL</LI>
<LI>Matlab</LI>
<LI>VHDL</LI>
<LI>Verilog</LI>
<LI>Xresources</LI>
<LI>Nedit Macro</LI>
<LI>CSS</LI>
<LI>Regex</LI>
<LI>XML</LI>
</UL>
<P>If, for some bizare reason, you program in an obscure langauge that is not listed in the
above then you can specify your own regex patterns.</P>
<P>Nedit also allows you to do complex search and replace methods by using case-sensitive
regex pattern matches.</P>
<P>A typical search / replace dialog box, looks like the following:</P>
<IMG SRC=".isc/adam/nedit2.png">
<P>Allowing you to form complex searches.</P>
<P>Each of the menus, can be torn-off and remain sticky windows. This can be particularly
useful, if you a particular menu over and over, and don't want to keep clicking on it
each time.</P>
<P>This program is over-loaded with options, many of which I am sure are useful, but I
have not been able to find a use for all of them yet. And as if that was not enough,
Nedit allows you to write custom macros so that you can define even more weirder
functions.</P>
<P>I recommend this program to <I>everyone</I>, and while I don't want to re-invent the
<B>Emacs / Vim</B> argument, I really would consider it a viable alternative to the
over-bloated &quot;X11-Emacs&quot; package that eats up far too much memory!! :-) </P>
<P>You can get Nedit from the following:</P>
<A HREF="http://www.nedit.org" TARGET="_blank">www.nedit.org</A>
<P>Enjoy it :-)</P>
<!-- ==================== -->
<!-- END: nedit -->
<!-- ==================== -->
<HR>
<!-- ======================== -->
<!-- ====================== -->
<!-- BEGIN: closing time -->
<!-- ====================== -->
<H2><A NAME="closet">Closing Time</A></H2>
<P>Well, that concludes it for this month -- I had not expected it to be quite this long!!.
My academic year is more or less at a close, and I have exams coming up at the end of May.
Then I shall be free over the summer to pursue all my Linux ideas that have been
formulating in my brain ( <B>-- that is whats left of it after Ben Okopnik brain washed me)
</B>:-)</P>
<P>Oh well, until next month -- take care.</P>
<!-- ==================== -->
<!-- END: closet -->
<!-- ==================== -->
<HR>
<!-- ** Begin table comments, etc. Oh wakey wakey you idiot Thomas ** -->
<TABLE width="60%" align=center border=0>
<TBODY>
<TR>
<TH></TH>
<TH></TH>
<TH></TH>
<TR>
<TD width="10%"><IMG height=64 alt="" src="../gx/adam/mail.png"
width=64 align=left></TD>
<TD align=middle width="80%"><FONT color=red size=5>Send Your
Comments</FONT></TD>
<TD width="10%"><IMG height=64 alt="" src="../gx/adam/mail.png"
width=64 align=left></TD></TR></TBODY></TABLE>
<P align=center><FONT size=3>Any comments, suggestions, ideas, etc can be mailed
to me by clicking the e-mail address link below:</FONT></P>
<P align=center><FONT size=3><A
href="mailto:thomas_adam16@yahoo.com">mailto:thomas_adam16@yahoo.com</A></FONT></P>
<HR>
<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P>
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Thomas Adam</H4>
My name is Thomas Adam. I am 18, and am currently studying for A-Levels
(=university entrance exam). I live
on a small farm, in the county of Dorset in England. I am a massive Linux
enthusiast, and help with linux proxy issues while I am at school. I have been
using Linux now for about six years. When not using Linux, I play the piano,
and enjoy walking and cycling.
<!-- *** END bio *** -->
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2002, Thomas Adam.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 78 of <i>Linux Gazette</i>, May 2002</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="lg_bytes.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue78/adam.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="alcidi.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink