Projects/Adblocker
Latest revision as of 19:09, 13 January 2017
Hardware
- Virtual machine on HP ProLiant Gen8 with ESXi hypervisor
- 40 GB HDD
- 1x 2.3 GHz CPU
- 1 GB RAM
- 2x 1 Gbit network connections (only one being used currently)
Software

Operating system
- Ubuntu 16.04.1 LTS

Services
- Squid 3 (ad filtering)
- Apache2 (only for WPAD file distribution)
- DHCP server (isc-dhcp-server) to distribute the proxy settings to clients automatically via DHCP option 252
System Configuration
- Assign the system a fixed IP address, DNS server and gateway

IP address and DNS server

Edit the interfaces file:

sudo nano /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens160
iface ens160 inet static
address 192.168.178.13
netmask 255.255.255.0
network 192.168.178.0
gateway 192.168.178.1
dns-nameservers 192.168.178.1

Default gateway route

The gateway line above only takes effect the next time the interface comes up. To switch the running system's default route immediately:

sudo ip route change default via 192.168.178.1 dev ens160

Restart networking to apply the changes:

sudo service networking restart

On Ubuntu 16.04 this does not reliably reconfigure an interface that is already up. If the address does not change, take the interface down and up again (sudo ifdown ens160 && sudo ifup ens160) from the VM console rather than over SSH, since the session drops while the address changes.

Update software

Run the following commands to install the latest updates available for your system:

sudo apt update
sudo apt -y upgrade

Services configuration

Install the required packages. On Ubuntu 16.04 the Squid 3.5 package is named squid; squid3 is only a transitional package that pulls it in.

sudo apt install apache2 isc-dhcp-server squid squidguard

Apache
Create a new site for WPAD distribution. Everything under /etc/apache2 is owned by root, so edit it as root, not as www-data:

sudo nano /etc/apache2/sites-available/wpad.conf

And paste the following:

# Auto Proxy Configuration
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/wpad
    ServerName wpad.webfilter.local
    ServerAlias wpad

    # browsers expect this MIME type for PAC files
    AddType application/x-ns-proxy-autoconfig .dat
    AddType application/x-ns-proxy-autoconfig .pac
</VirtualHost>

Two things to take care of that are easy to miss:
- The DocumentRoot does not exist yet; create it with sudo mkdir -p /var/www/wpad. Apache only needs read access to the PAC files, so there is no reason to create or own them as www-data.
- The DHCP option configured below hands clients http://192.168.178.13/proxy.pac, a URL by IP address, so the request's Host header never matches wpad.webfilter.local. Apache then serves it from the first virtual host loaded for *:80, which on Ubuntu is 000-default with DocumentRoot /var/www/html, and the PAC file is not found there. Either disable the default site (sudo a2dissite 000-default) so wpad becomes the default for *:80, or place the PAC files in /var/www/html as well.

Create the three files for automatic proxy distribution:

sudo nano /var/www/wpad/XXXXXXXXX.XXX

Replace "XXXXXXXXX.XXX" with proxy.dat, proxy.pac and wpad.dat in turn. All three files contain exactly the same function; proxy.pac is the one the DHCP option below points at, and wpad.dat is the filename browsers request when they discover the proxy through DNS instead (http://wpad.<domain>/wpad.dat).

function FindProxyForURL(url, host) {
    // loopback traffic never goes through the proxy
    if (isInNet(host, "127.0.0.1", "255.0.0.0"))
        return "DIRECT";

    // unqualified names (e.g. "nas") are local: go direct
    if (isPlainHostName(host))
        return "DIRECT";

    // isInNet() resolves the name first, so this costs a DNS lookup per request.
    // As written this branch and the else branch return the same thing, so it is
    // redundant; return "DIRECT" here instead if LAN traffic should bypass the proxy.
    if (isInNet(host, "192.168.178.0", "255.255.255.0"))
        return "PROXY 192.168.178.13:8080; DIRECT";
    else
        return "PROXY 192.168.178.13:8080; DIRECT";
}

Note the trailing "; DIRECT": if the proxy is down, browsers silently fall back to a direct connection, so the ad filter fails open rather than closed. Drop it if you would rather have browsing stop when the proxy is unavailable.

WPAD itself carries no authentication: whoever answers DHCP on the LAN, or resolves the name wpad in the DNS suffix a client uses, decides which proxy every client sends its traffic through. Keep the DHCP server and the wpad name under your control, and be aware that a laptop with proxy auto-detection enabled will accept the same offer on any other network it joins.

Enable the new Apache2 site by running

sudo a2ensite wpad

Reload Apache to apply the changes:

sudo service apache2 reload
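The PAC function above is plain JavaScript, so its decisions can be checked offline before it is handed to every client. The following is an added example, not code from the original page: it supplies minimal versions of the helper functions a browser's PAC runtime provides (isInNet, isPlainHostName, dnsResolve) and runs the page's FindProxyForURL over a handful of constructed URLs. The DNS table is an assumption standing in for the real resolver; the 93.184.216.34 address and the nas names are made up for the example.

```javascript
"use strict";

// Constructed resolver table standing in for real DNS (an assumption of this example).
const DNS_TABLE = {
  "localhost": "127.0.0.1",
  "nas": "192.168.178.5",
  "nas.homenet.local": "192.168.178.5",
  "www.example.com": "93.184.216.34",
};

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Minimal versions of the helpers a browser's PAC runtime provides.
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // already an address
  const ip = DNS_TABLE[host.toLowerCase()];
  return ip === undefined ? null : ip;
}

function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host); // a real browser does a DNS lookup here, per request
  if (ip === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The page's FindProxyForURL, unchanged.
function FindProxyForURL(url, host) {
  if (isInNet(host, "127.0.0.1", "255.0.0.0")) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "192.168.178.0", "255.255.255.0"))
    return "PROXY 192.168.178.13:8080; DIRECT";
  else
    return "PROXY 192.168.178.13:8080; DIRECT";
}

// Constructed URLs that exercise every branch, plus a name that does not resolve.
const SAMPLE_URLS = [
  "http://localhost/",
  "http://nas/",
  "http://nas.homenet.local/",
  "http://192.168.178.5/",
  "http://www.example.com/",
  "http://unknown.invalid/",
];

// Returns { url: decision } for each sample URL.
function evaluateAll(urls = SAMPLE_URLS) {
  const decisions = {};
  for (const url of urls) {
    const host = new URL(url).hostname; // the browser passes the bare hostname
    decisions[url] = FindProxyForURL(url, host);
  }
  return decisions;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [url, decision] of Object.entries(evaluateAll())) {
    console.log(`${url.padEnd(30)} -> ${decision}`);
  }
}
```

The run makes two properties of the page's script visible: only loopback and unqualified names go direct, while LAN addresses, unresolvable names and everything else are sent through the proxy, and the third branch never changes the outcome.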
DHCPd

The VM has a second NIC; if it is ever brought up, set INTERFACES="ens160" in /etc/default/isc-dhcp-server so dhcpd only answers on the LAN interface. Then edit /etc/dhcp/dhcpd.conf:

sudo nano /etc/dhcp/dhcpd.conf

Adjust as follows:
#
# Sample configuration file for ISC dhcpd for Debian
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# option definitions common to all supported networks...
option domain-name "homenet.local";
option domain-name-servers 192.168.178.1;
default-lease-time 600;
max-lease-time 7200;
# This host is meant to be the only DHCP server on the local network, so it is
# authoritative: clients asking to renew a lease from another server get a NAK
# instead of being ignored.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}
# This is a very basic subnet declaration.
option local-wpad code 252 = text;
subnet 192.168.178.0 netmask 255.255.255.0 {
range 192.168.178.20 192.168.178.40;
option routers 192.168.178.1;
option local-wpad "http://192.168.178.13/proxy.pac";
}

Restart DHCPd to apply the changes:

sudo service isc-dhcp-server restart

Two DHCP servers on one LAN is a race: if the router at 192.168.178.1 still runs its own DHCP server, each client takes whichever offer arrives first and only some of them receive option 252. Disable the router's DHCP server so this host is the only one answering.

You can use the tool DHCP Test by Vladimir Panteleev (https://blog.thecybershadow.net/2013/01/10/dhcp-test-client/) to verify that your configuration was applied and works. The output should look something like this:
dhcptest v0.5 - Written by Vladimir Panteleev
https://github.com/CyberShadow/dhcptest
Run with --help for a list of command-line options.
Listening for DHCP replies on port 68.
Type "d" to broadcast a DHCP discover packet, or "help" for details.
d
Sending packet:
op=BOOTREQUEST chaddr=20:6B:AD:EB:E2:85 hops=0 xid=26195EB3 secs=0 flags=8000
ciaddr=0.0.0.0 yiaddr=0.0.0.0 siaddr=0.0.0.0 giaddr=0.0.0.0 sname= file=
1 options:
53 (DHCP Message Type): discover
Received packet from 192.168.178.13:67:
op=BOOTREPLY chaddr=20:6B:AD:EB:E2:85 hops=0 xid=26195EB3 secs=0 flags=8000 ciaddr=0.0.0.0 yiaddr=192.168.178.40 siaddr=192.168.178.13 giaddr=0.0.0.0 sname= file=
8 options:
53 (DHCP Message Type): offer
54 (Server Identifier): 192.168.178.13
51 (IP Address Lease Time): 600 (10 minutes)
1 (Subnet Mask): 255.255.255.0
3 (Router Option): 192.168.178.1
6 (Domain Name Server Option): 192.168.178.1
252 (Unknown): "http://192.168.178.13/proxy.pac" (68 74 74 70 3A 2F 2F 31 39 32 2E 31 36 38 2E 31 37 38 2E 31 33 2F 70 72 6F 78 79 2E 70 61 63)
15 (Domain Name): homenet.local

If DHCP is working as intended, the offer carries an address from the pool specified earlier and the proxy.pac URL as option 252. dhcptest labels it "Unknown" because 252 is not a standardised option; its value is free-form text, which is why dhcpd.conf declares it as "code 252 = text".
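The hex dump dhcptest prints for option 252 is just the URL's ASCII bytes inside the DHCP type-length-value option field. The block below is an added example, not from the page or from dhcptest: it rebuilds a small options field around the exact bytes shown above and parses it the way a client does, then accepts the WPAD URL only if the offer's server identifier (option 54) is the host that is supposed to hand it out. The surrounding options, their order, the padding and the end marker are constructed for the example.

```javascript
"use strict";

// Option 252 payload exactly as dhcptest printed it on this page.
const OPTION_252_HEX =
  "68 74 74 70 3A 2F 2F 31 39 32 2E 31 36 38 2E 31 37 38 2E 31 33 2F 70 72 6F 78 79 2E 70 61 63";
const OPTION_252_BYTES = Buffer.from(OPTION_252_HEX.replace(/\s+/g, ""), "hex");

// Constructed options field (assumption: the other options, their order, the
// padding and the end marker are made up to mirror the offer shown above).
const SAMPLE_OPTIONS = Buffer.concat([
  Buffer.from([53, 1, 2]),                     // DHCP message type: offer
  Buffer.from([54, 4, 192, 168, 178, 13]),     // server identifier
  Buffer.from([252, OPTION_252_BYTES.length]), // WPAD URL, length 31
  OPTION_252_BYTES,
  Buffer.from([0, 0]),                         // pad bytes, no length field
  Buffer.from([255]),                          // end of options
]);

// Parse the TLV option field: code, length, value. Code 0 is a one-byte pad,
// code 255 ends the list; a length that overruns the field is rejected.
function parseDhcpOptions(buf) {
  const options = new Map();
  let i = 0;
  while (i < buf.length) {
    const code = buf[i++];
    if (code === 0) continue;
    if (code === 255) break;
    if (i >= buf.length) throw new Error(`option ${code}: truncated before length`);
    const len = buf[i++];
    if (i + len > buf.length) throw new Error(`option ${code}: length ${len} overruns field`);
    options.set(code, buf.subarray(i, i + len));
    i += len;
  }
  return options;
}

// Option 54 as dotted quad, or null if absent or malformed.
function serverIdentifier(options) {
  const v = options.get(54);
  if (!v || v.length !== 4) return null;
  return Array.from(v).join(".");
}

// Option 252 is free-form text: insist on a printable http(s) URL before
// anything downstream is allowed to fetch it.
function wpadUrl(options) {
  const v = options.get(252);
  if (!v) return null;
  const text = v.toString("latin1");
  if (!/^https?:\/\/[\x21-\x7e]+$/.test(text)) {
    throw new Error("option 252 is not a printable URL");
  }
  return text;
}

// Accept the WPAD URL only from the DHCP server we expect to hand it out.
function wpadFromExpectedServer(buf, expectedServer) {
  const options = parseDhcpOptions(buf);
  if (serverIdentifier(options) !== expectedServer) return null;
  return wpadUrl(options);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(wpadFromExpectedServer(SAMPLE_OPTIONS, "192.168.178.13"));
}
```

Browsers do not perform the server-identifier check; it is shown here because a rogue DHCP server on the same segment can hand out its own option 252, and logging offers whose server identifier is not 192.168.178.13 is the cheapest way to notice one.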
Squid

Edit squid.conf:

sudo nano /etc/squid/squid.conf

#acl lists
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.178.0/24 # RFC1918 possible internal network
# ad_block.txt holds one hostname per line. dstdom_regex treats every line as an
# unanchored regular expression, so "ads.example.com" also matches
# "loads.example.com" and each dot matches any character. dstdomain would
# match the hostnames exactly (and subdomains, with a leading dot).
acl ads dstdom_regex "/etc/squid/ad_block.txt"
http_access deny ads
#port connections
acl SSL_ports port 443
acl SSL method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#allow/deny
http_access allow manager localhost
http_access deny manager
# Do not put "http_access allow localnet" here: Squid stops at the first matching
# rule, so an allow before the Safe_ports and CONNECT checks would let LAN clients
# reach any port through the proxy. localnet is allowed further down, after them.
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Example rule allowing access from your local networks.
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
#bind address default port is 3128
http_port 192.168.178.13:8080

#cache directory: create /squid-cache, chown it to proxy:proxy and initialise it once with "sudo squid -z"
cache_dir ufs /squid-cache/ 512 16 128
#cache_mem 2048MB
#coredump_dir /home/serveruser/squidcache/

#log
cache_store_log /var/log/squid/store.log

#rewrite program squidGuard. While these stay commented out Squid never calls
#squidGuard and only the dstdom_regex ACL above blocks ads; uncomment them to
#put squidGuard into the request path.
#url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#url_rewrite_children 5 #threads
#url_rewrite_concurrency 0 #jobs per threads

Check the file for errors and apply it without restarting the proxy:

sudo squid -k parse
sudo squid -k reconfigure

SquidGuard
Edit /etc/squidguard/squidGuard.conf. Note the capital G: that is the file the url_rewrite_program line in squid.conf points at, and on a case-sensitive filesystem /etc/squidguard/squidguard.conf would be a different file that nothing reads.

sudo nano /etc/squidguard/squidGuard.conf

The packaged sample content (the workhours time rule, the admin/foo-clients/bar-clients sources with 1.2.3.4 and 172.16.x addresses, the good/local/porn/adult destinations and the acl block that uses them) has to go, not just be left above your own rules: squidGuard applies the first acl entry that matches a request, and the sample's default entry (pass local none, with an empty local destination) would be the one applied, blocking everything and redirecting to admin.foo.bar.de. What remains is the ads category and a single default rule. Comments are kept outside the braces, as the file's own caution asks:

#
# CONFIG FILE FOR SQUIDGUARD
#
# Caution: do NOT use comments inside { }
#

dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# ads category; list paths are relative to dbhome
dest ads {
    domainlist blacklists/ads/domains
    urllist blacklists/ads/urls
}

# default: allow everything except 'ads' and redirect blocked requests to a
# transparent gif. The client's browser follows the redirect URL, so it must
# name this server; "localhost" would point the client at itself.
acl {
    default {
        pass !ads all
        redirect http://192.168.178.13/blank.gif
    }
}

Put blank.gif (a 1x1 transparent GIF) into /var/www/wpad next to the PAC files; the same virtual host has to answer requests made by IP address. The update command in the next section only refreshes Squid's ad_block.txt, so the lists under /var/lib/squidguard/db/blacklists/ads/ have to be populated separately and then compiled into database files that the proxy user can read:

sudo squidGuard -C all
sudo chown -R proxy:proxy /var/lib/squidguard/db

Finally uncomment the url_rewrite_program line in squid.conf and reconfigure Squid; until then this file has no effect.

Keeping the lists up to date
The original one-liner, sudo curl ... > ad_block.txt, writes into the current directory as the unprivileged user (the shell performs the redirection, not sudo), so /etc/squid/ad_block.txt never changes. Download to a temporary file first, so that a failed fetch does not leave an empty list behind, install it into place, and tell Squid to reload. The list decides what the proxy blocks, so fetch it over HTTPS:

curl -fsSL --compressed "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&showintro=0&mimetype=plaintext" -o /tmp/ad_block.txt && sudo install -m 644 /tmp/ad_block.txt /etc/squid/ad_block.txt && sudo squid -k reconfigure
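Because the Squid ACL above feeds this one-hostname-per-line list to dstdom_regex, each line is used as an unanchored regular expression. The block below is an added example, not part of the page and not something pgl.yoyo.org provides: it converts such a list into escaped, anchored patterns that match the listed host and its subdomains only, drops lines that are not syntactically valid hostnames (a downloaded list should not be able to inject arbitrary regexes into the proxy), and emulates dstdom_regex on a few hosts to show the difference. The sample list, including the two bad lines, is constructed for the example.

```javascript
"use strict";

// Constructed sample in the one-hostname-per-line format the curl command
// above downloads. The last two lines are deliberately bad to show what the
// validation rejects; they are not real list output.
const SAMPLE_LIST = [
  "ads.example.com",
  "track.example.net",
  "",
  "evil.example.org/../etc",
  "not a hostname",
].join("\n");

// Hostname syntax: labels of 1-63 chars, alnum and hyphens, 253 chars overall.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Escape regex metacharacters and anchor the pattern so it matches the host
// itself or one of its subdomains, and nothing else.
function hostToPattern(host) {
  const escaped = host.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return `(^|\\.)${escaped}$`;
}

// Convert a downloaded list into dstdom_regex patterns; returns the accepted
// patterns and the rejected lines so the latter can be logged.
function convertList(text) {
  const patterns = [];
  const rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().toLowerCase();
    if (line === "" || line.startsWith("#")) continue;
    if (!HOSTNAME_RE.test(line)) {
      rejected.push(line);
      continue;
    }
    patterns.push(hostToPattern(line));
  }
  return { patterns, rejected };
}

// Emulates dstdom_regex: the request host is tested against every pattern.
function blocked(patterns, host) {
  return patterns.some((p) => new RegExp(p).test(host.toLowerCase()));
}

// Compare the raw list, as the page feeds it to Squid, with the anchored version.
function compare(host) {
  const rawPatterns = SAMPLE_LIST.split("\n").filter((l) => HOSTNAME_RE.test(l));
  const { patterns } = convertList(SAMPLE_LIST);
  return { raw: blocked(rawPatterns, host), anchored: blocked(patterns, host) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { patterns, rejected } = convertList(SAMPLE_LIST);
  console.log("patterns:", patterns);
  console.log("rejected:", rejected);
  for (const host of ["ads.example.com", "cdn.ads.example.com", "loads.example.com", "adsXexample.com"]) {
    console.log(host.padEnd(22), compare(host));
  }
}
```

Writing the converted patterns to /etc/squid/ad_block.txt keeps the dstdom_regex ACL as configured. The alternative with the same host-or-subdomain semantics and no regex engine in the request path is to switch the ACL to dstdomain and prefix every line with a dot (.ads.example.com).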
Useful links
http://www.itbert.de/raspberry-pi-squid-block-ads/
https://wiki.gentoo.org/wiki/ProxyAutoConfig
https://calomel.org/squid_adservers.html
http://askubuntu.com/questions/140126/how-do-i-install-and-configure-a-dhcp-server
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Automatic_WPAD_with_DNS
http://serverfault.com/questions/633108/automatic-proxy-discovery-wpad-example-com-doesnt-work
https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
https://codepoets.co.uk/2014/squid-3-4-x-with-ssl-for-debian-wheezy/
http://ubuntuserverguide.com/2012/06/how-to-setup-squid3-as-transparent-proxy-on-ubuntu-server-12-04.html
http://pgl.yoyo.org/adservers/