Squid / SquidGuard / DansGuardian

From the Wiki des Responsables Techniques du 85

Overview

  • Squid is a proxy server that acts as the gateway and cache for the site's Internet connections
  • Samba (winbind) authenticates the users against the Windows domain when they connect through the proxy
  • SquidGuard is a URL redirector which, coupled with Squid, filters Internet connections against category lists
  • DansGuardian plays the same role as SquidGuard, but runs as a separate filtering proxy placed in front of Squid rather than as a plug-in inside it

Installation

This installation should preferably be done on an Ubuntu server, otherwise on Debian Jessie.

First install the Squid package

apt-get install squid

Then install Samba for the authentication part

apt-get install samba winbind krb5-user libnss-winbind

Finally choose between SquidGuard and DansGuardian

apt-get install squidguard

or

apt-get install dansguardian

Then install Apache2 to serve the error / redirect pages

apt-get install apache2

Enable the CGI execution module (the command is a2enmod; on a threaded MPM it selects cgid for you)

a2enmod cgi

Samba installation

The installation and configuration of Samba are identical to the ones done in this tutorial for FreeRADIUS: Samba

Configuration

For better security there are two possible layouts:

  • Squid server multi-homed on two distinct networks: DansGuardian listens on the client network on port 8080, checks the request against its rules and forwards it to Squid on the loopback address (127.0.0.1), and only Squid can get out to the Internet.
  • A single network, or several with routing: same layout, DansGuardian listens on port 8080 and forwards to Squid on loopback, and Squid is the only host the firewall lets through to the Internet.

In both layouts Squid must listen on a port other than 8080, bound to loopback, so that DansGuardian is the only entry point. The squid.conf example further down is the SquidGuard variant, where the filter runs inside Squid as a url_rewrite_program and Squid itself listens on 8080.
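What the two files look like for the second layout, as an added example (not from the page): Squid reachable only on loopback, DansGuardian listening on the LAN side and handing requests to it. The port 3128 and the interface address 172.20.0.6 are assumptions.

```text
# /etc/squid/squid.conf: only the filter on the same host can reach Squid
http_port 127.0.0.1:3128

# /etc/dansguardian/dansguardian.conf: listen on the LAN, forward to Squid
filterip = 172.20.0.6
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
```

The filter only sees traffic that goes through it: the upstream firewall has to allow the proxy host alone out on 80/443, otherwise a client that simply unsets its proxy settings bypasses DansGuardian altogether.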

NTLM user authentication

Squid's ntlm_auth helper runs as the proxy user and talks to winbind through the privileged pipe under /var/lib/samba/winbindd_privileged, which is only accessible to the winbindd_priv group, so the proxy user has to be added to that group:

chgrp winbindd_priv /var/lib/samba/winbindd_privileged
gpasswd -a proxy winbindd_priv

Restart Squid afterwards so that the helpers start with the new group. Check first that winbind itself can reach the domain (wbinfo -t must report that the trust secret is fine); if it cannot, every request fails authentication and, for clients outside the admin and server zones, ends up in http_access deny all. NTLM is kept here because it is what the ntlm_auth helper provides; where the clients support it, Kerberos (negotiate) is the stronger choice.

Squid configuration file

Example Squid configuration file (comments explain the points that matter for security):

dns_v4_first on
visible_hostname squid

error_directory /usr/share/squid/errors/French

cache_dir ufs /data/squid/spool 5000 16 256
cache_mem 256 MB
coredump_dir /data/squid/spool
cache_store_log none

# NTLM single sign-on through winbind. Note the two dashes: the wiki rendering
# had turned "--helper-protocol" into a single dash character, which breaks the helper.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive off
#auth_param ntlm realm ETAB

acl sitebypass dstdomain "/var/lib/squidguard/db/exception/bypassite/bypassite.url"
# Tor relay addresses, one per line; see "Blocking Tor with Squid" below
acl tor dst "/etc/squid/torlist"

acl administrationzone src 172.21.0.0/16
acl srvzone src 172.20.0.0/16
acl ntlm proxy_auth REQUIRED
# nuisance filter only: "setup.msi?x=1" or a renamed file gets past the $ anchor
acl url_exe url_regex -i \.msi$ \.dll$

acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 21    # ftp
acl Safe_ports port 443    # https
acl Safe_ports port 70    # gopher
acl Safe_ports port 210    # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280    # http-mgmt
acl Safe_ports port 488    # gss-http
acl Safe_ports port 591    # filemaker
acl Safe_ports port 777    # multiling http
acl CONNECT method CONNECT

# http_access is first-match: the port restrictions have to come BEFORE the
# allow lines, otherwise admin/server hosts and authenticated users could
# CONNECT to any port (25, 22, 2222 ...) because their allow line matches first.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# cache manager only from the proxy itself
http_access allow localhost manager
http_access deny manager

http_access deny tor
http_access deny url_exe
http_access allow administrationzone
http_access allow srvzone
http_access allow ntlm
http_access allow localhost

http_access deny all
http_port 8080

url_rewrite_program /usr/bin/squidGuard -P -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5

# (coredump_dir is set once, above; a second value here would silently override it)
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .    0  20%  4320
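The http_access lines are evaluated top to bottom and the first line whose ACLs all match decides, so the position of the deny !Safe_ports and deny CONNECT !SSL_ports lines relative to the allow lines changes what the proxy lets through. The following added example (not from the page, not Squid code) models that first-match evaluation in Python for the ACL types the configuration above uses and compares the two orders on a few constructed requests; the "tor" dst list is left out because it needs DNS.

```python
"""First-match model of Squid's http_access evaluation (added example).

Only the ACL types used in the page's squid.conf are modelled:
src (CIDR), port (single or range), method, proxy_auth REQUIRED, url_regex.
"""
import ipaddress
import re

# ACL definitions taken from the squid.conf above.
ACLS = {
    "administrationzone": ("src", ["172.21.0.0/16"]),
    "srvzone":            ("src", ["172.20.0.0/16"]),
    "localhost":          ("src", ["127.0.0.0/8"]),
    "all":                ("src", ["0.0.0.0/0"]),
    "ntlm":               ("proxy_auth", ["REQUIRED"]),
    "url_exe":            ("url_regex", [r"\.msi$", r"\.dll$"]),
    "SSL_ports":          ("port", ["443"]),
    "Safe_ports":         ("port", ["80", "21", "443", "70", "210", "1025-65535",
                                    "280", "488", "591", "777"]),
    "CONNECT":            ("method", ["CONNECT"]),
}


def request(src, method, url, port, user=None):
    """A request as Squid sees it; user is None when the NTLM helper accepted nothing."""
    return {"src": src, "method": method, "url": url, "port": port, "user": user}


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "proxy_auth":
        return req["user"] is not None
    if kind == "url_regex":
        return any(re.search(v, req["url"], re.IGNORECASE) for v in values)
    raise ValueError(kind)


def http_access(rules, req):
    """rules: http_access lines without the keyword, e.g. "deny CONNECT !SSL_ports".
    All ACLs on a line must match (a leading "!" negates one); the first matching
    line decides. If no line matches, Squid applies the opposite of the last action."""
    action = "deny"
    for rule in rules:
        action, *acls = rule.split()
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if action == "allow" else "allow"


# Port restrictions after the allow lines (the order in which the wiki printed them).
PAGE_ORDER = [
    "deny url_exe", "allow administrationzone", "allow srvzone", "allow ntlm",
    "deny !Safe_ports", "deny CONNECT !SSL_ports", "allow localhost", "deny all",
]
# Port restrictions first, as in Squid's default configuration.
SAFE_FIRST = [
    "deny !Safe_ports", "deny CONNECT !SSL_ports", "deny url_exe",
    "allow administrationzone", "allow srvzone", "allow ntlm", "allow localhost", "deny all",
]

# Constructed requests.
SMTP_TUNNEL = request("172.20.0.50", "CONNECT", "mail.example.net:25", 25)
SSH_TUNNEL = request("10.0.0.5", "CONNECT", "vps.example.net:2222", 2222, user="alice")
WEB_PAGE = request("10.0.0.5", "GET", "http://www.example.net/", 80, user="alice")
NO_AUTH = request("10.0.0.5", "GET", "http://www.example.net/", 80)
MSI = request("172.20.0.50", "GET", "http://dl.example.net/setup.msi", 80)
MSI_QUERY = request("172.20.0.50", "GET", "http://dl.example.net/setup.msi?v=2", 80)


def compare(req):
    """Decision of both orders for one request."""
    return {"page_order": http_access(PAGE_ORDER, req),
            "safe_first": http_access(SAFE_FIRST, req)}


if __name__ == "__main__":
    for name in ("SMTP_TUNNEL", "SSH_TUNNEL", "WEB_PAGE", "NO_AUTH", "MSI", "MSI_QUERY"):
        print(name, compare(globals()[name]))
```

With the page's order a server-zone host tunnels to port 25 and an authenticated user to port 2222, because their allow line is reached before the port checks; with the port checks first both are denied while ordinary browsing is unchanged. The MSI_QUERY case shows that url_exe is defeated by a query string in either order.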

SquidGuard configuration

Example squidGuard.conf. The redirect URLs point at the Apache host (172.20.0.6) serving the CGI described further down; squidGuard fills the %a %n %i %s %t %u placeholders with the client address, client name, user, source group, destination group and blocked URL.

#----------------------------------------------------------------

# CONFIGURATION DIRECTORIES
dbhome /var/lib/squidguard/db
#logdir /var/log/squidGuard/squidguard


#---LDAP-PARAMETERS---#
# The bind account only needs read access to the directory. This file holds its
# password in clear text: keep it readable by root and the proxy user only
# (chmod 640, group proxy). The ldap:// URLs below also send that password in
# clear over the network; use ldaps:// if the domain controllers accept it.
ldapbinddn cn=ldapsearch,cn=users,dc=etab,dc=local
ldapbindpass monmotdepasseultrasecret
ldapcachetime  400
ldapprotover 3

# SOURCE ADDRESSES:

# BANNED: users listed here get the "banni" page whatever they request (see the acl block)
source no_respect {
        user            superadmin
}

#--------------- Internet access by IP address, without authentication --------------
source okip {
    iplist    /etc/squidguard/ipok
}
###################################################---LDAP-FILTER---#########################################

# TEACHERS: group membership looked up in Active Directory (global catalog, port 3268).
# %s is replaced by the user name Squid passes to squidGuard, i.e. the NTLM login.

src PROFS {
ldapusersearch ldap://172.20.0.1:3268/dc=etab,dc=local?sAMAccountName?sub?(&(memberof=CN=SQUIDPROFS%2cOU=GROUPE%2cOU=UTILISATEURS%2cOU=COLLEGE%2cDC=etab%2cDC=local)(sAMAccountName=%s))
  }

#---------------------------------------------

# PUPILS
src ELEVES {
ldapusersearch ldap://172.20.0.1:3268/dc=etab,dc=local?sAMAccountName?sub?(&(memberof=CN=ELEVES%2cOU=ELEVES%2cOU=UTILISATEURS_PEDAGO%2cOU=UTILISATEURS%2cOU=COLLEGE%2cDC=etab%2cDC=local)(sAMAccountName=%s))
  }

####################################################---BASE-SITE---###########################################################################

# DESTINATION CLASSES:

#dest adblock {
#  expressionlist adblock/expressions
#  log adblock.log
#}
destination bl_ads {
    domainlist blacklists/ads/domains
    urllist blacklists/ads/urls
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    log pub.log
}

destination bl_financial {
    domainlist blacklists/financial/domains
    urllist blacklists/financial/urls
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    log pub.log
}

destination bl_adult {
    domainlist blacklists/adult/domains
    urllist blacklists/adult/urls
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    log porn.log
}

destination bl_manga {
    domainlist blacklists/manga/domains
    urllist blacklists/manga/urls
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    log manga.log
}

destination bl_dating {
    domainlist blacklists/dating/domains
    urllist blacklists/dating/urls
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    log dating.log
}
destination bl_agressif {
    domainlist blacklists/agressif/domains
    urllist blacklists/agressif/urls
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    log violence.log
}

destination bl_audio-video {
    domainlist blacklists/audio-video/domains
    urllist blacklists/audio-video/urls
    log media.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_dangerous_material {
    domainlist blacklists/dangerous_material/domains
    urllist blacklists/dangerous_material/urls
    log dangerous.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_drogue {
    domainlist blacklists/drogue/domains
    urllist blacklists/drogue/urls
    log drogue.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_filehosting {
    domainlist blacklists/filehosting/domains
    urllist blacklists/filehosting/urls
    log hosting.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_gambling {
    domainlist blacklists/gambling/domains
    urllist blacklists/gambling/urls
    log game.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_games {
    domainlist blacklists/games/domains
    urllist blacklists/games/urls
    log game.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_hacking {
    domainlist blacklists/hacking/domains
    urllist blacklists/hacking/urls
    log warez.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_mail {
    domainlist blacklists/mail/domains
    urllist blacklists/mail/urls
    log mail.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_mixed_adult {
    domainlist blacklists/mixed_adult/domains
    urllist blacklists/mixed_adult/urls
    log porn.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_phishing {
    domainlist blacklists/phishing/domains
    urllist blacklists/phishing/urls
    log phishing.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_radio {
    domainlist blacklists/radio/domains
    urllist blacklists/radio/urls
    log radio.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_redirector {
    domainlist blacklists/redirector/domains
    urllist blacklists/redirector/urls
    log redirector.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_proxy {
    domainlist blacklists/proxy/domains
    urllist blacklists/proxy/urls
    log proxy.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_strong_redirector {
    domainlist blacklists/strong_redirector/domains
    urllist blacklists/strong_redirector/urls
    log redirector.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}
destination bl_strict_redirector {
    domainlist blacklists/strict_redirector/domains
    urllist blacklists/strict_redirector/urls
    log redirector.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_sect {
    domainlist blacklists/sect/domains
    log sect.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_tricheur {
    domainlist blacklists/tricheur/domains
    urllist blacklists/tricheur/urls
    log tricheur.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_warez {
    domainlist blacklists/warez/domains
    urllist blacklists/warez/urls
    log warez.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_social_networks {
    domainlist blacklists/social_networks/domains
    urllist blacklists/social_networks/urls
    log socialnetworks.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}


destination bl_download {
    domainlist blacklists/download/domains
    urllist blacklists/download/urls
    log download.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

###### ADDITIONAL LOCAL LISTS (exception/ directory, maintained by hand, not overwritten by the update script)

destination bl_blocksite {
    domainlist exception/blocksite/domains
    urllist exception/blocksite/urls
    log download.log
    redirect        http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
}

destination bl_whitesite {
    domainlist      exception/white/domains
    urllist         exception/white/urls
}

destination bl_bypassite {
    domainlist exception/bypassite/bypassite
    log bypassite.log
}

destination bl_localsite {
    domainlist exception/localsite/localsite
    log localsite.log
}
#######################################---EXCEPTIONS---###################################################


# TEACHER EXCEPTIONS
destination bl_exceptionprofs {
        domainlist      exception/profs/domains
        urllist         exception/profs/urls
}


############################################---ACL---######################################################


# ACLs
# A pass list is read left to right and the first entry matching the requested
# URL decides: a plain class allows, a "!" class blocks (the request is sent to
# the redirect URL), "any" allows and "none" blocks whatever is left.
# Order therefore matters:
#  - bl_localsite must list the host serving the block page (172.20.0.6) and come
#    before !in-addr, otherwise the redirect to http://172.20.0.6/... is itself an
#    IP-address URL and gets redirected again;
#  - okip names bl_whitesite before !bl_blocksite, so a whitelisted site wins
#    there even if it is also in blocksite, whereas ELEVES and PROFS check
#    !bl_blocksite first.
acl {

        no_respect {
                pass bl_localsite none
                redirect http://172.20.0.6/cgi-bin/squidGuardbanni.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }

        okip {
                pass bl_localsite bl_whitesite !bl_blocksite bl_bypassite !in-addr !bl_ads !bl_adult !bl_dating !bl_agressif !bl_dangerous_material !bl_drogue !bl_gambling !bl_hacking !bl_mixed_adult !bl_phishing !bl_redirector !bl_strong_redirector !bl_strict_redirector !bl_sect !bl_tricheur !bl_warez !bl_proxy any
                redirect http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }

        ELEVES {
                pass bl_localsite !bl_blocksite bl_whitesite bl_bypassite !in-addr !bl_ads !bl_social_networks !bl_manga !bl_financial !bl_adult !bl_dating !bl_agressif !bl_audio-video !bl_dangerous_material !bl_drogue !bl_filehosting !bl_gambling !bl_games !bl_hacking !bl_mail !bl_mixed_adult !bl_phishing !bl_radio !bl_redirector !bl_strong_redirector !bl_strict_redirector !bl_sect !bl_tricheur !bl_warez !bl_proxy !bl_download any
                redirect http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }

        PROFS {
                pass bl_localsite bl_exceptionprofs !bl_blocksite bl_whitesite bl_bypassite !in-addr !bl_ads !bl_adult !bl_dating !bl_agressif !bl_dangerous_material !bl_drogue !bl_gambling !bl_mixed_adult !bl_phishing !bl_redirector !bl_strong_redirector !bl_strict_redirector !bl_sect !bl_tricheur !bl_warez !bl_hacking !bl_proxy any
                redirect http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }

        # clients matching no source above (not authenticated, not in ipok): local sites only
        default {
                pass bl_localsite bl_bypassite none
                redirect http://172.20.0.6/cgi-bin/squidGuardnogroupe.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
        }

#---------------------------------------------------------

}

Update script for the Toulouse lists

This script automatically downloads the lists maintained by the Académie de Toulouse, which are used to block by category. It is meant to be run from cron as root.

#!/bin/bash
# Fetch the Toulouse blacklists and rebuild the squidGuard databases.
# Note: the archive comes over plain FTP with no signature, so its content can
# be altered in transit; that can only add or remove blocked entries, but it is
# worth knowing. Squid is stopped for the whole rebuild; building the .db files
# in a staging directory and swapping it in with "squid -k reconfigure" would
# avoid the downtime.

# remove any leftover from a previous run, so that a failed download cannot
# pass the check below on stale data
/bin/rm -rf /tmp/blacklists

# fetch the blacklist into /tmp
wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz -O /tmp/blacklists.tar.gz

# extract into /tmp/blacklists
/bin/tar -xzf /tmp/blacklists.tar.gz -C /tmp

# sanity check: only continue if the archive actually contained the lists
FILE=/tmp/blacklists/financial/domains

if [ -f "$FILE" ];
then
echo "File $FILE exists, continuing"

# the expression lists are not referenced in squidGuard.conf
/bin/rm -rf /tmp/blacklists/*/expressions

# stop squid
/usr/sbin/service squid stop

# replace the old lists in /var/lib/squidguard/db/blacklists/
/bin/echo "start processing"
/bin/rm -rf /var/lib/squidguard/db/blacklists/*
/bin/cp -R /tmp/blacklists/* /var/lib/squidguard/db/blacklists/

# remove temporary files
/bin/rm -rf /tmp/blacklists
/bin/rm -f /tmp/blacklists.tar.gz

# build the .db files
# squidGuard.conf references a "download" category that is not in the archive:
# create empty lists so that squidGuard -C all does not fail on it
/bin/mkdir -p /var/lib/squidguard/db/blacklists/download
/bin/touch /var/lib/squidguard/db/blacklists/download/domains
/bin/touch /var/lib/squidguard/db/blacklists/download/urls

/usr/bin/squidGuard -C all
RESULT=$?

# the .db files were created by root: hand them to the proxy user
/bin/chown -R proxy:proxy  /var/lib/squidguard/db/blacklists
/bin/chmod -R 644 /var/lib/squidguard/db/blacklists/
/bin/chmod -R a+X /var/lib/squidguard/db/blacklists/

# restart squid
/usr/sbin/service squid start

/bin/echo "Result of the Squid/SquidGuard database update: 0=OK 1=NOTOK  result : $RESULT" | mail -s "SquidGuard database update" informatique@etab.fr

exit $RESULT

else
   /bin/echo "Result of the Squid/SquidGuard database update: NOTOK (archive missing or incomplete)" | mail -s "SquidGuard database update" informatique@etab.fr
   exit 1
fi

SquidGuard CGI file

This CGI is the page the user is redirected to when a site is blocked. Every value it displays comes from the query string of the redirect URL, i.e. from whoever requests the page, so all of them are HTML-escaped before being printed.

It lives here:

/usr/lib/cgi-bin/squidGuard.cgi

Here is its content

#!/usr/bin/perl
#
# Sample CGI to explain to the user that the URL is blocked and by which rule set
#
# By Pål Baltzersen 1998
# Modifications by Christine Kronberg, 2007.
#
# Called by the "redirect" lines of squidGuard.conf with
#   ?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
#
use strict;
use warnings;

my $QUERY_STRING  = $ENV{'QUERY_STRING'}  // "";
my $DOCUMENT_ROOT = $ENV{'DOCUMENT_ROOT'} // "";

# E-mail address of the proxy administrator.
# Edit to your requirements. Make sure to keep the @ escaped.
my $PROXYEMAIL = "proxymaster\@foo.bar";

# Accepted parameter names; anything else in the query string is ignored.
my %param = map { $_ => "" } qw(clientaddr clientname clientuser clientgroup targetgroup url);

my $time  = time;
my @day   = ("Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday");
my @month = ("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec");

while ($QUERY_STRING =~ /^\&?([^&=]+)=([^&=]*)(.*)/) {
  my ($key, $value) = ($1, $2);
  $QUERY_STRING = $3;
  $param{$key} = $value if exists $param{$key};
  # "url" is always the last parameter and may itself contain '&' and '=',
  # so take the rest of the query string verbatim. The leading '&' must be
  # accepted here, otherwise a URL carrying a query string is cut at its
  # first '&' or '='.
  if ($QUERY_STRING =~ /^\&?url=(.*)/) {
    $param{url} = $1;
    $QUERY_STRING = "";
  }
}

# Escape everything that is reflected into the page. The original only
# escaped '<' and '>' in the URL and printed the other parameters raw,
# which made the page injectable by anyone able to request this CGI.
sub html_escape {
  my $s = shift;
  $s =~ s/&/&amp;/g;
  $s =~ s/</&lt;/g;
  $s =~ s/>/&gt;/g;
  $s =~ s/"/&quot;/g;
  return $s;
}

my $raw_url = $param{url};
my %h = map { $_ => html_escape($param{$_}) } keys %param;
my ($clientaddr, $clientname, $clientuser, $clientgroup, $targetgroup, $url) =
    @h{qw(clientaddr clientname clientuser clientgroup targetgroup url)};

# gmtime() returns years since 1900 and the original printed that value as-is
my ($sec,$min,$hour,$mday,$mon,$year,$wday) = gmtime($time);
my $expires = sprintf("%s, %02d-%s-%04d %02d:%02d:%02d GMT",
                      $day[$wday], $mday, $month[$mon], $year + 1900, $hour, $min, $sec);

if ($raw_url =~ /\.(gif|jpg|jpeg|mpg|mpeg|avi|mov)$/i) {
  # Blocked inline media: send a placeholder picture instead of an HTML page.
  # The placeholder is a JPEG, so say so (the original declared image/gif).
  print "Content-Type: image/jpeg\n";
  print "Expires: $expires\n\n";
  if (open(my $img, '<', "$DOCUMENT_ROOT/html/images/intranet.jpg")) {
    binmode($img);
    binmode(STDOUT);
    local $/;          # slurp: binary data must not be split on newlines
    print <$img>;
    close($img);
  }
} else {
  print "Content-type: text/html\n";
  print "Expires: $expires\n\n";
  print "<HTML>\n\n  <HEAD>\n    <TITLE>302 L'acc&egrave;s &agrave; ce site est bloqu&eacute;</TITLE>\n  </HEAD>\n\n";
  print "  <BODY BGCOLOR=\"#FFFFFF\">\n";
  # The redirect URL passes the source and destination groups as clientgroup
  # and targetgroup; the original compared $srcclass/$targetclass, which were
  # never set in this version, so these two branches could never be reached.
  if ($clientgroup eq "unknown") {
    print "    <P ALIGN=RIGHT>\n";
    print "      <A HREF=\"http://intranet.etab.fr/\"><IMG SRC=\"/images/your-logo.gif\"\n";
    print "         BORDER=0></A>\n      </P>\n\n";
    print "    <H1 ALIGN=CENTER>Access denied because<BR>this client is not<BR>defined on the proxy</H1>\n\n";
    print "    <TABLE BORDER=0 ALIGN=CENTER>\n";
    print "      <TR><TH ALIGN=RIGHT>Supplementary info</TH><TH ALIGN=CENTER>:</TH><TH ALIGN=LEFT>&nbsp;</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Client address</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientaddr</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Client name</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientname</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>User ident</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientuser</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Client group</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientgroup</TH></TR>\n";
    print "    </TABLE>\n\n";
    print "    <P ALIGN=CENTER>If this is wrong, contact<BR>\n";
    print "      <A HREF=mailto:$PROXYEMAIL>$PROXYEMAIL</A>\n";
    print "    </P>\n\n";
  } elsif ($targetgroup eq "in-addr") {
    print "    <P ALIGN=CENTER>\n";
    print "      <A HREF=\"http://intranet.etab.fr/\"><IMG SRC=\"/images/your-logo.gif\"\n";
    print "         BORDER=0></A>\n      </P>\n\n";
    print "    <H1 ALIGN=CENTER>IP address URLs<BR>are not allowed<BR>from this client</H1>\n\n";
    print "    <TABLE BORDER=0 ALIGN=CENTER>\n";
    print "      <TR><TH ALIGN=RIGHT>Information compl&eacute;mentaire</TH><TH ALIGN=CENTER>:</TH><TH ALIGN=LEFT>&nbsp;</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Adresse de la machine</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientaddr</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Utilisateur</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientuser</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Groupe de filtrage</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientgroup</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>URL</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$url</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Groupe cible</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$targetgroup</TH></TR>\n";
    print "    </TABLE>\n\n";
    print "    <P ALIGN=CENTER>No domain matching the given IP address could be found. Access to this\n";
    print "    kind of address is forbidden.<BR>\n";
    print "    If this is wrong, contact<BR>\n";
    print "    <A HREF=mailto:$PROXYEMAIL>$PROXYEMAIL</A>\n";
    print "    </P>\n\n";
  } else {
    print "    <P ALIGN=CENTER>\n";
    print "      <A HREF=\"http://intranet.etab.fr/\"><IMG SRC=\"/images/your-logo.gif\"\n";
    print "         BORDER=0></A>\n      </P>\n\n";
    print "    <H1 ALIGN=CENTER>L'acc&egrave;s &agrave; ce site est bloqu&eacute;</H1>\n\n";
    print "    <TABLE BORDER=0 ALIGN=CENTER>\n";
    print "      <TR><TH ALIGN=RIGHT>Information compl&eacute;mentaire</TH><TH ALIGN=CENTER>:</TH><TH ALIGN=LEFT>&nbsp;</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Adresse de la machine</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientaddr</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Utilisateur</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientuser</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Groupe de filtrage</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$clientgroup</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>URL</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$url</TH></TR>\n";
    print "      <TR><TH ALIGN=RIGHT>Groupe cible</TH><TH ALIGN=CENTER>=</TH><TH ALIGN=LEFT>$targetgroup</TH></TR>\n";
    print "    </TABLE>\n\n";
    print "    <P ALIGN=CENTER>Si vous pensez qu'il s'agit d'une erreur, contactez le service informatique <BR>\n";
    print "    </P>\n\n";
  }
  print "  </BODY>\n\n</HTML>\n";
}
exit 0;

DansGuardian configuration

The DansGuardian-specific settings used here are the list files under /etc/dansguardian/lists/ shown in the following sections.

Blocking the Tor network

On the teaching networks of a collège/lycée it may seem legitimate to restrict access to the Tor network.

Blocking Tor with Squid

One can try to block the Tor network with Squid. A first attempt works:

1 - Fetch the list of Tor relay addresses from the URL below and store it in a file:

wget -O /etc/squid/torlist https://www.dan.me.uk/torlist/

(The original command added --no-check-certificate. Do not: a deny list fetched without validating the server's certificate can be replaced by anyone on the path, and whatever ends up in that file is what the proxy then blocks.)

2 - Create the ACL in:

vim /etc/squid/squid.conf

3 - Add the ACL and its http_access line, above the allow lines since http_access is first-match:

acl tor dst "/etc/squid/torlist"
http_access deny tor

A dst ACL is checked against the resolved destination address of each request, so a relay is blocked whatever host name is used to reach it. Two limits: the rule only applies to clients that actually go through the proxy (hence the firewall rule letting only the proxy out), and a list of public relays says nothing about bridges.
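The list changes constantly, so in practice it is refreshed from cron. The following added example (not from the page) does that in Python: it downloads the list with certificate verification left on, keeps only lines that are syntactically valid IPv4/IPv6 addresses (an HTML error page served in place of the list is not valid input for a dst ACL), refuses to install a suspiciously short result, writes the file atomically and asks Squid to reload. The URL and the target path are the ones from the page; the 100-address threshold and the sample text are constructed assumptions.

```python
"""Refresh the Tor relay list used by Squid's "tor" dst ACL (added example)."""
import ipaddress
import os
import subprocess
import sys
import tempfile
import urllib.request

TOR_LIST_URL = "https://www.dan.me.uk/torlist/"
TARGET = "/etc/squid/torlist"
MIN_ADDRESSES = 100   # assumption: anything shorter means the download went wrong

# Constructed sample of what a download might contain, including garbage.
SAMPLE_LIST = (
    "# constructed sample\n"
    "1.2.3.4\n"
    "1.2.3.4\n"
    "<html>Rate limit exceeded</html>\n"
    "2001:db8::1\n"
    "  5.6.7.8  # relay\n"
    "not-an-ip\n"
)


def clean_ip_list(text):
    """Sorted, de-duplicated IPv4/IPv6 addresses found in text.

    Comments, blank lines and anything that does not parse as an address are
    dropped, so a broken download cannot put junk in front of Squid.
    """
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            continue   # not an address: skip it
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def fetch(url=TOR_LIST_URL, timeout=30):
    """Download over HTTPS; urllib verifies the server certificate by default."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def write_atomically(path, lines):
    """Write to a temp file in the same directory, then rename over the target,
    so Squid never reads a half-written list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".torlist.")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def main():
    addrs = clean_ip_list(fetch())
    if len(addrs) < MIN_ADDRESSES:
        sys.exit("refusing to install a list of only %d addresses" % len(addrs))
    write_atomically(TARGET, addrs)
    # Squid re-reads ACL files on reconfigure; no restart needed.
    subprocess.run(["squid", "-k", "reconfigure"], check=True)


if __name__ == "__main__":
    main()
```

Run it from cron as root, sparingly; the same cleaned file can be included by DansGuardian as described next.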

Blocking Tor with DansGuardian

To block the list of Tor addresses (as explained above) you can also do it with DansGuardian, by adding the following to the file:

   /etc/dansguardian/lists/bannedsitelist

    # Block Tor IPs
   .Include</etc/squid/torlist>

Unlike Squid's dst ACL, DansGuardian compares the host part of the requested URL as text and does not resolve names, so a bare address in bannedsitelist only catches requests that name that address explicitly.

Blocking browsing by IP address

This means that a user cannot browse by typing an IP address directly, http://92.222.29.147 for example, instead of a host name.

Caution: this has side effects. Every internal service that is reached by address, including the Apache host that serves the block page (http://172.20.0.6/), is blocked too unless it is listed in a class that comes before the IP block in the pass list.

Blocking IP browsing with SquidGuard

With squidGuard you just add the built-in class !in-addr to the pass list of your ACL, after the local sites and before "any". In the file:

   /etc/squidguard/squidGuard.conf

    PROFS {
                pass bl_localsite !in-addr !autresitebloquer any
                redirect http://172.20.0.6/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }

(!autresitebloquer stands for whatever other classes you block; the redirect URL uses the same parameter names as the rest of this page, which the CGI above parses on "&".)
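How in-addr interacts with the other classes in a pass list, and why the order of bl_whitesite and !bl_blocksite in the squidGuard ACL block above gives different results, as an added example (not from the page, not squidGuard's code). It models the subset of squidGuard's matching the page relies on: a domainlist entry matches the domain and all its subdomains, a urllist entry matches a host/path prefix, in-addr matches a host that is an IP literal, and the pass list is read left to right. The class contents are constructed stand-ins for the page's exception/* files.

```python
"""Model of a squidGuard "pass" list (added example)."""
import ipaddress
from urllib.parse import urlsplit


def split_url(url):
    """Lower-cased (host, host+path) without scheme, user info or port.
    CONNECT requests arrive as bare host:port, so supply a scheme for parsing."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url.lower())
    host = p.hostname or ""
    return host, host + (p.path or "/")


def is_in_addr(host):
    """squidGuard's built-in "in-addr" class: the host is a bare IP address
    (urlsplit already strips the brackets of an IPv6 literal)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class Dest:
    """One "destination" block: a domainlist and/or a urllist."""

    def __init__(self, domains=(), urls=()):
        self.domains = {d.lower().strip(".") for d in domains}
        self.urls = {u.lower().rstrip("/") for u in urls}

    def matches(self, url):
        host, hostpath = split_url(url)
        labels = host.split(".")
        # domainlist: every suffix of the host is tried, so an entry covers its subdomains
        if any(".".join(labels[i:]) in self.domains for i in range(len(labels))):
            return True
        # urllist: the entry and everything below it
        return any(hostpath == u or hostpath.startswith(u + "/") for u in self.urls)


def evaluate(pass_list, dests, url):
    """Return "pass" or "block" for url under a pass list such as
    "bl_localsite !bl_blocksite bl_whitesite !in-addr any"."""
    for entry in pass_list.split():
        if entry in ("any", "all"):
            return "pass"
        if entry == "none":
            return "block"
        negate = entry.startswith("!")
        name = entry.lstrip("!")
        if name == "in-addr":
            hit = is_in_addr(split_url(url)[0])
        else:
            hit = dests[name].matches(url)
        if hit:
            return "block" if negate else "pass"
    return "pass"   # never reached with the page's lists: they all end in any/none


# Constructed class contents.
DESTS = {
    "bl_localsite": Dest(domains=["172.20.0.6", "intranet.etab.local"]),
    "bl_blocksite": Dest(domains=["videos.example.org"]),
    "bl_whitesite": Dest(domains=["example.org"]),
    "bl_adult":     Dest(domains=["adult.example.com"], urls=["example.net/nsfw"]),
}
# Same classes in the two orders found in the page's acl block.
OKIP = "bl_localsite bl_whitesite !bl_blocksite !in-addr !bl_adult any"
ELEVES = "bl_localsite !bl_blocksite bl_whitesite !in-addr !bl_adult any"


if __name__ == "__main__":
    for u in ("http://92.222.29.147/", "92.222.29.147:443", "http://[2001:db8::1]/",
              "http://172.20.0.6/cgi-bin/squidGuard.cgi?url=x",
              "http://videos.example.org/clip", "http://www.adult.example.com/"):
        print(u, "okip:", evaluate(OKIP, DESTS, u), "eleves:", evaluate(ELEVES, DESTS, u))
```

Three things to notice: the block page's own address passes only because bl_localsite is checked before !in-addr; a CONNECT to a bare address is caught by in-addr just like an http:// URL; and videos.example.org passes under okip but is blocked under ELEVES, since whitesite (example.org) is consulted before blocksite in the first and after it in the second.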


Blocking IP browsing with DansGuardian

In the file:

   /etc/dansguardian/lists/bannedsitelist


Uncomment the lines as follows (one for plain requests, one for SSL/CONNECT tunnels):

   #Blanket IP Block.  To block all sites specified only as an IP,
   #remove the # from the next line to leave only a '*ip':
   *ip

   #Blanket SSL/CONNECT IP Block.  To block all SSL and CONNECT
   #tunnels to sites specified only as an IP,
   #remove the # from the next line to leave only a '*ips':
   *ips

The internal hosts reached by address then have to be listed in the exception site list, for the same reason as with squidGuard.

Sources