Online Safety for the Kids (2)
October 4th, 2009 by Carlo

Here we are with the second part of this discussion.

This time I will talk about how I set up the proxy server on my Linux box to provide blacklist capability in my network. As explained in Part 1, the proxy server intercepts any web page request made from a browser and checks the requested URL against a blacklist. If the requested web site matches one present on the blacklist, the proxy server responds to the request directly with an error page, preventing the actual web site from responding to the request itself. If there is no match, then the request is forwarded to the actual web site, and the response goes back to the browser that made the request.

Seems complicated? Well, it really is more difficult to explain than to see it working. Fortunately, after a few steps to set it up, the program does everything by itself, without any further control on your part.

Please be advised that the procedure I’m going to present reflects what I did on my Linux box, which is equipped with the Fedora 11 distro. If you have a different Linux distribution, the procedure may change a little bit, as different distributions use different ways to download packages and sometimes they store the configuration files in different places.  So, please refer to the documentation of your distribution for further details. I also used Squid as my preferred proxy server. If you decide to use a different one, please use this discussion only as a high level reference and read the documentation of your proxy server for the details.

Along with Squid, I also installed squidGuard, which is the actual tool that handles the blacklists and runs under Squid.

Note also that there are two ways to make the browsers in your network use the proxy server for their web access. One way is to configure each browser to use the proxy. Another way is to configure the network so that all the requests are automatically redirected to the proxy. Of the two solutions, I decided to go with the first one, which seemed the simplest to implement at the moment. However, keep in mind that this mechanism can be defeated if people change the browser configuration to bypass the proxy server. In such a case, you may want to consult the proxy server documentation to implement the second solution. So far I haven’t needed to do so.

And finally the installation and configuration procedure:

  1. Download and install the Squid package on your Linux box. I easily accomplished that by using the Add/Remove Software tool available in my Fedora 11 Linux Distribution.
  2. Create a Squid configuration file named squid.conf on the Linux box in the following directory: /etc/squid. You can download my copy of the configuration file here (right click and choose Save Link from the context menu). Note that my configuration file already contains the reference to squidGuard to redirect the browser request to the error message. If you don’t use my configuration file, please make sure you add the redirection instructions for squidGuard.
  3. Download and install the squidGuard Package. Again, you can use the Add/Remove Software tool or the tool that comes with your Linux distribution.
  4. If not already there, create the directory /var/squidGuard and copy there the script shalla_update.sh. My own copy of the script is available here for download.
  5. Download the blacklists by running the script shalla_update.sh. Make sure you do so with root privileges. You’ll see that the new directory /var/squidGuard/blacklists will be created. Note that, for squidGuard to work correctly, the mysql service must be running on your Linux box. I will assume here that you know how to do that but, if you don’t, post a comment about it and I will reply with the necessary information.
  6. Create the configuration file for squidGuard. Believe it or not, it is named squidGuard.conf and needs to be located in the directory /etc/squid, along with squid.conf. A copy of my own version of this file can be downloaded here. You will have to edit this file to define the blacklists that you would like to use. Use those that I selected as an example on how to do it, and look under the directory /var/squidGuard/blacklists for the complete set of available blacklists.
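A check worth running after step 6, given here as an added example that is not one of the author's files: when squidGuard.conf names a list file that does not exist, squidGuard goes into emergency mode and passes every request, so the filter fails open. The script below reports every `domainlist`/`urllist` entry that is missing or empty under `dbhome`. The function names, the sample categories and the redirect URL are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not the author's files). Assumes a squidGuard.conf with one
# "domainlist"/"urllist" directive per line and a single "dbhome" line.

# check_lists CONF: print a line for every referenced list that is missing or
# empty; return 0 only when all referenced lists exist and are non-empty.
check_lists() {
    conf=$1
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    if [ -z "$dbhome" ]; then echo "NO_DBHOME $conf"; return 1; fi
    rc=0
    for rel in $(awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf"); do
        case $rel in
            /*) path=$rel ;;            # absolute path is used as-is
            *)  path=$dbhome/$rel ;;    # relative paths resolve under dbhome
        esac
        if [ ! -f "$path" ]; then echo "MISSING $path"; rc=1
        elif [ ! -s "$path" ]; then echo "EMPTY $path"; rc=1
        fi
    done
    return $rc
}

# make_sample DIR: build a constructed config and blacklist tree for a dry run.
make_sample() {
    mkdir -p "$1/blacklists/porn" "$1/blacklists/gamble"
    echo "blocked.example" > "$1/blacklists/porn/domains"
    echo "blocked.example/page" > "$1/blacklists/porn/urls"
    : > "$1/blacklists/gamble/domains"          # deliberately empty list file
    cat > "$1/squidGuard.conf" <<EOF
dbhome $1/blacklists
dest porn {
    domainlist porn/domains
    urllist    porn/urls
}
dest gamble {
    domainlist gamble/domains
    urllist    gamble/urls
}
acl {
    default {
        pass !porn !gamble all
        redirect http://localhost/blocked.html
    }
}
EOF
}

# Real use: sh check_lists.sh /etc/squid/squidGuard.conf
if [ $# -gt 0 ]; then check_lists "$1"; fi
```

Run it again after every blacklist update, since an update that fails halfway can leave a category directory without its files.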

At this point everything we need is installed and configured. We just need to learn how to actually start Squid. To do so, the easiest thing is to execute the following command as root:

service squid start

If everything was done correctly, squid will start running happily until you shut down the box.

And here comes a little problem: when you turn the box back on, Squid will not be running anymore! To avoid the inconvenience of manually starting Squid every time you reboot your machine, you’ll have to tell the computer to do so automatically. This is achieved by running the following command as root:

chkconfig --level 345 squid on

Once that is done, you don’t have to worry about starting Squid anymore. The computer will take care of that automatically every time you turn it on.

I’m sure you are now wondering how the blacklists are updated. In fact, people continuously keep adding new web sites and new pages. How can we keep up with all the changes worldwide? Well, we don’t have to do so. The Shalla organization takes care of that for us. We only have to run the script shalla_update.sh again every now and then, so the blacklists on our computer get updated. I do so by running the script every night, to make sure I catch all the most recent updates. You may choose to do the same, or instead do that once a week or once a month, depending on how long you feel comfortable waiting between updates. In any case, don’t waste your time doing updates more than once a day. The blacklists on the Shalla web site are updated only once a day, so there is no good in running the script more often than that.

That’s all, right? Hum… no, there is just one more thing: you have to instruct the web browsers on all your computers to point to the proxy server, so they will forward the users’ requests to Squid rather than directly to the web sites. This procedure depends on the browser you are using. I will show you how to do it for Internet Explorer and for Firefox. Other browsers, like Opera or Chrome, use a similar procedure.

Setting the proxy server in Internet Explorer:

Open the Tools menu and select Internet Options. Click on the Connections tab. Now click on the LAN Settings button and, in the dialog that comes up, select Use a proxy server for your LAN. Then add the IP address of your Linux box in the Address box and the number 8080 in the Port box (if you changed the port number in squid.conf, then put your number here, otherwise 8080 will work just fine). Click OK to close all the dialogs and accept the configuration changes. You are ready to go.

Setting the proxy server in Mozilla Firefox:

Open the Tools menu and select Options. Click on the Network tab. Click on the Settings button. Click on the radio button for Manual proxy configuration. Now write the IP address of the Linux box in the HTTP Proxy box and the number 8080 in the Port box (if you changed the port number in squid.conf, then put your number here, otherwise 8080 will work just fine). Check the box Use this proxy server for all protocols and click OK to close all the dialogs.

OK, done. Now it is time to test the browser and make sure it works as expected. Try to request some web pages and make sure they are correctly retrieved. Then try to request a web page you know is in the blacklists and check that an error is reported and the web page is not retrieved.

If everything works fine, you’re done. Otherwise, review all the previous steps and make sure you didn’t miss anything. If you still have problems, drop me a note and I’ll try to give you some extra advice.

Thank you all for following me through this long exposition. I hope it wasn’t too boring and that somebody may actually find it useful.

Happy browsing and …  see you next time.



INFORMATION IN THIS WEB SITE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED. THE USER ASSUMES THE ENTIRE RISK AS TO THE ACCURACY AND THE USE OF THIS INFORMATION.

Trademarks: All brand names and product names used in this web site are trade names, service marks, trademarks, or registered trademarks of their respective owners. Dazzling Solutions is not associated with any product or vendor mentioned in the site, unless otherwise specified.
