Online Safety for the Kids (2)
Oct 4th, 2009 by Carlo

Here we are with the second part of this topic discussion.

This time I will talk about how I set up the proxy server on my Linux box to provide blacklist capability in my network. As explained in Part 1, the proxy server intercepts any web page request made from a browser and checks the requested URL against a blacklist. If the requested web site matches one present on the blacklist, the proxy server directly responds to the request with an error page, preventing the actual web site from responding to the request itself. If there is no match, then the request is forwarded to the actual web site, and the response goes back to the browser that made the request.

Seems complicated? Well, it really is more difficult to explain than to see it working. Fortunately, after a few steps to set it up, the program does it all by itself, without any further control on your part.
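The check described above (compare the requested host against a blacklist, then block or forward) can be sketched in a few lines of shell. This is an added illustration, not the author's code and not squidGuard's implementation; the list entries are constructed, and `url_host` and `decide` are hypothetical helper names.

```sh
#!/bin/sh
# Added illustration: emulate the block/forward decision of a blacklist proxy.
# It mimics domain-list matching, where an entry such as "bad.example"
# also covers "www.bad.example" but not "notbad.example".

# url_host URL -> prints the lowercase host (no scheme, userinfo, port or path).
# Limitation: IPv6 literals are not handled.
url_host() {
    h=${1#*://}          # drop the scheme, if any
    h=${h%%/*}           # drop the path
    h=${h##*@}           # drop userinfo
    h=${h%%:*}           # drop the port
    printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# decide DOMAINS_FILE URL -> prints "block" or "forward"
decide() {
    list=$1
    host=$(url_host "$2")
    while [ -n "$host" ]; do
        # -F fixed string, -x whole line: dots are literal, no partial matches
        if grep -Fxq -- "$host" "$list"; then
            echo block
            return 0
        fi
        case $host in
            *.*) host=${host#*.} ;;   # strip the leftmost label and retry
            *)   break ;;
        esac
    done
    echo forward
}

# Constructed sample list (the real lists live under /var/squidGuard/blacklists)
demo_list=$(mktemp)
printf '%s\n' 'bad.example' 'ads.tracker.example' > "$demo_list"

decide "$demo_list" 'http://www.bad.example/page.html'
decide "$demo_list" 'http://notbad.example/'
```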

Please be advised that the procedure I’m going to present reflects what I did on my Linux box, which is equipped with the Fedora 11 distro. If you have a different Linux distribution, the procedure may change a little bit, as different distributions use different ways to download packages and sometimes they store the configuration files in different places.  So, please refer to the documentation of your distribution for further details. I also used Squid as my preferred proxy server. If you decide to use a different one, please use this discussion only as a high level reference and read the documentation of your proxy server for the details.

Along with Squid, I also installed squidGuard, which is the actual tool that handles the blacklists and runs under Squid.

Note also that there are two ways to make the browsers in your network use the proxy server for their web access. One way is to configure each browser to use the proxy. Another way is to configure the network so that all the requests are automatically redirected to the proxy. Of the two solutions, I decided to go with the first one that, at the moment, seemed the simplest to implement. However, keep in mind that such a mechanism may be defeated if people change the browser configuration to bypass the proxy server. In such a case, you may want to consult the proxy server documentation to implement the second solution. So far I haven’t had the need to do so.

And finally the installation and configuration procedure:

  1. Download and install the Squid package on your Linux box. I easily accomplished that by using the Add/Remove Software tool available in my Fedora 11 Linux Distribution.
  2. Create a Squid configuration file named squid.conf on the Linux box in the following directory: /etc/squid. You can download my copy of the configuration file here (right click and choose Save Link from the context menu). Note that my configuration file already contains the reference to squidGuard to redirect the browser request to the error message. If you don’t use my configuration file, please make sure you add the redirection instructions for squidGuard.
  3. Download and install the squidGuard Package. Again, you can use the Add/Remove Software tool or the tool that comes with your Linux distribution.
  4. If not already there, create the directory /var/squidGuard and copy there the script shalla_update.sh. My own copy of the script is available here for download.
  5. Download the blacklists by running the script shalla_update.sh. Make sure you do so with root privileges. You’ll see that the new directory /var/squidGuard/blacklists will be created. Note that, for squidGuard to work correctly, the mysql service must be running in your Linux box. I will assume here that you know how to do that but, in any case, post a comment to address the issue and I will reply with the necessary information.
  6. Create the configuration file for squidGuard. Believe it or not, it is named squidGuard.conf and needs to be located in the directory /etc/squid, along with squid.conf. A copy of my own version of this file can be downloaded here. You will have to edit this file to define the blacklists that you would like to use. Use those that I selected as an example on how to do it, and look under the directory /var/squidGuard/blacklists for the complete set of available blacklists.
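Because squidGuard lets every request through when it cannot load its configuration or one of its list files (its "emergency mode"), it is worth checking after step 6 that each list named in squidGuard.conf really exists under the blacklist directory. The script below is an added example, not the author's configuration (his files are linked, not shown); the sample config, category names and redirect URL are constructed, and `missing_lists` is a hypothetical helper.

```sh
#!/bin/sh
# Added example (not the author's files): report list files that a
# squidGuard.conf references but that are missing or empty under dbhome.

# missing_lists CONF -> prints one path per missing/empty list (hypothetical helper)
missing_lists() {
    conf=$1
    dbhome=$(awk '$1 == "dbhome" { print $2; exit }' "$conf")
    awk '$1 == "domainlist" || $1 == "urllist" { print $2 }' "$conf" |
    while read -r rel; do
        [ -s "$dbhome/$rel" ] || printf '%s\n' "$dbhome/$rel"
    done
}

# --- constructed sample, laid out like /var/squidGuard/blacklists ---
demo=$(mktemp -d)
mkdir -p "$demo/blacklists/porn" "$demo/blacklists/gamble"
echo 'bad.example'      > "$demo/blacklists/porn/domains"
echo 'bad.example/path' > "$demo/blacklists/porn/urls"
# gamble/domains is deliberately left out to show a finding

cat > "$demo/squidGuard.conf" <<EOF
dbhome $demo/blacklists
logdir $demo/log

dest porn {
    domainlist porn/domains
    urllist    porn/urls
}
dest gamble {
    domainlist gamble/domains
}
acl {
    default {
        pass !porn !gamble all
        redirect http://127.0.0.1/blocked.html
    }
}
EOF

# Prints the one list that the sample config names but that does not exist
missing_lists "$demo/squidGuard.conf"
```

On a real installation, run `missing_lists /etc/squid/squidGuard.conf` after each blacklist update; any output means a category in the config is not being enforced.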

At this point everything we need is installed and configured. We just need to learn how to actually start Squid. To do so, the easiest thing is to execute the following command as root:

service squid start

If everything was done correctly, squid will start running happily until you shut down the box.

And here comes a little problem: when you turn the box back on, Squid will not be running anymore! To avoid the inconvenience of manually starting Squid every time you reboot your machine, you’ll have to tell the computer to do so automatically. This is achieved by running the following command as root:

chkconfig --level 345 squid on

Once that is done, you don’t have to worry about starting Squid anymore. The computer will take care of that automatically every time you turn it on.

I’m sure now you are wondering how the blacklists are updated. In fact, people continuously keep adding new web sites and new pages. How can we keep up with all the changes worldwide? Well, we don’t have to do so. The Shalla organization takes care of that for us. We only have to run the script shalla_update.sh again every now and then, so the blacklists on our computer get updated. I do so by running the script every night, to make sure I catch all the most recent updates. You may choose to do the same, or instead do that once a week or once a month, depending on how long you feel comfortable waiting between updates. Anyhow, don’t waste your time doing updates more than once a day. The blacklists on the Shalla web site are updated only once a day, so there is no point in running the script more often than that.

That’s all, right? Hum… no, there is just one more thing: you have to instruct the web browsers on all your computers to point to the proxy server, so they will forward the users’ requests to Squid rather than directly to the web sites. This procedure depends on the browser you are using. I will show you how to do it for Internet Explorer and for Firefox. Other browsers, like Opera or Chrome, use a similar procedure.

Setting the proxy server in Internet Explorer:

Open the Tools menu and select Internet Options. Click on the tab Connections. Now click on the button LAN Settings and, in the dialog that comes up, select Use a proxy server for your LAN. Then add the IP address of your Linux box in the Address box and the number 8080 in the Port box (if you changed the port number in squid.conf, then put your number here, otherwise 8080 will work just fine). Click OK to close all the dialogs and accept the configuration changes. You are ready to go.

Setting the proxy server in Mozilla Firefox:

Open the Tools menu and select Options. Click on the Network tab. Click on the Settings button. Click on the radio button for Manual proxy configuration. Now write the IP address of the Linux box in the HTTP Proxy box and the number 8080 in the Port box (if you changed the port number in squid.conf, then put your number here, otherwise 8080 will work just fine). Check the box Use this proxy server for all protocols and click OK to close all the dialogs.

OK, done. Now it is time to test the browser and make sure it works as expected. Try to request some web pages and make sure they are correctly retrieved. Then try to request a web page you know is in the blacklists and check that an error is reported and the web page is not retrieved.

If everything works fine, you’re done. Otherwise, review all the previous steps and make sure you didn’t miss anything. If you still have problems, drop me a note and I’ll try to give you some extra advice.

Thank you all for following me through this long exposition. I hope it wasn’t too boring and that somebody may actually find it useful.

Happy browsing and …  see you next time.

Online Safety for the Kids (1)
Sep 13th, 2009 by Carlo

Ever faced the problem of letting your own kids browse the web without your supervision?

Here is the problem I had to solve recently: my daughter was about to turn 16 and she was eager to have her own computer on which to do her homework, handle her e-mail, socialize with her friends on-line, and do some research on the web. All of that without having to take turns with her brother on the family room computer.

Put like that, everything seems to be very innocent and safe. But we know very well what lurks on the Internet, ready to jump on its prey. Or maybe it is just some inappropriate site that you really don’t want your kids to see.

So, how to solve the problem of giving my daughter her own computer, installed in her own room, where both my wife and I cannot really supervise?

I’m sure many of you are already thinking of the many programs available on the market that deal with these kinds of things. Programs that you buy, and then you have to pay a subscription to keep the database of blacklisted web sites updated.

The point is, I don’t like those programs for different reasons:

  1. I have little or no control over what can be put on those blacklists
  2. I have to pay for the program
  3. I have to pay the annual subscription or the database that comes with the program becomes quickly obsolete and basically useless.

What to do then?

Well, I happen to have an old computer that I use to experiment with Linux (you heard about it, right?). This is the kind of operating system that many web site providers use to handle their servers. It is a very powerful OS, it is very stable (you can keep the computer on for weeks without ever needing to reboot it). And it is free.  Since I had that, I thought: why don’t I use this computer (the Linux Box, as it’s named by the Linux community) to run a program capable of intercepting and filtering all the web traffic on the home network? Since it is Linux, I have the opportunity to look at the huge list of open source code available on this platform, and surely I will find something that can be used for my purpose.

So, I started studying the problem and came up with a very simple, efficient, and absolutely free solution for my problem: a program that acts as a proxy, like a middle man that sits between each computer in the network and the Internet itself, filtering everything that goes back and forth, and selecting what can be viewed and what cannot. Its name: SQUID. Yeah, like the name of that very tasty mollusk.

So I set it up on my Linux Box, made a few adjustments to the network configuration, installed its companion squidGuard, configured the blacklists the way I like it, and let it run.

It has now been running in my home network for about a month, smoothly and efficiently, and I have to say it really does a good job, the way I desired.

Want to know the details?  Keep watching this blog. Next time, I will describe all the details on how to set it up. And don’t be scared. It is not a difficult thing to do. If you ever had the need to install a program on your computer, then you are expert enough to handle this one too.

Hope to see you soon here again…


INFORMATION IN THIS WEB SITE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED. THE USER ASSUMES THE ENTIRE RISK AS TO THE ACCURACY AND THE USE OF THIS INFORMATION.

Trademarks: All brand names and product names used in this web site are trade names, service marks, trademarks, or registered trademarks of their respective owners. Dazzling Solutions is not associated with any product or vendor mentioned in the site, unless otherwise specified.
