                  [URLFilter(squidGuard)]
                            ||
(INTERNET) ------- [PROXY(squid)] ------- (USER)
                            ||
                     [ICAP(c-icap)]
                            ||
                      [squidClamav]
                            ||
                 [AntiVirus(clamdscan)]
$ sudo aptitude install squid3 squidGuard
acl localnet src xxx.xxx.xxx.xxx/xx
http_access allow localnet

Add the servers in the local domain and mark them for direct connection.

acl direct-servers dstdomain xxx.xxx.jp
always_direct allow direct-servers

Connections to localhost are also marked for direct connection.

always_direct allow to_localhost

Keep 30 days of rotated log files.

logfile_rotate 30

Prefer IPv4 connections (for when there is no IPv6 connectivity to the Internet).

dns_v4_first on

Do not add the client's IP address to forwarded requests (do not send unnecessary information).

forwarded_for off

Configure squidGuard (it can also be called from squidclamav, but checking before the content is fetched seems more efficient).

url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 5
url_rewrite_access deny to_localhost
$ sudo /usr/bin/squidGuard -C all
$ cd /var/lib/squidguard/
$ sudo chown -R proxy:proxy db
dbhome /var/lib/squidguard/db
logdir /var/log/squid

src admins {
    ip 192.168.x.zz
}

src user {
    ip 192.168.x.yy
}

dest myguard {
    domainlist myguard/domains
}

dest garaparo {
    domainlist garaparo/domains
    urllist garaparo/urls
}

dest dating {
    domainlist dating/domains
    urllist dating/urls
}

dest drugs {
    domainlist drugs/domains
    urllist drugs/urls
}

dest porn {
    domainlist porn/domains
    urllist porn/urls
}

dest spyware {
    domainlist spyware/domains
    urllist spyware/urls
}

dest violence {
    domainlist violence/domains
    urllist violence/urls
}

dest warez {
    domainlist warez/domains
    urllist warez/urls
}

dest suspect {
    domainlist suspect/domains
    urllist suspect/urls
}

dest adult {
    domainlist adult/domains
    urllist adult/urls
}

dest kidstimewasting {
    domainlist kidstimewasting/domains
    urllist kidstimewasting/urls
}

dest phishing {
    domainlist phishing/domains
    urllist phishing/urls
}

dest virusinfected {
    domainlist virusinfected/domains
    urllist virusinfected/urls
}

acl {
    user {
        pass garaparo !myguard !dating !drugs !porn !spyware !violence !warez !suspect !adult !kidstimewasting !phishing !virusinfected all
        redirect http://127.0.0.1/guard/squidGuard.cgi?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
    }
    admins {
        pass !myguard !dating !drugs !spyware !violence !warez !suspect !kidstimewasting !phishing !virusinfected all
        redirect http://127.0.0.1/guard/squidGuard.cgi?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
    }
    default {
        pass !myguard !dating !drugs !porn !spyware !violence !warez !suspect !adult !kidstimewasting !phishing !virusinfected all
        redirect http://127.0.0.1/guard/squidGuard.cgi?clientaddr=%a+clientname=%n+clientuser=%i+clientgroup=%s+targetgroup=%t+url=%u
    }
}
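
An added example, not part of the original page: a small Python audit for a squidGuard configuration of the kind shown above. For each acl group it reports which defined dest categories are not blocked and which names in a pass line have no matching dest block. The function name, the sample config (constructed and compacted) and the misspelt `!phising` in it are assumptions made for the demonstration.

```python
import re

BUILTIN = {"all", "any", "none", "in-addr"}  # squidGuard's built-in pass targets

def audit_squidguard(conf):
    """Summarise, per acl group, what a squidGuard config actually blocks."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)           # drop full-line comments
    dests = set(re.findall(r"\bdest(?:ination)?\s+(\S+)\s*\{", conf))
    acl = re.search(r"\bacl\s*\{", conf)
    if not acl:
        raise ValueError("no acl block found")
    report = {}
    # Each group inside acl { ... } looks like: name { pass ... redirect ... }
    for name, body in re.findall(r"([\w-]+)\s*\{([^{}]*)\}", conf[acl.end():]):
        m = re.search(r"\bpass\s+(.*?)(?=\s+(?:redirect|rewrite)\b|\n|$)", body)
        terms = m.group(1).split() if m else []
        blocked = {t[1:] for t in terms if t.startswith("!")}
        named = {t.lstrip("!") for t in terms}
        report[name] = {
            "unblocked": sorted(dests - blocked),           # defined, not denied
            "undefined": sorted(named - dests - BUILTIN),   # typo or missing dest
            "final": terms[-1] if terms else None,          # 'all' = default allow
        }
    return report

# Constructed sample: a shortened config modelled on the one above.
# '!phising' in the default group is a deliberate typo for the demonstration.
SAMPLE = """
dest myguard  { domainlist myguard/domains }
dest porn     { domainlist porn/domains urllist porn/urls }
dest adult    { domainlist adult/domains urllist adult/urls }
dest phishing { domainlist phishing/domains urllist phishing/urls }
acl {
  admins  { pass !myguard !phishing all
            redirect http://127.0.0.1/guard/squidGuard.cgi?url=%u }
  default { pass !myguard !porn !adult !phising all
            redirect http://127.0.0.1/guard/squidGuard.cgi?url=%u }
}
"""

if __name__ == "__main__":
    for group, result in audit_squidguard(SAMPLE).items():
        print(group, result)
```

To check a real file, pass its contents to `audit_squidguard`; a non-empty `undefined` list or an unexpected entry in `unblocked` is worth reviewing before reloading squid.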
$ sudo aptitude install c-icap libc-icap-mod-clamav libc-icap-mod-squidclamav libc-icap-mod-urlcheck
redirect http://127.0.0.1/cgi-bin/clwarn.cgi

Configure /etc/c-icap/c-icap.conf as follows.

ServerAdmin icap@xxx.xxx.jp
ServerName xxx.xxx.jp
Service squidclamav squidclamav.so

icap_enable on
icap_preview_enable on
icap_preview_size 128
icap_send_client_ip on
# bypass=1: requests are passed through unchecked if the ICAP service is unavailable
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
# bypass=0: the transaction fails if the ICAP service is unavailable
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
# rules are evaluated in order, so CONNECT is excluded before "allow all"
adaptation_access service_req deny CONNECT
adaptation_access service_req allow all
adaptation_access service_resp deny CONNECT
adaptation_access service_resp allow all

Then restart squid3.