Installing and configuring Squid and DansGuardian under FreeBSD

This handbook has been contributed to the Project by Kumar Udai, with updates and additions by Marin Atanasov Nikolov.

General Information

In the following handbook we will show you how to install and configure Squid acting as a transparent proxy server and DansGuardian for content filtering on a FreeBSD system.

Squid is a caching proxy server used to reduce network bandwidth usage and speed up the delivery of web content.

From the official site of Squid:

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

For more information about Squid, please visit the official website of Squid.

In the second part of the handbook we will see how to install and configure DansGuardian - a web content filtering system.

From the official site of DansGuardian:

DansGuardian is an award winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser totally commercial filters.

For more information about DansGuardian, please visit the official site of DansGuardian.

The goal of this handbook is to build a FreeBSD gateway machine that acts as a Squid and DansGuardian content filtering server.

This setup has been tested and confirmed to run successfully on a FreeBSD 8.2 system. The important thing about our setup is that the firewall and gateway run on the same machine as Squid and DansGuardian, so that Squid can act as a transparent proxy.

Requirements

Installation of Squid

The first part of the handbook covers the installation and configuration of Squid.

In order to install Squid we will use the FreeBSD Ports Collection.

Let's start with the installation of Squid:

# cd /usr/ports/www/squid && make install clean

Squid Config Options

For this handbook, the following options were selected when building the Squid port:

  • SQUID_LDAP_AUTH
  • SQUID_DELAY_POOLS
  • SQUID_CARP
  • SQUID_WCCP
  • SQUID_IDENT
  • SQUID_ARP_ACL
  • SQUID_PF
  • SQUID_FOLLOW_XFF
  • SQUID_KQUEUE
  • SQUID_SSL
  • SQUID_REFERER_LOG
  • SQUID_USERAGENT_LOG
  • SQUID_LARGEFILE

Once the installation of Squid is over, you should see output similar to the following:

===> post-installation information for squid-2.7.9_1:

     o You can find the configuration files for this package in the
       directory /usr/local/etc/squid.

     o The default cache directory is /var/squid/cache.
       The default log directory is /var/squid/logs.

       Note:
       You must initialize new cache directories before you can start
       squid.  Do this by running "squid -z" as 'root' or 'squid'.
       If your cache directories are already initialized (e.g. after an
       upgrade of squid) you do not need to initialize them again.

     o The default configuration will deny everyone but local networks
       as defined in RFC 1918 access to the proxy service.
       Edit the "http_access allow/deny" directives in
       /usr/local/etc/squid/squid.conf to suit your needs.

     To enable Squid, set squid_enable=yes in either
     /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/squid
     Please see /usr/local/etc/rc.d/squid for further details.

     Note:
     If you just updated your Squid installation from 2.6 or earlier,
     make sure to check your Squid configuration against the 2.7 default
     configuration file /usr/local/etc/squid/squid.conf.default.

     Additionally, you should check your configuration by calling
     'squid -f /path/to/squid.conf -k parse' before starting Squid.

===>   Compressing manual pages for squid-2.7.9_1
===>   Registering installation for squid-2.7.9_1
===> SECURITY REPORT: 
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/squid

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/squid

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 
http://www.squid-cache.org/
===>  Cleaning for squid-2.7.9_1

Now that Squid is installed we can go to the next step and configure it.
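
The post-installation note above says the default configuration denies everyone except RFC 1918 networks and asks you to edit the "http_access allow/deny" directives yourself. The following shell function is an added example, not part of the original handbook or of Squid: it checks a squid.conf for the two rule mistakes that would leave the gateway usable as an open proxy. The function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: Squid checks http_access lines top to bottom, first match wins.

# check_http_access FILE: prints findings (or "OK"); returns 1 on findings.
check_http_access() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        $1 != "http_access" { next }
        {
            n++
            last_is_deny_all = ($2 == "deny" && $3 == "all" && NF == 3)
            if ($2 == "allow" && $3 == "all" && NF == 3) {
                print "line " NR ": http_access allow all (open proxy)"
                bad++
            }
        }
        END {
            if (n == 0) { print "no http_access rules found"; bad++ }
            else if (!last_is_deny_all) {
                print "last http_access rule is not \"deny all\""; bad++
            }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# write_samples DIR: constructed configs, one restrictive and one open.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
acl all src all
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
EOF
    cat > "$1/open.conf" <<'EOF'
acl all src all
http_access allow all   # temporary, remove later
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in good open; do
    echo "== $f.conf"; check_http_access "$tmp/$f.conf" || true
done
rm -rf "$tmp"
```

This check only looks at rule order; the syntax check recommended in the note, 'squid -f /path/to/squid.conf -k parse', is still needed before starting Squid.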