SquidGuard FAQ Supplement
|
 | The configuration file is not in the place compiled into squidguard or specified in
squid.conf. Make sure squidguard is started with this line in squid.conf: redirect_program <path to squidGuard binary>/squidGuard -c <path to squidguard.conf>/squidguard.conf |
| The database files are not in the place defined in squidguard.conf. Make sure the
following is one of the first lines in squidguard.conf: dbhome <path to blacklists> For instance, I use: dbhome /usr/local/squidguard/db/blacklists |
| The ownership of the configuration file, logfiles, or blacklist files is not correct.
These files should be owned by the user and group under which the squid program runs. Look
for the following lines in squid.conf: cache_effective_user nobody http://cri.univ-tlse1.fr/documentations/cache/squidguard.html "nobody" may be different ("squid" is also common) depending on various random factors. To make sure the ownership is correct, run the following commands: chown nobody.nobody <path to squidguard.conf> chown -R nobody.nobody <path to blacklists> chown -R nobody.nobody <path to logfiles> |
| The permissions of the configuration file, logfiles, or blacklist files is not correct.
Set the permissions as follows: chmod 644 <path to squidguard.conf> chmod -R 640 <path to blacklists> chmod -R 644 <path to logfiles> find <path to blacklists> -type d -exec chmod 755 \{\} \; -print chmod 755 <path to logfiles> |
| There is a line-end before the "{" character in source or dest lists: ## bad src adults { ## good src adults { |
For more ideas see item 1, or else try the real FAQ
Back to Top
Why is Squidguard blocking some category of sites but not others?
Most likely the ownership or permissions of the blacklist files for that category are not correct. Check the item above.
Back to Top
Why isn't Squidguard blocking sites in a particular domain?
If you have both a domain and a subdomain listed in your "domains" file, squidGuard will usually only block the listed subdomain. For instance, if you have "badsite.com" and "porn.badsite.com" in your domains file, then you will find that squidGuard does not block access to "warez.badsite.com" or "badsite.com/nasty.html". This is probably an un-intended result of the way squidGuard uses b-trees to store the site lists.
There is a post in the forums about this which provides a more complete description. In that post, the question comes up on how to ensure that your domainlists don't contain any such harmful duplicates. Thankfully, a squidGuard user provides access to a thread on the old newsgroup, where scripts to process domainlists and urllists may be found.
Back to Top
Why does Squidguard not block clients designated with src { ip x.x.x.x }?
If you try to designate which clients get blocked by using a source group with the
clients designated by ip address, you must have a line in your squid.conf file to cause
squid to supply the entire ip address for each client. For instance, if you have:
src kids {
ip 192.168.1.10
ip 192.168.1.13
}
then you must put the following line into your squid.conf file:
client_netmask 255.255.255.255
Otherwise, squid will only supply the upper 16 bits of the client ip addresses and no
clients will match the result.
Back to Top
Is there a way to automatically update the lists of blocked sites?
Here is a shell script which will do this. This script was originally written by Rick Matthews. I have made some small changes to it; for instance, I have the script create the new directories it may need when it first runs. Also, I have changed it to reflect the change of address for squidguard.org's ftp site.
After downloading the script, you should edit it to give correct values to the variables which point to your squid and squidGuard binaries, and to your squidGuard blacklist databases. This script also uses the "wget" utility to download the files. It is more reliable and easier to use wget than to script an FTP session. If your system does not have it already, it is available as an RPM package for RedHat, or in other forms from Sunsite, among other places.
Back to Top
When I run squidGuard -C, the process never finishes.
See if there is a space at the start of the squidguard.conf file (there should not be).
Back to Top
How can I have a list of sites which are never blocked no matter what?
Create a blacklist called ok (or whatever you want). In blacklists/ok/domains list the
domains you want to allow; do the same thing with urls in blacklists/ok/urls, and with
expressions etc. In your acl list use the ok blacklist at the start of your pass block as
follows:
pass ok !porn !agressive !drugs... all
Back to Top
The "users" parameter in src blocks doesn't seem to work. How can I block sites from some network users but not others?
First, you must configure squid with an acl of type "ident REQUIRED"
and use http_access allow or deny with that acl:
acl idents ident REQUIRED
http_access allow idents
Then you must run an ident client on each client PC. This is a little program which
runs in the background and listens for ident requests. You can get one at:
http://identd.sourceforge.net
When the user tries to access the proxy, then squid will issue an ident request to the
client. The ident program will get (from Windows) the username under which the user logged
on and return it to the proxy.
Note that this assumes that the user did log on to the client computer (i.e.
that the logon dialog wasn't bypassed by the user hitting escape, or that the computer is
not set up to bypass the logon step with either a default logon or a blank logon).
Also see "Why doesn't Ident work in transparent mode?"
Back to Top
Why does squidguard hang with "domains.diff%: no such file or directory" in the log file when I do"squidGuard -u"?
Problem description: (see http://marc.theaimsgroup.com/?l=squidguard&m=102008640828326&w=2)
The squidGuard -u command produces the following in squidguard.log:
2002-04-29 08:47:47 [20149] init domainlist /usr/local/squidguard/db/bl/ads/domains
2002-04-29 08:47:47 [20149] loading dbfile /usr/local/squidguard/db/bl/ads/domains.db
2002-04-29 08:47:47 [20149] update dbfile /usr/local/squidguard/db/bl/ads/domains.db
2002-04-29 08:47:47 [20149] /usr/local/squidguard/db/bl/ads/domains.diff$: No such file or directory
2002-04-29 08:47:47 [20149] going into emergency modeand the process hangs forever until I use ctrl-C to break out of it.
Answer: (see http://marc.theaimsgroup.com/?l=squidguard&m=103046416402992&w=2)
There is a bug in the squidGuard source code which causes a buffer overrun error. This bug has been present in squidGuard for several versions. The bug does not always cause any visible problems, but on some users' machines the symptom described above shows up: an extra character somehow gets appended to the ".diff" filename during an update operation. The solution is to fix the source code bug and recompile, as described in the above cited newsgroup post. Here is a brief summary of the fix:
...edit the file src/sgDb.c (squidGuard V1.2.0 sources). Go to line 146 and replace:
update = (char *) sgMalloc(strlen(file) + 5);
with
update = (char *) sgMalloc(strlen(file) + 6);Then recompile.
Back to Top
The stock squidGuard.cgi hangs up with newer versions of Perl on RedHat 8.0 and later.
When you install squidGuard onto RedHat 8.0 or later with all of the updates applied, your perl version will be perl-5.8.0-55 or later. If you run the squidGuard.cgi file which is provided with the squidGuard distribution under those conditions, and a blocked page is encountered, the user's browser will time out on your redirection script. If you run the script from the command line, you will see a bunch of messages like this one:
"Using a hash as a reference is deprecated in .../squidGuard.cgi line 84".
To eliminate the messages, edit squidGuard.cgi and go to the very first line, which reads:
#! /usr/bin/perl -w
Change this to read
#!/usr/bin/perl
This will eliminate the warning messages (for now). Apparently the warnings prevent the script from completing when run as the squid user.
A better solution would be to change the code in every line which the perl interpreter thinks that a hash is being used as a reference.
Also note that I have removed the space between '!' and '/usr'. This was the suggestion I received via Rick Matthews from fellow squidguard user Stan Markham. It seems that some newer Red Hat installations don't like the space. He also suggested including "LANG=C; export LANG" in one's .bash_profile or /etc/profile to correct this and some display issues seen in newer Red Hat installations. For my own installation, I made the following entries in /etc/sysconfig/i18n instead:
LANG="en_US.UTF-8"
LANG="en_US"
Back to Top
Why are the blacklist databases no longer available from squidguard.org?
The new ftp site address is:
ftp.teledanmark.no/pub/www/proxy/squidguard/contrib/blacklists.tar.gz
You can access the file via http or ftp.
Back to Top
Why can't I compile squidGuard on Mandrake or on Redhat 9.2?
Some variants of Linux need to have the "pthread" library included when using BerkeleyDB with applications like squidGuard. You can do this as follows:
export LIBS="-lpthread";./configure <other configure options>