# HG changeset patch # User Eric Joseph-Alexandre # Date 1401314163 -7200 # Node ID bbe208efc3ed35a9532365007c4c69e7c18bc69d # Parent 1fad0cb2918771d2de2436876643648bbcc1b372 squidguard: Add support for squid 3.4.x diff -r 1fad0cb29187 -r bbe208efc3ed squidguard/receipt --- a/squidguard/receipt Thu Apr 17 10:54:51 2014 +0000 +++ b/squidguard/receipt Wed May 28 23:56:03 2014 +0200 @@ -27,6 +27,10 @@ squidGuard-1.4-patch-20091015.tar.gz squidGuard-1.4-patch-20091019.tar.gz EOT + # Add support for squid 3.4 + patch -p1 < $stuff/squidGuard-1.4_upgrade.patch + patch -p1 < $stuff/squidGuard-1.4-dnsbl.patch + ./configure --prefix=/usr --infodir=/usr/share/info \ --sysconfdir=/etc --with-sg-config=/etc/squidGuard/squidGuard.conf \ --with-sg-logdir=/var/lib/squidGuard/log \ diff -r 1fad0cb29187 -r bbe208efc3ed squidguard/stuff/squidGuard-1.4-dnsbl.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/squidguard/stuff/squidGuard-1.4-dnsbl.patch Wed May 28 23:56:03 2014 +0200 @@ -0,0 +1,282 @@ +diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html +--- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100 ++++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100 +@@ -1630,6 +1630,15 @@ + "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])". + +
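Review bot: The two new `patch -p1 < $stuff/...` lines in the receipt hunk ignore patch's exit status, so a rejected hunk (for example after a future squidGuard tarball bump) leaves the tree unpatched and the `./configure` that follows still runs, producing a package that silently lacks the squid 3.4 protocol change and the DNSBL code. Append a failure check to each line, e.g. `patch -p1 < $stuff/squidGuard-1.4_upgrade.patch || return 1` and `patch -p1 < $stuff/squidGuard-1.4-dnsbl.patch || return 1`. The shell function enclosing this hunk starts and ends outside it.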
++ dnsbl ++
++
++ !dnsbl can be used to dynamically check domain names against ++ DNS-based blacklists, such as black.uribl.com, which is the default. ++ The DNS blacklist can be set to another domain by setting ++ !dnsbl:your.blacklist.domain.com ++
++
+ any +
+
+@@ -2419,6 +2428,9 @@ + even if they would match a blocking regex: +
+  + limiting the usage of IP-address URLs: ++
++  + blocking sites known to be part of the ++ black.uribl.com DNS blacklist. +

+ + +@@ -2442,7 +2454,7 @@ + + acl { + default { +- pass local good !in-addr !porn all ++ pass local good !in-addr !porn !dnsbl:black.uribl.com all + redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u + } + } +diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt +--- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100 ++++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100 +@@ -637,6 +637,12 @@ + "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9 + ]\{1,3\}($|[:/])". + ++ dnsbl ++ !dnsbl can be used to dynamically check domain names against ++ DNS-based blacklists, such as black.uribl.com, which is the default. ++ The DNS blacklist can be set to another domain by setting ++ !dnsbl:your.blacklist.domain.com ++ + any + matches any URL and is a fast equivalent to the + expression ".*". +@@ -1052,6 +1058,7 @@ + + ensuring local and good sites are passed even if they would match a + blocking regex: + + limiting the usage of IP-address URLs: ++ + blocking sites known to be part of the black.uribl.com DNS blacklist: + logdir /usr/local/squidGuard/log + dbhome /usr/local/squidGuard/db + +@@ -1071,7 +1078,7 @@ + + acl { + default { +- pass local good !in-addr !porn all ++ pass local good !in-addr !porn !dnsbl:black.uribl.com all + redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n& + clientuser=%i&clientgroup=%s&url=%u + } +diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html +--- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100 ++++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100 +@@ -168,6 +168,34 @@ + + +

++ ++
  • Using online DNS blacklists

    ++Several DNS based databases can be used to block domain names referrenced in ++blacklists. First choose which database you would like to trust (some well known ++are : http://www.uribl.com/, or http://www.surbl.org/). ++Be aware that this will raise several DNS requests every time squidGuard ++receives a request to filter. SquidGuard will not cache any DNS result, so make ++sure your DNS server does, and mesure the performance impact before using on ++production. ++To get squidGuard to request DNS dynamically and block listed domain names, just use : ++

    ++ ++ ++ ++ ++ ++
    Blocking domain names referenced in a DNS blacklist ++
    ++
     acl {
    ++        default {
    ++                pass !dnsbl:black.uribl.com all
    ++                redirect http://localhost/block.html
    ++        }
    ++ }
    ++
    ++
    ++

    ++ +
  • Logging blocked access tries +

    + It may be of interest who is accessing blocked sites. To track that +diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt +--- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100 ++++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100 +@@ -100,6 +100,29 @@ + 172.16.12.0/255.255.255.0 + 10.5.3.1/28 + ++ Using online DNS blacklists ++ Several DNS based databases can be used to block domain names referrenced in ++ blacklists. First choose which database you would like to trust (some well known ++ are : http://www.uribl.com/, or http://www.surbl.org/). ++ Be aware that this will raise several DNS requests every time squidGuard ++ receives a request to filter. SquidGuard will not cache any DNS result, so make ++ sure your DNS server does, and mesure the performance impact before using on ++ production. ++ To get squidGuard to request DNS dynamically and block listed domain names, just use : ++acl { ++ default { ++ pass !dnsbl:black.uribl.com all ++ redirect http://localhost/block.html ++ } ++} ++ ++ ++ ++ ++ ++ ++ ++ + Logging blocked access tries + It may be of interest who is accessing blocked sites. 
To track that + down you can add a log directive to your src or dest definitions in +diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in +--- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100 ++++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100 +@@ -68,6 +68,7 @@ + #define ACL_TYPE_DEFAULT 1 + #define ACL_TYPE_TERMINATOR 2 + #define ACL_TYPE_INADDR 3 ++#define ACL_TYPE_DNSBL 4 + + #define REQUEST_TYPE_REWRITE 1 + #define REQUEST_TYPE_REDIRECT 2 +@@ -301,6 +302,7 @@ + + struct AclDest { + char *name; ++ char *dns_suffix; + struct Destination *dest; + int access; + int type; +diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in +--- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200 ++++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100 +@@ -2253,6 +2274,7 @@ + int allowed; + #endif + { ++ char *subval = NULL; + struct Destination *dest = NULL; + struct sgRewrite *rewrite = NULL; + struct AclDest *acldest; +@@ -2264,6 +2286,9 @@ + allowed=0; + else if(!strcmp(value,"in-addr")){ + type = ACL_TYPE_INADDR; ++ } else if (!strncmp(value,"dnsbl",5)) { ++ subval = strstr(value,":"); ++ type = ACL_TYPE_DNSBL; + } else { + if((dest = sgDestFindName(value)) == NULL){ + sgLogFatalError("%s: ACL destination %s is not defined in configfile %s", +@@ -2278,6 +2303,25 @@ + acldest->dest = dest; + acldest->access = allowed; + acldest->type = type; ++ if (type == ACL_TYPE_DNSBL) ++ { ++ if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use ++ { ++ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1); ++ strcpy(acldest->dns_suffix, ".black.uribl.com"); ++ }else{ ++ subval=subval+1; ++ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") != ++ strlen(subval) ) ++ { ++ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix", ++ progname,subval); ++ } ++ acldest->dns_suffix = (char *) 
sgCalloc(1,strlen(subval)+1); ++ strcpy(acldest->dns_suffix, "."); ++ strcat(acldest->dns_suffix,subval); ++ } ++ } + acldest->next = NULL; + if(lastAcl->pass == NULL){ + lastAcl->pass = acldest; +@@ -2365,6 +2409,56 @@ + return acl; + } + ++char *strip_fqdn(char *domain) ++{ ++ char *result; ++ result=strstr(domain,"."); ++ if (result == NULL) ++ return NULL; ++ return (result+1); ++} ++ ++int is_blacklisted(char *domain, char *suffix) ++{ ++ char target[MAX_BUF]; ++ struct addrinfo *res; ++ int result; ++ //Copying domain to target ++ if (strlen(domain)+strlen(suffix)+1>MAX_BUF) ++ { ++ //Buffer overflow risk - just return and accept ++@NOLOG1@ ++ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); } ++@NOLOG2@ ++ return(0); ++ } ++ strncpy(target,domain,strlen(domain)+1); ++ strcat(target,suffix); ++ ++ result = getaddrinfo(target,NULL,NULL,&res); ++ if (result == 0) //Result is defined ++ { ++ freeaddrinfo(res); ++ return 1; ++ } ++ //If anything fails (DNS server not reachable, any problem in the resolution, ++ //let's not block anything. ++ return 0; ++} ++ ++int blocked_by_dnsbl(char *domain, char *suffix) ++{ ++ char *dn=domain; ++ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com" ++ { ++ if (is_blacklisted(dn,suffix)) ++ return(1); ++ dn=strip_fqdn(dn); ++ } ++ return 0; ++} ++ ++ + #if __STDC__ + char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req) + #else +@@ -2397,6 +2491,16 @@ + } + continue; + } ++ // http://www.yahoo.fr/ 172.16.2.32 - GET ++ if(aclpass->type == ACL_TYPE_DNSBL){ ++ if (req->dot) ++ continue; ++ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){ ++ access=0; ++ break; ++ } ++ continue; ++ } + if(aclpass->dest->domainlistDb != NULL){ + result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata); + if(result != DB_NOTFOUND) { diff -r 1fad0cb29187 -r bbe208efc3ed squidguard/stuff/squidGuard-1.4_upgrade.patch 
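Review bot: The DNSBL suffix buffer in the sg.y.in part of this patch is one byte too small: `acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);` is followed by `strcpy(acldest->dns_suffix, ".");` and `strcat(acldest->dns_suffix,subval);`, which store strlen(subval)+2 bytes including the terminator, so every `!dnsbl:suffix` config entry writes one byte past the allocation; allocate `sgCalloc(1,strlen(subval)+2)`. The `strncmp(value,"dnsbl",5)` prefix test also captures any destination whose name merely begins with "dnsbl", turning such a list into a DNS lookup instead of a fatal "not defined" error, so compare the whole token up to the optional ':' instead. In is_blacklisted every getaddrinfo failure (NXDOMAIN, timeout, unreachable resolver) is treated as "not listed" and reported only when globalDebug==1, which makes an outage of the blacklist resolver indistinguishable from a clean result in normal logs; at minimum distinguish EAI_NONAME from other return codes and log the others unconditionally. The functions this hunk adds live in sg.y.in, whose surrounding code is outside this view.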
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/squidguard/stuff/squidGuard-1.4_upgrade.patch Wed May 28 23:56:03 2014 +0200
@@ -0,0 +1,76 @@
+diff -urN squidGuard-1.4.orig/src/main.c squidGuard-1.4.upgraded/src/main.c
+--- squidGuard-1.4.orig/src/main.c 2013-12-11 17:42:15.000000000 +1300
++++ squidGuard-1.4.upgraded/src/main.c 2013-12-11 19:04:09.000000000 +1300
+@@ -175,7 +175,7 @@
+ sgReloadConfig();
+ }
+ if(failsafe_mode) {
+- puts("");
++ puts("ERR message=\"squidGuard failsafe mode\"");
+ fflush(stdout);
+ if(sig_hup){
+ sgReloadConfig();
+@@ -184,7 +184,7 @@
+ }
+ if(parseLine(buf,&squidInfo) != 1){
+ sgLogError("Error parsing squid line: %s",buf);
+- puts("");
++ puts("BH message=\"squidGuard error parsing squid line\"");
+ }
+ else {
+ src = Source;
+@@ -196,14 +196,14 @@
+ acl = sgAclCheckSource(src);
+ if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){
+ if(src == NULL || src->cont_search == 0){
+- puts("");
++ puts("ERR");
+ break;
+ } else
+ if(src->next != NULL){
+ src = src->next;
+ continue;
+ } else {
+- puts("");
++ puts("ERR");
+ break;
+ }
+ } else {
+@@ -215,9 +215,10 @@
+ squidInfo.ident[0] = '-';
+ squidInfo.ident[1] = '\0';
+ }
+- fprintf(stdout,"%s %s/%s %s %s\n",redirect,squidInfo.src,
+- squidInfo.srcDomain,squidInfo.ident,
+- squidInfo.method);
++ if (isdigit(redirect[0]) && isdigit(redirect[1]) && isdigit(redirect[2]) && redirect[3]==':') {
++ fprintf(stdout,"OK status=%c%c%c url=\"%s\"\n", redirect[0], redirect[1], redirect[2], &redirect[4]);
++ } else
++ fprintf(stdout,"OK rewrite-url=\"%s\"\n",redirect);
+ /* sgLogError("%s %s/%s %s %s\n",redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */
+ break;
+ }
+diff -urN squidGuard-1.4.orig/src/sgDiv.c squidGuard-1.4.upgraded/src/sgDiv.c
+--- squidGuard-1.4.orig/src/sgDiv.c 2013-12-11 17:42:15.000000000 +1300
++++ squidGuard-1.4.upgraded/src/sgDiv.c 2013-12-11 18:58:33.000000000 +1300
+@@ -771,7 +771,7 @@
+ }
+ sgLogError("Going into emergency mode");
+ while(fgets(buf, MAX_BUF, stdin) != NULL){
+- puts("");
++ puts("ERR");
+ fflush(stdout);
+ }
+ sgLogError("ending emergency 
mode, stdin empty");
+diff -urN squidGuard-1.4.orig/src/sgDiv.c.in squidGuard-1.4.upgraded/src/sgDiv.c.in
+--- squidGuard-1.4.orig/src/sgDiv.c.in 2013-12-11 17:42:15.000000000 +1300
++++ squidGuard-1.4.upgraded/src/sgDiv.c.in 2013-12-11 18:58:40.000000000 +1300
+@@ -782,7 +782,7 @@
+ }
+ sgLogError("Going into emergency mode");
+ while(fgets(buf, MAX_BUF, stdin) != NULL){
+- puts("");
++ puts("ERR");
+ fflush(stdout);
+ }
+ sgLogError("ending emergency mode, stdin empty");
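Review bot: In the main.c hunk of this patch, `isdigit(redirect[0])`, `isdigit(redirect[1])` and `isdigit(redirect[2])` pass a plain `char` to a <ctype.h> function; on platforms where char is signed, a byte of 0x80 or above becomes a negative argument and the behaviour is undefined, so each call should read `isdigit((unsigned char)redirect[0])`. The new `OK status=... url=\"%s\"` and `OK rewrite-url=\"%s\"` replies print the redirect string inside double quotes without any escaping; if the redirect template's `%u` substitution inserts the requested URL verbatim (that code is not in this patch), a `"` or `\` in a client-supplied URL would end the quoted value early and desynchronise the helper reply, so the value should be escaped per Squid's helper kv-pair quoting rules before it is written. The request loop enclosing these lines starts and ends outside the hunk.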