ContentFiltering

Proxy

Status

Introduction

Easy ContentFiltering (deferred goal from breezy, see below)

This spec looks at how to provide a default proxy/web filtering solution, especially for kids and schools, and for parental control. A GUI and a mechanism for auto-updates are also desirable features to enhance ease of use and effectiveness.

Rationale

School and home environments might want a default proxy with content control, without having to configure proxy/web content settings manually.

Scope and Use Cases

  • There are two GPL web filtering engines, squidGuard and DansGuardian:

    • squidGuard is a squid redirector that filters solely on domain/URL blacklists/whitelists.
    • DansGuardian proxies squid and has a number of filtering techniques, including phrase matching, PICS filtering and URL filtering.

  • squidGuard and DansGuardian are complementary; they may both be used at the same time.

Pros of squidGuard

  • It is fast: the squidGuard web site claims that a Pentium 500 can analyze 100,000 queries in about 10 seconds.
  • It is reliable

Cons of squidGuard

  • It only filters based on domains/URLs; it is reactive rather than proactive.
  • Requires a source of quality, timely blacklist updates.
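The following sketch shows how a squid redirector that filters on domain/URL lists makes its decision. It is an added example, not squidGuard's own code. The list contents, the block page URL and the function names are constructed for illustration, and it assumes the helper line format `URL client_ip/fqdn ident method`, with an empty reply meaning "leave the URL unchanged".

```python
import sys
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment loads these from blacklist files.
DOMAIN_BLACKLIST = {"ads.example", "games.example"}
URL_BLACKLIST = {"portal.example/chat"}        # host + path prefix
DOMAIN_WHITELIST = {"homework.games.example"}
BLOCK_PAGE = "http://127.0.0.1/blocked.html"   # hypothetical block page


def parent_domains(host):
    """Yield host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(url):
    # CONNECT requests arrive as host:port without a scheme.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    # The whitelist wins, so one subdomain of a blocked domain can be allowed.
    if any(d in DOMAIN_WHITELIST for d in parent_domains(host)):
        return False
    if any(d in DOMAIN_BLACKLIST for d in parent_domains(host)):
        return True
    target = host + parts.path
    # Match on a path boundary so /chat does not also block /chatter.
    return any(target == u or target.startswith(u + "/") for u in URL_BLACKLIST)


def rewrite(request_line):
    """Handle one redirector line; return the block page URL or "" (no change)."""
    fields = request_line.split()
    if not fields:
        return ""
    return BLOCK_PAGE if is_blocked(fields[0]) else ""


def main():
    for line in sys.stdin:       # squid keeps the helper running and feeds it lines
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()       # squid waits for each answer, so never buffer


if __name__ == "__main__":
    main()
```

A domain that is not yet on any list passes through untouched, which is the "reactive rather than proactive" limitation in practice.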

Pros of DansGuardian

  • It filters the actual content of pages based on many methods, including phrase matching, PICS filtering and URL filtering.
  • It can use the same blacklists as squidGuard, so it can block at least as many sites as squidGuard.

Cons of DansGuardian

  • It is much more resource intensive than squidGuard.
  • It is more complicated to tune, so it is more likely to generate false positives.

Implementation Plan

  • include squidGuard and/or DansGuardian packages

Packages Affected

  • squid.conf needs to be modified for squidGuard:

    • redirect_program /usr/sbin/squidGuard -c /etc/squid/squidGuard.conf

  • transparent proxying requires squid.conf modification:

    • httpd_accel_host virtual
      httpd_accel_port 80
      httpd_accel_with_proxy on
      httpd_accel_uses_host_header on

  • transparent proxying requires an iptables rule:

    • for squidGuard:

      • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

    • for DansGuardian:

      • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

User Interface Requirements

The K12LTSP implementation of squidGuard avoids modifying /etc/squid/squid.conf by creating a /etc/init.d/squidGuard service that is similar to /etc/init.d/squid except it specifies an alternate squid.conf file that has the squidGuard and transparent proxying modifications.

Likewise, a /etc/init.d/transparent_proxying service is created that can add/remove the REDIRECT iptables rules.

A graphical utility to edit the DansGuardian and squidGuard configurations should be developed.

Outstanding Issues

squidGuard

  • While squidGuard is widely used, it has not been in active development.
  • Requires a source for blacklist updates.

DansGuardian

  • DansGuardian requires more resources.
  • While it is GPL, the upstream maintainers prefer that it is not included in distributions.
  • Initial configuration of DansGuardian is more difficult than that of squidGuard, but it does not require the frequent blacklist updates that squidGuard does.

Remarks

There exist more than 2 filtering proxies. I have never used it, but Willow seems to be interesting to me--it's written in Python, GPL'ed, and uses "Bayesian" filtering similar to what's used in many spam filters. --JanClaeys



UbuntuDownUnder/BOFs/ContentFiltering (last edited 2008-08-06 16:22:53 by localhost)