HOWTO - Setup Parental Controls with DansGuardian and Squid

Ignoring the dangers implicit with censorship, this guide should provide a simple way to filter what some may consider 'objectionable' content from the vast pit of corruption that is the web (this is not meant as a negative thing, mind you. Just a simple observation).

The configuration outlined here may also have the added benefit of caching web requests, which can provide not-insignificant performance gains for many home users, most often in the case of frequent accesses to the same site (such as Facebook, which seems to be popular at the time of this writing).

Requirements

• Proxy software (we will use Squid in this example)
• Something to filter the content (we will use DansGuardian)
• A blacklist of some sort (Optional)

Why Content Filtering
A blacklist alone is no longer sufficient for filtering web content effectively. Given the rate at which the web is growing: Approximately 334 new domains were registered every minute over the last 24 hours, according to Domain Tools. Add the amount of new content being added to existing domains, and we have a lot of sites to filter. Managing a list of it all would not only require a massive amount of human effort (or computational resources), the size of such a list would be ridiculous, even if compressed. If every request to retreive a site were checked against such a list, the verification delay would be very inconvenient (think of feeding a 5GB+ file to grep, looking for a specific address).

Enter Content Filtering, a technology that inspects individual pages for 'objectionable' material, and decides based on the contents of those pages whether or not to allow access to them. A blacklist can supplement this technology to improve performance (if the blacklist is small enough, it can be faster to search than the contents of a large page).

Together, they form an effective means of 'cleaning' the content served to users of your system (or network).

Installing and Configuring Squid

First, we need to install and configure a proxy. We'll be using squid for this example, as the caching capabilities it offers provide benefits not found in many competing proxies.

Download Squid and install it.


$ tar xzvf squid-*RELEASE*.tar.gz
$ cd squid-*
$ ./configure
$ make
# make install


In the case of Debian/Ubuntu users compiling from source, some minor tweaks should be made to the configure line, to accomodate the subtle differences in filesystem layout from what Squid would otherwise expect.


$ ./configure --prefix=/usr --localstatedir=/var --libexecdir=/usr/lib/squid --srcdir=. --datadir=/usr/share/squid --sysconfdir=/etc/squid


While it is technically possible to build and install Squid on a Debian or Ubuntu system without these changes, they will ensure that the installation aligns with the general filesystem layout of those distributions, and should make distribution-specific troubleshooting a bit easier.

Additionally, a minor tweak to ./src/Makefile.am in the directory you extracted to, prior to running make will avoid the need to do silly things. Change this line:


DEFAULT_LOG_PREFIX = $(localstatedir)/logs


To make it look like this:


DEFAULT_LOG_PREFIX = $(localstatedir)/log


Users of Debian-derivatives (such as Ubuntu or MEPIS) who do not wish to compile from source can simply fetch a recent binary from the supported repositories, and install it. This is easily accomplished with the provided package management tools:


$ sudo apt-get install squid


Edit /etc/squid/squid.conf with your editor of choice, paying special attention to the acl/http_access section. Something similar to the following configuration should work (configure according to your network range, of course):


acl local_network src 192.168.0.0/24 192.168.254.0/24
http_access allow local_network


Installing and Configuring DansGuardian

Download DansGuardian and install it:


$ tar xzvf DansGuardian-*
$ ./configure
$ make
# make install


Debian/Ubuntu users can do the following:


$ sudo apt-get install dansguardian


Edit /etc/dansguardian/dansguardian.conf, commenting out the UNCONFIGURED line once complete. Things to pay attention to are...


filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128


Configuring Firefox to Filter Content

Setting up a content filtering proxy is effective, but only if it filters information. If requests are not directed through the proxy, it cannot effectively 'clean' the content of 'objectionable' material.

• Edit -> Preferences -> General -> Connection Settings -> Manual Proxy Configuration
• Input 127.0.0.1 as the proxy IP
• Input 8080 as the proxy port
• Enable the checkbox for 'Use this proxy server for all protocols'

Please note that these settings only affect Firefox. Other web browsers and software will need to be configured as well. Configuration steps should be similar. If you would like specific examples, please post your requests in the comments for this article.

Preventing Users from Disabling the Filter

The restrictions created by a content-filtering proxy can be easily circumvented by simply not using the proxy. Assuming that the users so restricted do not have administrative access, this can be prevented as follows:

Edit /usr/lib/firefox/firefox.cfg and add the following entries:


lockPref("network.proxy.http","127.0.0.1");
lockPref("network.proxy.http_port",8080);
lockPref("network.proxy.type,1);
lockPref("network.proxy.no_proxies_on","localhost,127.0.0.1");


Sources

• http://unixadmintalk.com/f11/content-filtering-proxy-82337/
• http://wiki.squid-cache.org/SquidFaq/CompilingSquid
• http://ubuntuforums.org/showthread.php?t=207008
• http://ubuntuforums.org/showthread.php?t=320733
• http://dansguardian.org/downloads/content_filtering_challenges.pdf