Squidguard update


#1

I’m new to the forum, so thank you all for the information stored here.

I’ve been using Vyatta/VyOS for lab environments for a while now, but have worked with the url-filtering very little. I’m looking into the possibility of replacing our current physical edge device with a virtual instance of VyOS; however, when updating the blacklist categories for Squidguard, it defaults to ftp.univ-tlse1.fr for the download. Can someone point me in the right direction for changing the URL/IP used for the default download of the blacklist categories?

Thanks again,
James


#2

There is no way to set it from the CLI right now. Web proxy was quite a neglected feature in Vyatta because it was a bit out of the enterprise/ISP router scope and now it is quite a neglected feature in VyOS too because people don’t drop by very often to ask for webproxy improvements (other than SSL MitM filtering which I have VERY mixed feelings about), so…
None of the core developers uses it either at this time, though back when bandwidth at my place was many times more expensive, caching and filtering really helped to reduce traffic consumption and keep the bills reasonable, and I know in a lot of places it’s still just as expensive, so we have absolutely no plans to drop support for web proxy, even if we don’t spend much time on improving it.

Anyway, if you are one of those who do use it, you can help us make it better. Please tell us the following:

  • Where do you get your blacklists for manually configured squidguard? Is there more than one place/list? If yes, is the archive format the same in all those places you use?
  • Are the categories standardized at all?
  • Do you have any ideas how to switch from a hardcoded to a configurable blacklist archive URL gracefully?
  • What do you think should happen if the user switches from one URL to another?
  • Do you have any ideas how to detect if the archive at the URL is a valid blacklist archive, for the case when people enter a wrong URL by mistake?

If you’ve got time, it would be awesome if you go to the wiki and create a design document for this feature using this template: http://wiki.vyos.net/wiki/Design_document_template rather than just post it in the forum.


#3

dmbaturin - thanks for your reply. I did a little more digging on Google and found this -> https://community.ubnt.com/t5/EdgeMAX/Webproxy-Blacklist-Update/td-p/898622

It’s part of Ubiquiti EdgeMAX, but I took a chance and found the vyatta-sg-blacklist.pl file mentioned in their forum. And in the .pl, they talk about the blacklist database file format. Since this is still in a lab environment, and I’m still testing, I changed the .pl on my VyOS instance to pull the blacklist categories from squidblacklist.org. Worked great.


#4

Note that, unlike Ubiquiti, we have the source code in browsable form. :wink: https://github.com/vyos/vyatta-webproxy/blob/current/scripts/vyatta-sg-blacklist.pl
Just to clarify, I’m one of those who wrote that code. I’m not asking how we are doing it now, I know how we are doing it. And the reason we are doing it this way is that a hardcoded URL that gives an archive with a known format just works, and making it configurable requires a lot of additional decisions.

You are not answering a single question I asked in my previous post. Please understand, the code that makes it into mainline, it must work for everyone.
This is why I’m asking you, a current squidguard user, if all squidguard blacklist distributions use the same format and same categories, and if not, which ones are known to use the same format and how to tell them, automatically, from those that don’t.
That code must also work after upgrading older versions. What do you think should happen when someone who used the old version that had the URL hardcoded upgrades to a new version that has it configurable? We need to decide because having people’s config break after upgrade is not an option, it must work.
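
Added example, not part of the thread and not VyOS code: one way to approach the question raised in posts #2 and #4 of telling a valid blacklist archive from a mistyped URL, by inspecting the download before anything is unpacked. It assumes a gzip'd tar laid out as `<top>/<category>/{domains,urls,expressions}`; the function names are hypothetical and the sample archives are constructed.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Assumed layout (not stated in the thread): <top>/<category>/<list file>
LIST_FILES = {"domains", "urls", "expressions"}


def unsafe(path):
    """True for absolute paths or paths that climb out with '..'."""
    return path.startswith("/") or ".." in PurePosixPath(path).parts


def check_blacklist_archive(data):
    """Inspect (never extract) a .tar.gz; return (categories, problems)."""
    categories, problems = set(), []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar:
                parts = PurePosixPath(member.name).parts
                if unsafe(member.name):
                    problems.append(f"unsafe path: {member.name}")
                elif member.issym() or member.islnk():
                    if unsafe(member.linkname):
                        problems.append(f"link escapes archive: {member.name}")
                elif not (member.isfile() or member.isdir()):
                    problems.append(f"special file: {member.name}")
                elif member.isfile() and len(parts) == 3 and parts[2] in LIST_FILES:
                    # Sample the start of the list; a domain list has no '/' or spaces
                    head = tar.extractfile(member).read(4096).decode("latin-1")
                    if parts[2] == "domains" and ("/" in head or " " in head):
                        problems.append(f"not a domain list: {member.name}")
                    else:
                        categories.add(parts[1])
    except (tarfile.TarError, OSError, EOFError) as exc:
        problems.append(f"not a readable gzip tar archive: {exc}")
    if not categories:
        problems.append("no <category>/domains|urls|expressions file found")
    return categories, problems


def make_archive(files):
    """Build a constructed in-memory .tar.gz from {path: bytes} (demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

The returned category set could also be compared with the categories already referenced in the running configuration, which bears on the question of what should happen when the URL changes.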


#5

dmbaturin,

I know this is an old post, but are you still interested in this information? I would appreciate some level of configuration for squidguard and am willing to answer some questions.