Parental control with a Raspberry Pi, Squid and SquidGuard

Recently we bought an iPod for my 9-year-old daughter, and we were confronted with a harsh reality: children grow up fast, and their access to new technologies must be supervised. Hence the need for a control system for Internet access.


Without wishing to become a dictator or to rely entirely on a parental control tool, I still had to find a solution. The first step is to explain the risks and that some things are not meant to be seen, but nothing beats a good technical control on top of that 🙂

  1. For performance reasons, I used a minimalistic distribution that just had to be installed. You can find all the information on this page. If necessary, update your distribution
    apt-get update && apt-get upgrade -y
  2. Install Squid and SquidGuard
    apt-get install -y squid3 squidguard

    Remember that a user named proxy has been created. It will be needed to set the file ownership correctly for the software.

  3. Back up the Squid configuration (in case of error)
    cp /etc/squid3/squid.conf /etc/squid3/squid.conf.origin
  4. Generate a lighter configuration by removing the many (but useful) comment lines.
    cat /etc/squid3/squid.conf.origin | egrep -v -e '^[[:blank:]]*#|^$' > /etc/squid3/squid.conf
  5. Add your network at the end of the list of ACLs. At home my local network is 192.168.1.x, so I added the following line
    acl LocalNet src 192.168.1.0/24
  6. Allow machines on the network to connect to the proxy. Add the line http_access allow LocalNet (highlighted in red in the original post). The rule is linked to the ACL by its name, here LocalNet.
    http_access allow localhost
    http_access allow LocalNet
    http_access deny all

You can now configure your browser or OS to use the HTTP proxy with the Raspberry Pi's IP address and port 3128 (the default).

You can change your cache settings: location, size, etc. The purpose is primarily to filter Internet access, but also to improve browsing. At home I created a dedicated directory of type tmpfs, 500Mb in size. So as not to use the SD card too much, this folder is held in memory. The cache must not use 100% of this space (80% is best, so 400Mb).

  1. Create the directory /cache
    mkdir /cache
  2. In the file /etc/fstab add the line
    tmpfs /cache tmpfs defaults,noatime,nosuid,size=500m 0 0
  3. In the file /etc/squid3/squid.conf add the following line to the end of file
    cache_dir ufs /cache 400 16 256
  4. It's time to generate the cache and restart Squid
    service squid3 stop
    squid3 -z
    service squid3 start

Configure SquidGuard

  1. Download the blacklists. SquidGuard filters access based on lists of domains, URLs or keywords. The University of Toulouse maintains up-to-date lists that can be used with SquidGuard.
    wget http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz
    tar -zxvf blacklists.tar.gz
  2. Install the lists in the directory accessible by SquidGuard. Do not forget to change the ownership so that SquidGuard can access them
    mv blacklists /var/lib/squidguard/db/
    chown -R proxy:proxy /var/lib/squidguard/db/
  3. Change the SquidGuard configuration in the file /etc/squidguard/squidGuard.conf. In the example below, access to all listed porn sites is blocked for all users except the devices whose IP addresses are in the group parents. Unauthorized access attempts are logged to the file pornaccesses.
    dbhome /var/lib/squidguard/db
    logdir /var/log/squidguard
    
    src parents {
            ip 192.168.1.10 192.168.1.18 192.168.1.30
    }
    dest porn {
            domainlist blacklists/porn/domains
            urllist blacklists/porn/urls
            log pornaccesses
    }
    
    acl {
            parents {
                    pass all
            }
            default {
                    pass !porn all
                    redirect http://localhost/block.html
            }
    }
    
  4. Build the blacklist databases for SquidGuard. You'll need to run this command each time the SquidGuard configuration (/etc/squidguard/squidGuard.conf) changes. Be patient, it takes a while on our tiny machines.
    squidGuard -C all
    chown -R proxy:proxy /var/lib/squidguard/db/
  5. Add the following line at the end of the Squid configuration file /etc/squid3/squid.conf
    url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
  6. You can test the configuration of SquidGuard and Squid and generate the cache directories
    service squid3 stop
    squid3 -z
  7. Start Squid
    service squid3 restart

SquidGuard is now installed and configured to block adult sites.

[Image: raspberry pi squid squidguard filtering]

You can see that the error shown is not the right one. Indeed, when a site is blocked, the configuration redirects the user to the page block.html. As we have not installed it, this generates an error. If you want to customize the message, I advise you to install Nginx and create the page block.html with the layout that you want. Here is what I have at home:

[Image: raspberry pi proxy squid squidguard block screen]

Install Webmin and calamaris for log analysis

  1. Install Webmin. I did that from the folder /root (yes I know that's bad …)
    mkdir webmin
    cd webmin/
    wget http://prdownloads.sourceforge.net/webadmin/webmin-1.760.tar.gz
    tar zxvf webmin-1.760.tar.gz
    cd webmin-1.760/
    ./setup.sh /usr/local/webmin
  2. Install the calamaris log analyzer, very convenient for getting usage information from the proxy
    apt-get install calamaris

You can now connect to the IP address of your Raspberry Pi on port 10000. Log in with the username and password from step 1. The Squid module is in the category Server. If you want to speed up the browsing, I suggest the theme Stress Free.

Another log analysis tool that I have installed is LightSquid (a demo is available here). It provides information per day / month / user, etc. Quite handy to see what's happening on the network.

Script to automatically update the blacklists

The lists are not fixed forever. They are kept up to date and evolve regularly (I do not know the exact frequency). It is therefore necessary to download them again and update SquidGuard. Here is a sample script that you can put in your cron table to run daily or weekly:

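#!/bin/sh
# Refresh the SquidGuard blacklists and rebuild the databases.

# Stop if the directory is missing, so rm -rf never runs elsewhere
cd /var/lib/squidguard/db || exit 1
# Download first, so the current lists are kept if the download fails
wget -O blacklists.tar.gz http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz || exit 1
rm -rf blacklists
tar -zxvf blacklists.tar.gz
rm blacklists.tar.gz
# Rebuild the databases and give them back to the proxy user
squidGuard -C all
chown -R proxy:proxy /var/lib/squidguard/db/
service squid3 restart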

I created this script in /etc/cron.daily. The default execution time is 6:25; I changed it to 01:00 in the morning so that the update does not disturb anyone, because Squid is restarted.
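
Because this job runs as root from cron and fetches the archive over plain HTTP, it is worth checking the archive before it replaces the live lists. The following is an added example, not the author's script: it lists the archive first, unpacks into a staging directory and swaps only when the porn category used in the configuration above is present. The function names, the "run" argument and the blacklists.old backup directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: staged blacklist update (function names are hypothetical).
DB=${DB:-/var/lib/squidguard/db}
URL=http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz

# Succeed only if the archive is readable, non-empty, and every member
# sits under blacklists/ with no ".." path component.
archive_is_safe() {
    names=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$names" ] || return 1
    echo "$names" | awk '
        !/^blacklists\// || /\/\.\.\// || /\/\.\.$/ { bad = 1 }
        END { exit bad + 0 }'
}

# Unpack a checked archive into a staging directory inside the db
# directory, require the category the configuration blocks, then swap.
# $1 = archive, $2 = db directory. The previous lists are kept as
# blacklists.old so a bad update can be rolled back by hand.
install_lists() {
    archive_is_safe "$1" || { echo "rejected archive: $1" >&2; return 1; }
    stage=$(mktemp -d "$2/stage.XXXXXX") || return 1
    if ! tar -xzf "$1" -C "$stage" --no-same-owner ||
       [ ! -s "$stage/blacklists/porn/domains" ]; then
        echo "unusable lists, keeping the current ones" >&2
        rm -rf "$stage"
        return 1
    fi
    rm -rf "$2/blacklists.old"
    [ -d "$2/blacklists" ] && mv "$2/blacklists" "$2/blacklists.old"
    mv "$stage/blacklists" "$2/blacklists" && rmdir "$stage"
}

# Full update, only when invoked as "script run" (as root, e.g. from cron).
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp) || exit 1
    if wget -q -O "$tmp" "$URL" && install_lists "$tmp" "$DB"; then
        rm -f "$tmp"
        squidGuard -C all && chown -R proxy:proxy "$DB" &&
            service squid3 restart
    else
        rm -f "$tmp"
        exit 1
    fi
fi
```

If the download or any check fails, the existing lists stay in place and Squid is not restarted.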

Automatic URL for the proxy configuration

With your web server you can distribute the configuration of your proxy to your systems. A .pac file must be created :

  1. Create the automatic configuration file. I created it in /usr/share/nginx/www and called it proxy.pac. The content is a JavaScript function:
        function FindProxyForURL(url, host) {
            // Destinations on localhost or the local network are reached directly
            if (
                isInNet(host, "127.0.0.0", "255.0.0.0") ||
                isInNet(host, "192.168.1.0", "255.255.255.0")) {
                return "DIRECT";
            } else {
                // HTTP and HTTPS traffic goes through the Squid proxy on the Pi
                if (shExpMatch(url, "http:*"))
                    return "PROXY 192.168.1.28:3128";
                if (shExpMatch(url, "https:*"))
                    return "PROXY 192.168.1.28:3128";
                return "DIRECT";
            }
        }
    

    This file sets the proxy for HTTP and HTTPS. Localhost and the local network are accessed directly by the device.

  2. Add the MIME type for .pac files. Add the following line at the end of the types block in the file /etc/nginx/mime.types
    application/x-ns-proxy-autoconfig pac;
  3. Restart Nginx
    service nginx restart
  4. Set up your device to use automatic configuration with the URL http://<ip of your raspberry>/proxy.pac
    No need to enter all the settings by hand.

Script for the generation of destinations based on blacklists

Here is a small script to generate the destinations based on the downloaded lists. It saves you from having to type everything.

#!/bin/sh
# Print a SquidGuard "dest" block for every category of the blacklists.

SQUIDLIB=/var/lib/squidguard/db
SQUIDLIB_BLACKLISTS=$SQUIDLIB"/blacklists"

if [ -d "$SQUIDLIB_BLACKLISTS" ]; then
	for folderName in `ls "$SQUIDLIB_BLACKLISTS"`; do
		if [ -d "$SQUIDLIB_BLACKLISTS/$folderName" ]; then
			echo "dest $folderName {"
			if [ -e "$SQUIDLIB_BLACKLISTS/$folderName/domains" ]; then
				echo "      domainlist blacklists/$folderName/domains"
			fi
			if [ -e "$SQUIDLIB_BLACKLISTS/$folderName/urls" ]; then
				echo "      urllist blacklists/$folderName/urls"
			fi
			echo "}"
		fi
	done
fi

Voilà! I will now look at Apple Configurator to set up the proxy configuration without it being modifiable by the user. If any of you know an equivalent for Android, please share it in the comments.
