VideoCache

videocache and squid working but squidGuard not blocking

by Anonymous on 16 Jan 2009

I've configured videocache on Fedora Core 9 with the newest rpm packages, and it works perfectly. Then I configured zapchain to make videocache and squidGuard work together in squid (as described in videocache hacks). Then a problem occurred: videocache is working, but squidGuard stopped blocking forbidden sites, although in the system process list squidGuard is loaded as usual.

Then I made some modifications to the videocache configuration in squid.conf; I've commented out everything except:

url_rewrite_program /usr/local/bin/zapchain "/usr/bin/squidGuard -c /etc/squid/squidGuard.conf" "/usr/bin/python2.5 /usr/share/videocache/videocache.py"

Then squidGuard started blocking sites again, but videocache is not caching video. Can you please help me find the error?

Adzanny - Indonesia

4 Answers

by bellera on 16 Jan 2009

Hello!

Do you see the squidGuard & videocache processes when looking with the ps command?

ps -aux | grep squidGuard
ps -aux | grep videocache

If yes, they are working together.

Is your squidGuard making any redirection for denied pages? Example (squidGuard.conf):

default {
pass none
redirect http://localwebserver/denied_form.html
log squidGuard.log.filter
}

If not, perhaps you need to do it. I have a squidGuard.conf similar to the above example.

I think you must ensure that the second redirector (videocache) will receive a different URL from the first redirector (squidGuard). It can be anything, an empty page or a denied form page for your users.

Try this and tell us the results, please.

Regards,

Josep Pujadas

by Anonymous on 17 Jan 2009

Yes, I checked with the ps command and both squidGuard and videocache are running, but squidGuard is still not blocking forbidden sites. Maybe you can help me find the error in my config files?

squid.conf

#-----------------------------------------
#PORT
#-----------------------------------------
http_port 3128 transparent
#-----------------------------------------
#PROXY
#-----------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

#-----------------------------------------
# ADMINISTRATIVE PARAMETERS
#-----------------------------------------

cache_mgr adzanny
visible_hostname 192.168.1.1
cache_effective_user squid
cache_effective_group squid

#-----------------------------------------
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#-----------------------------------------
cache_dir ufs /mnt/data/squid 40000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
client_netmask 255.255.255.255
unlinkd_program /usr/lib/squid/unlinkd

cache_mem 16 MB
cache_swap_low 75%
cache_swap_high 85%

minimum_object_size 0 KB
maximum_object_size 50 MB
maximum_object_size_in_memory 32 KB

ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDFS
log_fqdn off
buffered_logs off

#-----------------------------------------
#SQUID AUTHENTICATION
#-----------------------------------------
auth_param basic children 5
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#-----------------------------------------
# OPTIONS FOR TUNING THE CACHE
#-----------------------------------------
refresh_pattern /.gif       10080   100%    43200
refresh_pattern /.jpg       10080   100%    43200
refresh_pattern /.jpeg      10080   100%    43200
refresh_pattern /.png       10080   100%    43200
refresh_pattern /.ico       10090   100%    43200
refresh_pattern ^http://www.friendster.com/.*   720     100%    10080
refresh_pattern ^http://mail.yahoo.com/.*       720     100%    10080
refresh_pattern ^http://*.yahoo.*/.*            720     100%    7200
refresh_pattern ^http://*.google.com/.*         720     100%    10080
refresh_pattern ^http://kaskus.us*/.*       720     100%    28800
refresh_pattern ^http://*.blogsome.com/.*       720     80%     10080
refresh_pattern ^http://*.wordpress.com/.*      720     80%     10080
refresh_pattern ^http://detik.com/.*            720     90%     2880
refresh_pattern ^http://google.co.id/.*     720     90%     2880
refresh_pattern ^http://okezone.com/.*          720     90%     2880
refresh_pattern ^ftp:           14400   90%     43200
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       50%     4320

quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 95

range_offset_limit 0 KB

#-----------------------------------------
# TIMEOUTS
#-----------------------------------------
negative_ttl 5 minutes
positive_dns_ttl 6 hours
negative_dns_ttl 10 minutes

connect_timeout 360 seconds
read_timeout 15 minutes
request_timeout 360 seconds
pconn_timeout 120 seconds
ident_timeout 10 seconds
client_lifetime 1 day
half_closed_clients off
shutdown_lifetime 30 seconds
announce_period 7 day

#-----------------------------------------
# ACCESS CONTROLS
#-----------------------------------------
acl SSL_ports port 443 563 21 6667 563 5432
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443 563           # https, snews
acl Safe_ports port 70                # gopher
acl Safe_ports port 210               # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 631               # cups
acl Safe_ports port 777               # multiling http
acl Safe_ports port 901           # SWAT

acl manager proto cache_object
acl ftp proto FTP

acl localhost   src 127.0.0.1/32
acl FREE    src 192.168.1.0/24
acl ENGINEERING src 192.168.2.3-192.168.2.253
acl HRDGA   src 192.168.3.0/24
acl INTERNET    src 192.168.4.0/24
acl LAN     src 192.168.0.0/16
acl ADMIN   src 192.168.2.1/32 192.168.2.2/32
acl SERVER  src 192.168.1.1/32

acl ncsa_users proxy_auth REQUIRED

acl CONNECT method CONNECT
always_direct allow localhost
always_direct allow ADMIN

http_access allow manager SERVER
http_access allow manager localhost
http_access deny manager

http_access allow ftp
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow ADMIN
http_access allow LAN
http_access deny all

# DELAY POOL PARAMETERS

acl limitfile url_regex -i \.exe
acl limitfile url_regex -i \.mp3
acl limitfile url_regex -i \.vqf
acl limitfile url_regex -i \.gz
acl limitfile url_regex -i \.rpm
acl limitfile url_regex -i \.zip
acl limitfile url_regex -i \.rar
acl limitfile url_regex -i \.avi
acl limitfile url_regex -i \.mpeg
acl limitfile url_regex -i \.mpe
acl limitfile url_regex -i \.mpg
acl limitfile url_regex -i \.wmv
acl limitfile url_regex -i \.divx
acl limitfile url_regex -i \.mov
acl limitfile url_regex -i \.asf
acl limitfile url_regex -i \.rm
acl limitfile url_regex -i \.rmvb
acl limitfile url_regex -i \.qt
acl limitfile url_regex -i \.ram
acl limitfile url_regex -i \.iso
acl limitfile url_regex -i \.raw
acl limitfile url_regex -i \.wav
acl limitfile url_regex -i \.flv
acl limitfile url_regex -i \.tgz
acl limitfile url_regex -i \.bz
acl limitfile url_regex -i \.bz2
acl limitfile url_regex -i \.cab
acl limitfile url_regex -i \.avm
acl limitfile url_regex -i \.dat
acl limitfile url_regex -i \.pdf
acl limitfile url_regex -i \.3gp
acl limitfile url_regex -i \.flv
acl limitfile url_regex -i \.swf
acl limitfile url_regex -i ^ftp:

delay_pools 2

#Limit limitfile
delay_class 1 2
delay_parameters 1 20000/20000 8000/64000
delay_access 1 deny ADMIN
delay_access 1 allow ENGINEERING HRDGA
delay_access 1 allow limitfile
delay_access 1 deny all

#Unlimit internet
delay_class 2 2
delay_parameters 2 -1/-1 -1/-1
delay_access 2 allow LAN
delay_access 2 deny all


# --BEGIN-- videocache config for squid
url_rewrite_program /usr/local/bin/zapchain "/usr/bin/squidGuard -c /etc/squid/squidGuard.conf" "/usr/bin/python2.5 /usr/share/videocache/videocache.py"
acl videocache_allow_url url_regex -i \.youtube\.com\/get_video
acl videocache_allow_url url_regex -i \.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/videoplayback
acl videocache_allow_url url_regex -i \.cache[a-z0-9]?[a-z0-9]?[a-z0-9]?\.googlevideo\.com\/get_video
acl videocache_allow_url url_regex -i proxy\-[0-9][0-9]\.dailymotion\.com\/
acl videocache_allow_url url_regex -i [a-z0-9][0-9a-z][0-9a-z]?[0-9a-z]?[0-9a-z]?\.xtube\.com\/(.*)flv
acl videocache_allow_url url_regex -i bitcast\.vimeo\.com\/vimeo\/videos\/
acl videocache_allow_url url_regex -i va\.wrzuta\.pl\/wa[0-9][0-9][0-9][0-9]?
acl videocache_allow_url url_regex -i \.files\.youporn\.com\/(.*)\/flv\/
acl videocache_allow_url url_regex -i \.msn\.com\.edgesuite\.net\/(.*)\.flv
acl videocache_allow_dom dstdomain v.mccont.com vp.video.google.com dl.redtube.com
acl videocache_deny_url url_regex -i http:\/\/[a-z][a-z]\.youtube\.com http:\/\/www\.youtube\.com

url_rewrite_access deny videocache_deny_url
url_rewrite_access allow videocache_allow_url
url_rewrite_access allow videocache_allow_dom

#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 5
url_rewrite_children 5
redirect_children 5
redirector_bypass on

# --END-- videocache config for squid

squidGuard.conf

#
# CONFIG FILE FOR SQUIDGUARD
#

dbhome /var/squidGuard/blacklists/blacklists
logdir /var/log/squid

#
# SOURCE ADDRESSES:
#

src client {
    ip 192.168.3.0/24
    ip 192.168.2.3-192.168.2.254
}

src admin {
    ip 192.168.2.1/255.255.255.255
    ip 192.168.2.2/255.255.255.255
}

src server {
    ip 192.168.1.1/255.255.255.255
    ip 10.0.0.2/255.255.255.255
}

time afterwork {
    weekly  * 00:01-07:59 12:00-13:00 16:01-23:59   # Work break hours
    weekly  saturdays 14:00-15:30       # Saturday
    weekly  sundays 00:00-24:00     # Sunday
    date    *.08.17             # Independence Day
    date    *.12.25             # Martujes
    date    *.01.01             # New Year
    date    2008.12.29          # Islamic New Year
}


#
# DESTINATION CLASSES:
#

dest adult_1 {
    domainlist porn_eng_1/domains
    urllist porn_eng_1/urls
    expressionlist porn_eng_1/expressions
    log pornaccess_adult_1
}

dest adult_2 {
    domainlist porn_eng_2/domains
    urllist porn_eng_2/urls
    log pornaccess_adult_2
}

dest adult_3 {
    domainlist porn_eng_3/domains
    urllist porn_eng_3/urls
    log pornaccess_adult_3
}

dest adult_indo {
    urllist porn_indo/ads
    domainlist porn_indo/domains
    log pornaccess_indo
}

#dest ads {
#   domainlist ads/domains
#   urllist ads/urls
#}

dest proxy {
    domainlist proxy/domains
    urllist proxy/urls
    log pornaccess_proxy
}

dest whitelist {
    domainlist whitelist/domains
    urllist whitelist/urls
    expressionlist whitelist/expressions
}

dest openblok {
    domainlist openblok/domains
}


dest openadmin {
    domainlist openadmin/domains
}


rewrite google {
    s@(google.co.id/search.*q=.*)@\1\&safe=active@i
    s@(google.co.id/images.*q=.*)@\1\&safe=active@i
    s@(google.co.id/groups.*q=.*)@\1\&safe=active@i
    s@(google.co.id/news.*q=.*)@\1\&safe=active@i
    s@(google.com/search.*q=.*)@\1\&safe=active@i
    s@(google.com/images.*q=.*)@\1\&safe=active@i
    s@(google.com/groups.*q=.*)@\1\&safe=active@i
    s@(google.com/news.*q=.*)@\1\&safe=active@i
    # log google
    }

acl {
    client within afterwork {
        rewrite google
        pass whitelist openblok !adult_1 !adult_2 !adult_3 !adult_indo !proxy all
        redirect http://192.168.1.1/blok.html?caddr=%a&cname=%n&user=%i&group=%s&url=%u&target=%t&urix=%p
    }
    else {
        rewrite google
        pass whitelist !openblok !adult_1 !adult_2 !adult_3 !adult_indo !proxy all
        redirect http://192.168.1.1/blok.html?caddr=%a&cname=%n&user=%i&group=%s&url=%u&target=%t&urix=%p
    }

    admin {
        rewrite google
        pass whitelist openblok openadmin !adult_1 !adult_2 !adult_3 !adult_indo !proxy all
        redirect http://192.168.1.1/blok.html?caddr=%a&cname=%n&user=%i&group=%s&url=%u&target=%t&urix=%p
    }

    #server {
        #pass all
        #}

    default {
        pass none
        redirect http://192.168.1.1/nonregister.html
    }

}

videocache.conf

[main]
# file : /etc/videocache.conf

enable_video_cache = 1
cache_host = 192.168.1.1
proxy = http://192.168.1.1:3128/
proxy_username = 
proxy_password = 
base_dir = /mnt/data/videocache/
temp_dir = tmp
max_parallel_downloads = 30
logdir = /var/log/videocache/
max_logfile_size = 10
max_logfile_backups = 10
rpc_host = 127.0.0.1
rpc_port = 9100

enable_youtube_cache = 1
youtube_cache_dir = youtube
youtube_cache_size = 0
max_youtube_video_size = 0
min_youtube_video_size = 0


enable_metacafe_cache = 1
metacafe_cache_dir = metacafe
metacafe_cache_size = 0
max_metacafe_video_size = 0
min_metacafe_video_size = 0
enable_dailymotion_cache = 1
dailymotion_cache_dir = dailymotion
dailymotion_cache_size = 0
max_dailymotion_video_size = 0.
min_dailymotion_video_size = 0

enable_google_cache = 1
google_cache_dir = google
google_cache_size = 0
max_google_video_size = 0
min_google_video_size = 0

enable_redtube_cache = 0
redtube_cache_dir = redtube
redtube_cache_size = 0
max_redtube_video_size = 0
min_redtube_video_size = 0

enable_xtube_cache = 0
xtube_cache_dir = xtube
xtube_cache_size = 0
max_xtube_video_size = 0
min_xtube_video_size = 0

enable_vimeo_cache = 1
vimeo_cache_dir = vimeo
vimeo_cache_size = 0
max_vimeo_video_size = 0
min_vimeo_video_size = 0

enable_wrzuta_cache = 1
wrzuta_cache_dir = wrzuta
wrzuta_cache_size = 0
max_wrzuta_video_size = 0
min_wrzuta_video_size = 0


enable_youporn_cache = 0
youporn_cache_dir = youporn
youporn_cache_size = 0
max_youporn_video_size = 0
min_youporn_video_size = 0

enable_soapbox_cache = 1
soapbox_cache_dir = soapbox
soapbox_cache_size = 0
max_soapbox_video_size = 0
min_soapbox_video_size = 0

by bellera on 17 Jan 2009

Hello again!

Comment out (for testing) all your

acl videocache_allow_url 
acl videocache_deny_url

lines in squid.conf. You don't need them, and they are probably the origin of your problem.

You don't need them. All URLs must be passed to zapchain (and zapchain passes them to squidGuard and videocache).

Please tell us the results of your test ...

Regards,

Josep Pujadas
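
Why the url_rewrite_access lines in the posted squid.conf kept ordinary URLs away from squidGuard, as an added example that is not part of the original thread: a small Python model of the rule evaluation, assuming Squid's usual first-match semantics with an implicit default that is the opposite of the last line. The ACL lists are abridged from the config above and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# ACLs abridged from the squid.conf posted in this thread.
URL_REGEX_ACLS = {
    "videocache_deny_url": [r"http:\/\/[a-z][a-z]\.youtube\.com",
                            r"http:\/\/www\.youtube\.com"],
    "videocache_allow_url": [r"\.youtube\.com\/get_video",
                             r"bitcast\.vimeo\.com\/vimeo\/videos\/"],
}
DSTDOMAIN_ACLS = {
    "videocache_allow_dom": ["v.mccont.com", "vp.video.google.com"],
}
# url_rewrite_access lines, in file order.
REWRITE_ACCESS = [
    ("deny", "videocache_deny_url"),
    ("allow", "videocache_allow_url"),
    ("allow", "videocache_allow_dom"),
]
# Constructed sample requests (not taken from any log).
SAMPLE_URLS = [
    "http://forbidden.example/index.html",
    "http://www.youtube.com/watch?v=abc",
    "http://lax-v12.lax.youtube.com/get_video?video_id=abc",
    "http://vp.video.google.com/videodownload?id=1",
]

def acl_matches(name, url):
    """url_regex -i is a case-insensitive search; dstdomain is a host match."""
    if name in URL_REGEX_ACLS:
        return any(re.search(p, url, re.I) for p in URL_REGEX_ACLS[name])
    host = urlsplit(url).hostname or ""
    return host in DSTDOMAIN_ACLS.get(name, [])

def sent_to_rewriter(url, rules=REWRITE_ACCESS):
    """True if the request would be handed to url_rewrite_program (zapchain)."""
    if not rules:
        return True  # no url_rewrite_access lines: every request is sent
    for action, acl in rules:
        if acl_matches(acl, url):
            return action == "allow"
    # Assumption: with no matching line, the result is the opposite of the last line.
    return rules[-1][0] != "allow"

def unfiltered(urls, rules=REWRITE_ACCESS):
    """URLs that never reach the chain, so squidGuard cannot block them."""
    return [u for u in urls if not sent_to_rewriter(u, rules)]

if __name__ == "__main__":
    for u in unfiltered(SAMPLE_URLS):
        print("bypasses squidGuard:", u)
```

With the rule list emptied, which is what commenting out those lines does, `unfiltered(SAMPLE_URLS, rules=[])` returns an empty list.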

by Anonymous on 19 Jan 2009

At last it works. I commented out all the ACLs and url_rewrite lines for videocache in squid.conf, and there was a mistake in squidGuard.conf

#server {
#pass all
#}

should be

server {
pass all
}

Then I deleted all the videocache cache

/usr/sbin/update-vc
squid -k reconfigure

That's All
Thanks Bellera
