Setting Up Parental Controls with DansGuardian and Squid

Ignoring the dangers implicit with censorship, this guide should offer a simple way to filter what some may consider “objectionable” content from the cesspool that is the internet.

The configuration outlined here may also have the added benefit of caching web requests, which can lead to noticeable performance gains for many home users, most often in the case of frequent accesses to the same site (such as Facebook, which seems popular at the time of this writing).

Requirements

  • Proxy software (we will use Squid in this example)
  • Something to filter the content (we will use DansGuardian)
  • A blacklist of some sort (Optional)

Why Content Filtering
A blacklist alone is no longer enough to filter web content effectively. Given the rate at which the web is growing: With roughly 334 new domains registered every minute over the last 24 hours (according to Domain Tools). Add the amount of new content being added to existing domains, and we have a lot of sites to filter. Managing a list of it all would not only need a massive amount of human effort (or computational resources), the size of such a list would be ridiculous, even if compressed. If every request to retrieve a site checked against such a list, the verification delay would be very inconvenient (think of feeding a 5GB+ file to grep, looking for a specific address).

Enter Content Filtering, a technology that inspects each page for ‘objectionable’ material, and decides based on the contents of those pages whether or not to allow access to them. A blacklist can supplement this technology to improve performance (if the blacklist is small enough, it is often faster to search than the contents of a large page).

Together, they form an effective means of ‘cleaning’ the content served to users of your system (or network).

Installing and Configuring Squid

First, we need to install and configure a proxy. We will use squid for this example, as it offers robust caching capabilities not found in many competing proxies.

Download Squid and install it.


$ tar xzvf squid-*RELEASE*.tar.gz
$ cd squid-*
$ ./configure
$ make
# make install

In the case of Debian/Ubuntu users compiling from source, the configure line requires some minor tweaks to accomodate the subtle differences in filesystem layout from what Squid would otherwise expect.


$ ./configure --prefix=/usr --localstatedir=/var --libexecdir=/usr/lib/squid --srcdir=. --datadir=/usr/share/squid --sysconfdir=/etc/squid

While it is technically possible to build and install Squid on a Debian or Ubuntu system without these changes, they will make sure that the installation aligns with the general filesystem layout of those distributions, and should make distribution-specific troubleshooting a bit easier.

Additionally, a minor tweak to ./src/Makefile.am in the directory you extracted to, prior to running make will avoid the need to do silly things. Change this line:


DEFAULT_LOG_PREFIX = $(localstatedir)/logs

To make it look like this:


DEFAULT_LOG_PREFIX = $(localstatedir)/log

Users of Debian-derivatives (such as Ubuntu or MEPIS) who do not wish to compile from source can simply fetch a recent binary from the supported repositories, and install it. This is easily accomplished with the provided package management tools:


$ sudo apt-get install squid

Edit /etc/squid/squid.conf with your editor of choice, paying special attention to the acl/http_access section. Something similar to the following configuration should work (configure according to your network range, of course):


acl local_network src 192.168.0.0/24 192.168.254.0/24
http_access allow local_network

Installing and Configuring DansGuardian

Download DansGuardian and install it:


$ tar xzvf DansGuardian-*
$ ./configure
$ make
# make install

Debian/Ubuntu users can do the following:


$ sudo apt-get install dansguardian

Edit /etc/dansguardian/dansguardian.conf, commenting out the UNCONFIGURED line once complete. Things to pay attention to are…


filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

Configuring Firefox to Filter Content

Setting up a content filtering proxy is effective, but only if it filters information. If requests are not directed through the proxy, it cannot effectively “clean” the “objectionable” material.

  • Edit -> Preferences -> General -> Connection Settings -> Manual Proxy Configuration
  • Input 127.0.0.1 as the proxy IP
  • Input 8080 as the proxy port
  • Enable the check box for ‘Use this proxy server for all protocols’

Please note that these settings only affect Firefox. Other web browsers and software will need configuration as well. Configuration steps are similar, but if you would like specific examples, please post your requests in the comments for this article.

Preventing Users from Disabling the Filter

The restrictions created by a content-filtering proxy are easily circumvented by simply not using the proxy. Assuming that the users so restricted do not have administrative access, the following method prevents this:

Edit /usr/lib/firefox/firefox.cfg and add the following entries:


lockPref("network.proxy.http","127.0.0.1");
lockPref("network.proxy.http_port",8080);
lockPref("network.proxy.type,1);
lockPref("network.proxy.no_proxies_on","localhost,127.0.0.1");

Sources

Full Disclosure

I oppose censorship in all forms (and have written a guide on evading censorship), including self-censorship. I fully understand that if I choose not share this information, it is available elsewhere. I offer it here in the hopes that I may balance the knowledge of how to do it, with the wisdom of why it not to.

Censorship is not a substitute for effective parenting.

Finished reading? Try one of the following:

  • Tell me what you think in the comments!
  • Get the feed, and keep tabs on new content.
  • Write a response on your blog, and post a link in the comments.
Readability - (FRE: 53.3 | FKI: 8.6 | GFI: 11.6)
5 Responses to Setting Up Parental Controls with DansGuardian and Squid
  1. Allen
    July 1, 2012 | 01:43

    How to configure with other web browser such as Chromium, so that use the proxy and the user cannot disable the filter?

     

    Possibly Abusive

    Held For Review

    • Chris Olstrom
      July 18, 2012 | 17:32

      That’s a good question. I’ll look into it, and see what I can dig up.

    • lyub0m1R
      October 31, 2012 | 06:17

      For chromium:
      On linux machine start chromium with –proxy-server option, like this:
      $chromium –proxy server=localhost:8080

      On windows, edit the chromium shortcut and add the same option to the executable file.

       

      Possibly Abusive

      Held For Review

  2. Jinhee
    February 12, 2013 | 19:43

    While dansguardian is a great solution its installation and setup is painful even if you have some knowledge of Linux OS. And its client setup is also not that easy. I think dns-filtering is better than web-filtering in several aspects. It’s faster than web-filtering as it doesn’t require all the HTTP traffic going thru one proxy and its client setup is very easy if you use DHCP server. I developed both dns-filter and web-filter. In my case I decided go with dns-filter.

     

    Possibly Abusive

    Held For Review

  3. resoun
    April 5, 2013 | 11:04

    In the above you have the line:

    lockPref(“network.proxy.type,1);

    Shouldn’t this be:

    lockPref(“network.proxy.type”,1);

    ?

    Looks like a missed closing “

Leave a Reply

Wanting to leave an <em>phasis on your comment?

Trackback URL http://chris.olstrom.com/howto/setup-content-filtering-with-dansguardian/trackback/
More in Guides (6 of 10 articles)