Ubuntu / Debian PROXY-SERVER-Installation:
1. Grundinstallation eines Ubuntu-Servers wird hier vorausgesetzt.
2. Szenario:
Integration in eine AD-Umgebung
Pflege von Blacklists / Whitelists / Vollzugriff
3. Installation:
sollte der zu installierende Server HINTER einer Proxy-Umgebung stehen müssen folgende Parameter angepasst werden.
Datei bash-bashrc mit vi /etc/bash.bashrc öffnen und am Ender der Datei folgende Zeilen einfügen:
export HTTP_PROXY=http://user:Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein. :port/
export FTP_PROXY=http://user:Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein. :port/
Samba-Server-Installation:
sudo apt-get install krb5-user libpam-krb5 winbind samba smbfs smbclient libpam-mountEin Textmenü erscheint, wo der KERBEROS realm-Name einzugeben ist (Domänenname der Ath.-Domäne) --> Eingabe
Entsprechend ist zu verfahren mit der Eingabe der Auth. Server
NTP installieren
sudo apt-get install ntp ntpdateanschließend entpsrechend die Zeitserver in die Konfigurationsdatei einrtragen:
vi /etc/default/ntpdateDie Einträge entsprechend vornehmen für NTP-Servers und anschl. NTP-Dienst neu starten
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst
server dc.domain.extension iburst
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclientDienst neu starten:
sudo /etc/init.d/ntp restartHosts-Datei des Servers editieren
vi /etc/hosts und Einträge für den lokalen Server vornehmen:
127.0.0.1 localhost
127.0.1.1 proxy
127.0.0.1 proxy.domain.extension proxy
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allroutersSamba einrichten:
vi /etc/samba/smb.conf[global]
netbios name = proxy
workgroup = DOMAIN
realm = DOMAIN.EXTENSION
server string = proxy
security = ADS
winbind refresh tickets = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
domain master = no
local master = no
preferred master = no
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
#winbind separator = +
#winbind cache time = 10
winbind use default domain = yes
encrypt passwords = yes
log level = 5
log file = /var/log/samba/log.%m
max log size = 1000
encrypt passwords = true
load printers = noDienste neustarten
/etc/init.d/winbind stop
/etc/init.d/smbd restart
/etc/init.d/winbind startKerberos einrichten:
ACHTUNG: Die DomainNames (realms) müssen uppercase / GROSS geschrieben werden !
vi /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = DC.DOMAIN.LOCAL:88
admin_server = DC.DOMAIN.LOCAL:464
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.LOCAL = DOMAIN.LOCALKerberos testen:
kinit dom-AdminKerberos Tickets anzeigen:
klistProxy-Server in die Domäne integrieren:
net ads join -U administratorDomänentests:
Benutzer abfragen: wbinfo -u
Gruppen abfragen: wbinfo -g
Beziehungsstatus prüfen: wbinfo -tSquid-Proxy-Installation:
sudo apt-get install squidFür eine Live-Ansicht kann auch SquidView hilfreich sein:
sudo apt-get install squidviewÄnderungen anpassen in /etc/squid3/squid.conf
#AD-Authentifizierung
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy Server
auth_param basic credentialsttl 5 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
# ACLS
acl all src all
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# Zugriff vom lokalen Netz erlauben
http_access allow manager localhost
# erlaubte Ports definieren
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
#http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localnet
http_access allow localhost
# Am Ende jeden anderen Zugriff auf Proxy-Server verbieten
http_access deny all
# Portdefinition
http_port 8080
url_rewrite_access deny localhost
icp_access deny all
htcp_access deny all
cache_mem 512 MB
cache_dir ufs /var/spool/squid3 5000 16 256
logfile_rotate 90
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
negative_ttl 0 seconds
#SquidGuard einbinden
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.confSquidGuard-Installation:
apt-get squidguardBlacklist-Datenbank herunterladen und im Verzeichnis /var/lib/squidguard/db entpacken:
Blacklistprovider z.B. http://www.shallalist.de/Downloads/shallalist.tar.gz
wählen und entsprechend herunterladen mit:
wget http://www.shallalist.de/Downloads/shallalist.tar.gzdanach entpacken mit:
tar –xzvf shallalist.tar.gz –C /var/lib/squidGuard/db Datenbank anhand der heruntergeladenen Blacklist im Namenskontext des proxy erstellen : (Auf Ausgabe des squidguardlog achten – sollten keine Fehler auftauchen !)
sudo -u proxy squidGuard -C allEbenso ist auf die korrekten Berechtigungen des proxyusers zu achten (Besitzrechte folgender Ordner bzw. Dateien !)
chown proxy:proxy /etc/squidguard/squidGuard.confchown -R proxy:proxy /var/lib/squidguard/db/chown -R proxy:proxy /var/log/squid3/Live-logging des squidguard-Dienstes anschauen:
tail -f /var/log/squidguard/squidGuard.logÜberprüfung, ob der squidguardfilter funktioniert: (Ip-Adresse eines proxy-Clients)
echo "http://www.sex.com 172.0.0.1/- - GET" | squidGuard -c /etc/squidguard/squidGuard.confZum Schluss muss die Konfiguration im squid neu geladen werden mit:
/etc/init.d/squid3 reloadAnpassung der squidguard.conf
#
# CONFIG FILE FOR SQUIDGUARD
#
# Caution: do NOT use comments inside { }
#
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard
#
# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat
time Dienstzeit {
weekly mtwhfas 00:00 - 23:59
date *-*-01 08:00 - 16:30
}
#
# SOURCE ADDRESSES:
#
src gesperrteUser {
user gesperrter.user
}
src admin {
ip 192.168.200.1 192.168.200.250
}
src local_lan {
ip 192.168.0.0/16
within Dienstzeit
}
source server {
ip 192.168.100.0/24
within Dienstzeit
}
#####
# Zu filternde Kategorien
#####
destination good {
urllist good.desturllist
expressionlist good.destexprlist
}
dest local {
}
dest adv {
domainlist BL/adv/domains
urllist BL/adv/urls
redirect http://proxy/block.html
}
dest aggressive {
domainlist BL/aggressive/domains
urllist BL/aggressive/urls
redirect http://proxy/block.html
}
dest alcohol {
domainlist BL/alcohol/domains
urllist BL/alcohol/urls
redirect http://proxy/block.html
}
dest anonvpn {
domainlist BL/anonvpn/domains
urllist BL/anonvpn/urls
redirect http://proxy/block.html
}
dest chat {
domainlist BL/chat/domains
urllist BL/chat/urls
redirect http://proxy/block.html
}
dest downloads {
domainlist BL/downloads/domains
urllist BL/downloads/urls
redirect http://proxy/block.html
}
dest drugs {
domainlist BL/drugs/domains
urllist BL/drugs/urls
redirect http://proxy/block.html
}
dest porn {
domainlist BL/porn/domains
urllist BL/porn/urls
redirect http://proxy/block.html
}
dest violence {
domainlist BL/violence/domains
urllist BL/violence/urls
redirect http://proxy/block.html
}
dest warez {
domainlist BL/warez/domains
urllist BL/warez/urls
redirect http://proxy/block.html
}
dest hacking {
domainlist BL/hacking/domains
urllist BL/hacking/urls
redirect http://proxy/block.html
}
dest gamble {
domainlist BL/gamble/domains
urllist BL/gamble/urls
redirect http://proxy/block.html
}
dest spyware {
domainlist BL/spyware/domains
urllist BL/spyware/urls
redirect http://proxy/block.html
}
dest weapons {
domainlist BL/weapons/domains
urllist BL/weapons/urls
redirect http://proxy/block.html
}
#
# ACL RULES:
#
acl {
admin {
pass any
}
gesperrteUser {
redirect http://proxy/block.html
pass !adv !aggressive !alcohol !anonvpn !chat !downloads !drugs !porn !violence !warez !hacking !spyware !weapons none
rewrite none
}
local_lan within Dienstzeit {
pass !aggressive !alcohol !anonvpn !chat !drugs !porn !violence !warez !hacking !spyware !weapons
redirect http://proxy/block.html
}
server {
pass !aggressive !alcohol !anonvpn !chat !drugs !porn !violence !warez !hacking !spyware !weapons any
redirect http://proxy/block.html
}
default {
pass local none
redirect http://proxy/block.html
}
}Sarg-Installation zum grafischen Report:
apt-get install sarg# sarg.conf
#
# TAG: access_log file
# Where is the access.log file
# sarg -l file
#
access_log /var/log/squid/access.log
# TAG: graphs yes|no
# Use graphics where is possible.
# graph_days_bytes_bar_color blue|green|yellow|orange|brown|red
#
#graphs yes
#graph_days_bytes_bar_color orange
# TAG: graph_font
# The full path to the TTF font file to use to create the graphs. It is required
# if graphs is set to yes.
#
#graph_font /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf
# TAG: title
# Especify the title for html page.
#
title "Nutzungsstatistik Proxy-Server"
# TAG: font_face
# Especify the font for html page.
#
font_face Tahoma,Verdana,Arial
# TAG: header_color
# Especify the header color
#
header_color darkblue
# TAG: header_bgcolor
# Especify the header bgcolor
#
header_bgcolor blanchedalmond
# TAG: font_size
# Especify the text font size
#
font_size 9px
# TAG: header_font_size
# Especify the header font size
#
#header_font_size 9px
# TAG: title_font_size
# Especify the title font size
#
#title_font_size 11px
# TAG: background_color
# TAG: background_color
# Html page background color
#
background_color white
# TAG: text_color
# Html page text color
#
text_color #000000
# TAG: text_bgcolor
# Html page text background color
#
text_bgcolor lavender
# TAG: title_color
# Html page title color
#
title_color green
# TAG: logo_image
# Html page logo.
#
#logo_image none
# TAG: logo_text
# Html page logo text.
#
#logo_text ""
# TAG: logo_text_color
# Html page logo texti color.
#
#logo_text_color #000000
# TAG: logo_image_size
# Html page logo image size.
# width height
#
#image_size 80 45
# TAG: background_image
# Html page background image
#
#background_image none
# TAG: password
# User password file used by Squid authentication scheme
# If used, generate reports just for that users.
#
#password none
# TAG: temporary_dir
# Temporary directory name for work files
# sarg -w dir
#
temporary_dir /tmp
# TAG: output_dir
# The reports will be saved in that directory
# sarg -o dir
#
output_dir /var/www/html/squid-reports
#output_dir /var/lib/sarg
# TAG: output_email
# Email address to send the reports. If you use this tag, no html reports will be generated.
# sarg -e email
#
#output_email none
# TAG: resolve_ip yes/no
# Convert ip address to dns name
# sarg -n
resolve_ip yes
# TAG: user_ip yes/no
# Use Ip Address instead userid in reports.
# sarg -p
user_ip no
# TAG: topuser_sort_field field normal/reverse
# Sort field for the Topuser Report.
# Allowed fields: USER CONNECT BYTES TIME
#
# TAG: user_sort_field field normal/reverse
# Sort field for the User Report.
# Allowed fields: SITE CONNECT BYTES TIME
#
# TAG: exclude_users file
# users within the file will be excluded from reports.
# you can use indexonly to have only index.html file.
#
#exclude_users /etc/sarg/exclude_users
# TAG: exclude_hosts file
# Hosts, domains or subnets will be excluded from reports.
#
# Eg.: 192.168.10.10 - exclude ip address only
# 192.168.10.0/24 - exclude full C class
# s1.acme.foo - exclude hostname only
# *.acme.foo - exclude full domain name
#
#exclude_hosts /etc/sarg/exclude_hosts
# TAG: useragent_log file
# useragent.log file patch to generate useragent report.
#
#useragent_log none
# TAG: date_format
# Date format in reports: e (European=dd/mm/yy), u (American=mm/dd/yy), w (Weekly=yy.ww)
#
date_format e
# TAG: per_user_limit file MB
# Saves userid on file if download exceed n MB.
# This option allow you to disable user access if user exceed a download limit.
#
#per_user_limit none
# TAG: lastlog n
# How many reports files must be keept in reports directory.
# The oldest report file will be automatically removed.
# 0 - no limit.
#
#lastlog 0
# TAG: remove_temp_files yes
# Remove temporary files: geral, usuarios, top, periodo from root report directory.
#
remove_temp_files yes
# TAG: index yes|no|only
# Generate the main index.html.
# only - generate only the main index.html
#
index yes
# TAG: index_tree date|file
# How to generate the index.
#
#index_tree file
# TAG: overwrite_report yes|no
# yes - if report date already exist then will be overwrited.
# no - if report date already exist then will be renamed to filename.n, filename.n+1
#
overwrite_report yes
# TAG: records_without_userid ignore|ip|everybody
# What can I do with records without user id (no authentication) in access.log file ?
#
# ignore - This record will be ignored.
# ip - Use ip address instead. (default)
# everybody - Use "everybody" instead.
#
#records_without_userid ip
# TAG: use_comma no|yes
# Use comma instead point in reports.
# Eg.: use_comma yes => 23,450,110
# use_comma no => 23.450.110
#
#use_comma yes
# TAG: mail_utility mail|mailx
# Mail command to use to send reports via SMTP
#
#mail_utility mailx
# TAG: topsites_num n
# How many sites in topsites report.
#
#topsites_num 100
# TAG: topsites_sort_order CONNECT|BYTES A|D
# Sort for topsites report, where A=Ascendent, D=Descendent
#
# TAG: index_sort_order A/D
# Sort for index.html, where A=Ascendent, D=Descendent
#
#index_sort_order D
# TAG: exclude_codes file
# Ignore records with these codes. Eg.: NONE/400
# Write one code per line. Lines starting with a # are ignored.
# Only codes matching exactly one of the line is rejected. The
# comparison is not case sensitive.
#
#exclude_codes /etc/sarg/exclude_codes
# TAG: replace_index string
# Replace "index.html" in the main index file with this string
# If null "index.html" is used
#
#replace_index <?php echo str_replace(".", "_", $REMOTE_ADDR); echo ".html"; ?>
# TAG: max_elapsed milliseconds
# If elapsed time is recorded in log is greater than max_elapsed use 0 for elapsed time.
# Use 0 for no checking
#
#max_elapsed 28800000
# 8 Hours
# TAG: report_type type
# What kind of reports to generate.
# topusers - users, sites, times, bytes, connects, links to accessed sites, etc
# topsites - site, connect and bytes report
# sites_users - users and sites report
# users_sites - accessed sites by the user report
# date_time - bytes used per day and hour report
# denied - denied sites with full URL report
# auth_failures - autentication failures report
# site_user_time_date - sites, dates, times and bytes report
# downloads - downloads per user report
#
# Eg.: report_type topsites denied
#
#report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
# TAG: usertab filename
# You can change the "userid" or the "ip address" to be a real user name on the reports.
# If resolve_ip is active, the ip address is resolved before being looked up into this
# file. That is, if you want to map the ip address, be sure to set resolv_ip to no or
# the resolved name will be looked into the file instead of the ip address. Note that
# it can be used to resolve any ip address known to the dns and then map the unresolved
# ip addresses to a name found in the usertab file.
# Table syntax:
# userid name or ip address name
# Eg:
# SirIsaac Isaac Newton
# vinci Leonardo da Vinci
# 192.168.10.1 Karol Wojtyla
#
# Each line must be terminated with '\n'
# If usertab have value "ldap" (case ignoring), user names
# will be taken from LDAP server. This method as approaches for reception
# of usernames from Active Didectory
#
usertab /etc/sarg/usertab
# TAG: LDAPHost hostname
# FQDN or IP address of host with LDAP service or AD DC
# default is '127.0.0.1'
#LDAPHost 127.0.0.1
# TAG: LDAPPort port
# LDAP service port number
# default is '389'
#LDAPPort 389
# TAG: LDAPBindDN CN=username,OU=group,DC=mydomain,DC=com
# DN of LDAP user, who is authorized to read user's names from LDAP base
# default is empty line
#LDAPBindDN cn=proxy,dc=mydomain,dc=local
# TAG: LDAPBindPW secret
# Password of DN, who is authorized to read user's names from LDAP base
# default is empty line
#LDAPBindPW secret
# TAG: LDAPBaseSearch OU=users,DC=mydomain,DC=com
# LDAP search base
# default is empty line
#LDAPBaseSearch ou=users,dc=mydomain,dc=local
# TAG: LDAPFilterSearch uid=%s
# User search filter by user's logins in LDAP
# First founded record will be used
# %s - will be changed to userlogins from access.log file
# filter string can have some tags '%s'
# default value is 'uid=%s'
#LDAPFilterSearch uid=%s
# TAG: LDAPTargetAttr attributename
# Name of the attribute containing a name of the user
# default value is 'cn'
#LDAPTargetAttr cn
# TAG: long_url yes|no
# If yes, the full url is showed in report.
# If no, only the site will be showed
#
# YES option generate very big sort files and reports.
#
#long_url no
# TAG: date_time_by bytes|elap
# Date/Time reports show the downloaded volume or the elapsed time or both.
#
#date_time_by bytes
# TAG: charset name
# ISO 8859 is a full series of 10 standardized multilingual single-byte coded (8bit)
# graphic character sets for writing in alphabetic languages
# You can use the following charsets:
# Latin1 - West European
# Latin2 - East European
# Latin3 - South European
# Latin4 - North European
# Cyrillic
# Arabic
# Greek
# Hebrew
# Latin5 - Turkish
# Latin6
# Windows-1251
# Japan
# Koi8-r
# UTF-8
#
#charset Latin1
# TAG: user_invalid_char "&/"
# Records that contain invalid characters in userid will be ignored by Sarg.
#
#user_invalid_char "&/"
# TAG: privacy yes|no
# privacy_string "***.***.***.***"
# privacy_string_color blue
# In some countries the sysadm cannot see the visited sites by a restrictive law.
# Using privacy yes the visited url will be changes by privacy_string and the link
# will be removed from reports.
#
#privacy no
#privacy_string "***.***.***.***"
#privacy_string_color blue
# TAG: include_users "user1:user2:...:usern"
# Reports will be generated only for listed users.
#
#include_users none
# TAG: exclude_string "string1:string2:...:stringn"
# Records from access.log file that contain one of listed strings will be ignored.
#
#exclude_string none
# TAG: show_successful_message yes|no
# Shows "Successful report generated on dir" at end of process.
#
#show_successful_message no
# TAG: show_read_statistics yes|no
# Shows some reading statistics.
#
#show_read_statistics no
# TAG: topuser_fields
# Which fields must be in Topuser report.
#
#topuser_fields NUM DATE_TIME USERID CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
# TAG: user_report_fields
# Which fields must be in User report.
#
#user_report_fields CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
# TAG: bytes_in_sites_users_report yes|no
# Bytes field must be in Site & Users Report ?
#
#bytes_in_sites_users_report no
# TAG: topuser_num n
# How many users in topsites report. 0 = no limit
#
#topuser_num 0
# TAG: datafile file
# Save the report results in a file to populate some database
#
#datafile none
# TAG: datafile_delimiter ";"
# ascii character to use as a field separator in datafile
#
#datafile_delimiter ";"
# TAG: datafile_fields all
# Which data fields must be in datafile
# user;date;time;url;connect;bytes;in_cache;out_cache;elapsed
#
#datafile_fields user;date;time;url;connect;bytes;in_cache;out_cache;elapsed
# TAG: datafile_url ip|name
# Saves the URL as ip or name in datafile
#
#datafile ip
# TAG: weekdays
# The weekdays to take account ( Sunday->0, Saturday->6 )
# Example:
#weekdays 1-3,5
# Default:
#weekdays 0-6
# TAG: hours
# The hours to take account
# Example:
#hours 7-12,14,16,18-20
# Default:
#hours 0-23
# TAG: dansguardian_conf file
# DansGuardian.conf file path
# Generate reports from DansGuardian logs.
# Use 'none' to disable it.
# dansguardian_conf /usr/dansguardian/dansguardian.conf
#
#dansguardian_conf none
# TAG: dansguardian_filter_out_date on|off
# This option replaces dansguardian_ignore_date whose name was not appropriate with respect to its action.
# Note the change of parameter value compared with the old option.
# 'off' use the record even if its date is outside of the range found in the input log file.
# 'on' use the record only if its date is in the range found in the input log file.
#
#dansguardian_filter_out_date on
# TAG: squidguard_conf file
# path to squidGuard.conf file
# Generate reports from SquidGuard logs.
# Use 'none' to disable.
# You can use sarg -L filename to use an alternate squidGuard log.
# squidguard_conf /usr/local/squidGuard/squidGuard.conf
#
#squidguard_conf none
# TAG: redirector_log file
# the location of the web proxy redirector log such as one created by squidGuard or Rejik. The option
# may be repeated up to 64 times to read multiple files.
# If this option is specified, it takes precedence over squidguard_conf.
# The command line option -L override this option.
#
#redirector_log /usr/local/squidGuard/var/logs/urls.log
# TAG: redirector_filter_out_date on|off
# This option replaces squidguard_ignore_date and redirector_ignore_date whose names were not
# appropriate with respect to their action.
# Note the change of parameter value compared with the old options.
# 'off' use the record even if its date is outside of the range found in the input log file.
# 'on' use the record only if its date is in the range found in the input log file.
#
#redirector_filter_out_date on
# TAG: redirector_log_format
# Format string for web proxy redirector logs.
# This option was named squidguard_log_format before sarg 2.3.
# REJIK #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #tmp#/#tmp#/#url#/#end#
# SQUIDGUARD #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#
#redirector_log_format #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#
# TAG: show_sarg_info yes|no
# shows sarg information and site path on each report bottom
#
#show_sarg_info yes
# TAG: show_sarg_logo yes|no
# shows sarg logo
#
#show_sarg_logo yes
# TAG: parsed_output_log directory
# Saves the processed log in a sarg format after parsing the squid log file.
# This is a way to dump all of the data structures out, after parsing from
# the logs (presumably this data will be much smaller than the log files themselves),
# and pull them back in for later processing and merging with data from previous logs.
#
#parsed_output_log none
# TAG: parsed_output_log_compress /bin/gzip|/usr/bin/bzip2|nocompress
# Command to run to compress sarg parsed output log. It may contain
# options (such as -f to overwrite existing target file). The name of
# the file to compresse is provided at the end of this
# command line. Don't forget to quote things appropriately.
#
#parsed_output_log_compress /bin/gzip
# TAG: displayed_values bytes|abbreviation
# how the values will be displayed in reports.
# eg. bytes - 209.526
# abbreviation - 210K
#
#displayed_values bytes
# Report limits
# TAG: authfail_report_limit n
# TAG: denied_report_limit n
# TAG: siteusers_report_limit n
# TAG: squidguard_report_limit n
# TAG: user_report_limit n
# TAG: dansguardian_report_limit n
# TAG: download_report_limit n
# report limits (lines).
# '0' no limit
#
#authfail_report_limit 10
#denied_report_limit 10
#siteusers_report_limit 0
#squidguard_report_limit 10
#dansguardian_report_limit 10
#user_report_limit 10
#user_report_limit 50
# TAG: www_document_root dir
# Where is your Web DocumentRoot
# Sarg will create sarg-php directory with some PHP modules:
# - sarg-squidguard-block.php - add urls from user reports to squidGuard DB
#
www_document_root /var/www/
#www_document_root /var/www/html
# TAG: block_it module_url
# This tag allow you to pass urls from user reports to a cgi or php module,
# to be blocked by some Squid acl
#
# Eg.: block_it /sarg-php/sarg-block-it.php
# sarg-block-it is a php that will append a url to a flat file.
# You must change /var/www/html/sarg-php/sarg-block-it to point to your file
# in $filename variable, and chown to a httpd owner.
#
# sarg will pass http://module_url?url=url
#
#block_it none
# TAG: external_css_file path
# Provide the path to an external css file to link into the HTML reports instead of
# the inline css written by sarg when this option is not set.
#
# In versions prior to 2.3, this used to be an absolute file name to
# a file to include verbatim in each HTML page but, as it takes a lot of
# space, version 2.3 switched to a link to an external css file.
# Therefore, this option must contain the HTTP server path on which a client
# browser may find the css file.
#
# Sarg use theses style classes:
# .logo logo class
# .info sarg information class, align=center
# .title_c title class, align=center
# .header_c header class, align:center
# .header_l header class, align:left
# .header_r header class, align:right
# .text text class, align:right
# .data table text class, align:right
# .data2 table text class, align:left
# .data3 table text class, align:center
# .link link class
#
# Sarg can be instructed to output the internal css it inline
# into the reports with this command:
#
# sarg --css
#
# You can redirect the output to a file of your choice and edit
# it to your liking.
#
#external_css_file none
# TAG: user_authentication yes|no
# Allow user authentication in User Reports using .htaccess
# Parameters:
# AuthUserTemplateFile - The template to use to create the
# .htaccess file. In the template, %u is replaced by the
# user's ID for which the report is generated. The path of the
# template is relative to the directory containing sarg
# configuration file.
#
# user_authentication no
# AuthUserTemplateFile sarg_htaccess
# TAG: download_suffix "suffix,suffix,...,suffix"
# file suffix to be considered as "download" in Download report.
# Use 'none' to disable.
#
#download_suffix "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg"
# TAG: ulimit n
# The maximum number of open file descriptors to avoid "Too many open files" error message.
# You need to run sarg as root to use ulimit tag.
# If you run sarg with a low privilege user, set to 'none' to disable ulimit
#
#ulimit 20000
# TAG: ntlm_user_format username|domainname+username
# NTLM users format.
#
#ntlm_user_format domainname+username
# TAG: realtime_refresh_time num sec
# How many time to auto refresh the realtime report
# 0 = disable
#
# realtime_refresh_time 3
# TAG: realtime_access_log_lines num
# How many last lines to get from access.log file
#
# realtime_access_log_lines 1000
# TAG: realtime_types: GET,PUT,CONNECT,ICP_QUERY,POST
# Which records must be in realtime report.
#
# realtime_types GET,PUT,CONNECT
# TAG: realtime_unauthenticated_records: ignore|show
# What to do with unauthenticated records in realtime report.
#
# realtime_unauthenticated_records: show
# TAG: byte_cost value no_cost_limit
# Cost per byte.
# Eg. byte_cost 0.01 100000000
# per byte cost = 0.01
# bytes with no cost = 100 Mb
# 0 = disable
#
# byte_cost 0.01 50000000
# TAG: squid24 on|off
# Compatilibity with squid version <= 2.4 when using emulate_http_log on
#
# squid24 off
#resolve_ip yes