• Filtering server: if use of the proxy is mandated (and outgoing connections are blocked unless they go through the proxy), then the proxy can determine whether or not the request is to be granted.

Falcot Corp selected Squid as their proxy server.

The squid3 Debian package only contains the modular (caching) proxy. Turning it into a filtering server requires installing the additional squidguard package. In addition, squid-cgi provides a querying and administration interface for a Squid proxy.

Enabling the caching server feature is a simple matter of editing the /etc/squid3/squid.conf configuration file and allowing machines from the local network to run queries through the proxy. The following example shows the modifications made by the Falcot Corp administrators:

例 11.25. The /etc/squid3/squid.conf file (excerpts)

squid itself does not perform the filtering; this action is delegated to . The former must then be configured to interact with the latter. This involves adding the following directive to the /etc/squid3/squid.conf file:

The /usr/lib/cgi-bin/squidGuard.cgi CGI program also needs to be installed, using /usr/share/doc/squidguard/examples/squidGuard.cgi.gz as a starting point. Required modifications to this script are the $proxy and $proxymaster variables (the name of the proxy and the administrator’s contact e-mail, respectively). The and $redirect variables should point to existing images representing the rejection of a query.

The working database must be regenerated with update-squidguard after each change of the configuration file (or one of the lists of domains or URLs it mentions). The configuration file syntax is documented on the following website:

→

ALTERNATIVE DansGuardian

The dansguardian package is an alternative to squidguard. This software does not simply handle a blacklist of forbidden URLs, but it can take advantage of the PICS system (Platform for Internet Content Selection) to decide whether a page is acceptable by dynamic analysis of its contents.