Squid / DansGuardian problem
Hi all. Thanks for reading my tale of woe.
I'm trying to build a test Squid/DansGuardian box on SuSE 10.1. Squid is squid-2.5.STABLE12-18.9, DansGuardian is 2.9.9.2. Single NIC. When I set the browser's proxy port to 3128 everything works as it should, but when I set the browser's proxy to the DG port (8080) I get this in the squid access.log:

    1202444056.897 193 127.0.0.1 TCP_DENIED/403 1414 GET some url/ - DIRECT/72.14.205.104 text/html

and this in the squid cache.log:

    2008/02/07 14:44:09| comm_udp_sendto: FD 5, 192.168.0.1, port 53: (1) Operation not permitted

192.168.0.1 is the gateway and DNS server. An attempt to browse to a DG-banned site results in the DG 'you've been blocked' page. Sites that should be allowed result in 'Access denied'. Why? Where have I gone wrong? I've taken iptables out of the equation for now. Here's the output of iptables -L:

    sles:/var/log/dansguardian # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain LOGDROP (0 references)
    target     prot opt source               destination

    Chain forward_ext (0 references)
    target     prot opt source               destination

    Chain input_ext (0 references)
    target     prot opt source               destination

    Chain reject_func (0 references)
    target     prot opt source               destination

My squid.conf file:

    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl to_localhost dst 127.0.0.0/8
    acl CONNECT method CONNECT
    acl localnet src 192.168.0.0/255.255.255.0
    acl all src 192.168.0.0/255.255.255.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl SSL_ports port 443 563
    http_access allow localnet
    http_access allow localhost
    http_access allow CONNECT SSL_ports
    http_access deny all
    http_access allow manager localhost
    http_access deny manager
    http_reply_access allow all
    icp_access allow all
    coredump_dir /var/cache/squid

My dansguardian.conf file:

    reportinglevel = 3
    languagedir = '/usr/local/share/dansguardian/languages'
    language = 'ukenglish'
    loglevel = 2
    logexceptionhits = 2
    logfileformat = 1
    loglocation = '/var/log/dansguardian/access.log'
    filterip =
    filterport = 8080
    proxyip = 127.0.0.1
    proxyport = 3128
    accessdeniedaddress = 'my dg box's url'
    nonstandarddelimiter = on
    usecustombannedimage = on
    custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
    filtergroups = 1
    filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
    bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist'
    exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist'
    showweightedfound = on
    weightedphrasemode = 2
    urlcachenumber = 1000
    urlcacheage = 900
    scancleancache = on
    phrasefiltermode = 2
    preservecase = 0
    hexdecodecontent = off
    forcequicksearch = off
    reverseaddresslookups = off
    reverseclientiplookups = off
    logclienthostnames = off
    createlistcachefiles = on
    maxuploadsize = -1
    maxcontentfiltersize = 256
    maxcontentramcachescansize = 2000
    maxcontentfilecachescansize = 20000
    filecachedir = '/tmp'
    deletedownloadedtempfiles = on
    initialtrickledelay = 20
    trickledelay = 10
    downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf'
    downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf'
    contentscannertimeout = 60
    contentscanexceptions = off
    recheckreplacedurls = off
    forwardedfor = off
    usexforwardedfor = off
    logconnectionhandlingerrors = on
    logchildprocesshandling = off
    maxchildren = 120
    minchildren = 8
    minsparechildren = 4
    preforkchildren = 6
    maxsparechildren = 32
    maxagechildren = 500
    maxips = 0
    ipcfilename = '/tmp/.dguardianipc'
    urlipcfilename = '/tmp/.dguardianurlipc'
    ipipcfilename = '/tmp/.dguardianipipc'
    nodaemon = off
    nologger = off
    logadblocks = off
    loguseragent = off
    softrestart = off

Thanks in advance for your help!
Keith
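Squid evaluates http_access lines top-down and stops at the first line whose ACLs all match; if no line matches at all, it applies the opposite of the last line's action. The following simulator of that rule, run over the acl and http_access lines from the squid.conf in the post above, is an added example and not code from the post or from the Squid project. The request dicts are constructed, and the model covers only the src/dst, port, method and proto ACL types that config uses; it does not model authentication or the DansGuardian proxyip setting, so it does not reproduce the 403 in the poster's log. What it does show is two ordering problems worth checking in that config: `all` is redefined as 192.168.0.0/24 instead of a real catch-all, so a client outside that subnet matches no line and falls through to allow, and `allow CONNECT SSL_ports` never denies a CONNECT to a non-SSL port.

```python
"""Simulator of Squid's http_access first-match evaluation.

Added example, not code from the original post or from the Squid project.
It models only the ACL types used in the poster's squid.conf (src, dst, port,
method, proto) so the rule ordering can be checked offline; it is not the
real Squid parser and does not model authentication or the proxyip setting.
"""
import ipaddress

# Constructed input: the acl and http_access lines copied from the poster's
# squid.conf (the lines are the page's own; everything else here is assumed).
SQUID_CONF = """\
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/255.255.255.0
acl all src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
http_access allow localnet
http_access allow localhost
http_access allow CONNECT SSL_ports
http_access deny all
http_access allow manager localhost
http_access deny manager
"""


def parse(conf):
    """Collect 'acl NAME TYPE VALUES...' into a dict and the http_access
    lines into an ordered list of (rule_no, action, [acl terms])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((len(rules) + 1, parts[1], parts[2:]))
    return acls, rules


def _matches(acl, req):
    """Match one ACL against a request dict (keys: src, dst, port, method, proto)."""
    kind, values = acl
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        # Squid accepts both prefix-length and dotted-netmask forms.
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "proto":
        return req["proto"] in values
    raise ValueError("unsupported acl type: " + kind)


def evaluate(acls, rules, req):
    """Return (decision, rule_no). The first http_access line whose ACLs all
    match wins; a '!' prefix negates a term. If no line matches, Squid's
    documented default is the opposite of the last line's action."""
    for rule_no, action, terms in rules:
        if all(_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action, rule_no
    last_action = rules[-1][1]
    return ("deny" if last_action == "allow" else "allow"), None


def all_acl_is_catchall(acls):
    """True only if the ACL named 'all' really covers every IPv4 address.
    Squid 2.5 does not predefine 'all'; 'deny all' is only a catch-all when
    the administrator defined it as 0.0.0.0/0.0.0.0."""
    kind, values = acls.get("all", ("src", []))
    return kind == "src" and any(
        ipaddress.ip_network(v, strict=False).prefixlen == 0 for v in values)


if __name__ == "__main__":
    acls, rules = parse(SQUID_CONF)
    dst = "72.14.205.104"  # the DIRECT target from the poster's access.log line
    samples = {  # constructed requests
        "dansguardian on loopback": dict(src="127.0.0.1", dst=dst, port=80, method="GET", proto="http"),
        "LAN browser": dict(src="192.168.0.10", dst=dst, port=80, method="GET", proto="http"),
        "off-subnet client": dict(src="10.0.0.5", dst=dst, port=80, method="GET", proto="http"),
        "off-subnet CONNECT :22": dict(src="10.0.0.5", dst=dst, port=22, method="CONNECT", proto="http"),
    }
    for label, req in samples.items():
        print(f"{label:26s} -> {evaluate(acls, rules, req)}")
    print("'all' is a real catch-all:", all_acl_is_catchall(acls))
```

The off-subnet requests come back as ("allow", None): no line matched, so Squid's fallback (the opposite of the final `deny manager`) lets them through. In Squid 2.5 the fix is the stock `acl all src 0.0.0.0/0.0.0.0`, with `http_access deny CONNECT !SSL_ports` and the two manager lines placed before `http_access deny all`, so that the deny is the last line reached and the fallback is never used.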
Never mind. DansGuardian has to point at the LAN IP of the proxy server, not the loopback address.