LinuxQuestions.org


ketchukf 02-07-2008 10:32 PM

Squid / DansGuardian problem
 
Hi all. Thanks for reading my tale of woe.

I'm trying to build a test Squid/DansGuardian box on SuSE 10.1. Squid is squid-2.5.STABLE12-18.9, DansGuardian is 2.9.9.2. Single NIC. When I set the browser's proxy port to 3128 everything works as it should, but when I set the browser's proxy to the DG port (8080) I get this in the squid access.log:

1202444056.897 193 127.0.0.1 TCP_DENIED/403 1414 GET some url/ - DIRECT/72.14.205.104 text/html

and this in the squid cache.log:

2008/02/07 14:44:09| comm_udp_sendto: FD 5, 192.168.0.1, port 53: (1) Operation not permitted

192.168.0.1 is the gateway and DNS server.

An attempt to browse to a DG-banned site results in the DG 'you've been blocked' page. Sites that should be allowed result in 'Access denied'. Why? Where have I gone wrong?

I've taken iptables out of the equation for now. Here's the output of iptables -L:

sles:/var/log/dansguardian # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain LOGDROP (0 references)
target prot opt source destination

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (0 references)
target prot opt source destination

Chain reject_func (0 references)
target prot opt source destination

My squid.conf file:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl to_localhost dst 127.0.0.0/8
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/255.255.255.0
acl all src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
http_access allow localnet
http_access allow localhost
http_access allow CONNECT SSL_ports
http_access deny all
http_access allow manager localhost
http_access deny manager
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid

My dansguardian.conf file:

reportinglevel = 3
languagedir = '/usr/local/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = 2
logfileformat = 1
loglocation = '/var/log/dansguardian/access.log'
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'my dg box's url'
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
softrestart = off

Thanks in advance for your help!

Keith

ketchukf 02-10-2008 07:51 AM

Never mind. DansGuardian has to point at the LAN IP of the proxy server, not the loopback address.
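
An added example, not part of the thread: a small Python model of how the posted squid.conf treats a plain GET by source address, assuming Squid's rule that the first matching access line wins and that, when no line matches, the opposite of the last line applies. Because the post defines "all" as 192.168.0.0/255.255.255.0, "http_reply_access allow all" does not match 127.0.0.1, which fits the logged TCP_DENIED/403 alongside a DIRECT/ fetch; 192.168.0.10 is a constructed stand-in for the proxy's LAN address.

```python
import ipaddress

# src-type ACLs copied from the squid.conf in the post. Note that "all" is
# defined as the LAN only, not 0.0.0.0/0.
ACLS = {
    "localnet": ipaddress.ip_network("192.168.0.0/255.255.255.0"),
    "all": ipaddress.ip_network("192.168.0.0/255.255.255.0"),
    "localhost": ipaddress.ip_network("127.0.0.1/255.255.255.255"),
}

# Rule lists in the post's order. Lines that need CONNECT or the cache manager
# protocol are omitted (simplification): they never match a plain GET.
HTTP_ACCESS = [("allow", "localnet"), ("allow", "localhost"), ("deny", "all")]
HTTP_REPLY_ACCESS = [("allow", "all")]


def check(rules, client_ip):
    """First matching line wins; with no match, the opposite of the last line."""
    addr = ipaddress.ip_address(client_ip)
    for action, acl in rules:
        if addr in ACLS[acl]:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def outcome(client_ip):
    """What a GET from client_ip gets: the request check, then the reply check."""
    if check(HTTP_ACCESS, client_ip) == "deny":
        return "request denied"
    if check(HTTP_REPLY_ACCESS, client_ip) == "deny":
        return "reply denied"
    return "allowed"


if __name__ == "__main__":
    # 192.168.0.10 is a constructed stand-in for the proxy's LAN address.
    for source in ("127.0.0.1", "192.168.0.10"):
        print(source, "->", outcome(source))
```

When auditing a squid.conf, check how "all" is defined before relying on any "deny all" or "allow all" line, since a narrowed definition changes what those lines match.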

