LinuxQuestions.org
Old 08-23-2006, 12:44 PM   #1
jasboy
Dansguardian and squid - multiple instance


I was unable to find anything on this topic to answer my question. I'm running squid and dansguardian which filter 6 public internets. I have just added 2 more computers that need to have access to only 3 websites. Do I run multiple instances of squid or dansguardian and run some sort of whitelist? The only reason I'm running squid is for dansguardian so I'm not sure how I would configure squid and I'm running version 2.8.0 of dansguardian and I can't find a howto to configure multiple instances of that version (there is one for 2.6 but the instructions didn't match for 2.8). Can anyone point me in the right direction?

Thanks
 
Old 08-23-2006, 02:48 PM   #2
acid_kewpie
You don't need multiple instances to do this at all. Personally I don't know dans well at all; within squid though, it's just a case of crafting suitable ACL constructs.

First you'd define ACLs which signify each block of data you wish to control: sites, client IPs, times, etc.

Code:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl test_client src 10.224.0.101
acl Banned dstdomain microsoft.com msn.co.uk
acl Whitelist dstdomain google.com google.co.uk www.google.com www.google.co.uk
and then just apply them in the right order to control the various valid combinations:

Code:
http_access allow manager localhost
http_access allow localhost
http_access allow test_client Banned
http_access allow Whitelist
http_access deny Banned
http_access deny all
Not a real life example, so not massively useful, but you'd just step down through the rules until you get a suitable allow or deny. Here localhost can go anywhere, test_client can go to the Banned sites, anyone can go to the Whitelist sites, no one can go to the Banned sites and finally no one can go anywhere. As with the test_client example you can have as many ACLs on one entry as you want, so in your state maybe you'd have
Code:
http_access allow customer1 cust1_sites
http_access allow customer2 cust2_sites
http_access deny all
So here you have two totally separate forms of access where each customer (which would be a srcdomain or src ACL for each, potentially) can only go to their own unique whitelist (a dstdomain ACL). That's your "parallel" bit right there.

 
Old 08-23-2006, 04:10 PM   #3
jasboy
Well, that sounds doable. I'll look into that, thanks!
 
Old 08-24-2006, 04:23 PM   #4
jasboy
I'm trying to wrap my head around this. Is this even close?

Code:
 
acl homew1 src 192.168.5.251
acl homew2 src 192.168.5.252
acl Whitelist dstdomain tutor.com

http_access allow Whitelist
http_access deny all
I'm obviously missing something. All I want is for these 2 static IPs to not go anywhere except tutor.com. Reading Squid's access control manual I think is just confusing me more, maybe 'cause I'm tired. Any kind of mini HOWTO (I didn't find much googling) on doing such a thing?

Thanks
 
Old 08-25-2006, 03:35 AM   #5
acid_kewpie
Yes, that looks fine, but the dstdomain entries match the FULL domain, so www.tutor.com would not match that entry... Also, the src ACLs are not actually being used there at all. Often if you have a base level of high restriction you don't need to actually tie them down anyway; you'd only tie down the more free access lists.

Note of course that there are a lot of other defaults in the ACLs in squid. The config file is normally very well commented to show a default location where you would insert these entries so they are executed correctly relative to others.
 
Old 08-29-2006, 02:26 PM   #6
jasboy
Ok, might need some more help, pretty please. I've done this a couple of ways now but to no avail. If I do
Code:
acl whitelist dstdomain www.google.com www.tutor.com

http_access allow whitelist
http_access deny all
Well, that works like it's supposed to. All 8 computers (regardless of port 8080(dans) or 3128) can only access google or tutor. So I thought for the 6 that use dansguardian I would do this
Code:
acl internets myport 8080

http_access allow internets
http_access allow whitelist
http_access deny all
That doesn't seem to work. No change after I run "squid -k reconfigure". I have printed many squid articles and sample ACLs but they all talk about blocking or banning sites. I understand that part. I just can't seem to figure out how to let the 6 internets go through dansguardian (port 8080) normally and the 2 homework PCs be able to access only 2 domains. Do you (or anybody) have any more hints?

Thanks for your help so far. It has helped!
 
Old 08-29-2006, 03:16 PM   #7
acid_kewpie
Ok, well what factors do you have that draw a distinction between these two kinds of host? If you can filter on IP address then that's pretty simple: just an ACL for the "internet" computers on the source address, and insert it anywhere before the deny. I've never used dans; I assume you're using it as a child proxy? If so I'd also assume that either 1) dans in itself can only allow certain sources or 2) dans can insert an X-Forwarded-For HTTP header. If it can add this header then squid can take the client IP address from this header instead of the actual TCP packet (which would then have a source of 127.0.0.1 as it'd be from dans, not the original client).
 
Old 08-29-2006, 05:53 PM   #8
jasboy
Thanks for all your help. I will give this a try.
 
Old 08-30-2006, 01:17 PM   #9
jasboy
Well, I've done this
Code:
acl internet1 src 192.168.5.248
acl internet2 src 192.168.5.247
acl internet3 src 192.168.5.246
acl internet4 src 192.168.5.245
acl internet5 src 192.168.5.244
acl internet6 src 192.168.5.243
acl dansport myport 8080
acl whitelist dstdomain www.google.com www.tutor.com

#  TAG: http_access
#       Allowing or Denying access based on defined access lists
#
#       Access to the HTTP port:
#       http_access allow|deny [!]aclname ...
#
#       NOTE on default values:
#
#       If there are no "access" lines present, the default is to deny
#       the request.
#
#       If none of the "access" lines cause a match, the default is the
#       opposite of the last line in the list.  If the last line was
#       deny, the default is allow.  Conversely, if the last line
#       is allow, the default will be deny.  For these reasons, it is a
#       good idea to have an "deny all" or "allow all" entry at the end
#       of your access lists to avoid potential confusion.
#
#Default:
http_access allow internet1
http_access allow internet2
http_access allow internet3
http_access allow internet4
http_access allow internet5
http_access allow internet6
http_access allow dansport
http_access allow whitelist
http_access deny all
and that works great except for the acl "myport". The internets connect on port 8080 instead of port 3128, so basically squid denies them except for the whitelist. I thought by putting the acl "myport" in that it would fix it, but it hasn't. Of course if I change them to port 3128 they work like they're supposed to, but they don't get filtered by dansguardian. Am I misunderstanding the usage of "myport"?

Thanks
 
Old 08-30-2006, 01:36 PM   #10
acid_kewpie
myport is relative to squid, not the machine as a whole. If dans relays to squid on port 3128 then that's what squid sees as "myport". You would use this when squid is listening on multiple ports itself, e.g. "http_port 8080 8081". If you're going from dans to squid then you would presumably see a localhost connection, so try using a localhost allow instead of permitting the original sources. As above, you then would need dans to do the client IP filtering. Alternatively read up on X-Forwarded-For headers.
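To make the rule walk from #2, the exact-host dstdomain behaviour from #5 and the myport problem from #9 and #10 concrete, here is an added example that is not Squid's code and not anything posted in the thread: a small Python model of how Squid evaluates an http_access list over the ACL types used above (src, dstdomain, myport). It assumes the layout the thread implies but never spells out, DansGuardian listening on 8080 and forwarding to Squid on 127.0.0.1:3128; the addresses and hostnames are taken from the posts, and example.org is a constructed destination.

```python
"""Added example for this thread, not Squid's code and nothing the posters
ran: a model of how Squid walks its http_access list for the ACL types the
posts use (src, dstdomain, myport). Hosts come from the posts or are
constructed for the demo."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str      # TCP source address as Squid sees it
    host: str     # hostname from the requested URL
    myport: int   # the Squid http_port the connection arrived on

def parse_config(text):
    """Collect 'acl NAME TYPE VALUE...' and 'http_access allow|deny ACL...'."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            # repeating an acl name appends values, as in squid.conf
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def match_src(values, req):
    ip = ipaddress.ip_address(req.src)
    for v in values:
        # squid 2.x takes a bare address, a prefix length or a dotted netmask
        if "/" in v and ip in ipaddress.ip_network(v, strict=False):
            return True
        if "/" not in v and ip == ipaddress.ip_address(v):
            return True
    return False

def match_dstdomain(values, req):
    host = req.host.lower()
    for v in values:
        v = v.lower()
        if v.startswith("."):
            # '.tutor.com' matches tutor.com and every host under it
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:
            # no leading dot: only the exact host. 'tutor.com' does not
            # cover www.tutor.com, which is the point made in post #5
            return True
    return False

def acl_matches(acls, name, req):
    if name not in acls:
        raise ValueError(f"http_access refers to undefined acl {name!r}")
    for kind, values in acls[name]:
        if kind == "src" and match_src(values, req):
            return True
        if kind == "dstdomain" and match_dstdomain(values, req):
            return True
        if kind == "myport" and str(req.myport) in values:
            return True
    return False

def http_access(config_text, req):
    """First line whose ACL terms all match decides. With no match the result
    is the opposite of the last line's action (the squid.conf comment quoted
    in post #9), which is why the list should end in 'deny all'."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

# Post #9's list, shortened to one 'internet' host; 'all' and 'localhost'
# are the stock acls shown in post #2.
OP_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl internet1 src 192.168.5.248
acl dansport myport 8080
acl whitelist dstdomain www.google.com www.tutor.com
http_access allow internet1
http_access allow dansport
http_access allow whitelist
http_access deny all
"""

# Post #10's suggestion: allow the relay itself. Squid sees every request
# DansGuardian forwards as 127.0.0.1 on Squid's own 3128 (assumed layout).
FIXED_CONFIG = OP_CONFIG.replace(
    "http_access deny all", "http_access allow localhost\nhttp_access deny all")

# Constructed requests: an 'internet' PC talking to Squid directly, the same
# PC relayed through DansGuardian, and a homework PC naming the site both ways.
DIRECT = Request(src="192.168.5.248", host="example.org", myport=3128)
RELAYED = Request(src="127.0.0.1", host="example.org", myport=3128)
HOMEWORK_WWW = Request(src="192.168.5.251", host="www.tutor.com", myport=3128)
HOMEWORK_BARE = Request(src="192.168.5.251", host="tutor.com", myport=3128)

if __name__ == "__main__":
    for name, req in [("direct", DIRECT), ("relayed", RELAYED), ("bare", HOMEWORK_BARE)]:
        print(name, http_access(OP_CONFIG, req), http_access(FIXED_CONFIG, req))
```

Under the post #9 list the relayed request is denied: Squid never sees the original 192.168.5.x address, and the connection arrives on Squid's 3128, so neither the internetN acls nor "myport 8080" can fire. The localhost allow from #10 lets it through, but only by trusting everything the relay forwards, which is why the per-client restriction then has to live in DansGuardian or ride on X-Forwarded-For as the thread says.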
 
  

