LinuxQuestions.org


mattp 12-28-2005 04:08 PM

Trying to get a quick n dirty Dans Guardian/Squid install for client
 
I am trying to get a quick and dirty setup of Dans Guardian/Squid for content filtering for a client of mine. I am running Slack 10.2. I installed Dans Guardian 2.8 from source and Squid from package (tgz - slackware binary). The proxy server cannot be the default gateway (the default g/w must remain the way it is).

I tried using the steps outlined in this article:
http://software.newsforge.com/softwa.../1521209.shtml

but a lot of the steps don't apply for what I am trying to do. I also get a lot of errors with permissions.

I am trying to get Dans Guardian's content filtering to work with Squid the quickest way possible for demonstration purposes. Can anyone provide advice?

win32sux 12-29-2005 04:02 PM

basically you just need the gateway to forward any upstream tcp port 80 packets to the proxy (squid/dansguardian)... you do that with iptables on the gateway... as for the proxy, just have dansguardian listening on port 8080 on the LAN interface, and squid listening locally on port 3128... dansguardian takes very little configuration, and with squid it's just a matter of setting the proper ACLs and a few other options... sounds like your permissions issues could be ACL issues (could you be more specific?)... maybe post your squid.conf (without the commented lines)...
Code:

cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$

mattp 01-03-2006 02:56 PM

Thanks for the help. I set up a slack box at home and am playing with it before I get back to the client. Right now I have squid configured to not cache and accept all connections from the local network. Now I need to get Dans Guardian up and running. The errors were due to me following that tutorial I mentioned too closely. That article had dans and squid running on a 1 machine home PC setup and would only allow connections from the loopback address. I was trying to throw the setup together in the heat of battle and didn't pay attention to the commands the article was asking me to execute.

mattp 01-03-2006 03:36 PM

Okay, I have squid and dans guardian running. I started Dans Guardian. Now, EVERYTHING is blocked. Disney.com, google.com etc. How can I pull back the reins of Dans Guardian? I looked thru the docs and everything says that while Dans Guardian should be prudent, it shouldn't block everything. What's going on?

mattp 01-03-2006 03:41 PM

Okay, more info. Squid was giving me the access denied page, not dans guardian. I had the port set to 8080 for the proxy. If I set the port back to 3128, everything is allowed.

I looked at the Dans Guardian logs and I see all the sites I went to including some sites that should be blocked but weren't.

What am I missing?

win32sux 01-03-2006 05:12 PM

okay, let's try and take it one step at a time... you can confirm that you have squid properly functioning if you use it on its own?? please post the squid.conf with the above command either way...

now about dansguardian... you are saying it's blocking ALL the sites, right?? please post some of the logfile entries to see what they look like... also, post your two main dansguardian configuration files please... that would be dansguardian.conf and dansguardianf1.conf i think... i recommend you use the same greps from above on them so that you don't fill your post with commented lines...

also, let's have a look at the iptables rules on the gateway and on the proxy itself please...
Code:

iptables -L
Code:

iptables -t nat -L

mattp 01-03-2006 06:01 PM

Sorry for my confusing replies. Here is the current situation:
Dans Guardian is not blocking anything. I see the sites I have visited on one of the PCs in the network in the DansGuardian access log, but even sites that should be blocked aren't being blocked. The PCs don't have the default gateway as the proxy. Proxy settings being controlled thru the browser.

When I thought everything was being blocked, I had the port setting on my browser set to 8080 not 3128. It was Squid saying access denied, not Dans Guardian.

Here are the config files:

squid.conf:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
no_cache deny all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.111.0/24 192.168.2.0/24
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/lib/squid/cache

dansguardian.conf

reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = on
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off

dansguardianf1.conf

bannedphraselist = '/etc/dansguardian/bannedphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
greysitelist = '/etc/dansguardian/greysitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
bannedurllist = '/etc/dansguardian/bannedurllist'
greyurllist = '/etc/dansguardian/greyurllist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
picsfile = '/etc/dansguardian/pics'
contentregexplist = '/etc/dansguardian/contentregexplist'
naughtynesslimit = 50
bypass = 0
bypasskey = ''

win32sux 01-03-2006 07:32 PM

hmmm... weird... well, let's have a look at what the dansguardian logfile entries look like when you go to a site that should be blocked...

i think the reason good sites are being logged is because of this:
Quote:

loglevel = 2
i can't, however, seem to determine why the content filtering wouldn't be working properly through your dansguardian... are you sure you've tried with the, ummm, proper websites??

mattp 01-03-2006 08:40 PM

Here is the log. Obviously one of the sites listed should be blocked. Nothing is being blocked at all.


INSERT A NAUGHTY URL HERE
2006.1.5 15:15:53 - 192.168.111.2 http://google.com GET 1054
2006.1.5 15:15:53 - 192.168.111.2 http://google.com/favicon.ico GET 1076
2006.1.5 15:19:02 - 192.168.111.2 http://yahoo.com GET 1052
2006.1.5 15:19:02 - 192.168.111.2 http://yahoo.com/favicon.ico GET 1074
2006.1.5 15:19:12 - 192.168.111.2 http://aol.com GET 1048
2006.1.5 15:19:12 - 192.168.111.2 http://aol.com/favicon.ico GET 1070
2006.1.5 15:37:29 - 192.168.111.2 http://google.com GET 1054
2006.1.5 15:37:29 - 192.168.111.2 http://google.com/favicon.ico GET 1076
2006.1.5 15:37:34 - 192.168.111.2 http://disney.com GET 1054
2006.1.5 15:37:34 - 192.168.111.2 http://disney.com/favicon.ico GET 1076
2006.1.5 15:37:42 - 192.168.111.2 http://ehg-comcast.hitbox.com/HG?hc=&hb=DM5409 24GGEM&cd=1&hv=6&n=/INDEX&con=&vcon=/&tt=none&ja=y&dt=15&zo=360&lm=1123152934000 &bn=Netscape&ce=y&ss=1600*1200&sc=32&sv=13&cy=u&hp=u&ln=en-US&vpc=HBX0100u&vjs=H BX0141.01u&hec=0&pec=&cmp=&gp=&dcmp=&dcmpe=&dcmpre=&cp=null&fnl=&seg=&epg=&cv=&g n=&ld=&la=&c1=&c2=&c3=&c4=&customerid=&lv.id=&lv.pos=&ttt=lid,lpos&ra=&rf=http%3 A//comcast.net/&pl=QuickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%207.0.3%3AQ uickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%2 07.0.3%3AQuickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%207.0.3%3AAdobe%20Acr obat%3AShockwave%20Flash%3AMozilla%20Default%20Plug-in%3AShockwave%20for%20Direc tor%3AJava%28TM%29%202%20Platform%20Standard%20Edition%205.0%20Update%206%3AJava %28TM%29%202%20Platform%20Standard%20Edition%205.0%20Update%206%3AJava%28TM%29%2 02%20Platform%20Standard%20Edition%205.0%20Update%206%3AJava%28TM%29%202%20Platf orm%20Standard%20Edition%205.0%20Update%206%3AJava%28TM%29%202%20Platform%20Stan dard%20Edition%205.0%20Update%206%3AJava%28TM%29%202%20Platform%20Standard%20Edi tion%205.0%20Update%206%3AJava%28TM%29%202%20Platform%20Standard%20Edition%205.0 %20Update%206%3AMicrosoft%AE%20DRM%3AWindows%20Media%20Player%20Plug-in%20Dynami c%20Link%20Library%3AMicrosoft%AE%20DRM%3A&hid=0.43603107889753 GET 1084
2006.1.5 15:37:42 - 192.168.111.2 http://www.comcast.net/home.html GET 1082
2006.1.5 15:37:42 - 192.168.111.2 http://www.comcast.net/favicon.ico GET 1086
2006.1.5 15:38:34 - 192.168.111.2 http://www.linuxquestions.org/questions/search .php?searchid=85594 GET 1120
2006.1.5 15:39:12 - 192.168.111.2 http://www.linuxquestions.org/questions/newrep ly.php POST 1122
2006.1.5 15:39:17 - 192.168.111.2 http://www.linuxquestions.org/questions/newrep ly.php POST 1122

win32sux 01-03-2006 09:19 PM

you don't have any of these client IPs in your /etc/dansguardian/exceptioniplist file, right?? just making sure... i'm still trying to figure this out...

PS: you can go ahead and remove the two xxx links from the post above (to avoid any conflict with the LQ rules), as it's clear that they appear in the logs just as the non-xxx ones...

mattp 01-03-2006 09:22 PM

Actually, I haven't touched any of the Dans Guardian config files at all. Thank you for your help, it is much appreciated!! I promised a low cost web filtering solution to my client and I am trying desperately to deliver.

win32sux 01-03-2006 09:29 PM

what ownership does your dansguardian binary have??
Code:

ls -l /usr/sbin/dansguardian
also, what does the ownership for the configs look like??
Code:

ls -l /etc/ | grep dansguardian
Code:

ls -l /etc/dansguardian/
PS: please see the PS on my previous post...

mattp 01-03-2006 09:36 PM

root:root owns it. All the squid/dans guardian stuff is installed and run as root. I know there should be a separate user running this stuff for security purposes but this will not be a production server, just a demo.

win32sux 01-03-2006 09:49 PM

the binary should be owned by root:bin, not root:root... change that, re-start dansguardian, and see if it helps...
Code:

chown root:bin /usr/sbin/dansguardian
also, even if it's a demo, you should try and run it as it's designed to be run (a non-root user), so as to avoid any weird issues... by default it will run as user "nobody"... but personally, i always add group "dansguardian" and user "dansguardian" (no login shell) to my system and then configure dansguardian to run as that user and group in the dansguardian.conf file, with these options which are near the bottom of the file and would need to be uncommented:
Code:

daemonuser = 'dansguardian'
daemongroup = 'dansguardian'

to add the user account do something like:
Code:

groupadd dansguardian

useradd -g dansguardian -d /dev/null -s /bin/false dansguardian


mattp 01-03-2006 10:00 PM

Will that conflict with anything in my squid configuration?

win32sux 01-03-2006 10:03 PM

not at all, in fact you should actually be doing the same thing with squid...
Code:

chown root:bin /usr/sbin/squid

groupadd squid

useradd -g squid -d /dev/null -s /bin/false squid

and in your squid.conf file set these options:
Code:

cache_effective_user squid
cache_effective_group squid


mattp 01-03-2006 10:07 PM

Once I did the daemonuser and group commands, and created that user and group, I get an error when I try to restart the dansguardian daemon. It gives me this:

./dansguardian restart
Shutting down dansguardian: [ FAILED ]
Starting dansguardian: Error opening/creating log file. (check ownership and access rights).
I am running as dansguardian and I am trying to open /var/log/dansguardian/access.log
[ FAILED ]

It also happens if I su to dansguardian first.

win32sux 01-03-2006 10:09 PM

Code:

chown dansguardian:dansguardian /var/log/dansguardian/access.log

win32sux 01-03-2006 10:15 PM

oh yeah, and the same would go for squid, you'd need to change the ownership of the cache and log directories... depending on where you have them, it would go kinda like:
Code:

chown -R squid:squid /var/lib/squid
BTW, these are the kinda things that you wanna do *after* shutting-down the daemons... :)

mattp 01-03-2006 10:15 PM

Still no good...

win32sux 01-03-2006 10:17 PM

basically, my main concern is/was the ownership of your dansguardian binary and the fact you are/were running it as root... like, cuz it might be what's causing the odd non-filtering behavior... of course it's just a shot in the dark... i'm actually quite dumbfounded about this dansguardian issue... :confused:

win32sux 01-03-2006 10:21 PM

Quote:

Originally Posted by mattp
still no good...

shucks... =(

does the same problem occur if you use dansguardian from the local machine??

mattp 01-03-2006 10:22 PM

I do appreciate your help. I have run all of your commands verbatim and have restarted the daemons. Is there any ls -l information that you would like to see to straighten out the possible ownership issue? Should I reinstall anything? Reboot?

mattp 01-03-2006 10:25 PM

Same issue exists when I put the local machine on the proxy.

win32sux 01-03-2006 10:28 PM

i mean, like, using a browser on the same machine which DG and squid are running on... like, telling the browser to use proxy 127.0.0.1:8080 and stuff...??

mattp 01-03-2006 10:31 PM

I put the "server" itself on the proxy. I actually used the public address 192.168.111.46 as when I tried the loopback, squid gave me an access denied page. I never put the loopback address in the ACL in squid. Also, I am using port 3128. If I use 8080, squid gives me an access denied page.

win32sux 01-03-2006 10:44 PM

basically you just need to have an ACL for 127.0.0.1 in your squid.conf... this is due to the fact that all requests to squid will be coming from the dansguardian which is running on the same box... so squid in this case won't care about your LAN IPs... an ACL like this in your squid.conf should suffice:
Code:

acl localhost src 127.0.0.1/255.255.255.255
seems like you already have that, but now that you mention it, it doesn't look like you have the respective "allow" for it, which would look like:
Code:

http_access allow localhost
you should double-check that...

having said that, squid should be listening on port 3128, while dansguardian listens on port 8080... so since squid's ACL's only allow connections from 127.0.0.1 (localhost) then trying to connect directly to 3128 from a client will fail, which is a good thing in this case... they are forced to use port 8080 which will be the content-filter...
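Added example, not part of any poster's message and not code from Squid or DansGuardian: a small first-match evaluator for `http_access` rules, run over the rule order from the squid.conf posted earlier in the thread and the one posted after the reinstall, to show which source addresses can reach Squid directly on port 3128. It handles only the `src`, `port`, `method` and `proto` ACL types; the request dictionaries are constructed sample input.

```python
import ipaddress

# http_access-relevant lines excerpted from the squid.conf posts in this thread.
ACLS = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
"""
DENIES = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
# Rule order as first posted: LAN allowed, no allow for localhost.
FIRST_POST = ACLS + DENIES + """\
acl our_networks src 192.168.111.0/24 192.168.2.0/24
http_access allow our_networks
http_access deny all
"""
# Rule order as posted after the reinstall: only localhost allowed.
FINAL_POST = ACLS + "http_access allow localhost\n" + DENIES + "http_access deny all\n"

SUPPORTED = {"src", "port", "method", "proto"}

def parse(conf):
    """Collect ACL definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl":
            # Repeated acl lines with the same name are ORed together.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind not in SUPPORTED:
        raise ValueError(f"ACL type {kind!r} is outside this sketch")
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    return req[kind] in values  # method, proto

def decide(conf, req):
    """Return (action, deciding rule) using Squid's first-match semantics."""
    acls, rules = parse(conf)
    for action, names in rules:
        # All ACLs on one line must match (AND); '!' negates a single ACL.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!")
               for n in names):
            return action, f"http_access {action} {' '.join(names)}"
    if not rules:
        return "deny", "no http_access rules"
    # Nothing matched: Squid applies the opposite of the last rule.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "implicit default"

# Constructed requests: a LAN browser pointed at 3128, DansGuardian's
# loopback connection, and a CONNECT to a non-SSL port arriving via loopback.
LAN_DIRECT = {"src": "192.168.111.2", "port": 80, "method": "GET", "proto": "http"}
VIA_DG = dict(LAN_DIRECT, src="127.0.0.1")
VIA_DG_CONNECT25 = dict(VIA_DG, port=25, method="CONNECT")

if __name__ == "__main__":
    for label, conf in (("first post", FIRST_POST), ("final post", FINAL_POST)):
        for rname, req in (("LAN direct", LAN_DIRECT), ("via DG", VIA_DG),
                           ("via DG CONNECT:25", VIA_DG_CONNECT25)):
            print(f"{label:10} {rname:18} -> {decide(conf, req)}")
```

With the first rule order the LAN client is allowed straight through Squid (unfiltered) while DansGuardian's loopback connection is denied; the final order reverses both. Because `http_access allow localhost` sits above the `Safe_ports` and `CONNECT` denies in the final file, those denies never apply to requests arriving through DansGuardian.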

mattp 01-03-2006 10:53 PM

Okay, we are making progress. Now if I point the browser to port 3128, squid will give me an access denied page, while if I point it to 8080 everything is allowed. I had the 192.168.111.0 subnet allowed in squid and the localhost disallowed. I reversed that now. Since I had the whole port thing messed up (and in effect the relationship btwn squid and dansguardian) perhaps that is the root of the problem. Is there any thing else I should look at regarding ports and how dansguardian and squid communicate?

win32sux 01-03-2006 11:01 PM

Quote:

Originally Posted by mattp
any thing else I should look at regarding ports and how dansguardian and squid communicate?

seems like everything should be okay and stuff... i mean, your dansguardian was definitely aware of the setup and stuff:
Code:

filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

as you can see it knew it was to listen on port 8080 and it knew it was to communicate with squid on port 3128 of the localhost...

mattp 01-03-2006 11:09 PM

ok. Perhaps a reinstall of the software is called for?

win32sux 01-04-2006 09:25 AM

how did it go with this??

mattp 01-04-2006 10:09 AM

I am going to do the reinstall after work today. Any tips? I am installing squid from tgz and dansguardian from source. Should I compile/install the software as any specific user?

win32sux 01-04-2006 10:41 AM

you can compile as any user you like, but you'll need to be root to do the install and adjust the permissions, etc... BTW, if you are on slackware 10.2 like me, i can give you copies of some known-good squid and dansguardian slackpacks which i built myself if you want... they have all the permissions and stuff set already, so you wouldn't need to worry about that part... that would be later tonight, though... i'm kinda in the middle of something... but let me know if you're interested and i'll try and upload them for you...

either way, i don't really expect the reinstall to change much, if anything... unless there was a problem with the actual build and stuff... the ownership/permissions issues as well as the configuration issues are all fixable post-install so a reinstall isn't really necessary if that was the issue...

mattp 01-04-2006 12:44 PM

I am on Slack 10.2 and I would LOVE for you to get me those pkgs. I would offer my FTP server's services but I just moved and the DNS change hasn't propagated yet.

mattp 01-04-2006 10:29 PM

Don't mean to seem antsy but you didn't happen to upload those packages did you? I want to see that client tomorrow if possible.

mattp 01-04-2006 11:16 PM

Hold off on those packages. I did a reinstall with what I originally had (squid package from linuxpackages.net and dansguardian source). I downloaded 2.8.0.6 as opposed to 2.8.0.0 this time however. I did the reinstalls and everything worked out 100% fine! One question I do have for you (or anyone else reading). I do not want squid caching anything. I was instructed to add the line "no_cache deny all" in squid.conf but this time, it was already in the config file! I want to make sure it is not caching anything. I will post my squid.conf, can you judge if it will be caching? Thanks for all of your help!!

squid.conf

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
no_cache deny all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
coredump_dir /var/lib/squid/cache

win32sux 01-05-2006 08:10 AM

i actually had assumed you were using the latest stable version of dansguardian (2.8.0.6 at the time of this post)... i should have confirmed...

yeah, i think that no_cache line should work fine... any reason in particular why you don't wanna do any caching?? if it's for security reasons you could disable caching to the hard disk while still allowing caching to happen in RAM... the caching gives you a nice speed boost...

if you were able to start squid without having created a cache structure (squid -z) then it's fair to assume there's no cache being used i think... of course we all know what they say about assumption...

mattp 01-05-2006 11:06 AM

Actually, I did the squid -z part because I didn't want any trouble. I am not caching because the proxy will be demo'ing in front of a fairly large network and has fairly crummy specs. Thanks again for all the help!!

win32sux 01-05-2006 11:16 AM

Quote:

Originally Posted by mattp
the proxy... has fairly crummy specs.

considering that, then one thing you should definitely do is, in your dansguardian.conf, change this:
Code:

phrasefiltermode = 2
to this:
Code:

phrasefiltermode = 1
that will save you a lot of CPU cycles and will make it feel much faster... it's the setting i use most of the time and it works great...

i'd also suggest you at least reconsider the RAM caching (no hard disk), as it will make a HUGE difference for you... even if you enable just, say, 8MB of RAM cache it's better than nothing... it will help provide a better impression to your client... if you want i can provide you with the lines you need to add to your squid.conf in order to achieve this... just gimme a holler, i'll be online all day...

Quote:

Thanks again for all the help!!
you're very welcome...

mattp 01-05-2006 11:58 AM

Sure, could you post those lines from squid.conf from RAM cache?

Also, I am at the client's building now. They want to know if they can have different filter levels for different users (ip addresses). I have been hunting the forums for 15 minutes but couldn't find anything conclusive.

win32sux 01-05-2006 12:13 PM

Quote:

Originally Posted by mattp
Sure, could you post those lines from squid.conf from RAM cache?

okay, gimme one sec so i can type it up...

Quote:

Also, I am at the client's building now. They want to know if they can have different filter levels for different users (ip addresses).
yeah, it can be done for sure... i've never done it but i read in the website and the documentation that basically you just need to run another instance of dansguardian with its own set of config files... i'm pretty sure that's how it works...

mattp 01-05-2006 12:17 PM

Okay, I just needed confirmation that running 2 (or more) instances was the best way to do it. Thanks.

win32sux 01-05-2006 12:19 PM

okay, for the RAM cache to work, you'd need to get rid of the "no_cache deny all" line, of course... then add options kinda like this:
Code:

cache_dir null /tmp
cache_mem 16 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap LFUDA

the first line sets the "null" storage module for the hard disk cache, which is what disables the caching to disk... the other lines are pretty clear what they do... one sets the amount of ram you wanna use for the cache, the other sets the maximum size of objects you want allowed in the ram cache (objects bigger than that won't be cached) and the last line sets the policy...

mattp 01-05-2006 12:22 PM

Okay, now let me ask you the question that if I wasn't with the client now, I could probably find for myself...
The machine has 256 MB RAM and will be acting as a proxy for 10 machines. Its sole purpose is to act as a proxy. How much RAM should I designate for the cache? My swap is 256MB. Also, is the 32KB max object size a good place to start?

Thanks again!

win32sux 01-05-2006 12:24 PM

i did a "dansguardian -h" and one of the options reads:
Quote:

-c allows you to specify a different configuration file location
so perhaps that's all that's needed, like, just make a copy of the configs (/etc/dansguardian/) and name it something like /etc/dansguardian-2 or something i guess, then you'd need to edit the conf file accordingly and point the new instance to the new configs using the "-c" option... i think, i'm not exactly sure... i have to step away from the computer for about 20 minutes, i'll be right back...

THIS IS ALL SPECULATION ON MY PART, DON'T TAKE ANY OF THIS SERIOUSLY...

i've actually seen some configs in dansguardian for GROUPS and stuff like that, which might cut it for you...

i'll be back in 20 minutes...

win32sux 01-05-2006 12:28 PM

quick reply before i go: with 256MB of ram and stuff and doing nothing but squid and dansguardian, with 10 clients i'd say go for 64MB of cache with a maximum object size of 32K... you don't want the cache to ever need to touch the swap, as it would defeat the purpose....

win32sux 01-05-2006 01:18 PM

i'm back... how'd it go?? about the multiple instances thing, seems like it's not as simple as just starting another copy and using the "-c"... but i found this howto linked from the dansguardian website: http://www.filter.bz/dansguardian.htm

win32sux 01-05-2006 01:20 PM

BTW, in the dansguardian.conf there's this:
Quote:

# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users. The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group. To assign users to groups use the filtergroupslist option. All users default
# to filter group 1. You must have some sort of authentication to be able to map users
# to a group. The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'

mattp 01-06-2006 11:46 AM

Thanks for all the help. My client loves the software so far. I am disappointed in the lack of filtering for sites that have video of people doing stupid things and pictures of people doing stupid things. Also, even with PICS levels adjusted, it doesn't do a great job of filtering gambling sites. I spent a long time choosing creative phrases often found on those sites to try and block them out. I would like to find a way to tighten the reins even more via PICS and not rely on my keywords.

After 30 days, once we get everything fine tuned with the config files, my client will be purchasing the professional edition of dans guardian and a proper server that will support the 60 some PCs they have and will be able to handle multiple instances of DansGuardian for user groups.

Thanks again for all of your help!!

