Squid + Dansguardian + filtro por ip [RESOLVIDO]

1. Squid + Dansguardian + filtro por ip [RESOLVIDO]

laket
(usa Ubuntu)

Enviado em 22/10/2009 - 21:51h

Boa Noite Pessoal,
A semanas estou procurando uma solução, lendo todos os possíveis howto's, mas ainda não consegui resolver o seguente problema:
Estou usando Debian Lenny + Dansguardian 2.9.9.4 + Squid 2.7. Eu configurei o Dansguardian para filtrar por ip sem LDAP ou outras opções de identificação.
Quando eu mudo no dansguardian.conf a opção forwardedfor de off para on, na hora o squid bloqueia tudo. Quando eu deixo em off o squid deixa navegar normal, mas o dansguardian fica somente com grupo de filtro f1 desconsiderando os f2 a f5 que eu criei. Eu acredito pelos testes que o problema ta na mau configuração do meu squid.
Alguem pode me ajudar? Por favor analisando os arquivos de .conf que estou postando abaixo? grato

*********Meu Dansguardian.conf:************
# DansGuardian config file for version 2.9.9.4

#
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ptbrazilian'

loglevel = 2

logexceptionhits = 2
logfileformat = 1

loglocation = '/var/log/dansguardian/access.log'
statlocation = '/var/log/dansguardian/stats'

filterip =10.2.1.10
filterip =127.0.0.1

filterport = 8080

proxyip = 127.0.0.1

proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

nonstandarddelimiter = on

usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'

filtergroups = 5
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'

showweightedfound = on

weightedphrasemode = 2

urlcachenumber = 5000
urlcacheage = 900

scancleancache = on

phrasefiltermode = 2

preservecase = 0

hexdecodecontent = off

forcequicksearch = off

reverseaddresslookups = off

reverseclientiplookups = on

logclienthostnames = off

createlistcachefiles = on

maxuploadsize = -1

maxcontentfiltersize = 2000

maxcontentramcachescansize = 2000

maxcontentfilecachescansize = 20000

filecachedir = '/tmp'

deletedownloadedtempfiles = on

initialtrickledelay = 20

trickledelay = 10

downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
contentscanner = '/etc/dansguardian/contentscanners/commandlinescan.conf'

contentscannertimeout = 60

contentscanexceptions = off

authplugin = '/etc/dansguardian/authplugins/ip.conf'

recheckreplacedurls = off

forwardedfor = off

usexforwardedfor = off

logconnectionhandlingerrors = on

logchildprocesshandling = off

maxchildren = 120

minchildren = 8

minsparechildren = 4
preforkchildren = 6

maxsparechildren = 32

maxagechildren = 500

maxips = 0

ipcfilename = '/tmp/.dguardianipc'

urlipcfilename = '/tmp/.dguardianurlipc'

ipipcfilename = '/tmp/.dguardianipipc'

nodaemon = off

nologger = off

logadblocks = off

loguseragent = off

daemonuser = 'dansguardian'
daemongroup = 'dansguardian'

softrestart = off

mailer = '/usr/sbin/sendmail -t'
****final do dansguardian.conf***********************************************************
*****************************************************************************************

******meu squid.conf*********************************************************************
*****************************************************************************************
# WELCOME TO SQUID 2.7.STABLE3

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny to_localhost

http_access allow localhost

http_access deny all

icp_access allow localnet
icp_access deny all

follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow all

http_port 127.0.0.1:3128 transparent

hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

cache_effective_group proxy

visible_hostname ALGO_MEU

hosts_file /etc/hosts

# forwarded_for on
forwarded_for delete

coredump_dir /var/spool/squid

http_port 3128 transparent

0 0

Quote

2. http_acces

laket
(usa Ubuntu)

Enviado em 22/10/2009 - 23:01h

Eu sei que o http_acces deny all esta la, coloquei antes dele agora o http_acces allow all, e o squid deixa passar!
MAS
1. agora o squid deixa vc navegar sem que vc usa o proxy do dansguardian no navegador!!! :( como eu desativo que pessoal passa sem o proxy?
2. pelo menos meu ip interno não passa para fora, mas os sites como whatismyip.com reconhecem que eu tenho o squid na porta 3128 e o nome que eu coloquei no visible_hostname! como eu posso evitar isto?

0 0

Quote

3. Squid + Dansguardian + filtro por ip

laket
(usa Ubuntu)

Enviado em 23/10/2009 - 13:48h

Bom, desde que a questão do meu primeiro post, eu mesmo resolvi, vou tentar postar de novo desta vez reformulando as questões da minha própria resposta.

0 0

Quote