Re: [squid-users] dansguardian, squid, shorewall

From: Richard Pyne <rpyne@dont-contact.us>
Date: Sat, 05 Jan 2008 09:21:21 -0700

Yes, yes and yes.

Linux neowall 2.6.23.12 #1 SMP PREEMPT Wed Jan 2 20:09:47 MST 2008 i686 pentium4 i386 GNU/Linux

It is running on a P4 3G cpu with 2 Gig of RAM

squid was configured with:

--sysconfdir=/etc/squid \
--localstatedir=/var/cache/squid \
--enable-async-io \
--enable-snmp \
--enable-gnuregex \
--enable-linux-netfilter

here is my squid.conf:

http_port 127.0.0.1:3128 transparent
visible_hostname neowall.neoharbor.com
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/cache/squid/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/16 10.1.0.0/16 127.0.0.1
http_access allow our_networks
http_access allow localhost
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid

and my dansguardian.conf:

reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = on
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://neowall.neoharbor.com/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = on
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off

Thank you for your reply.

--Richard
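Added example (not part of Richard's post, nor Squid or DansGuardian code): a small Python checker for the symptom described in the thread. It parses Squid's native access.log layout (the `squid` format named in the posted access_log line) and lists entries whose URL field is a bare path instead of an absolute URL. The field order is assumed from the standard native format, and the sample log lines are constructed.

```python
import re

# Squid native access.log layout (the "squid" format named in the posted
# access_log line); field order assumed from the standard documentation:
#   time.ms elapsed client action/code bytes method URL ident hier/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = SQUID_NATIVE.match(line.strip())
    return m.groupdict() if m else None

def url_has_host(url, method):
    """True if the URL field carries a host. CONNECT lines log host:port
    rather than a URL, so they are checked separately."""
    if method == "CONNECT":
        return ":" in url and not url.startswith("/")
    return re.match(r"^[a-z][a-z0-9+.-]*://[^/]+", url, re.I) is not None

def find_hostless(lines):
    """Entries whose URL is a bare path (e.g. '/index.html'): the 'domain
    portion missing' symptom from the thread. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and not url_has_host(rec["url"], rec["method"]):
            hits.append(rec)
    return hits

# Constructed sample lines, not taken from the post. The client is 127.0.0.1
# in every case because in this setup DansGuardian, not the LAN host, is what
# connects to Squid on 127.0.0.1:3128.
SAMPLE_LOG = [
    "1199547600.123    210 127.0.0.1 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html",
    "1199547601.456     15 127.0.0.1 TCP_MISS/404 380 GET /images/logo.gif - NONE/- text/html",
    "1199547602.789    120 127.0.0.1 TCP_MISS/200 900 CONNECT mail.example.com:443 - DIRECT/192.0.2.20 -",
]

if __name__ == "__main__":
    for rec in find_hostless(SAMPLE_LOG):
        print("hostless request from %s: %s %s" % (rec["client"], rec["method"], rec["url"]))
```

Run it against a real access.log with `find_hostless(open(path))` to see which requests reached Squid without a host, and compare their timestamps with the DansGuardian log to tell LAN-originated requests from local ones.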

On 5 Jan 2008 at 19:17, Adrian Chadd wrote:

> Have you configured the http_port with 'transparent' ?
>
> Is it linux based? Did you compile --enable-linux-netfilter?
>
>
>
> Adrian
>
>
> On Sat, Jan 05, 2008, Richard Pyne wrote:
> > I am having a problem with getting this combination to work properly. Yes,
> > I have searched the docs, faq and the web for an answer. The only
> > solutions I can find are for much older versions and do not work with the
> > current versions.
> >
> > I am running squid 3.0STABLE1, shorewall 3.4.5 and dansguardian 2.8.0.6 on
> > my firewall machine.
> >
> > shorewall is configured to redirect through dansguardian as a transparent
> > proxy:
> >
> > REDIRECT loc 8080 tcp http
> > ACCEPT loc fw tcp 8080
> >
> > Watching the logs, requests to dansguardian look fine, but the requests
> > showing in the squid log are missing the domain portion of the request.
> >
> > The really strange part is that if the request comes to dansguardian from
> > the localhost (127.0.0.1) directly on port 8080 everything works fine and
> > the request in the squid log has the domain part of the request, but if
> > the request comes from a machine on the local net, the squid log shows
> > that the domain portion of the request is missing.
> >
> > If I change the shorewall rules to only redirect through squid, everything
> > works fine, I just don't get any content filtering.
> >
> > Please help, I have been tearing my hair out on this now for two days.
> >
> > --Richard
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
>
>
>
Received on Sat Jan 05 2008 - 09:21:28 MST