Squid + DansGuardian (simple configuration)

1

I just built a new proxy server and compiled the latest versions of squid and dansguardian. We use basic authentication to select which users are allowed out of our network. Squid seems to be working very well: it accepts my username and password and lets me out.

But if I connect through DansGuardian, it prompts for the username and password and then displays a message saying my username is not permitted to access the Internet. It is pulling my username into the error message, so I know it knows who I am. The part I'm confused about is that I thought that part was handled by Squid, and Squid was working perfectly.

Could someone please check my config files and tell me whether I'm missing something, or whether there is some new option I need to set to make this work?

dansguardian.conf

# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block - Stealth mode
#  0 = just say 'Access Denied'
#  1 = report why but not what denied phrase
#  2 = report fully
#  3 = use HTML template file (accessdeniedaddress ignored) - recommended
# reportinglevel = 3

# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3. When used, DansGuardian will display the HTML file instead of
# using the perl cgi script.  This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
# languagedir = '/etc/dansguardian/languages'

# language to use from languagedir.
language = 'ukenglish'

# Logging Settings
#
# 0 = none  1 = just denied  2 = all text based  3 = all requests
loglevel = 3

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through.  Can be useful for diagnosing
# why a site gets through the filter.  on | off
logexceptionhits = on

# Log File Format
# 1 = DansGuardian format        2 = CSV-style format
# 3 = Squid Log File Format      4 = Tab delimited
logfileformat = 1

# Log file location
#
# Defines the log directory and filename.
#loglocation = '/var/log/dansguardian/access.log'

# Network Settings
#
# the IP that DansGuardian listens on.  If left blank DansGuardian will
# listen on all IPs.  That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP.  Yes only one.
filterip =

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
# Do NOT change from the default if you are not using the cgi.
# accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

# Non standard delimiter (only used with accessdeniedaddress)
# Default is enabled but to go back to the original standard mode disable it.
nonstandarddelimiter = on

# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image.  This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# 0 = off
# 1 = on (default)
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'

# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users.  The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group.  To assign users to groups use the filtergroupslist option.  All users default
# to filter group 1.  You must have some sort of authentication to be able to map users
# to a group.  The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'

# Authentication files location
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'

# Show weighted phrases found
# If enabled then the phrases found that made up the total which exceeds
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on

# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
# weightedphrasemode = 2

# Positive result caching for text URLs
# Caches good pages so they don't need to be scanned again
# 0 = off (recommended for ISPs with users with dissimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
urlcachenumber =
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage =

# Smart and Raw phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# CPU usage can be effectively halved by using setting 0 or 1
# 0 = raw only
# 1 = smart only
# 2 = both (default)
phrasefiltermode = 2

# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases.  However this can break Big5 and
# other 16-bit texts.  If needed preserve the case.  As of version 2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
preservecase = 0

# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable.  However this can break Big5 and other 16-bit texts.
# 0 = disabled (default)
# 1 = enabled
hexdecodecontent = 0

# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# 0 = off (default)
# 1 = on (Big5 compatible)
forcequicksearch = 0

# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists.  This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off

# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer.  This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off.
reverseclientiplookups = off

# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%.  On slow computers this will
# be significant.  Fast computers do not need this option. on | off
createlistcachefiles = on

# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0
maxuploadsize = -1

# Max content filter page size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The size is in Kibibytes - eg 2048 = 2Mb
# use 0 for no limit
maxcontentfiltersize =

# Username identification methods (used in logging)
# You can have as many methods as you want and not just one.  The first one
# will be used then if no username is found, the next will be used.
# * proxyauth is for when basic proxy authentication is used (no good for
#   transparent proxying).
# * ntlm is for when the proxy supports the MS NTLM authentication
#   protocol.  (Only works with IE5.5 sp1 and later).  **NOT IMPLEMENTED**
# * ident is for when the others don't work.  It will contact the computer
#   that the connection came from and try to connect to an identd server
#   and query it for the user owner of the connection.
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off

# Preemptive banning - this means that if you have proxy auth enabled and a user accesses
# a site banned by URL for example they will be denied straight away without a request
# for their user and pass.  This has the effect of requiring the user to visit a clean
# site first before it knows who they are and thus maybe an admin user.
# This is how DansGuardian has always worked but in some situations it is less than
# ideal.  So you can optionally disable it.  Default is on.
# As a side effect disabling this makes AD image replacement work better as the mime
# type is known.
preemptivebanning = on

# Misc settings

# if on it adds an X-Forwarded-For: <clientip> to the HTTP request
# header.  This may help solve some problem sites that need to know the
# source ip. on | off
forwardedfor = on

# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off

# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored.  These are logged by syslog.  It is safe to leave
# it on or off
logconnectionhandlingerrors = on

# Fork pool options

# sets the maximum number of processes to spawn to handle the incoming
# connections.  Max value usually 250 depending on OS.
# On large sites you might want to try 180.
maxchildren = 180

# sets the minimum number of processes to spawn to handle the incoming connections.
# On large sites you might want to try 32.
minchildren = 32

# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8.
minsparechildren = 8

# sets the minimum number of processes to spawn when it runs out
# On large sites you might want to try 10.
preforkchildren = 10

# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 64

# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 5000

# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
#
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = '/tmp/.dguardianipc'

# URL list IPC filename
#
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = '/tmp/.dguardianurlipc'

# PID filename
#
# Defines process id directory and filename.
#pidfilename = '/var/run/dansguardian.pid'

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off ( defaults to off )
nodaemon = off

# Disable logging process
# on|off ( defaults to off )
nologger = off

# Daemon runas user and group
# This is the user that DansGuardian runs as.  Normally the user/group nobody.
# Uncomment to use.  Defaults to the user set at compile time.
# daemonuser = 'nobody'
# daemongroup = 'nobody'

# Soft restart
# When on this disables the forced killing off all processes in the process group.
# This is not to be confused with the -g run time option - they are not related.
# on|off ( defaults to off )
softrestart = off

maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'

Squid.conf

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache

#broken_vary_encoding allow apache
access_log /squid/var/logs/access.log squid
hosts_file /etc/hosts
auth_param basic program /squid/libexec/ncsa_auth /squid/etc/userbasic.auth
auth_param basic children 5
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern .       0   20% 4320

acl NoAuthNec src <HIDDEN FOR SECURITY>
acl BrkRm src <HIDDEN FOR SECURITY>
acl Dials src <HIDDEN FOR SECURITY>
acl Comps src <HIDDEN FOR SECURITY>
acl whsws dstdom_regex -i .opensuse.org .novell.com .suse.com mirror.mcs.an1.gov mirrors.kernerl.org www.suse.de suse.mirrors.tds.net mirrros.usc.edu ftp.ale.org suse.cs.utah.edu mirrors.usc.edu mirror.usc.an1.gov linux.nssl.noaa.gov noaa.gov .kernel.org ftp.ale.org ftp.gwdg.de .medibuntu.org mirrors.xmission.com .canonical.com .ubuntu.
acl opensites dstdom_regex -i .mbsbooks.com .bowker.com .usps.com .usps.gov .ups.com .fedex.com go.microsoft.com .microsoft.com .apple.com toolbar.msn.com .contacts.msn.com update.services.openoffice.org fms2.pointroll.speedera.net services.wmdrm.windowsmedia.com windowsupdate.com .adobe.com .symantec.com .vitalbook.com vxn1.datawire.net vxn.datawire.net download.lavasoft.de .download.lavasoft.com .lavasoft.com updates.ls-servers.com .canadapost. .myyellow.com minirick symantecliveupdate.com wm.overdrive.com www.overdrive.com productactivation.one.microsoft.com www.update.microsoft.com testdrive.whoson.com www.columbia.k12.mo.us banners.wunderground.com .kofax.com .gotomeeting.com tools.google.com .dl.google.com .cache.googlevideo.com .gpdl.google.com .clients.google.com cache.pack.google.com kh.google.com maps.google.com auth.keyhole.com .contacts.msn.com .hrblock.com .taxcut.com .merchantadvantage.com .jtv.com .malwarebytes.org www.google-analytics.com dcs.support.xerox.com .dhl.com .webtrendslive.com javadl-esd.sun.com javadl-alt.sun.com .excelsior.edu .dhlglobalmail.com .nessus.org .foxitsoftware.com foxit.vo.llnwd.net installshield.com .mindjet.com .mediascouter.com media.us.elsevierhealth.com .xplana.com .govtrack.us sa.tulsacc.edu .omniture.com fpdownload.macromedia.com webservices.amazon.com
acl password proxy_auth REQUIRED
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 631 2001 2005 8731 9001 9080 10000
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1936-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 10000
acl Safe_ports port 631
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl UTubeUsers proxy_auth "/squid/etc/utubeusers.list"
acl RestrictUTube dstdom_regex -i youtube.com
acl RestrictFacebook dstdom_regex -i facebook.com
acl FacebookUsers proxy_auth "/squid/etc/facebookusers.list"
acl BuemerKEC src 10.10.128.0/24
acl MBSsortnet src 10.10.128.0/26
acl MSNExplorer browser -i MSN
acl Printers src <HIDDEN FOR SECURITY>
acl SpecialFolks src <HIDDEN FOR SECURITY>
# streaming download
acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*
acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i ^application/x-mplayer2$
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i ^application/x-oleobject$
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$

acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/x-mplayer2$
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i ^application/x-oleobject$
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
acl RestrictHulu dstdom_regex -i hulu.com
acl broken dstdomain cms.montgomerycollege.edu events.columbiamochamber.com members.columbiamochamber.com public.genexusserver.com
acl RestrictVimeo dstdom_regex -i vimeo.com
acl http_port port 80

#http_reply_access deny deny_rep_mime_flashvideo
#http_reply_access deny deny_rep_mime_shockwave

#streaming files
#http_access deny fails
#http_reply_access deny fails
#http_access deny fails2
#http_reply_access deny fails2
#http_access deny x-type
#http_reply_access deny x-type
#http_access deny x-type2
#http_reply_access deny x-type2

follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
log_uses_indirect_client on

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow SpecialFolks
http_access deny CONNECT !SSL_ports
http_access allow whsws
http_access allow opensites
http_access deny BuemerKEC !MBSsortnet
http_access deny BrkRm RestrictUTube RestrictFacebook RestrictVimeo
http_access allow RestrictUTube UTubeUsers
http_access deny RestrictUTube
http_access allow RestrictFacebook FacebookUsers
http_access deny RestrictFacebook
http_access deny RestrictHulu
http_access allow NoAuthNec
http_access allow BrkRm
http_access allow FacebookUsers RestrictVimeo
http_access deny RestrictVimeo
http_access allow Comps
http_access allow Dials
http_access allow Printers
http_access allow password
http_access deny !Safe_ports
http_access deny SSL_ports !CONNECT
http_access allow http_port
http_access deny all
http_reply_access allow all

icp_access allow all

access_log /squid/var/logs/access.log squid
visible_hostname proxy.site.com
forwarded_for off
coredump_dir /squid/cache/
#header_access Accept-Encoding deny broken

#acl snmppublic snmp_community mysecretcommunity
#snmp_port 3401
#snmp_access allow snmppublic all

cache_mem 3 GB

#acl snmppublic snmp_community mbssquid
#snmp_port 3401
#snmp_access allow snmppublic all
    
by The Digital Ninja 27.10.2010 / 23:53
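As an added example (not from the question or the answer), here is a small Python model of how Squid decides who the client is when DansGuardian sits in front of it (forwardedfor = on in dansguardian.conf; follow_x_forwarded_for allow localhost and acl_uses_indirect_client on in squid.conf), followed by first-match evaluation over a subset of the http_access chain above. The subnets behind the <HIDDEN FOR SECURITY> src ACLs, the user lists and the single pattern kept per dstdom_regex ACL are constructed assumptions, and the 407 challenge Squid sends when Proxy-Authorization is missing is not modelled.

```python
import ipaddress
import re

# Constructed stand-in subnets for the <HIDDEN FOR SECURITY> src ACLs (assumptions).
SRC_ACLS = {
    "NoAuthNec": ["192.0.2.0/28"],   # assumption: a range that needs no login
    "BrkRm":     ["192.0.2.64/26"],  # assumption: the break-room range
}
DOM_ACLS = {  # dstdom_regex ACLs from the question, trimmed to one pattern each
    "whsws": r"\.kernel\.org$",
    "RestrictUTube": r"youtube\.com",
}
# proxy_auth ACLs: None means REQUIRED (any authenticated user), else a user list.
AUTH_ACLS = {"password": None, "UTubeUsers": {"alice"}}

# Subset of the question's http_access chain, in its original order (first match wins).
RULES = [
    ("allow", ["whsws"]),
    ("deny",  ["BrkRm", "RestrictUTube"]),
    ("allow", ["RestrictUTube", "UTubeUsers"]),
    ("deny",  ["RestrictUTube"]),
    ("allow", ["NoAuthNec"]),
    ("allow", ["BrkRm"]),
    ("allow", ["password"]),
    ("deny",  ["all"]),
]

def effective_client_ip(peer_ip, xff, trusted=("127.0.0.1",)):
    """follow_x_forwarded_for allow localhost + acl_uses_indirect_client on:
    start at the TCP peer and step back through X-Forwarded-For (right to left)
    only while the current hop is trusted; a forged header from elsewhere is ignored."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    current = peer_ip
    while hops and current in trusted:
        current = hops.pop()
    return current

def acl_matches(name, req):
    """req: dict with 'client' (effective IP), 'host' (dst domain), optional 'user'."""
    if name == "all":
        return True
    if name in SRC_ACLS:
        addr = ipaddress.ip_address(req["client"])
        return any(addr in ipaddress.ip_network(n) for n in SRC_ACLS[name])
    if name in DOM_ACLS:
        return re.search(DOM_ACLS[name], req["host"], re.IGNORECASE) is not None
    if name in AUTH_ACLS:
        user = req.get("user")
        return user is not None and (AUTH_ACLS[name] is None or user in AUTH_ACLS[name])
    raise KeyError("unknown acl " + name)

def http_access(peer_ip, host, xff=None, user=None):
    """First-match evaluation of RULES. Simplification: a proxy_auth ACL with no
    credentials simply fails to match here; real Squid would answer with a 407."""
    req = {"client": effective_client_ip(peer_ip, xff), "host": host, "user": user}
    for verdict, acls in RULES:
        if all(acl_matches(a, req) for a in acls):
            return verdict, " ".join(acls)
    return "deny", "all"
```

Evaluating the same request with and without the X-Forwarded-For header shows why src-based allows such as NoAuthNec only keep working behind DansGuardian when Squid takes the client address from the header, and why accepting that header from 127.0.0.1 alone keeps a directly connecting client from forging it.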

1 answer

1

Do you have authentication enabled for both Squid and DansGuardian? Because it looks like you do. Disable authentication in Squid and try connecting through DansGuardian again.

    
by 23.07.2011 / 22:20
