Dansguardian package for 2.0

Cino

thanks for the update.. I've give it a try in a bit

burton78

Thanks for all your hard work marcelloc!  This is a great addition to pfsense!  Was wondering if adding a "transparent proxy mode" could be an option as well?

Also I caught a typo for ya too under Daemon -> Parent proxy Settings -> Proxy Port: Sets port number "fro" proxy server.

marcelloc

@burton78:

Thanks for all your hard work marcelloc!  This is a great addition to pfsense!  Was wondering if adding a "transparent proxy mode" could be an option as well?

I'll include PAC configuration to dansguardian package first.

When you enable trasparente proxy, you are not able to authenticate or filter ssl.

I'ts not that good for security at all.

Search for WPAD, PAC proxy.js or proxy.pac to see how auto detecproxy works.

Also I caught a typo for ya too under Daemon -> Parent proxy Settings -> Proxy Port: Sets port number "fro" proxy server.

Thanks.

Cino

here is example of mine that i've been using with squid.

function FindProxyForURL(url, host) {

// If IP address is internal or hostname resolves to internal IP, send direct.

	if (
          isInNet(host, "10.0.0.0", "255.0.0.0") ||
          isInNet(host, "172.16.0.0", "255.240.0.0") ||
          isInNet(host, "192.168.0.0", "255.255.0.0") ||
		  isInNet(host, "127.0.0.0", "255.255.255.0") ||
		  isInNet(host, "192.168.0.100", "255.255.255.255") ||
		  isPlainHostName(host) ||
		  localHostOrDomainIs(host, "127.0.0.1") ||
		  dnsDomainIs(host, ".xxxx.net")
		)

		return "DIRECT";

return "PROXY 192.168.0.1:3128; DIRECT";
}

this is probably more to do with squid then danguardian. i've enabled forwardfor and/or xforwardfor but it always seem to get the IP address of the squid interface in the squid logs… Any ideas? I read there was a patch for squid but this patch is pretty old and you would think it was already built into squid2 and squid3..... i am using squid3 so it could be that...

Any ideas?

marcelloc

@Cino:

return "PROXY 192.168.0.1:3128; DIRECT";

Change this to dansguardian port and enable Auth Plugin on dansguardian general tab, this will log users.

to log x-forwarded ips you need to inlcude this x-forwarder no squid.conf log directive.

I did not found what to change but as you are using version 3.x, this doc can help
http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/

EDIT
Try ip address authentication mode on dansguardian general tab.
This may log ip as a user on your squid.

You can also disable squid log and change dansguardian style to squid.

itoxygen

PfSense 2.0.1 install Dansguardian v.0.1.2
error code
php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian stop' returned exit code '1', the output was 'dansguardian not running? (check /var/run/dansguardian.pid).'
Jan 30 22:13:19 dansguardian[38774]: Error reading custom image file.

where is problem?

marcelloc

@itoxygen:

PfSense 2.0.1 install Dansguardian v.0.1.2
error code
php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian stop' returned exit code '1', the output was 'dansguardian not running? (check /var/run/dansguardian.pid).'
Jan 30 22:13:19 dansguardian[38774]: Error reading custom image file.

where is problem?

try to start on console:
/usr/local/etc/rc.d/dansguardian start

itoxygen

Dansguardian service status is running, but system logs error message

Jan 30 22:36:57 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/dansguardian stop' returned exit code '1', the output was 'dansguardian not running? (check /var/run/dansguardian.pid).'
Jan 30 22:36:57 dansguardian[50366]: Error reading custom image file.

Content filter not working

marcelloc

Are you configuring client browser to use squid port or dansguardian port?

Can you paste return from:
ps ax | grep -i dansguardian

itoxygen

Squid transparent proxy mode port number 3128, I add the adress to the black list of squid, it works without problem

$ ps ax | grep -i dansguardian
  130  ??  I      0:00.00 /usr/local/sbin/dansguardian
  366  ??  I      0:00.00 /usr/local/sbin/dansguardian
  527  ??  I      0:00.00 /usr/local/sbin/dansguardian
  557  ??  I      0:00.00 /usr/local/sbin/dansguardian
  895  ??  I      0:00.00 /usr/local/sbin/dansguardian
1176  ??  I      0:00.00 /usr/local/sbin/dansguardian
1288  ??  I      0:00.00 /usr/local/sbin/dansguardian
1464  ??  I      0:00.00 /usr/local/sbin/dansguardian
1530  ??  I      0:00.00 /usr/local/sbin/dansguardian
48666  ??  S      0:00.00 sh -c ps ax | grep -i dansguardian
48931  ??  S      0:00.00 grep -i dansguardian
63558  ??  Is    0:00.02 /usr/local/sbin/dansguardian
63861  ??  I      0:00.01 /usr/local/sbin/dansguardian

marcelloc

@itoxygen:

Squid transparent proxy mode port number 3128, I add the adress to the black list of squid, it works without problem

Your dansguardian is running.

Instead of using squid on transparent mode, config your browser to use dansguardian ip and port.

If you want o improve your transparente setup, configure WPAD/PAC on your DHCP.

itoxygen

my system configurations was working without problem on the squidquard, I unistalled squidquard and i installed dansquardian but now filter function is not working

marcelloc

@itoxygen:

my system configurations was working without problem on the squidquard, I unistalled squidquard and i installed dansquardian but now filter function is not working

Try a simple https://facebook.com with squid transparent + squidguard to see how transparent proxy is a ilusion of web filtering.

Dansguardian must stays in front of squid and a proxy configuration must exist to filter https and authenticate users.

If you really need transparent squid, you will need to setup a squid -> dansguardian -> squid.

Dansguardian does not works like squidguard, take a look on dansguardian website do understand better how it works.

itoxygen

Can you inform me with a more detailed explanation? If it is possible an explanation step by step for the settings of dans guardian will be better for me. I really appreciate your help. Thank you very much.

marcelloc

@itoxygen:

Can you inform me with a more detailed explanation? If it is possible an explanation step by step for the settings of dans guardian will be better for me. I really appreciate your help. Thank you very much.

If you understand the transparent proxy limitation, follow these links to get how automatic proxy configuration works

WPAD/PAC info
http://www.davidpashley.com/articles/automatic-proxy.html

http://www.grape-info.com/doc/win2000srv/internet-gw/wpad/index.html

Cino

i'm going to keep my auto proxy config pointing directly to squid's port but on certain computers, manually enter the port for dansguardian.

For client ip logging from dansguard to squid, what i'm finding is there are 2 IPs, the client IP and 127.0.0.1. Going to http://checker.samair.ru/ show's this request when I have either forwardfor and/or usexforwardfor within dansguard and Disable X-Forward in squid unchecked.

squid logs only shows 127.0.0.1.. I'll have to do some more research and do some packet sniffing to verify whats going on…. Its been awhile, but i remember this work prefect when I was using 'client - hvap - squid'.. Squid reported the real client IP in its logs...

EDIT: I did a quick tcpdump and dansguard seems to sending the client IP under X-Forward-For within HTTP traffic.

marcelloc

If you change dansguardian log to squid format don't get the same result as squid log?

EDIT

If I have some time tomorrow I'll see if I can find how HAVP before squid don't affect squid log.

Cino

@marcelloc:

If you change dansguardian log to squid format don't get the same result as squid log?

true.. since i want to have the bulk of the clients going to squid directly and a couple going to dansguard then squid.. It would be nice to have it one log for lightsquid. No biggie right now as I think its a squid3 issue and not dansguardian…. i would downgrade to squid2 but need ipv6 for a certain setup i have..

i'll keep messing around with it but since dansguardian can out put a squid log, there is a workaround.

Cino

i got it to work… some how...lol

thanks again for all your help... I'm still going to mess around with the settings but squid3 is logging the client ip via dansguardian

I did add this to my squid options:
follow_x_forwarded_for allow localhost
forwarded_for delete

sqstat still shows the localhost when I do real-time monitoring but the log shows the client ip.. Which in away makes sense

marcelloc

package version 0.1.3 is out

main chages:

• cron updates for blacklist and clamav

• template field for custom error page

• fix some typos

still missing

• SSL men in the middle feature