2 issues related to dansguardian (ssl content filtering & xforwardedfor + squid)
-
Hi,
I've got dansguardian running, forwarding to squid on pfSense 2.0.1 amd64
dansguardian = LAN
squid = loop
I've 2 problems now :)
1. If I want to enable SSL filtering I only get an error message like: sec_error_invalid_time
I created the certs with cert manager in pfSense, all default options: one internal CA and one user cert.
2. If I look at my lightsquid proxy report I only see localhost as the user requesting sites. I enabled use xforwardedfor in dansguardian (also tried use forwardedfor).
Any hints?
Thanks.
-
OK :)
SSL error seems related to http://forum.pfsense.org/index.php?topic=46207.0
-
You need to change the squid log format to change the real IP to the xforward IP.
The SSL is an issue I could not fix yet.
-
Hi,
and thanks for your fast reply :)
How do I change the log behaviour?
I couldn't find it in the webgui.
Is it right to use xforwardedfor in dansguardian?
Thanks again :)
-
This is the way to pass the client's real IP.
I'm not sure if this log change can be done via the squid GUI.
-
If I use the example method from squid-cache.org, edited to my needs:
acl localhost src 127.0.0.1;acl my_other_proxy srcdomain .workgroup.local;follow_x_forwarded_for allow localhost;follow_x_forwarded_for allow my_other_proxy;log_uses_indirect_client on;
I can't access the internet anymore. Squid tells me access denied.
If anyone has an idea, I would be glad to hear :)
-
Hi,
Found the solution.
Add to squid custom options:
log_uses_indirect_client on;follow_x_forwarded_for allow localhost;
and in dansguardian choose:
General -> useforwardedfor
If you have more subnets using dansguardian and squid only listening to loop, then add them to allowed subnets under access control in the squid config tab.
Have a nice day!
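
An added example, not part of the thread and not Squid's own code: a small Python model of the backtracking that Squid's documentation describes for follow_x_forwarded_for, showing why the report shows localhost without the directive and why the allow list is best kept as narrow as localhost. The function name, the sample addresses and the handling of malformed header entries are assumptions made for the illustration.

```python
import ipaddress


def indirect_client(peer, xff_header, trusted_nets):
    """Return the address that would be logged with log_uses_indirect_client on.

    peer         -- source address of the connection the proxy accepted
    xff_header   -- raw X-Forwarded-For value, or None if absent
    trusted_nets -- networks matched by 'follow_x_forwarded_for allow'
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = ipaddress.ip_address(peer)
    # Backtrack right to left, but only while the current hop is trusted
    # to have set the header honestly.
    while hops and any(current in net for net in trusted):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # assumption: a malformed entry ends the walk
    return str(current)


if __name__ == "__main__":
    # Constructed cases: DansGuardian on loopback, LAN client 192.168.1.50.
    loop_only = ["127.0.0.1/32"]
    cases = [
        ("directive missing", "127.0.0.1", "192.168.1.50", []),
        ("allow localhost", "127.0.0.1", "192.168.1.50", loop_only),
        ("client bypasses filter, forges header",
         "192.168.1.50", "10.9.9.9", loop_only),
        ("forged entry, filter appends real client",
         "127.0.0.1", "10.9.9.9, 192.168.1.50", loop_only),
        ("same header, allow list too broad",
         "127.0.0.1", "10.9.9.9, 192.168.1.50", ["0.0.0.0/0"]),
    ]
    for label, peer, xff, nets in cases:
        print(f"{label:45s} -> {indirect_client(peer, xff, nets)}")
```

The last case is the one to avoid: once every source is trusted, the logged address is whatever the client typed into the header.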