Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Dansguardian package for 2.0

    Scheduled Pinned Locked Moved pfSense Packages
    492 Posts 51 Posters 472.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • marcellocM
      marcelloc
      last edited by

      The certs looks the same on both.

      On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.

      I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.

      But when I enable ssl mitm log show all ssl as

      DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 -  Default

      Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.

      If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
      #SSL certificate checking path
      #Path to CA certificates used to validate the certificates of https sites.
      sslcertificatepath = '/etc/ssl/certs/'

      After this file edit, apply conf on dansguardian gui.

      att,
      Marcello Coutinho

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • D
        dig1234
        last edited by

        You also need to have symlinks to each of the pem files. The name of symlink will be the computed hash of the cert. Without the properly named symlinks, dansguardian will not see the pem files.
        See this site for a script to create a correct symlink: http://wiki.openwrt.org/doc/howto/wget-ssl-certs

        Or if you use the tars I sent they already have all the symlinks setup just do tar -xzf for both folders.

        @marcelloc:

        The certs looks the same on both.

        On freebsd/pfsense the package installs a unique file with all certs with info and on your tar It's a file for each ca.

        I'm getting the same result here. with or without cert check enabled I can see all ssl sites not in blacklist.

        But when I enable ssl mitm log show all ssl as

        DENIED Certificate supplied by server was not valid: unable to get local issuer certificate CONNECT 0 0 SSL Site 1 200 -  Default

        Tried to copy pfsense created ca to /etc/ssl/certs/ with no success.

        If you can test this, edit /usr/local/pkg/dansguardian.conf.template file to fix sslcertificatepath from pfsense ca-root package
        #SSL certificate checking path
        #Path to CA certificates used to validate the certificates of https sites.
        sslcertificatepath = '/etc/ssl/certs/'

        After this file edit, apply conf on dansguardian gui.

        att,
        Marcello Coutinho

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          No luck.  :(

          using tar or using ca-root package and linking pfsense ca created I always get the same error.

          using only cert check, all https that is not on blacklists goes with no erros
          using ssl mitm every https that is not on whitelist fails with

          The only thing that changed is that the error now says:
          DENIED Failed to negotiate ssl connection to client CONNECT 0 0 SSL Site 1 200

          I did removed all certs, including ca-root package and folders.

          I'll keep trying to identify how to reach each error.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • D
            dig1234
            last edited by

            Your symlinks are probably not working. You should have in the /etc/ssl/certs folder about 180 symlinks that look like similar to these:
            f060240e.0
            f081611a.0
            f15719eb.0
            f3377b1b.0
            f387163d.0
            f39fc864.0
            f4996e82.0

            If you cat one of them you should see a certificate pem file.
            This has nothing to do with the generated pfsense CA certificate. This is for dansguardian to verify the CA's on the genuine certs it's receiving from websites.  It uses the symlinks to quickly locate the correct CA cert.
            That's what cert checking does it checks the website cert against a repository of vaild public CA certs. What's interesting is that dansguardian apparently always does the cert checking if mitm is ON.

            I wonder how we can get that cgi, from the source code it appears to be doing some cookie work. The file mitm.cgi does not appear in the dansguardian-2.12.0.0.tar.gz tarball is that what you're working with?

            1 Reply Last reply Reply Quote 0
            • marcellocM
              marcelloc
              last edited by

              I could not reproduce this file call, just errors or ssl sites normal access.

              Try to copy error template to this cgi script.

              The base folder is /usr/local/www

              I'll commit latest package code with some fixes I did.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • M
                mkaishar
                last edited by

                dumb question…but how do i install this package? i am on 2.0.1 amd64 iso

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  It's on system -> packages  :)

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • marcellocM
                    marcelloc
                    last edited by

                    Version 0.1.5 is out with some fixes and LDAP group based access lists.

                    • Create group acl based on LDAP group name you want to filter

                    • Define userlist frequency update

                    • Apply ldap config

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    1 Reply Last reply Reply Quote 0
                    • A
                      asterix
                      last edited by

                      How do I see the logs and reports of whats blocked and what was searched from my network?

                      1 Reply Last reply Reply Quote 0
                      • marcellocM
                        marcelloc
                        last edited by

                        The dansguardian log file is /var/log/dansguardian/access.log

                        The sarg package will do it on gui but only when dansguardian report is set to squid format.

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        1 Reply Last reply Reply Quote 0
                        • W
                          wheelz
                          last edited by

                          I just came across this and this is great news!  I've been hoping for this to be added so I can give pfsense a full try.  Is this compatible with squid-reverse?  If so, would I load squid-reverse first or vice versa?

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            @wheelz:

                            I just came across this and this is great news!  I've been hoping for this to be added so I can give pfsense a full try.  Is this compatible with squid-reverse?  If so, would I load squid-reverse first or vice versa?

                            I'ts compatible with any squid version on pfsense.

                            Install squid package first and then dansguardian.

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • W
                              wheelz
                              last edited by

                              I originally got a little install-happy when I saw it and just started loading stuff.  For some reason the dansguardian menu never showed up so I removed all packages and started again - this time slower.  So I installed the squid-reverse package and made sure I could use the proxy first.  That was working after I added the firewall rule to allow 3128.  Then I loaded the dansguardian package (menu showed up this time) and added firewall rule to allow 8080 (I removed the 3128 rule).  I can telnet into port 8080 but it isn't passing web pages back.  Is there another firewall rule I am missing or something else I need to get basic default functionality up?

                              Also, how do you donate towards a package?

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                Did you configured squid ip and port on dansguardian daemon settings?

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • W
                                  wheelz
                                  last edited by

                                  yea, 127.0.0.1 and port 3128.  I tried to keep a lot of defaults just to get it working and then I'll tweak the things I want afterwards.  Still no go though.

                                  1 Reply Last reply Reply Quote 0
                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    try to run it on console/ssh

                                    /usr/local/etc/rc.d/dansguardian start

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • W
                                      wheelz
                                      last edited by

                                      I think it is already started.  Both squid and dansguardian services show as being started.  I can open a connection to port 8080 so I know it is listening.  Perhaps dansguardian and squid just aren't talking yet?  I have squid listening on loopback.  Do I need a firewall rule to allow loopback traffic?

                                      1 Reply Last reply Reply Quote 0
                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        No, loopback traffic is Allowed by default.

                                        What do you see in dansguardian logs?

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • W
                                          wheelz
                                          last edited by

                                          Hmm… I restarted the services and now squid won't start.  This is actually what I had happening the first time I set it up.  I get the following when I try to start it from the command line:

                                          2012/03/26 20:52:00| parseConfigFile: squid.conf:18 unrecognized: 'sslcrtd_children'
                                          2012/03/26 20:52:00| ACL name 'all' not defined!
                                          FATAL: Bungled (null) line 182: http_reply_access allow all
                                          Squid Cache (Version 2.7.STABLE9): Terminated abnormally.

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            Dansguardian package does not force a squid install if you have squid already installed. Try to reinstall squid package.

                                            Treinamentos de Elite: http://sys-squad.com

                                            Help a community developer! ;D

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.