Dansguardian package for 2.0
-
No luck. :(
Using tar or using ca-root package and linking pfsense ca created, I always get the same error.
Using only cert check, all https that is not on blacklists goes with no errors.
Using ssl mitm, every https that is not on whitelist fails with
The only thing that changed is that the error now says:
DENIED Failed to negotiate ssl connection to client CONNECT 0 0 SSL Site 1 200
I did remove all certs, including ca-root package and folders.
I'll keep trying to identify how to reach each error.
-
Your symlinks are probably not working. You should have in the /etc/ssl/certs folder about 180 symlinks that look similar to these:
f060240e.0
f081611a.0
f15719eb.0
f3377b1b.0
f387163d.0
f39fc864.0
f4996e82.0
If you cat one of them you should see a certificate pem file.
This has nothing to do with the generated pfsense CA certificate. This is for dansguardian to verify the CAs on the genuine certs it's receiving from websites. It uses the symlinks to quickly locate the correct CA cert.
That's what cert checking does: it checks the website cert against a repository of valid public CA certs. What's interesting is that dansguardian apparently always does the cert checking if mitm is ON.
I wonder how we can get that cgi; from the source code it appears to be doing some cookie work. The file mitm.cgi does not appear in the dansguardian-2.12.0.0.tar.gz tarball; is that what you're working with?
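Added example, not part of the post above or of the dansguardian package: a POSIX sh function that audits a hashed CA directory such as the /etc/ssl/certs folder described in that post, reporting hash-named links whose target is missing or is not a PEM certificate. The function name `check_hash_links` and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Audit an OpenSSL-style hashed CA directory (example code, names are hypothetical).
# Usage: check_hash_links /etc/ssl/certs
# Prints "ok=<n> broken=<n> notpem=<n>" on stdout, details on stderr.
# Returns 0 only if at least one link was found and none is broken.
check_hash_links() {
    dir=$1
    ok=0
    broken=0
    notpem=0
    for link in "$dir"/*; do
        name=${link##*/}
        # Only look at hash names: 8 hex digits, a dot, a sequence number
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -e "$link" ]; then
            # -e follows the symlink, so this is a dangling link
            broken=$((broken + 1))
            echo "BROKEN  $name -> $(readlink "$link")" >&2
        elif grep -q -e '-----BEGIN .*CERTIFICATE-----' "$link"; then
            ok=$((ok + 1))
        else
            # Target exists but does not contain a PEM certificate
            notpem=$((notpem + 1))
            echo "NOT PEM $name" >&2
        fi
    done
    echo "ok=$ok broken=$broken notpem=$notpem"
    [ "$ok" -gt 0 ] && [ "$broken" -eq 0 ] && [ "$notpem" -eq 0 ]
}
```

A result with `ok=0`, or any `BROKEN` line, means certificate checking has no usable CA store to verify site certificates against.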
-
I could not reproduce this file call, just errors or ssl sites normal access.
Try to copy error template to this cgi script.
The base folder is /usr/local/www
I'll commit latest package code with some fixes I did.
-
Dumb question… but how do I install this package? I am on 2.0.1 amd64 iso.
-
It's on system -> packages :)
-
Version 0.1.5 is out with some fixes and LDAP group based access lists.
-
Create group acl based on LDAP group name you want to filter
-
Define userlist frequency update
-
Apply ldap config
-
-
How do I see the logs and reports of what's blocked and what was searched from my network?
-
The dansguardian log file is /var/log/dansguardian/access.log
The sarg package will do it on gui but only when dansguardian report is set to squid format.
-
I just came across this and this is great news! I've been hoping for this to be added so I can give pfsense a full try. Is this compatible with squid-reverse? If so, would I load squid-reverse first or vice versa?
-
It's compatible with any squid version on pfsense.
Install squid package first and then dansguardian.
-
I originally got a little install-happy when I saw it and just started loading stuff. For some reason the dansguardian menu never showed up so I removed all packages and started again - this time slower. So I installed the squid-reverse package and made sure I could use the proxy first. That was working after I added the firewall rule to allow 3128. Then I loaded the dansguardian package (menu showed up this time) and added firewall rule to allow 8080 (I removed the 3128 rule). I can telnet into port 8080 but it isn't passing web pages back. Is there another firewall rule I am missing or something else I need to get basic default functionality up?
Also, how do you donate towards a package?
-
Did you configure squid ip and port on dansguardian daemon settings?
-
yea, 127.0.0.1 and port 3128. I tried to keep a lot of defaults just to get it working and then I'll tweak the things I want afterwards. Still no go though.
-
try to run it on console/ssh
/usr/local/etc/rc.d/dansguardian start
-
I think it is already started. Both squid and dansguardian services show as being started. I can open a connection to port 8080 so I know it is listening. Perhaps dansguardian and squid just aren't talking yet? I have squid listening on loopback. Do I need a firewall rule to allow loopback traffic?
-
No, loopback traffic is allowed by default.
What do you see in dansguardian logs?
-
Hmm… I restarted the services and now squid won't start. This is actually what I had happening the first time I set it up. I get the following when I try to start it from the command line:
2012/03/26 20:52:00| parseConfigFile: squid.conf:18 unrecognized: 'sslcrtd_children'
2012/03/26 20:52:00| ACL name 'all' not defined!
FATAL: Bungled (null) line 182: http_reply_access allow all
Squid Cache (Version 2.7.STABLE9): Terminated abnormally.
-
Dansguardian package does not force a squid install if you have squid already installed. Try to reinstall squid package.
-
I fixed it! ;D I guess somehow a line got removed from the squid conf. I just added
acl all src 0.0.0.0/0.0.0.0
to the custom options and now both squid and dans are working.
-
Is it possible to have Active Directory pass-through authentication so that users don't have to enter a user name and password to browse through squid/dans?