
    Squid + Dansguardian issue

      LordCadbury

      Anyone?

      Do I need to provide more info? If so, what?

        LordCadbury

        12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.pfsense.org%2F&ei=ddymUqfrCYWp7AbG-IGgDQ&usg=AFQjCNFmdoam9UPDzW72Y1FjKVDI2Vd47Q&bvm=bv.57799294,d.d2k CONTENTMOD  GET 385 0  1 200 text/html  Default  - -
        12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD  POST 3605 0  1 503 text/html  Default  - - application/ocsp-request,,107,0,,0;
        12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD  POST 3605 0  1 503 text/html  Default  - - application/ocsp-request,,107,0,,0;

        Copy of 3 entries from syslog server when going to google.co.uk, searching for pfsense and then clicking the link.

          LordCadbury

          12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.pfsense.org%2F&ei=ddymUqfrCYWp7AbG-IGgDQ&usg=AFQjCNFmdoam9UPDzW72Y1FjKVDI2Vd47Q&bvm=bv.57799294,d.d2k CONTENTMOD  GET 385 0  1 200 text/html  Default  - -
          12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD  POST 3605 0  1 503 text/html  Default  - - application/ocsp-request,,107,0,,0;
          12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD  POST 3605 0  1 503 text/html  Default  - - application/ocsp-request,,107,0,,0;

          Copy of 3 entries from syslog server when going to google.co.uk, searching for pfsense and then clicking the link.

          1384976437.027  13244 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -
          1384976437.027  12965 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -
          1384976484.611  59615 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -

          Copy from Squid Log.

            rjcrowder

            I tried this on my squid/dg setup and didn't have any issue…

            From this site - http://contentfilter.futuragts.com/wiki/doku.php?id=the_access.log_files - it appears that perhaps you have something in your content regular expression list that is modifying the returned content?

              LordCadbury

              I've added the following http://forum.pfsense.org/index.php?topic=68975.0 to ACLs > URL Lists > Default Url Access List > Modify Section; Enable is ticked.

                rjcrowder

                I will look at my rewrite rules when I get home… The difference in how I'm setup vs. what you are doing is that I force non-SSL google search using DNS overrides.

                Regardless... it seems that the rewrite stuff is what is messing you up. Can you disable it and test that things work?

                  LordCadbury

                  I've just gone in and unchecked the Enable tick box, restarted Dansguardian Server and tried again.

                  12-11-2013 08:19:04 User.Info 192.168.1.1 Dec 11 08:18:51 dansguardian[79155]: 2013.12.11 8:18:51 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.joules.com%2F&ei=6R-oUpH4GfLQ7Aa6tIDIAQ&usg=AFQjCNGogxNmwosX9d770DUhTMpRsazJXQ&bvm=bv.57799294,d.ZGU CONTENTMOD  GET 383 0  1 200 text/html  Default  - -
                  12-11-2013 08:18:51 Local0.Info 192.168.1.1 Dec 11 08:18:38 pf:    192.168.1.15 > 224.0.0.252: igmp v2 report 224.0.0.252
                  12-11-2013 08:18:51 Local0.Info 192.168.1.1 Dec 11 08:18:38 pf: 00:00:04.898251 rule 80/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13621, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
                  12-11-2013 08:18:48 User.Info 192.168.1.1 Dec 11 08:18:36 dansguardian[79155]: 2013.12.11 8:18:36 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD  POST 3613 0  1 504 text/html  Default  - - application/ocsp-request,,107,0,,0;
                  12-11-2013 08:18:47 Local0.Info 192.168.1.1 Dec 11 08:18:34 pf:    0.0.0.0 > 224.0.0.1: igmp query v2
                  12-11-2013 08:18:47 Local0.Info 192.168.1.1 Dec 11 08:18:34 pf: 00:02:02.601002 rule 3/0(match): block in on re0: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
                  12-11-2013 08:18:37 User.Info 192.168.1.1 Dec 11 08:18:24 dansguardian[79155]: 2013.12.11 8:18:24 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.joules.com%2F&ei=oB-oUpCiEYr17Ab-x4GQBw&usg=AFQjCNGogxNmwosX9d770DUhTMpRsazJXQ&bvm=bv.57799294,d.ZGU CONTENTMOD  GET 383 0  1 200 text/html  Default  - -

                  From the syslog it looks like the content mod is still being picked up but I can't find where….

                    LordCadbury

                    Can anyone offer any more advice?

                      rjcrowder

                      I apologize that I cannot be of more help on this but I can't replicate the problem. As a matter of fact, I can't seem to get anything to show up as "CONTENTMOD" in my logs… It makes me question whether my rules are even working!

                      I posted in the thread you referenced previously and asked if others were seeing these log entries and got no response...

                        timthetortoise

                        Does your relevant dansguardianfX.conf file look correct? If not, please try this fix, re-save your ACLs, and try again. Make absolutely sure you re-save your rules. Really, it should not need this fix since it was merged before release - but you never know.

                          rjcrowder

                          I'll check the conf file when I get home… pretty sure it is right though because I remember viewing the thread you reference and also remember checking that it was fixed...

                          However... can you confirm - should I be seeing "CONTENTMOD" (or something similar) in my DG access log? Are you seeing them for situations where the query string is being modified? Thanks!

                            LordCadbury

                            @timthetortoise:

                            Does your relevant dansguardianfX.conf file look correct? If not, please try this fix, re-save your ACLs, and try again. Make absolutely sure you re-save your rules. Really, it should not need this fix since it was merged before release - but you never know.

                            Hi

                            I had a quick look into that fix and my /usr/local/pkg/dansguardian.inc file already looks like the one that's been 'fixed'.

                            Any more ideas?

                              timthetortoise

                              Please post screens of your ACLs that you're using, or the configuration files for them. It sounds like something is still enabled that shouldn't be.

                                LordCadbury

                                I'll upload the logs, whereabouts can they be found?

                                  timthetortoise

                                  Er, the logs aren't as important as your actual configs. Screenshots of your ACLs in your GUI config would suffice.

                                    LordCadbury

                                    Hi

                                    I've attached a zip file of all the ACL lists (there are about 30). I hope these are not overly complicated to follow. I can upload specific screenshots if needed.

                                    https://www.dropbox.com/s/8lb8w4g7do853bm/ScreenShots.rar

                                    Thanks

                                      timthetortoise

                                      Could you post your $dansguardian_dir/etc/dansguardian/lists/contentregexplist.* files, and your $dansguardian_dir/etc/dansguardian/dansguardianf*.conf files? This is definitely a case of something getting mangled by something in the "Content Lists" ACL.

                                        LordCadbury

                                        I've only just seen this reply!

                                        I have done some work: I removed DG and reinstalled it, removed all the config files, ACLs and blocked lists and started again. I have been through all the files that have regex in the file name and turned everything off but the problem still persists. I have just tried google.com and got the below in my syslog.

                                        2014-01-11 08:51:31 User.Info 192.168.1.1 Jan 11 08:51:29 dansguardian[16727]: 2014.1.11 8:51:29 - 192.168.1.37 http://google.com CONTENTMOD  GET 219 0  1 301 -  Default  - -

                                        I'll try and post the files later.

                                          LordCadbury

                                          Files Attached.

                                          contentregexplist.Default.txt
                                          contentregexplist.g_Default.txt
                                          contentregexplist.txt
                                          dansguardian.conf.txt
                                          dansguardianf1.conf.sample.txt
                                          dansguardianf1.conf.txt

                                            timthetortoise

                                            So looking at your configs, you have a lot of uncommented lines. My first recommendation would be to completely empty your contentregexplist.Default list (cat /dev/null > /usr/pbi/dansguardian-xxx/etc/dansguardian/lists/contentregexplist.Default) and your contentregexplist.g_Default list. Reload DG, test. I don't necessarily see anything in the files that would be doing this, but for testing purposes it's best to just have blank files in general. Let me know what effect, if any, that has, and we can go from there.

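The check the last few posts work toward (which content-regex list each filter group really loads, and whether it still holds active rules), as an added example that is not code from the thread or from the DansGuardian package. It assumes the `contentregexplist = '...'` setting in each dansguardianfN.conf and `#` comment lines in the list files; the function names are hypothetical, and the sample files it builds when run without an argument are constructed.

```shell
#!/bin/sh
# Report which content-regex list each DansGuardian filter group loads and
# how many active (non-blank, non-comment) rules that list contains.

# Print the active rules of one list file, prefixed with their line numbers.
active_rules() {
    # Drop blank lines and lines whose first non-space character is '#'.
    grep -n -v -E '^[[:space:]]*(#|$)' "$1" 2>/dev/null
}

# Count active rules in one list file (0 for an empty or missing file).
count_active() {
    active_rules "$1" | wc -l | tr -d ' '
}

# Extract the contentregexplist path from one dansguardianfN.conf file.
# Assumption: the setting uses the  key = 'value'  form; commented-out
# settings are ignored because the key must start the line.
regexlist_path() {
    sed -n -E "s/^[[:space:]]*contentregexplist[[:space:]]*=[[:space:]]*'([^']*)'.*/\1/p" "$1" | head -n 1
}

# For every filter-group config in a directory, print: conf list count
audit_groups() {
    for conf in "$1"/dansguardianf*.conf; do
        [ -f "$conf" ] || continue
        list=$(regexlist_path "$conf")
        [ -n "$list" ] || { echo "$conf - no contentregexplist set"; continue; }
        echo "$conf $list $(count_active "$list")"
    done
}

# With a directory argument, audit it; with none, run on constructed samples.
if [ "$#" -gt 0 ]; then
    audit_groups "$1"
else
    demo=$(mktemp -d)
    printf '%s\n' '# sample comment' '"colour"->"color"' > "$demo/contentregexplist.Default"
    printf '%s\n' "contentregexplist = '$demo/contentregexplist.Default'" > "$demo/dansguardianf1.conf"
    audit_groups "$demo"
    rm -rf "$demo"
fi
```

Pass the package's etc/dansguardian directory as the argument; any group that reports a count above 0 still has rules that can produce CONTENTMOD, and `active_rules` on that list shows them by line number.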