Dansguardian package for 2.0
-
its not the same error as I was having… I wasn't getting an error at all... Nothing in my logs.
What port did you setup dansguardian on?
Is squid setup to run on loopback or LAN interface?
Dansguardian is on 8080 and squid on LAN interface 3128 default port.
-
This seems to indicate that other have this working. I'm wondering if it has to do with that multiple authplugin bug… I'll see what I can dig up.
Try to run dansguardian on console to see if there is any running time/config erros
/usr/local/etc/rc.d/dansguardian start
/usr/local/etc/rc.d/dansguardian start
kern.ipc.somaxconn: 16384 -> 16384
kern.maxfiles: 131072 -> 131072
kern.maxfilesperproc: 104856 -> 104856
kern.threads.max_threads_per_proc: 4096 -> 4096
dansguardian already running? (pid=6485).There is no problem with it running, it seems stable, just not working.
-
The way I use is squid on loopback interface port 3128 and dansguardian on 8080 sending to 127.0.0.1 port 3128.
Check squid cache log to see if there's errors or warnings.
-
its not the same error as I was having… I wasn't getting an error at all... Nothing in my logs.
What port did you setup dansguardian on?
Is squid setup to run on loopback or LAN interface?
Dansguardian is on 8080 and squid on LAN interface 3128 default port.
I think the problem I have, dansguardian is starting before squid. I have squid listening to LAN(IPv4 and IPv6) and loopback. Dansguardian is on LAN 8080 and directs its traffic to squid loopback 3128
-
SUCCESS!! ;D After much trial and error I now have SSO ntlm authentication working with squid and dansguardian on pfsense (kerberos wasn't the issue). User names are now showing up in the access.log (for both). Once I can sort through the process again and document it I will post it for everyone's benefit.
Before I do that though I would like to have it resolving AD groups to map users to filtering groups working. Right now I have an ldap configuration defined as such (the names have been changed to protect the innocent):
Hostname: dc1.domain.local
Domain: dc=domain,dc=local
Username: cn=pfsense01ldap,ou=Services,ou=myOU
Password: **********
mask: USERI also created a test filtering group named "pfsenseUsers" which is the same name as a group in AD and pointed it to the ldap configuration above with a 2m update frequency. However a user in the pfsenseUsers group still get the "Default" filter group in the logs. Do I have the mask wrong (I wasn't sure what I needed there)? or is there something else I missed?
-
Great news wheelz! :D
Do I have the mask wrong (I wasn't sure what I needed there)? or is there something else I missed?
check how users are listed on dansguardian log and try to set it on groups.
-
Great news wheelz! :D
Do I have the mask wrong (I wasn't sure what I needed there)? or is there something else I missed?
check how users are listed on dansguardian log and try to set it on groups.
It just shows the user name and that's it. What config files contain the ldap connection settings and the mapping of the filter groups to ldap connections? I can see them in the GUI but couldn't find them in the backend files like dansguardian.conf…
-
The ldap fetch is done by dansguardian_ldap.PHP
It's not from dansguardian configuration.
How users are listed on dansguardian user tab?
-
The way I use is squid on loopback interface port 3128 and dansguardian on 8080 sending to 127.0.0.1 port 3128.
Check squid cache log to see if there's errors or warnings.
feel like a dufus, I was sending dansguardian to loopback, but squid was listening on LAN NIC.
FYI, default config finds this innapropriate ;D
Thanks guys, really helpful forum here. -
The ldap fetch is done by dansguardian_ldap.PHP
It's not from dansguardian configuration.
How users are listed on dansguardian user tab?
That tab just has the user name as well. Interestingly enough there is a user there that I did not put in. In my AD group I have two users. The one I was testing with and another one. The other one is listed. I'm guessing that maybe it was working at one point and now is not updating since I think I added the second user (the one I was testing with) to it later… Is there a log for the ldap fetch?
-
Is there a log for the ldap fetch?
No but you can run it on console/ssh and see the output.
php /usr/local/www/dansguardian_ldap.php
-
Here is my output:
Content-type: text/html
Group : pfsenseUsers
Warning: ldap_search(): Search: Bad search filter in /usr/local/www/dansguardian_ldap.php on line 77
Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /usr/local/www/dansguardian_ldap.php on line 78
-
Clean your pfsenseUsers list on dansguardian config and run it again.
When script find new config it show a message.
-
I've done some testing and it seems like there might be a couple bugs… It works for the most part, however for some reason it never adds one user account (the one I was testing with). However, the total number of users (in the dansguardian group title over the user list, in parenthesis) does add one to the total count even though it doesn't show up in the list (except when no other users are in the group). But if I remove the problem account from the AD group, the total user account for for that group doesn't go down in pfsense. I have no idea what is different about this one account that would cause it to have a problem with it. Also the warnings only show up when the problem account is in the AD group.
Now all other accounts I have tried adding and removing works except if you remove all users from the AD group. As soon as the AD group is empty, the user list in dansguardian is frozen as it was before the AD group was empty (never removes them). In this case the command line never returns this message like it usually would with a change:
user list from LDAP is different from current group, applying new configuration…done
So sounds like 2 bugs possibly? One that only shows up for an account if there is a yet unknown specific circumstance. And another on that doesn't make the change if all users have been removed from the AD group.
-
I just figured out what was different on that one account. Apparently the script can't handle () characters in the distinguished name. After renaming without the () characters, it is working. Ideally all characters that AD supports should be handled but that could be MS diverging from LDAP standards too… so depending on if it is in the LDAP standards it may or may not make sense to fix that (of if you just want to avoid possible AD issues).
The other issue of not updating after the AD group is empty still happens though. Easy enough to work around (delete it from pfsense) but something to put on the list to fix.
-
I just figured out what was different on that one account. Apparently the script can't handle () characters in the distinguished name. After renaming without the () characters, it is working. Ideally all characters that AD supports should be handled but that could be MS diverging from LDAP standards too… so depending on if it is in the LDAP standards it may or may not make sense to fix that (of if you just want to avoid possible AD issues).
This script running for squidguard breaks xml with special characters. On dansguardian, the config filed for users are base64 encoded, so you can fetch it but will not apply correctly. My suggestion is to work around this limitation by do no use characters other then [a-z,A-Z,0-9].
The other issue of not updating after the AD group is empty still happens though. Easy enough to work around (delete it from pfsense) but something to put on the list to fix.
It makes sense. if there is no users on groups, then there is no loop to do. :P
-
It makes sense. if there is no users on groups, then there is no loop to do. Tongue
I don't think you got what I meant. So I add a user to the AD group; it adds a user in pfsense/dansguardian. I then remove that user from the AD group; it does nothing so the user still exists in pfsense/dansguardian. If I add 10 users, it adds 10. If I then remove all 10 users at once, all 10 users remain in pfsense/dansguardian. So you can never remove access for all users via an AD group. At best you can remove 9 first, but then you will always have that 1 left that won't get removed (unless you do it in the pfsense gui).
Like I said, easy work around but still a bug. ;)
-
I understood you, I was just explaining why there was no update on empty groups :)
-
So I was able to get the newer version of squid by loading the squid-reverse package after dansguardian however there are issues with this. For some reason squid then can't start on its own after boot up. I have to run /usr/local/etc/rc.d/squid.sh start and then it will start (doesn't work from the GUI). Also sarg can't find the dansguardian log (could before). Since there are issues with this way, it sounds like I'll have to wait until that is updated before I use this setup.
Also how is the dansguardian patch coming? That is the other thing I think I need to wait on as I will have both ntlm and IP authenticated users and can't use both authplugins at the moment. What are you running into with the patch? Perhaps I could help figure something out?
Thanks marcelloc for all the great work you are doing!
-
So I was able to get the newer version of squid by loading the squid-reverse package after dansguardian however there are issues with this. For some reason squid then can't start on its own after boot up. I have to run /usr/local/etc/rc.d/squid.sh start and then it will start (doesn't work from the GUI). Also sarg can't find the dansguardian log (could before). Since there are issues with this way, it sounds like I'll have to wait until that is updated before I use this setup.
It's working for me.
I did dansguardian install and then squid-reverse install.
something I've added was a cron job to check squid status. when offline, script runs /usr/local/sbin/squidAlso how is the dansguardian patch coming? That is the other thing I think I need to wait on as I will have both ntlm and IP authenticated users and can't use both authplugins at the moment. What are you running into with the patch? Perhaps I could help figure something out?
I'm still getting alloc erros on dansguardian while trying to compile it with squid3 and multi plugin patch.
-
SSL filtering working now?
-
- 12 days later
-
SSL filtering working now?
I am able to get past the Invalid Server Certificate error message by dropping all the recognized public CA certs in the /etc/ssl folder (along with the appropriate symlinks named with the hash value of each cert) but I'm stuck on a missing cgi script called mitm.cgi.
Daniel Barron over on the dansguardian-dev list informed me that this script has not been open sourced by smoothwall and that we would have to reverse engineer/rewrite it based on the dansguardian mitm source code.If you want more details on how to install those certs let me know.
-
If you want more details on how to install those certs let me know.
dig1234,
I've already included the ca-root package as well links to ca folder, can you test on a virtual machine if this patch results on the same point you got?
-
dig1234,
I've already included the ca-root package as well links to ca folder, can you test on a virtual machine if this patch results on the same point you got?
Hi I tried this, fresh pfsense install on vmware, installed dans and squid, turned on cert check & mitm. Now I just get connection refused when trying https sites. Also in the logs I see dansguardian[17654]: error opening new certificate. So, no I am not at the same place.
One thing I noticed is that you have added the 150 public certs to /etc/ssl but they are all in one file called cert.pem. Dans wants each one to be in a separate. Also they need to be named with the hash value of the cert (or symlinks by that name). They should look something like this:
ef2f636c.0
f060240e.0
f081611a.0
f15719eb.0
f3377b1b.0UPDATE:
I turned off mitm and left cert checking turned on and didn't get any errors so maybe it is finding the certs. The problem now is with creation of the 'forged' certs.. Is there a way to get more verbose logging from dansguardian? -
I had issues and uninstalled DG, Squid, HAVP, reinstalled Dansguardian –--> HAVP ----> WWW, so no more squid.
I now get in the system logs: Dans Guardian [xxxx} "Error connecting via IPC socket to log: No such file or directory"
After a reboot Dansguardian doesnt start, it starts from web configurator fine, workd fine, just using ram I think and get this in the log quite frequently. Any one seen this?
-
After a reboot Dansguardian doesnt start, it starts from web configurator fine, workd fine, just using ram I think and get this in the log quite frequently. Any one seen this?
I experienced the same, dans not starting on reboot but starts fine from webgui later. I attributed it to squid taking a longer time to start, but I could be wrong…
-
I experienced the same, dans not starting on reboot but starts fine from webgui later. I attributed it to squid taking a longer time to start, but I could be wrong…
I've just installed a clean 2.0.1 install with dansguardian and squid3 package and I still had no luck on reproducing this issue.
Can you check what happens during your boot process?
-
After a reboot Dansguardian doesnt start, it starts from web configurator fine, workd fine, just using ram I think and get this in the log quite frequently. Any one seen this?
I experienced the same, dans not starting on reboot but starts fine from webgui later. I attributed it to squid taking a longer time to start, but I could be wrong…
Same issue here and I tend to thing dig1234 is correct… has to be a timing issue - which would be different depending on the machine. That said, doesn't it make sense that DG should start after Squid anyway? DG is dependent on Squid to proxy...
Also, haven't been able to find anywhere that DG gives an error message as to why it won't start. Let me know if you have any idea where I should look.
-
Also, haven't been able to find anywhere that DG gives an error message as to why it won't start. Let me know if you have any idea where I should look.
Can you check boot process just like I've posted?
-
Also, haven't been able to find anywhere that DG gives an error message as to why it won't start. Let me know if you have any idea where I should look.
Can you check boot process just like I've posted?
I couldn't figure out how you got VirtualBox bigger - so I couldn't take a screenshot showing everything… However, the boot looks the exact same as the one you posted with the exception of dansguardian not running... in other words, the ps grepping for dans does not show anything.
BTW. I noted that if you install the old version of squid, it starts before dans.
-
I couldn't figure out how you got VirtualBox bigger
printscreens and paint/gimp ;)
In other words, the ps grepping for dans does not show anything.
BTW. I noted that if you install the old version of squid, it starts before dans.
I'm checking dansguardian boot process. I've fixed clamav startup error when enabled on dansguardian but I'll do more tests before publishing and I still have no idea why some systems are getting issues on boot and other don't.
-
I couldn't figure out how you got VirtualBox bigger
printscreens and paint/gimp ;)
In other words, the ps grepping for dans does not show anything.
BTW. I noted that if you install the old version of squid, it starts before dans.
I'm checking dansguardian boot process. I've fixed clamav startup error when enabled on dansguardian but I'll do more tests before publishing and I still have no idea why some systems are getting issues on boot and other don't.
So… can't explain it, but DG seems to be starting up fine in the new virtual that I built. This is the first time I've seen it startup without needing to be restarted post-boot. All of that said, I do think that DG should start after squid and suspect that doing so would solve problems that people are having.
I was also wondering if you have given any thought to changing how the GUI handles the "denied" page? The thing that is stopping me from fully switching to PFsense is the fact that the GUI doesn't properly support using an access denied URL and both the GUI and the bootup process insist on overwriting my manual DG bypass changes (see this threadhttp://forum.pfsense.org/index.php/topic,47856.30.html. Obviously I can create a script to restore my changes, but that's a pretty inconvenient hack…
Just wondering... thanks!
-
So I did a little more playing around so that I could be specific about what is necessary to make the bypass feature work correctly (without any overwrite issues)…
1. In the "Report and Log" page...
- Add the ability to specify the "accessdeniedaddress" value instead of just the HTML form content2. In the "Groups" page...
- Add the ability to specify the "accessdeniedaddress"
- Add the ability to specify the "bypasskey"That would basically do it...
-
I've just pushed some fixes do improve dansguardian boot process and checks.
On my tests, dansguardian startup time during boot process reduced to 20 seconds.
Wait 15 minutes, reinstall the package, apply config and reboot.
-
I've just pushed some fixes do improve dansguardian boot process and checks.
On my tests, dansguardian startup time during boot process reduced to 20 seconds.
Wait 15 minutes, reinstall the package, apply config and reboot.
Thanks for the updates… BTW. I made the changes to include 'bypasskey' and 'accessdeniedaddress' on the groups page. Turns out this was all I had to do in order to make my changes work (since the settings in dansguardianf1.conf override those that are set in dansguardian.conf). It was a pretty simple change, but you can drop me an email at randyj.crowder@gmail.com if you want me to send you the three files I had to touch - they were dansguardian_groups.xml, dansguardian.conf.template, dansguardian.inc (in /usr/local/pkg).
-
I made the changes to include 'bypasskey' and 'accessdeniedaddress' on the groups page.
Push these changes via github https://github.com/bsdperimeter/pfsense-packages/tree/master/config/dansguardian.
This way I can check changes and commit to the code.
-
I made the changes to include 'bypasskey' and 'accessdeniedaddress' on the groups page.
Push these changes via github https://github.com/bsdperimeter/pfsense-packages/tree/master/config/dansguardian.
This way I can check changes and commit to the code.
OK…done.
BTW. I was looking at the main "report and log" page (dansguardian_log.xml). The way it really should work is if you pick reporting level 3, then it enables the editing of the html template in the text box. Otherwise, it should enable a field for entering the accessdeniedaddress... I was digging through the package directory and saw how to enable fields from a checkbox, but couldn't figure out how to enable/disable multiple fields based on the value selected from a list... Sorry for my ignorance.
-
OK…done.
I'm seeing only one push on github.
https://github.com/rjcrowder/pfsense-packages/commit/aa9fbaf910c0e1a3465826f9f5483646ab6b819e
What happen if user do not select any custom error page? Your code force this option on dansguardianfx.conf.template
accessdeniedaddress = '{$dansguardian_groups['accessdeniedaddress']}'
-
OK…done.
I'm seeing only one push on github.
https://github.com/rjcrowder/pfsense-packages/commit/aa9fbaf910c0e1a3465826f9f5483646ab6b819e
What happen if user do not select any custom error page? Your code force this option on dansguardianfx.conf.template
accessdeniedaddress = '{$dansguardian_groups['accessdeniedaddress']}'
K… I'll try to figure out what I did wrong on pushing to github - first time I've used it.
As far as the accessdeniedaddress, it should be fine to not specify a URL as long as the reportinglevel is 3. That's why I also "uncommented" the reportinglevel field in dansguardianfx.conf.template.
Like I said on the main page, the UI should only allow you to specify the template content if you choose level 3. Since the template file is global, there is no need to put it on the group page. However, the accessdeniedaddress field should be disabled on the group page if you pick reportinglevel 3 - since it would be ignored anyway.