How to make dansguardian first proxy, then squid? (it's faster this way)

  • I see that by default, the Dansguardian / Squid configuration is set up like this:

    LAN ==>> Dansguardian (Filter)  ==>> Squid (Cache) ==>> WAN(Internet)

    This means that every time I browse, the dansguardian service has to re-filter (re-evaluate) the data coming from the Squid Cache.

    it would be faster to have it set up this way;

    LAN ==>> Squid (Cache) ==>> Dansguardian (Filter) ==>> WAN(Internet)

    This way, the cache would only contain filtered data and Dansguardian would have to work less.

    Am I missing something?

    I would also like to have all this be transparent to the users.

  • burnsl,

    Check dansguardian faq to undestand why dansguardian need a proxy after it.

    General#5. Why does DansGuardian use some other backend proxy (Squid, Oops!, Tinyproxy, etc.)?
    So DansGuardian does not have to re-implement web fetching, network timeouts, retrying, caching, password checking, etc. (The DansGuardian half of a DansGuardian/backend-proxy system is not really a proxy itself, it's more of a filtering pass-though.)

    Few versions ago, dansguardian wan unable to redirect auth to squid. This way the setup was:

    squid with auth and no cache -> dansguardian -> another squid with cache enabled.

    with dansguardian auth plugins, dansguardian forward auth to squid and filter the result.

    dansguardian -> squid

    General#2b. Is a “sandwich” configuration necessary (or even recommended)?
    Some earlier versions of DansGuardian provided NTLM and Digest authentication only via a “sandwich” configuration: User↔Squid↔DansGuardian↔Squid↔Internet (DansGuardian “meat” between two Squid “breads”, get it?). Such configurations are not necessary for either NTLM or Digest authentication with DansGuardian 2.10. Because they are more difficult to configure (disabling caching in the first copy of Squid, etc.), they are seldom even suggested.

    Transparent mode does only filter http traffic, a simple for example "jumps" proxy restriction.

    I prefer using wpad/pac to use browse auto proxy detection function instead of transparent proxy.

    With rdr nat rule you can forward traffic to port 80 to dansguardian port on

  • I tried to follow that…

    I don't fully understand what you're saying I should / can do.

    Can you be more rudimentary in your explanation for me?

  • to use wpad/pac,

    follow this tutorial skipping active directory configuration

  • Okay, so…  i REALLLLY HATE using auto proxy detection stuff, it is a needless delay at each browser start-up.

    I'm likely to forgo using dansguardian...  from your explanation i can tell that this is just too convoluted for an evenings work.

    I do want to cache though.  I guess i'll just use Squid.

    I did want to block crap traffic though.  Using a sandwich also seems like it will slow by whole browsing experience too much over just using a cache.

    Any thoughts?

  • @burnsl:

    Okay, so…  i REALLLLY HATE using auto proxy detection stuff, it is a needless delay at each browser start-up.

    It's not needless if you want to secure https

    squid + squidguard is a good option too but with transparent proxy it will filter only http.

    If you want to filter web content, then you probably need dansguardian.

    check performance with


    See what offers better performance and filtering options.