2 issues related to dansguardian (ssl content filtering & xforwardedfor + squid)



  • Hi,

    i’ve got dansguardian running forwarding to squid on pfSense 2.0.1 amd 64

    dansguardian = LAN
    squid = loop

    i’ve 2 problems now 🙂

    1. if i want to enable ssl filtering i only got an error message like: sec_error_invalid_time

    i created the certs with cert manager in pfsense, all default options. one internal ca and one user cert.

    2. if i look at my lightsquid proxy report i only see localhost as the user requesting sites, i enabled use xforwardedfor in dansguardian (also tried use forwardedfor)

    any hints?

    thanks.



  • OK 🙂

    SSL error seems related to http://forum.pfsense.org/index.php?topic=46207.0



  • You need to change squid log format to change real ip to xforward ip.

    The ssl is a issue I could not fix yet.



  • Hi,

    and thanks to your fast reply 🙂

    How do i change the log behaviour?

    i couldn’t find it on the webgui.

    is it right to use xforwardedfor in dansguardian?

    thanks again 🙂



  • This is the way to pass client real ip.

    I’m not sure if this log change can be done via squid gui.



  • if i use the example method from squid-cache.org, edited to my needs

    acl localhost src 127.0.0.1;acl my_other_proxy srcdomain .workgroup.local;follow_x_forwarded_for allow localhost;follow_x_forwarded_for allow my_other_proxy;log_uses_indirect_client on;

    i can’t access the internet anymore. squid tells me access denied.

    if anyone has an idea, i would be glad to hear 🙂



  • Hi,

    found the solution.

    add to squid custom options

    log_uses_indirect_client on;follow_x_forwarded_for allow localhost;

    and in dansguardian choose:

    General -> useforwardedfor

    if you have more subents using dansguardian and squid only listening to loop then add them to allowed subnets under access control in squid config tab.

    have a nice day!


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy