Dansguardian configuration issue
-
Hello everybody…
I have setup dansguardian + squid as described in this thread http://forum.pfsense.org/index.php/topic,47856.0.html.
I want to use the transparent proxy so I have set up the NAT rule to redirect all the HTTP traffic to the dansguardian port.
All works as expected, but i found one issue: as marcello explained here http://forum.pfsense.org/index.php/topic,57401.msg306746.html#msg306746 the traffic goes through users -> dansguardian -> squid -> internet, but if i set an url (not blocked by dansguardian) in the proxy blacklist the settings get ignored.
Seems to me that the NAT rule bypass the access control settings (and maybe other that i don't have discovered yet) in the proxy.
Any help?
Thank you! -
Hello everybody…
I have setup dansguardian + squid as described in this thread http://forum.pfsense.org/index.php/topic,47856.0.html.
I want to use the transparent proxy so I have set up the NAT rule to redirect all the HTTP traffic to the dansguardian port.
All works as expected, but i found one issue: as marcello explained here http://forum.pfsense.org/index.php/topic,57401.msg306746.html#msg306746 the traffic goes through users -> dansguardian -> squid -> internet, but if i set an url (not blocked by dansguardian) in the proxy blacklist the settings get ignored.
Seems to me that the NAT rule bypass the access control settings (and maybe other that i don't have discovered yet) in the proxy.
Any help?
Thank you!Guess I'm not sure what you mean… the NAT rule should redirect outbound port 80 to the DG port on pfSense. Is that what you did? If so, any config you apply to squid or DG is valid.
Also not sure what you mean about the proxy blacklist. Why wouldn't you just block a URL in the DG config?
-
Don't use the proxy black list, and use Dansguardian's black list? There's no need for the transparent proxy, as you do not want squid catching requests from users, else you're avoiding dansguardian and traffic isn't getting filtered.
-
please help me and be a little patient, i'm a newbie…
@rjcrowder
yes, i've created the NAT rule to redirect the HTTP traffic (port 80) to the DG port (port 8080).just a bit of personal background: before pfsense i've used ipcop and currently i'm using endian (pfsense is in testing). On both ipcop and endian, i've been using the transparent proxy so i don't have to manually configure the proxy settings on the company's pc.
i googled a bit and I may found my answer(tell me if i'm wrong): in my case, with the NAT rule applied, all i need is SG and squid is redundant in some way. Am i correct?EDIT: i made some more test and seems that the squid package is necessary (even if the installation process of DG install the squid component). So, with the NAT rule applied, i keep squid bind to the loopback interface with the transparent proxy disabled and all seems to work. Con someone confirms it's all correct?
Thanks -
please help me and be a little patient, i'm a newbie…
@rjcrowder
yes, i've created the NAT rule to redirect the HTTP traffic (port 80) to the DG port (port 8080).just a bit of personal background: before pfsense i've used ipcop and currently i'm using endian (pfsense is in testing). On both ipcop and endian, i've been using the transparent proxy so i don't have to manually configure the proxy settings on the company's pc.
i googled a bit and I may found my answer(tell me if i'm wrong): in my case, with the NAT rule applied, all i need is SG and squid is redundant in some way. Am i correct?EDIT: i made some more test and seems that the squid package is necessary (even if the installation process of DG install the squid component). So, with the NAT rule applied, i keep squid bind to the loopback interface with the transparent proxy disabled and all seems to work. Con someone confirms it's all correct?
ThanksIf you set this up correctly, the transparent "checkbox" on the squid configuration page really does nothing. What you need is the NAT rule to redirect your lan HTTP outbound requests to port 8080. Set DG to listen to the LAN interface port 8080 and set the proxy IP to 127.0.0.1 port 3128. Then set Squid to bind to the loopback adapter port 3128.
Once all of this is done, go to the console and make sure everything is starting up OK - do "ps -ax | grep dans" and "ps -ax | grep squid" to make sure they are running. If they are not, try to manually start them using the scripts in /usr/local/etc/rc.d. For squid - squid.sh start. For dans - dansguardian-sh start. Note and fix any errors - I've had some odd errors at times such as rights on the squid log directory…
-
If you set this up correctly, the transparent "checkbox" on the squid configuration page really does nothing. What you need is the NAT rule to redirect your lan HTTP outbound requests to port 8080. Set DG to listen to the LAN interface port 8080 and set the proxy IP to 127.0.0.1 port 3128. Then set Squid to bind to the loopback adapter port 3128.
Once all of this is done, go to the console and make sure everything is starting up OK - do "ps -ax | grep dans" and "ps -ax | grep squid" to make sure they are running. If they are not, try to manually start them using the scripts in /usr/local/etc/rc.d. For squid - squid.sh start. For dans - dansguardian-sh start. Note and fix any errors - I've had some odd errors at times such as rights on the squid log directory…
Is all set as you explained.
Thank you very much!EDIT: just a question: in this configuration, the squid field "Bypass proxy for these destination IPs" is still active even if is binded to the loopback iterface or i have to set something in the DG config (i haven't find anything similiar)?
-
EDIT: just a question: in this configuration, the squid field "Bypass proxy for these destination IPs" is still active even if is binded to the loopback iterface or i have to set something in the DG config (i haven't find anything similiar)?
The setting will not have any effect. The way to bypass Dansguardian (and subsequently squid) is to change your firewall rule so that certain IP's are not redirected to port 8080. For example, I have my redirect rule set to not redirect the 192.168.5.208/28 range to port 8080. Then I can put devices such as the Xbox in that IP address range.
-
EDIT: just a question: in this configuration, the squid field "Bypass proxy for these destination IPs" is still active even if is binded to the loopback iterface or i have to set something in the DG config (i haven't find anything similiar)?
The setting will not have any effect. The way to bypass Dansguardian (and subsequently squid) is to change your firewall rule so that certain IP's are not redirected to port 8080. For example, I have my redirect rule set to not redirect the 192.168.5.208/28 range to port 8080. Then I can put devices such as the Xbox in that IP address range.
Perfect, thank you very much, you're the best ;)