Squid + Dansguardian issue
-
Repost from general help.
Hi
I have a problem with my Dansguardian + Squid setup. At the moment I have the most basic of adblocking + URL filtering set up, but I have a problem. I have a NAT rule to send anything that is not a LAN subnet on port 80 to 192.168.1.1:3128 (Dansguardian).
Most things seem to be working, but if I head over to google.co.uk, I'm redirected to https://www.google.co.uk (fine). I search for 'pfsense', the results are displayed as usual, but every link I click times out. The top result is pfsense.org (actual link www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDEQFjAA&url=http%3A%2F%2Fwww.pfsense.org%2F&ei=yhmfUr60A9Ly7AaYrIDQBA&usg=AFQjCNFmdoam9UPDzW72Y1FjKVDI2Vd47Q&bvm=bv.57155469,d.d2k&cad=rja). If I go direct to pfsense.org the page loads as normal.
pfSense 2.1 Release (amd64) is running on an i3 with 4 GB of RAM, installed onto a 250 GB HDD.
Any help would be much appreciated.
-
Anyone?
Do I need to provide more info? If so, what?
-
12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.pfsense.org%2F&ei=ddymUqfrCYWp7AbG-IGgDQ&usg=AFQjCNFmdoam9UPDzW72Y1FjKVDI2Vd47Q&bvm=bv.57799294,d.d2k CONTENTMOD GET 385 0 1 200 text/html Default - -
12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD POST 3605 0 1 503 text/html Default - - application/ocsp-request,,107,0,,0;
12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD POST 3605 0 1 503 text/html Default - - application/ocsp-request,,107,0,,0;
Copy of 3 entries from the syslog server when going to google.co.uk, searching for pfsense and then clicking the link.
-
1384976437.027 13244 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -
1384976437.027 12965 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -
1384976484.611 59615 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -
Copy from Squid log.
-
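Added example, not from the thread or from either package: a small Python triage script that parses DansGuardian access-log lines as they appear above when forwarded through syslog, and Squid's native access.log lines, and separates filter actions that completed (CONTENTMOD with a 2xx/3xx status) from requests that failed upstream (5xx). The sample lines are copied from the posts above with the long Google query strings trimmed; the field order follows DansGuardian's default access-log format and Squid's native log format. The helper names (parse_dansguardian, parse_squid, triage) are my own.

```python
"""Triage DansGuardian and Squid access-log lines from a transparent-proxy setup.

Added example for this thread; not part of the pfSense DansGuardian or Squid packages.
"""
import re
from urllib.parse import urlsplit

# DansGuardian access log as forwarded through syslog.  Field order after the
# "dansguardian[pid]:" prefix: date time user client URL action method size
# naughtiness filter-group HTTP-status mime-type group-name ...
DG_RE = re.compile(
    r"dansguardian\[(?P<pid>\d+)\]: (?P<date>\S+) (?P<time>\S+) (?P<user>\S+) "
    r"(?P<client>\S+) (?P<url>\S+) (?P<action>\S+) (?P<method>[A-Z]+) (?P<size>\d+) "
    r"(?P<naughty>\d+) (?P<group>\d+) (?P<status>\d+) (?P<mime>\S+) (?P<groupname>\S+)"
)

# Squid native access.log: timestamp elapsed-ms client result/status size method
# URL ident hierarchy/peer content-type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d{3})"
    r"\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

# Sample input copied from the thread above (Google query strings trimmed).  The
# pf/IGMP line is included to show that unrelated syslog noise is skipped.
DG_SAMPLE = [
    "12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://www.google.co.uk/url?sa=t&url=http%3A%2F%2Fwww.pfsense.org%2F CONTENTMOD GET 385 0 1 200 text/html Default - -",
    "12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD POST 3605 0 1 503 text/html Default - - application/ocsp-request,,107,0,,0;",
    "12-10-2013 09:19:03 User.Info 192.168.1.1 Dec 10 09:18:53 dansguardian[73148]: 2013.12.10 9:18:53 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD POST 3605 0 1 503 text/html Default - - application/ocsp-request,,107,0,,0;",
    "12-11-2013 08:18:51 Local0.Info 192.168.1.1 Dec 11 08:18:38 pf: 192.168.1.15 > 224.0.0.252: igmp v2 report 224.0.0.252",
    "2014-01-11 08:51:31 User.Info 192.168.1.1 Jan 11 08:51:29 dansguardian[16727]: 2014.1.11 8:51:29 - 192.168.1.37 http://google.com CONTENTMOD GET 219 0 1 301 - Default - -",
]
SQUID_SAMPLE = [
    "1384976437.027 13244 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -",
    "1384976437.027 12965 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -",
    "1384976484.611 59615 127.0.0.1 TCP_MISS/503 0 CONNECT www.google.com:443 - DIRECT/2a00:1450:4009:807::1011 -",
]


def parse_dansguardian(line):
    """Return the parsed DansGuardian record, or None if the line is not one."""
    m = DG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = urlsplit(rec["url"]).hostname or rec["url"]
    return rec


def parse_squid(line):
    """Return the parsed Squid record, or None if the line is not one."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed_s"] = int(rec["elapsed"]) / 1000.0
    rec["peer_is_ipv6"] = ":" in rec["peer"]  # bare IPv6 literal after DIRECT/
    return rec


def triage(dg_lines, squid_lines):
    """Separate completed filter actions from requests that failed upstream."""
    report = {"modified_ok": [], "upstream_errors": [], "squid_errors": []}
    for line in dg_lines:
        rec = parse_dansguardian(line)
        if rec is None:
            continue  # pf, IGMP and other daemons' lines are skipped
        entry = (rec["client"], rec["method"], rec["host"], rec["status"])
        if rec["status"] >= 500:
            report["upstream_errors"].append(entry)
        elif "CONTENTMOD" in rec["action"]:
            report["modified_ok"].append(entry)
    for line in squid_lines:
        rec = parse_squid(line)
        if rec is None or rec["status"] < 500:
            continue
        report["squid_errors"].append(
            (rec["method"], rec["url"], rec["status"], rec["elapsed_s"], rec["peer"], rec["peer_is_ipv6"])
        )
    return report


if __name__ == "__main__":
    for key, rows in triage(DG_SAMPLE, SQUID_SAMPLE).items():
        print(key)
        for row in rows:
            print("   ", row)
```

Run against the lines above, the script puts the Google result-page GETs (200/301) in modified_ok and the OCSP POSTs to clients1.google.com (503) in upstream_errors, and flags the three Squid CONNECTs to www.google.com:443 that took 13 to 60 seconds and failed against an IPv6 DIRECT peer. A 5xx returned through the proxy is a different failure from a content-list rewrite and is worth checking separately (for instance whether the proxy host has working IPv6 egress), even when the same line also carries the CONTENTMOD tag.
-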
I tried this on my squid/dg setup and didn't have any issue…
From this site - http://contentfilter.futuragts.com/wiki/doku.php?id=the_access.log_files - it appears that perhaps you have something in your content regular expression list that is modifying the returned content?
-
I've added the following http://forum.pfsense.org/index.php?topic=68975.0 to ACLs > URL Lists > Default Url Access List > Modify Section; Enable is ticked.
-
I will look at my rewrite rules when I get home… The difference in how I'm setup vs. what you are doing is that I force non-SSL google search using DNS overrides.
Regardless... it seems that the rewrite stuff is what is messing you up. Can you disable it and test that things work?
-
I've just gone in and unchecked the Enable tick box, restarted Dansguardian Server and tried again.
12-11-2013 08:19:04 User.Info 192.168.1.1 Dec 11 08:18:51 dansguardian[79155]: 2013.12.11 8:18:51 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.joules.com%2F&ei=6R-oUpH4GfLQ7Aa6tIDIAQ&usg=AFQjCNGogxNmwosX9d770DUhTMpRsazJXQ&bvm=bv.57799294,d.ZGU CONTENTMOD GET 383 0 1 200 text/html Default - -
12-11-2013 08:18:51 Local0.Info 192.168.1.1 Dec 11 08:18:38 pf: 192.168.1.15 > 224.0.0.252: igmp v2 report 224.0.0.252
12-11-2013 08:18:51 Local0.Info 192.168.1.1 Dec 11 08:18:38 pf: 00:00:04.898251 rule 80/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13621, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
12-11-2013 08:18:48 User.Info 192.168.1.1 Dec 11 08:18:36 dansguardian[79155]: 2013.12.11 8:18:36 - 192.168.1.15 http://clients1.google.com/ocsp CONTENTMOD POST 3613 0 1 504 text/html Default - - application/ocsp-request,,107,0,,0;
12-11-2013 08:18:47 Local0.Info 192.168.1.1 Dec 11 08:18:34 pf: 0.0.0.0 > 224.0.0.1: igmp query v2
12-11-2013 08:18:47 Local0.Info 192.168.1.1 Dec 11 08:18:34 pf: 00:02:02.601002 rule 3/0(match): block in on re0: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
12-11-2013 08:18:37 User.Info 192.168.1.1 Dec 11 08:18:24 dansguardian[79155]: 2013.12.11 8:18:24 - 192.168.1.15 http://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDAQFjAA&url=http%3A%2F%2Fwww.joules.com%2F&ei=oB-oUpCiEYr17Ab-x4GQBw&usg=AFQjCNGogxNmwosX9d770DUhTMpRsazJXQ&bvm=bv.57799294,d.ZGU CONTENTMOD GET 383 0 1 200 text/html Default - -
From the syslog it looks like the content mod is still being picked up, but I can't find where...
-
Can anyone offer any more advice?
-
Apologies that I cannot be of more help on this, but I can't replicate the problem. As a matter of fact, I can't seem to get anything to show up as "CONTENTMOD" in my logs... It makes me question whether my rules are even working!
I posted in the thread you referenced previously and asked if others were seeing these log entries and got no response...
-
Does your relevant dansguardianfX.conf file look correct? If not, please try this fix, re-save your ACLs, and try again. Make absolutely sure you re-save your rules. Really, it should not need this fix since it was merged before release - but you never know.
-
I'll check the conf file when I get home… pretty sure it is right though because I remember viewing the thread you reference and also remember checking that it was fixed...
However... can you confirm - should I be seeing "CONTENTMOD" (or something similar) in my DG access log? Are you seeing them for situations where the query string is being modified? Thanks!
-
Does your relevant dansguardianfX.conf file look correct? If not, please try this fix, re-save your ACLs, and try again. Make absolutely sure you re-save your rules. Really, it should not need this fix since it was merged before release - but you never know.
Hi
I had a quick look into that fix and my /usr/local/pkg/dansguardian.inc file already looks like the one that's been 'fixed'.
Any more ideas?
-
Please post screens of your ACLs that you're using, or the configuration files for them. It sounds like something is still enabled that shouldn't be.
-
I'll upload the logs; whereabouts can they be found?
-
Er, the logs aren't as important as your actual configs. Screenshots of your ACLs in your GUI config would suffice.
-
Hi
I've attached a zip file of all the ACL lists (there are about 30); I hope these are not overly complicated to follow. I can upload specific screenshots if needed.
https://www.dropbox.com/s/8lb8w4g7do853bm/ScreenShots.rar
Thanks
-
Could you post your $dansguardian_dir/etc/dansguardian/lists/contentregexplist.* files, and your $dansguardian_dir/etc/dansguardian/dansguardianf*.conf files? This is definitely a case of something getting mangled by something in the "Content Lists" ACL.
-
I've only just seen this reply!
I have done some work: I removed DG and reinstalled it, removed all the config files, ACLs and blocked lists and started again. I have been through all the files that have regex in the file name and turned everything off, but the problem still persists. I have just tried google.com and got the below in my syslog.
2014-01-11 08:51:31 User.Info 192.168.1.1 Jan 11 08:51:29 dansguardian[16727]: 2014.1.11 8:51:29 - 192.168.1.37 http://google.com CONTENTMOD GET 219 0 1 301 - Default - -
I'll try and post the files later.
-