MOVED: Want to have squid local authentication AND dansguardian filtering

  • This is for a school setting. (I moved this from Documentation - I think this is the right place.)

    2.1.4-RELEASE (i386)
    Lan interface is: 192.168.0.1

    Firewall rules:
    IPv4 * LAN net * * * * none     Default allow LAN to any rule
    IPv6 * LAN net * * * * none     Default allow LAN IPv6 to any rule
    IPv4 TCP LAN net * 192.168.0.1 8080 * none NAT dg default rg

    NAT rule:
    LAN TCP LAN net * * 80 (HTTP) 192.168.0.1 8080 dg default rg

    I have squid set up with a proxy interface "LAN" (tried loopback too), port 3128, "allow users on interface" checked, and authentication set to "local."

    When the client browser is set up with 192.168.0.1:3128 users are prompted for authentication - but there's no filtering.

    I have dansguardian set up listening on interface "LAN" with parent proxy settings: IP 127.0.0.1, port 3128, but when the client browser is set up with 192.168.0.1:8080 it does not prompt for authentication, does not load pages, or obviously filter.

    Transparent proxy works fine and with filtering.

    I simply want to have users authenticate through squid (using local) AND be filtered. I know this can work, I'm just missing something simple and it's driving me crazy!

    I found this thread, https://forum.pfsense.org/index.php?topic=70903.0 but wasn't clear on how to implement the solution. Any explicit guidance would be very appreciated.

    Thanks.

    P.S. I do not want to use captive portal for numerous reasons; harder to log user activity, timeouts annoying, does not re-prompt when a browser is closed, and does not allow https connections.

  • So just to be clear, here's what I want:

    All user client proxy settings: 192.168.0.1:8080. Students open their browsers and get the "drop down" authentication, enter their user names and passwords. Web content is filtered and logs include usernames and websites visited.

    Also, they should have to reauthenticate when the browser is closed, and https traffic is also filtered – I think I get these "free" using squid authentication+dansguardian.

    I think my problem may be one (or more) of the following:

    Firewall rules, seems to be my #1 guess.
    I currently have NAT set up as: LAN TCP LAN net * * 80 (HTTP) 192.168.0.1 8080 but I feel like I need another rule somewhere?

    Authentication, I have squid authentication method set to "local," and dansguardian authentication set to "Proxy-Basic." I think this is correct?

    Listening interfaces, I have the squid interface set as "loopback" and the dansguardian interface set as "LAN." I did some experimenting and found:

    If I change the squid interface to LAN and the clients' proxy settings to 192.168.0.1:2138 I get the login, but no filtering.
    If I change BOTH squid and DG to loopback - nothing works. :-(
    Both squid and DG to LAN - login but no filtering.
    If I change squid to LAN, and DG to loopback, and client to 192.168.0.1:2138 login works, but not filtering :-(
    As I said above with Squid as loopback, and DG as LAN, and client to 192.168.0.1:2138 nothing works, but with clients set to 192.168.0.1:8080 I get filtering without the login.

    Argh! I'm pulling my hair out here. LOL.

  • Dansguardian needs a proxy to fetch sites, so your setup needs to be first dansguardian and then send it to squid.

    • Listen dansguardian on lan address

    • Do not create any nat to transparent proxy

    • Deny direct access to internet by allowing only services you know on LAN (dansguardian port, dns server, etc)

    • Configure dansguardian to send traffic to squid on 127.0.0.1 or lan address.

    • Configure basic authentication on squid
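    The chain marcelloc lists (browser to DansGuardian on the LAN address, DansGuardian to squid on loopback, with the basic-auth challenge coming from squid), written out as an added example of the two configuration files; this is not anything posted in this thread or generated by the pfSense packages, and the helper path, password-file location and realm string are assumptions.

    ```conf
    # --- squid.conf (reached only from DansGuardian on 127.0.0.1) ---
    # Listen on loopback only, so a LAN client cannot bypass the filter by
    # pointing its browser straight at port 3128.
    http_port 127.0.0.1:3128

    # Basic auth against a local password file (helper and file paths are
    # assumed; the squid3 package ships basic_ncsa_auth instead).
    auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm School proxy
    auth_param basic credentialsttl 2 hours

    acl authenticated proxy_auth REQUIRED

    # http_access is first-match. Every request now arrives from 127.0.0.1
    # (DansGuardian), so an "http_access allow localhost" placed above this
    # line would let every client through without a 407 challenge: filtering
    # but no login prompt. Keep the auth ACL first.
    http_access allow authenticated
    http_access deny all

    # --- dansguardian.conf (what the clients' browsers point at) ---
    filterip = 192.168.0.1
    filterport = 8080
    proxyip = 127.0.0.1
    proxyport = 3128

    # Pass squid's 407 challenge through to the browser and record the
    # username in DansGuardian's own access log.
    authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf'

    # Add X-Forwarded-For so squid's access.log shows the real client IP
    # instead of 127.0.0.1 for every line.
    forwardedfor = on
    ```

    The remaining item from the list is done in pfSense rules rather than these files: allow LAN to 192.168.0.1:8080 (and DNS), then block LAN to any, so nothing reaches the internet except through DansGuardian.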

  • @marcelloc:

    Dansguardian needs a proxy to fetch sites, so your setup needs to be first dansguardian and then send it to squid.

    • Listen dansguardian on lan address

    • Do not create any nat to transparent proxy

    • Deny direct access to internet by allowing only services you know on LAN (dansguardian port, dns server, etc)

    • Configure dansguardian to send traffic to squid on 127.0.0.1 or lan address.

    • Configure basic authentication on squid

    Thank you for responding. I've done the first step, DG is set up to listen on LAN. I have now deleted the NAT to the transparent proxy.

    "Deny direct access to internet by allowing only services you know on LAN (dansguardian port, dns server, etc)." This makes sense, but I'm not sure how. Do I need to create multiple firewall rules to do this? Can you give examples?

    "Configure dansguardian to send traffic to squid on 127.0.0.1 or lan address." Do I also do this by creating firewall rules or via the GUI? In the GUI I have, Dansguardian -> Daemon tab -> Parent proxy Settings -> Proxy IP = 127.0.0.1, Proxy Port = 3128, and timeout = 40 seconds.

    If I'm reading you correctly, it seems I just need to have the firewall rules sorted out. Thank you again for your help!

  • @ryanpg:

    Do I need to create multiple firewall rules to do this? Can you give examples?

    This is up to you. You can create a lot of block rules, or just a deny all rule after allow rules (this by port alias).

    @ryanpg:

    "Configure dansguardian to send traffic to squid on 127.0.0.1 or lan address." Do I also do this by creating firewall rules or via the GUI?

    No, just configure proxy on dansguardian gui.

  • Thanks again, but I think there's a bigger problem or something still missing. Even without blocking rules, and with clients correctly pointing to the proxy 192.168.0.1:8080, I should still get authentication and blocking, correct?

    I have dansguardian listening on lan (192.168.0.1:8080) and clients' proxy connections pointing there.
    I have the squid interface on "localhost"
    I have configured dansguardian to send traffic to squid on 127.0.0.1:3128 (bottom of the dg page in the gui)

    But I still don't get authentication! I get blocked sites, but no drop-down.

    Squid authentication is set to "local" and dansguardian authentication is set to proxy_basic.

    In the thread I referenced earlier (https://forum.pfsense.org/index.php?topic=70903.0) the person had the same problem, his solution was:

    "You have to configure the proxy settings to point directly to dansguardian (port 8080) instead of port forwarding from 80 to 8080."

    But what does that mean?

  • @ryanpg:

    In the thread I referenced earlier (https://forum.pfsense.org/index.php?topic=70903.0) the person had the same problem, his solution was:

    "You have to configure the proxy settings to point directly to dansguardian (port 8080) instead of port forwarding from 80 to 8080."

    But what does that mean?

    He's saying you need to change the browser proxy settings to point to DG rather than transparently redirecting (from 80 to 8080)

  • OK, this is maddening. I did a fresh install. Installed squid (not squid3 this time) and dansguardian. Didn't touch the firewall/NAT settings.

    Squid settings:

    Proxy Interface = loopback
    Allow users on interface = checked
    Transparent proxy = NOT checked
    Proxy Port = 3128
    Authentication method = Local
    Created one test user: name=student password=student

    Dansguardian settings:

    Listen interface = LAN
    Listen port = 8080

    Parent proxy settings:
    Proxy IP = 127.0.0.1
    Proxy Port = 3128

    General tab:
    Auth-Plugins = Proxy-Basic

    Client browser proxy points to 192.168.0.1:8080

    There is NO drop-down for authentication. Why? What am I doing wrong? It just doesn't make sense.

    If I change squid's proxy interface to LAN and change the client proxy setting to 192.168.0.1:3128, I get the drop-down but NO filtering.

    Is there a bug in the dansguardian package? I'm willing to paypal someone to help get this figured out.

  • I'm having the exact same problem, did you finally get it working?