Squid-Squidguard-DansGuardian Integration with SARG Request (oh and LDAP)



  • I know, I know, I'm not asking for much.  ;D

    I've been running Squid + Squidguard in a non-transparent proxy on my network for a while, and it's been doing great. I use WPAD to get the config out to my clients, and apart from the issue posted here (https://forum.pfsense.org/index.php?topic=99244.0) it's functional.

    However, it's not optimal as I've struggled with things here and there.

    • I've never been able to get c-icap/clamd functionality, even following the guides/suggestions on the forums.

    • I've installed SARG, and once it worked well, but now I get the infamous cannot find index. I've deleted and added the symlink to the pbi directory to no avail.

    • I've never been able to get DansGuardian to work with Squid/SG, it always breaks the proxy completely.

    • I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)

    If there is some amazing step by step guide for this, please let me know. I'd even be willing to put one together, but I need help getting it all functional.



  • I've never been able to get c-icap/clamd functionality, even following the guides/suggestions on the forums.

    Don't do it.  It really slows everything down.  Use a decent client AV solution.

    I've installed SARG, and once it worked well, but now I get the infamous cannot find index. I've deleted and added the symlink to the pbi directory to no avail.

    Yup, me too.  I still rely on Lightsquid and the Squid3 realtime view.  I've gotten frustrated enough that I've spun up my own squid 3.5.8 server (compiled from source), with squidGuard & Lightsquid.  I have everything working perfectly with the exception of auto-downloading & processing the Shalla blacklists.  Otherwise it's ready to roll out to production.

    I've never been able to get DansGuardian to work with Squid/SG, it always breaks the proxy completely.

    I would think running DG and sG would be redundant.  DG has a URL filter as well as content filter, so I'm not sure what sG would get you that you can't get from DG.  Having said that, I don't use DG at all.

    I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)

    No idea, I don't use authentication with my users.



  • Hi guys, how are you!

    I have installed a Squid proxy server in transparent mode with squidGuard on pfSense, and I realized that when I put "deny all" in the common ACL, it doesn't block HTTPS sites, so how can I block all HTTPS sites using squidGuard or the firewall?

    Please help me…!



  • First I'll help you by telling you to not hijack someone else's thread that's completely unrelated to your problem.  Start your own new thread.



  • Thanks for the reply KOM.

    I don't mind not using Clam integration, but man I wish I could hide the services so I don't see those two Xs.

    SARG is a huge pain in the butt. Lightsquid isn't nearly as detailed though, unless someone knows of a better way to utilize it.

    Dans, if I'm correct, can filter slightly more fine tuned than a simple blacklist. I'd like to catch the proxy servers, and other fun things students use to bypass filters. I'd be willing to sacrifice SG for it, granted it works. But man, I can't get it to work…

    I'm sure I can sort out the AD part, but it'll be a bunch of Google-Fu.



  • @rad4Christ:

    I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)

    I don't know about Sarg  :-[

    As far as Squid and SquidGuard are concerned, what matters here is to distinguish between authentication and authorisation/profiling.

    Authentication is handled at the Squid level, i.e., Squid will send back to the browser the HTTP 407 response that triggers the authentication request.
    The next step is to retrieve, from the successful authentication, the user account or group membership.
    Both can be used by SquidGuard (potentially requiring an additional LDAP request) in order to set up profiling.

    From what I understand, SquidGuard can't implement any authentication.



  • Lightsquid isn't nearly as detailed though, unless someone knows of a better way to utilize it.

    It tells me who went where when, with byte totals and hit counts.  That's all I need.

    Dans, if I'm correct, can filter slightly more fine tuned than a simple blacklist.

    Yes, like I said it has a URL filter as well as a content filter.  You only need a URL filter if you're trying to stop them from going to 3rd-party web proxies.

    From what I understand, SquidGuard can't implement any authentication.

    squidGuard is a helper app (not a service/daemon) that gets called by squid for each URL being processed in realtime for every user.  If you need user auth, you do it at the squid level.
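
The split described in the posts above (Squid authenticates, the rewrite helper only profiles), as an added example that is not part of the original thread and is not squidGuard's code. It is a stand-in helper that assumes the Squid 3.4+ helper line format with the default extras (`URL client_ip/fqdn user method ...`); the policy table, user map and block-page URL are constructed.

```python
from urllib.parse import unquote, urlsplit

# Constructed policy: destination hosts each profile may not reach.
BLOCKED = {
    "students": {"proxy.example.net", "games.example.org"},
    "staff": set(),
}
# Constructed user-to-profile map; a real deployment would derive this
# from an LDAP/AD group lookup keyed on the name Squid authenticated.
PROFILE_OF = {"alice": "staff", "bob": "students"}
DEFAULT_PROFILE = "students"                     # used when Squid passes no user
BLOCK_PAGE = "http://block.example.lan/denied"   # placeholder URL

def parse_request(line):
    """Split one helper input line: URL client_ip/fqdn user method [kv...]."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("short helper line: %r" % line)
    url, client, user, method = fields[:4]
    ip = client.split("/", 1)[0]
    # Squid sends "-" when the request carries no authenticated user;
    # the helper has no way to challenge the browser itself.
    user = None if user == "-" else unquote(user).lower()
    return url, ip, user, method

def decide(line):
    """Return the helper reply (OK redirect, ERR = leave unchanged, BH = error)."""
    try:
        url, _ip, user, method = parse_request(line)
    except ValueError:
        return 'BH message="malformed input"'
    profile = PROFILE_OF.get(user, DEFAULT_PROFILE)
    if method == "CONNECT":            # HTTPS tunnels arrive as host:port
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    if host.lower() in BLOCKED[profile]:
        return 'OK status=302 url="%s"' % BLOCK_PAGE
    return "ERR"

if __name__ == "__main__":
    import sys
    for raw in sys.stdin:              # Squid keeps the helper running and feeds it lines
        sys.stdout.write(decide(raw) + "\n")
        sys.stdout.flush()
```

The user field is only populated when squid.conf already enforces authentication (an `auth_param` scheme plus a `proxy_auth` ACL); without that, every request arrives as `-` and falls into the default profile.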



  • Gotcha. We're in the midst of our AD/other apps integrations, so I'll be working on the AD connectivity soon, but any ideas outside of the symbolic link on SARG? I'd really like to use it.



  • It was working for me in 2.2.2, but after I upgraded to 2.2.4 it broke and the usual symlink fix didn't fix it.  That's pretty much my only beef with pfSense, that you can't trust the packages to work consistently, and upgrading is always a crapshoot.  I have a working squid3 0.2.8 and when I tried to upgrade to 0.2.9 two weeks ago, everything died.  I had to rollback to my snapshot just to recover quickly.  I just now noticed that there is a Sarg update.  Maybe I'll try it and see if it fixes the problem or introduces a new one.

    Edit: OK, I removed Sarg, manually deleted any leftover folders such as /usr/local/sarg-reports and /usr/pbi/sarg-amd64/local/sarg-reports and then reinstalled.  After forcing a report, I looked and, as expected, the /usr/local/sarg-reports folder was empty with the real contents in /usr/pbi/sarg-amd64/local/sarg-reports, so I did the symlink hack and Sarg was working once again.

    Symlink hack for Sarg:

    rm -r /usr/local/sarg-reports
    ln -s /usr/pbi/sarg-amd64/local/sarg-reports /usr/local/sarg-reports
    


  • @KOM:

    Edit: OK, I removed Sarg, manually deleted any leftover folders such as /usr/local/sarg-reports and /usr/pbi/sarg-amd64/local/sarg-reports and then reinstalled.  After forcing a report, I looked and, as expected, the /usr/local/sarg-reports folder was empty with the real contents in /usr/pbi/sarg-amd64/local/sarg-reports, so I did the symlink hack and Sarg was working once again.

    Holy crap, it works! Thanks a lot!


  • Banned

    @KOM:

    I have a working squid3 0.2.8 and when I tried to upgrade to 0.2.9 two weeks ago, everything died.  I had to rollback to my snapshot just to recover quickly.  I just now noticed that there is a Sarg update.  Maybe I'll try it and see if it fixes the problem or introduces a new one.

    Upgrading doesn't work. Because, when you design something in a way that the upgrade code is ignored, you get crappy results. To get something "upgraded", you need to uninstall and reinstall the package. Only after that, the new code will get used. Or, you can "upgrade" twice. This is the deal with anything that sticks the functions to an include file that's referenced in the .xml <include_file>. Certainly rocks.  ::) >:(



  • There are updated versions of squid3 and squidguard, and I'm afraid to touch them at this point after the last failure.  My own-rolled squid/squidguard/lightsquid/sarg server is running fine, and I will likely drop the pfSense proxy packages once I get time to script grabbing the Shalla list daily and processing it.


  • Banned

    Frankly, the Squid* stuff is beyond repair. Perhaps, if someone makes a decision what's gonna be the deal with 2.3 packages, people can start reworking those from scratch, without the tons of legacy, buggy and messy code bloat.

    Regarding the changes you mentioned, the only stuff touched there were completely broken cronjobs handling and boot checks. Finally, there's been a change regarding the pinger helper permissions that didn't work due to idiotic chmod() implementation in PHP and - mainly - couldn't have broken anything because it never worked in the first place, due to permissions being screwed by the package code from the very beginning. (https://github.com/pfsense/pfsense-packages/pull/1056).

    I cannot see how that's causing any other breakage anywhere, except that the whole package is just a bunch of badly broken code that only works when the moon phase is right and the butterflies wave their wings carefully enough, plus the generic issues with upgrades mentioned above plus the generic issues with the PBI idiocy well known by anyone who touched the packages code.

    I've requested input regarding the cron changes from marcelloc on GitHub. Received absolutely none. Assume he's just dropped the ball due to all that PBI shit. Not surprised and don't blame him.