Netgate Discussion Forum

    Squid-Squidguard-DansGuardian Integration with SARG Request (oh and LDAP)

      rad4Christ

      I know, I know, I'm not asking for much.  ;D

      I've been running Squid + Squidguard in a non-transparent proxy on my network for a while, and it's been doing great. I use WPAD to get the config out to my clients, and apart from the issue posted here (https://forum.pfsense.org/index.php?topic=99244.0) it's functional.

      However, it's not optimal as I've struggled with things here and there.

      • I've never been able to get c-icap/clamd functionality, even following the guides/suggestions on the forums.

      • I've installed SARG, and once it worked well, but now I get the infamous cannot find index. I've deleted and added the sym link to the pbi directory to no avail.

      • I've never been able to get DansGuardian to work with Squid/SG, it always breaks the proxy completely.

      • I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)

      If there is some amazing step by step guide for this, please let me know. I'd even be willing to put one together, but I need help getting it all functional.

        KOM

        I've never been able to get c-icap/clamd functionality, even following the guides/suggestions on the forums.

        Don't do it.  It really slows everything down.  Use a decent client AV solution.

        I've installed SARG, and once it worked well, but now I get the infamous cannot find index. I've deleted and added the sym link to the pbi directory to no avail.

        Yup, me too.  I still rely on Lightsquid and the Squid3 realtime view.  I've gotten frustrated enough that I've spun up my own squid 3.5.8 server (compiled from source), with squidGuard & Lightsquid.  I have everything working perfectly with the exception of auto-downloading & processing the Shalla blacklists.  Otherwise it's ready to roll out to production.

        I've never been able to get DansGuardian to work with Squid/SG, it always breaks the proxy completely.

        I would think running DG and sG would be redundant.  DG has a URL filter as well as content filter, so I'm not sure what sG would get you that you can't get from DG.  Having said that, I don't use DG at all.

        I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)

        No idea, I don't use authentication with my users.

          Napi

          Hi guys, how are you!

          I have installed a Squid proxy server in transparent mode with squidGuard on pfSense, and I realized that when I put "deny all" in the common ACL, it doesn't block HTTPS sites, so how can I block all HTTPS sites using squidGuard or the firewall?

          Please help me…!

            KOM

            First I'll help you by telling you to not hijack someone else's thread that's completely unrelated to your problem.  Start your own new thread.

              rad4Christ

              Thanks for the reply KOM.

              I don't mind not using Clam integration, but man I wish I could hide the services so I don't see those two Xs.

              SARG is a huge pain in the butt. Lightsquid isn't nearly as detailed though, unless someone knows of a better way to utilize it.

              Dans, if I'm correct, can filter slightly more fine tuned than a simple blacklist. I'd like to catch the proxy servers, and other fun things students use to bypass filters. I'd be willing to sacrifice SG for it, granted it works. But man, I can't get it to work…

              I'm sure I can sort out the AD part, but it'll be a bunch of Google-Fu.

                chris4916

                @rad4Christ:

                I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)

                I don't know about Sarg  :-[

                For what concerns, e.g. Squid and SquidGuard, what matters here is to distinguish between authentication and authorisation/profiling.

                Authentication is handled at Squid level, i.e., this means that Squid will send back to the browser the HTTP 407 response that will trigger the authentication request.
                Next step is to retrieve, from successful authentication, user account or group membership.
                Both can be used by SquidGuard (potentially requiring an additional LDAP request) in order to set up profiling.

                For what I understand, SquidGuard can't implement any authentication.

                Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                  KOM

                  Lightsquid isn't nearly as detailed though, unless someone knows of a better way to utilize it.

                  It tells me who went where when, with byte totals and hit counts.  That's all I need.

                  Dans, if I'm correct, can filter slightly more fine tuned than a simple blacklist.

                  Yes, like I said it has a URL filter as well as a content filter.  You only need a URL filter if you're trying to stop them from going to 3rd-party web proxies.

                  For what I understand, SquidGuard can't implement any authentication.

                  squidGuard is a helper app (not a service/daemon) that gets called by squid for each URL being processed in realtime for every user.  If you need user auth, you do it at the squid level.

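Added example, not part of any post above and not squidGuard's own code: a toy URL-rewrite helper in Python illustrating the point chris4916 and KOM make, that Squid authenticates and the helper only receives the resulting user name for profiling. It assumes Squid 3.4+ helper reply syntax and the default request fields (URL, client_ip/fqdn, user, method); the user names, hosts, profiles and block page are constructed.

```python
import sys
from urllib.parse import unquote, urlsplit

# Constructed policy for illustration; a real setup would map users via LDAP groups.
USER_PROFILE = {"teacher1": "staff"}
DEFAULT_PROFILE = "student"      # used when Squid passes no user ("-")
BLOCKED_HOSTS = {"student": {"proxy.example.net"}, "staff": set()}
BLOCK_PAGE = "http://filter.example.lan/blocked"   # hypothetical block page


def parse_request(line):
    """Split 'URL client_ip/fqdn user method [k=v ...]' as sent by Squid."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError("short helper line: %r" % line)
    url, client, user, method = parts[:4]
    # "-" means Squid did not authenticate the request; names arrive URL-escaped.
    user = None if user == "-" else unquote(user)
    return url, client.split("/", 1)[0], user, method


def decide(line):
    """Return the helper reply for one request line."""
    try:
        url, _ip, user, method = parse_request(line)
    except ValueError:
        return 'BH message="unparseable request"'
    profile = USER_PROFILE.get(user, DEFAULT_PROFILE)
    if method == "CONNECT":          # HTTPS via proxy: URL field is host:port
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    if host.lower() in BLOCKED_HOSTS.get(profile, set()):
        return 'OK status=302 url="%s"' % BLOCK_PAGE
    return "ERR"                     # ERR tells Squid to leave the URL unchanged


def main():
    # Squid writes one request per line on stdin and reads one reply per line.
    for line in sys.stdin:
        print(decide(line.rstrip("\n")), flush=True)


if __name__ == "__main__":
    main()
```

The helper never sees a password or a 407 exchange: without `auth_param` and a `proxy_auth` ACL on the Squid side, every request arrives with user `-` and falls into the default profile.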
                    rad4Christ

                    Gotcha. We're in the midst of our AD/other apps integrations, so I'll be working on the AD connectivity soon, but any ideas outside of the symbolic link on SARG? I'd really like to use it.

                      KOM

                      It was working for me in 2.2.2, but after I upgraded to 2.2.4 it broke and the usual symlink fix didn't fix it.  That's pretty much my only beef with pfSense, that you can't trust the packages to work consistently, and upgrading is always a crapshoot.  I have a working squid3 0.2.8 and when I tried to upgrade to 0.2.9 two weeks ago, everything died.  I had to roll back to my snapshot just to recover quickly.  I just now noticed that there is a Sarg update.  Maybe I'll try it and see if it fixes the problem or introduces a new one.

                      Edit: OK, I removed Sarg, manually deleted any leftover folders such as /usr/local/sarg-reports and /usr/pbi/sarg-amd64/local/sarg-reports and then reinstalled.  After forcing a report, I looked and, as expected, the /usr/local/sarg-reports folder was empty with the real contents in /usr/pbi/sarg-amd64/local/sarg-reports, so I did the symlink hack and Sarg was working once again.

                      Symlink hack for Sarg:

                      rm -r /usr/local/sarg-reports
                      ln -s /usr/pbi/sarg-amd64/local/sarg-reports /usr/local/sarg-reports
                      
                        rad4Christ

                        @KOM:

                        Edit: OK, I removed Sarg, manually deleted any leftover folders such as /usr/local/sarg-reports and /usr/pbi/sarg-amd64/local/sarg-reports and then reinstalled.  After forcing a report, I looked and, as expected, the /usr/local/sarg-reports folder was empty with the real contents in /usr/pbi/sarg-amd64/local/sarg-reports, so I did the symlink hack and Sarg was working once again.

                        Holy crap, it works! Thanks a lot!

                          doktornotor Banned

                          @KOM:

                          I have a working squid3 0.2.8 and when I tried to upgrade to 0.2.9 two weeks ago, everything died.  I had to roll back to my snapshot just to recover quickly.  I just now noticed that there is a Sarg update.  Maybe I'll try it and see if it fixes the problem or introduces a new one.

                          Upgrading doesn't work. Because, when you design something in a way that the upgrade code is ignored, you get crappy results. To get something "upgraded", you need to uninstall and reinstall the package. Only after that, the new code will get used. Or, you can "upgrade" twice. This is the deal with anything that sticks the functions to an include file that's referenced in the .xml <include_file>. Certainly rocks.  ::) >:(

                            KOM

                            There are updated versions of squid3 and squidguard, and I'm afraid to touch them at this point after the last failure.  My own-rolled squid/squidguard/lightsquid/sarg server is running fine, and I will likely drop the pfSense proxy packages once I get time to script grabbing the Shalla list daily and processing it.

                              doktornotor Banned

                              Frankly, the Squid* stuff is beyond repair. Perhaps, if someone makes a decision what's gonna be the deal with 2.3 packages, people can start reworking those from scratch, without the tons of legacy, buggy and messy code bloat.

                              Regarding the changes you mentioned, the only stuff touched there were completely broken cronjobs handling and boot checks. Finally, there's been a change regarding the pinger helper permissions that didn't work due to idiotic chmod() implementation in PHP and - mainly - couldn't have broken anything because it never worked in the first place, due to permissions being screwed by the package code from the very beginning. (https://github.com/pfsense/pfsense-packages/pull/1056).

                              I cannot see how's that causing any other breakage anywhere, except that the whole package is just bunch of badly broken code that only works when the moon phase is right and the butterflies wave their wings carefully enough, plus the generic issues with upgrades mentioned above plus the generic issues with the PBI idiocy well known by anyone who touched the packages code.

                              I've requested input regarding the cron changes from marcelloc on GitHub. Received absolutely none. Assume he's just dropped the ball due to all that PBI shit. Not surprised and don't blame him.
