Squid-Squidguard-DansGuardian Integration with SARG Request (oh and LDAP)
-
First I'll help you by telling you to not hijack someone else's thread that's completely unrelated to your problem. Start your own new thread.
-
Thanks for the reply KOM.
I don't mind not using Clam integration, but man I wish I could hide the services so I don't see those two Xs.
SARG is a huge pain in the butt. Lightsquid isn't nearly as detailed though, unless someone knows of a better way to utilize it.
Dans, if I'm correct, can filter slightly more fine tuned than a simple blacklist. I'd like to catch the proxy servers, and other fun things students use to bypass filters. I'd be willing to sacrifice SG for it, granted it works. But man, I can't get it to work…
I'm sure I can sort out the AD part, but it'll be a bunch of Google-Fu.
-
I'm about to push AD logins to all users, and I've no idea how to properly tie in LDAP, and where it needs to be set up (Squid AND Sarg need it, or just Squid?)
I don't know about Sarg :-[
For what concerns, e.g. Squid and SquidGuard, what matters here is to distinguish between authentication and authorisation/profiling.
Authentication is handled at Squid level. i.e., this means that Squid will send back to browser the HTTP 407 response that will trigger authentication request.
Next step is to retrieve, from successful authentication, user account or group membership.
Both can be used by SquidGuard (potentially requiring additional LDAP request) in order to set-up profiling. For what I understand, SquidGuard can't implement any authentication.
-
Lightsquid isn't nearly as detailed though, unless someone knows of a better way to utilize it.
It tells me who went where when, with byte totals and hit counts. That's all I need.
Dans, if I'm correct, can filter slightly more fine tuned than a simple blacklist.
Yes, like I said it has a URL filter as well as a content filter. You only need a URL filter if you're trying to stop them from going to 3rd-party web proxies.
For what I understand, SquidGuard can't implement any authentication.
squidGuard is a helper app (not a service/daemon) that gets called by squid for each URL being processed in realtime for every user. If you need user auth, you do it at the squid level.
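The split described in the two posts above (Squid authenticates, the helper only profiles), as an added example that is not part of the original thread and is not squidGuard's own code. It is a simplified stand-in for a Squid URL-rewrite helper; the user-to-group table, blocked hosts and block-page URL are constructed placeholders for what an LDAP/AD lookup and a real blacklist would supply.

```python
import sys
from urllib.parse import unquote

# Constructed data standing in for the LDAP/AD group lookup a real filter would do.
USER_GROUPS = {"jsmith": "students", "mjones": "staff"}
# Constructed per-group policy: hosts each profile may not reach.
BLOCKED_HOSTS = {
    "students": {"proxy.example.net", "games.example.org"},
    "staff": set(),
}
DEFAULT_GROUP = "students"  # unknown or anonymous users get the strictest profile
BLOCK_PAGE = "http://filter.example.lan/blocked"  # hypothetical block page


def host_of(url):
    """Return the lower-cased host of an http(s) URL or a CONNECT host:port."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def decide(line):
    """Answer one helper request: 'URL client_ip/fqdn user method [extras]'.

    Returns "" to leave the URL alone, or the URL to send the client to.
    """
    fields = line.split()
    if len(fields) < 4:
        return BLOCK_PAGE  # malformed request line: fail closed
    url, _client, user, _method = fields[:4]
    # The user field is whatever Squid authenticated ("-" if nothing); the
    # helper cannot prompt for credentials, it can only act on this value.
    # Squid URL-escapes it, so "EXAMPLE%5Cjsmith" means EXAMPLE\jsmith.
    user = unquote(user).split("\\")[-1].lower()
    group = USER_GROUPS.get(user, DEFAULT_GROUP)
    return BLOCK_PAGE if host_of(url) in BLOCKED_HOSTS[group] else ""


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid expects one reply line per request line


if __name__ == "__main__":
    main()
```

If Squid is not configured to require authentication, every request arrives with "-" in the user field and all users fall into the default profile.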
-
Gotcha. We're in the midst of our AD/other apps integrations, so I'll be working on the AD connectivity soon, but any ideas outside of the symbolic link on SARG? I'd really like to use it.
-
It was working for me in 2.2.2, but after I upgraded to 2.2.4 it broke and the usual symlink fix didn't fix it. That's pretty much my only beef with pfSense, that you can't trust the packages to work consistently, and upgrading is always a crapshoot. I have a working squid3 0.2.8 and when I tried to upgrade to 0.2.9 two weeks ago, everything died. I had to rollback to my snapshot just to recover quickly. I just now noticed that there is a Sarg update. Maybe I'll try it and see if it fixes the problem or introduces a new one.
Edit: OK, I removed Sarg, manually deleted any leftover folders such as /usr/local/sarg-reports and /usr/pbi/sarg-amd64/local/sarg-reports and then reinstalled. After forcing a report, I looked and, as expected, the /usr/local/sarg-reports folder was empty with the real contents in /usr/pbi/sarg-amd64/local/sarg-reports, so I did the symlink hack and Sarg was working once again.
Symlink hack for Sarg:
rm -r /usr/local/sarg-reports
ln -s /usr/pbi/sarg-amd64/local/sarg-reports /usr/local/sarg-reports
-
@KOM:
Edit: OK, I removed Sarg, manually deleted any leftover folders such as /usr/local/sarg-reports and /usr/pbi/sarg-amd64/local/sarg-reports and then reinstalled. After forcing a report, I looked and, as expected, the /usr/local/sarg-reports folder was empty with the real contents in /usr/pbi/sarg-amd64/local/sarg-reports, so I did the symlink hack and Sarg was working once again.
Holy crap, it works! Thanks a lot!
-
@KOM:
I have a working squid3 0.2.8 and when I tried to upgrade to 0.2.9 two weeks ago, everything died. I had to rollback to my snapshot just to recover quickly. I just now noticed that there is a Sarg update. Maybe I'll try it and see if it fixes the problem or introduces a new one.
Upgrading doesn't work. Because, when you design something in a way that the upgrade code is ignored, you get crappy results. To get something "upgraded", you need to uninstall and reinstall the package. Only after that, the new code will get used. Or, you can "upgrade" twice. This is the deal with anything that sticks the functions to an include file that's referenced in the .xml <include_file>. Certainly rocks. ::) >:(
-
There are updated versions of squid3 and squidguard, and I'm afraid to touch them at this point after the last failure. My own-rolled squid/squidguard/lightsquid/sarg server is running fine, and I will likely drop the pfSense proxy packages once I get time to script grabbing the Shalla list daily and processing it.
-
Frankly, the Squid* stuff is beyond repair. Perhaps, if someone makes a decision what's gonna be the deal with 2.3 packages, people can start reworking those from scratch, without the tons of legacy, buggy and messy code bloat.
Regarding the changes you mentioned, the only stuff touched there were completely broken cronjobs handling and boot checks. Finally, there's been a change regarding the pinger helper permissions that didn't work due to idiotic chmod() implementation in PHP and - mainly - couldn't have broken anything because it never worked in the first place, due to permissions being screwed by the package code from the very beginning. (https://github.com/pfsense/pfsense-packages/pull/1056).
I cannot see how's that causing any other breakage anywhere, except that the whole package is just a bunch of badly broken code that only works when the moon phase is right and the butterflies wave their wings carefully enough, plus the generic issues with upgrades mentioned above plus the generic issues with the PBI idiocy well known by anyone who touched the packages code.
I've requested input regarding the cron changes from marcelloc on GitHub. Received absolutely none. Assume he's just dropped the ball due to all that PBI shit. Not surprised and don't blame him.