  1. #1
    Number6

    Need a Dansguardian / Squid configuration expert

    Following on from my previous thread.

    I've installed a Ubuntu server running Dansguardian and squid.

    I can't for the life of me work out how to authenticate AD users onto squid in order that I can set up different classes of filtering for different users.

    If there's anyone on here that knows this system and is available for a bit of consultancy / training work here in Worcester please PM me.

  2. #2

    RabbieBurns
    Have you considered Smoothwall Schoolguardian? It's very reasonably priced and has a very simple GUI, and the main workings are dansguardian and squid.

  3. Thanks to RabbieBurns from:

    tom_newton (6th April 2010)

  4. #3
    Jamman960
    I found the following how-to very useful; it still took some tweaking but I got it working in the end: How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch | HowtoForge - Linux Howtos and Tutorials. It's mostly the same for Ubuntu except having to use different package managers etc.

    In the end I set up the 1st policy to block everything and then played around until NTLM auth worked and put me on the 2nd policy. If I remember correctly it came down to which port I connected to; I believe I had to connect directly to dansguardian, which then went through squid, to get it working.

  5. #4


    tom_newton
    Thanks Mr Burns! Yes, we do offer the "package" way to content filtering nirvana

    Jamman - I think you have it about right there.

    It can get a bit trial and error with dg, and you'll probably find you need to ask more specific questions to get the right answers. I am afraid I don't do much on the dg config side, but I will throw my 2p's worth in where I can

  6. #5
    Number6
    Hello Mr Burns, Jamman and Tom.

    Unfortunately we cannot go down the Smoothwall route for two reasons: 1) we have nothing left in this year's budget for new projects (and precious little for consumables even) and 2) we use a Sonicwall firewall, as do our other two sites, and if I were to propose paying for a content filtering solution then questions would be asked about why I'm not paying for the Sonicwall integrated solution. I have my own reasons for not wanting to go down the Sonicwall route apart from cost.

    So, as you see, I'm between a rock and a hard place for the moment.

    My reasons for going the Dansguardian route are 1) it might work well once set up, 2) it's free, apart from my time, and 3) even if it doesn't prove to be manageable then I can put it forward as an argument for purchasing Smoothwall in 12 months' time.

    In terms of being more specific about what I want DG + Squid to do then this is what I want:

    This site operates an SBS2003 controlled network. The SBS box is the DC, DNS server and runs WSUS. Obviously it also runs AD.

    There are two other servers, a NAS box running Storage Server 2003 and a Server 2008 box that runs Sophos, SIMS, DHCP and acts as the KM server for the workstations.

    There is a front-end Sonicwall hardware firewall.

    There are 70 PCs on the network.

    I have Dansguardian and squid running on a Ubuntu server box.

    I wish to set up four groups - One will be totally blocked from internet access, one will be strongly filtered, one will be less strongly filtered and one will be unfiltered.

    I want Squid to transparently read the AD user information passed by the client browser and for it to transparently authenticate the user into the appropriate group - users A, B and C will always be blocked, D, E and F will be always strongly filtered, users G, H and I will always be weakly filtered, IT Admin will always be unfiltered. Squid will pass the authority to Dansguardian and caching and filtering will then be handled according to group memberships.

    Obviously all the authentication must be username / password based rather than IP based.

    And that's it in a nutshell. If I can get this framework running then it should simply be a case of keeping the filtering lists and config files up to date.

    So if anyone would like to:

    A) Give me advice how to do this

    Or

    B) Set it all up for me, either here or remotely.

    then please get in touch.

    I'm fairly sure we could find a reasonable consultancy fee if someone wishes to come here and do the setup for us.

    Thanks in anticipation.

  7. #6
    Number6
    OK, I have made great strides forward but am now stuck at the final hurdle and wonder if anyone can help?

    I have now got the Ubuntu box configured as a member of the domain via winbind and all of the tests show that it is seeing all of the network. The box can ping the DC by name and IP and vice-versa so DNS is all OK.

    BUT.....

    Now that I have all this working no browser can see the proxy, e.g. Chrome returns Error 102 Connection refused and IE simply refuses to display the page. This is the same whatever port I try to use for the proxy (8080, 8081 or 3128). It's not a browser problem as, with no proxy selected it's fine.

    I've gone over and over the squid.conf file until I'm seeing it in my sleep but I can see no reason for connections being refused.

    Squid and Dansguardian both start OK from the console, they both return "OK" when restarted. I could connect OK before I joined the box to the domain.

    Anyone have any ideas where I can go from here?

  8. #7

    What do your log files show?

    You should often get a "not authenticated certain domain/username due to issue" error message somewhere in your log files - if not that it should hopefully show an access denied for another reason.

    Have you configured your squid/dg for ntlm authentication?

  9. #8


    There's plenty of guides out there. I haven't got time to run through this completely, but this one looks about right: Setting up Squid NTLM DansGuardian Sarg - openSUSE

    The way I've got it set up (in a nutshell) is:

    Install squid, dg, winbind, (iirc) krb5, and samba.

    Bind the server to your domain and make sure krb5 and samba are set up correctly.
    Change the squid config to include the ntlm helper. This allows squid to authenticate without having to do the old "2 squids" hack or by using samba.
    Use this script to pull usernames from AD: http://dansguardian.org/downloads/ch...wonger/usermap
    Now you configure DG for multigroups. Configure each group to read the appropriate phrase/badword lists (dansguardianf1.conf, dansguardianf2.conf etc).


    To answer your question: you point your browser at the DG port (8080 by default iirc), and DG passes that on to squid on port (3128 iirc).

    And iirc you have to make sure ntlm is in the dansguardian plugins folder if it isn't by default.
    Last edited by j17sparky; 8th April 2010 at 12:52 PM.
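
Added example (not part of j17sparky's post, and not the usermap script it links to): one way to turn AD group membership into DansGuardian's `filtergroupslist` for the four-group layout described earlier in the thread. It leaves filter group 1, DansGuardian's default for unlisted users, as the blocked group so that unknown users fail closed; the domain `SCHOOL`, the group and user names, and the stripping of the domain prefix are assumptions of the example.

```shell
#!/bin/sh
# Input on stdin: "<filter number> <getent group line>", one group per line.
# Output: "user=filterN" lines in DansGuardian's filtergroupslist format.

# Constructed sample input; SCHOOL, the groups and the users are placeholders.
sample_input() {
    cat <<'EOF'
1 SCHOOL\web-blocked:x:10001:SCHOOL\auser
2 SCHOOL\web-strict:x:10002:SCHOOL\dsmith,SCHOOL\ejones
3 SCHOOL\web-light:x:10003:SCHOOL\ejones,SCHOOL\gbrown
4 SCHOOL\web-open:x:10004:SCHOOL\itadmin
EOF
}

build_filtergroupslist() {
    awk '
    {
        n = $1 + 0
        line = $0
        sub(/^[0-9]+[ \t]+/, "", line)     # keep group names that contain spaces
        cnt = split(line, f, ":")          # getent: name:passwd:gid:members
        if (cnt < 4 || n < 2) next         # malformed line, or default group 1
        m = split(f[cnt], users, ",")
        for (i = 1; i <= m; i++) {
            u = users[i]
            sub(/^.*[\\+]/, "", u)         # assumption: drop DOMAIN\ or DOMAIN+ prefix
            if (u == "") continue
            # A user in several groups gets the lowest-numbered (strictest) one.
            if (!(u in grp) || n < grp[u]) grp[u] = n
        }
    }
    END { for (u in grp) printf "%s=filter%d\n", u, grp[u] }
    ' | LC_ALL=C sort
}

# Stand-alone demo: sh this-file --demo
if [ "${1:-}" = "--demo" ]; then
    sample_input | build_filtergroupslist
fi
```

On the proxy, each input line can be produced with `getent group` once winbind resolves domain groups, and the output written to the file that `filtergroupslist` names in dansguardian.conf.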

  10. #9
    Number6
    Everything seems to be configured OK. All the winbind tests and kinit give the properly expected responses.

    Browser is pointed at DG:8080

    proxy-ntlm.conf is in the DG authplugins folder with the content of:

    # Proxy-NTLM auth plugin
    # Identifies usernames in "Proxy-Authorization: NTLM" headers;
    # relies on the upstream proxy (squid) to perform the actual password check.

    plugname = 'proxy-ntlm'


    The squid log files are very confusing and I'm still trying to make head or tail of them.

  11. #10
    Number6
    OK, I'm not now sure that squid is even running properly, or at all.

    If I look at the squid config via webmin, on that page is a button "start Squid" - click it and it doesn't change to "stop Squid". How can I check definitively that squid is running, or otherwise?

  12. #11
    Number6
    It isn't running and I don't know why.

    On running /usr/sbin/squid -NCd1 I get :

    /usr/sbin/squid -NCd1
    WARNING: Cannot write log file: /var/log/squid/cache.log
    /var/log/squid/cache.log: Permission denied
    messages will be sent to 'stderr'.
    2010/04/08 13:31:55| WARNING: Closing open FD 2
    2010/04/08 13:31:55| Starting Squid Cache version 2.7.STABLE6 for amd64-debian-linux-gnu...
    2010/04/08 13:31:55| Process ID 2664
    2010/04/08 13:31:55| With 1024 file descriptors available
    2010/04/08 13:31:55| Using epoll for the IO loop
    2010/04/08 13:31:55| Performing DNS Tests...
    FATAL: ipcache_init: DNS name lookup tests failed.
    Squid Cache (Version 2.7.STABLE6): Terminated abnormally.
    CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys
    Maximum Resident Size: 0 KB
    Page faults with physical i/o: 0
    Aborted

  13. #12


    To check status/start/stop:
    /etc/init.d/squid start/stop/restart/status


    Personally I'd start again. Something's gone wrong as it shouldn't be throwing up errors for permissions. You should be able to fly through now you have an idea of what you are doing. Also I found Debian 5 (lenny) a lot better for dansguardian; never did get things to work quite right on Ubuntu.

  14. #13
    Number6
    I've removed and reinstalled squid.

    Without any modification squid runs and reports OK.

    BUT... as soon as I modify squid.conf to include ntlm_auth and restart squid it errors out as follows:

    /usr/sbin/squid -NCd1
    2010/04/08 14:04:31| Starting Squid Cache version 2.7.STABLE6 for amd64-debian-linux-gnu...
    2010/04/08 14:04:31| Process ID 2548
    2010/04/08 14:04:31| With 1024 file descriptors available
    2010/04/08 14:04:31| Using epoll for the IO loop
    2010/04/08 14:04:31| Performing DNS Tests...
    FATAL: ipcache_init: DNS name lookup tests failed.
    Aborted

    Again, all the winbind tests and kinit return OK, I can ping the nameserver by name and IP, it's in resolve.conf.

    What are the DNS name lookup tests? Does it just test to see if it can reach the nameserver or is it something else?
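
On the question above, an added example (not from any poster in this thread): at start-up Squid 2.x resolves the host names given by the `dns_testnames` directive, stops at the first one that resolves, and exits with the FATAL line shown if none does; the `-D` command-line option skips the test. The script repeats that check with `getent hosts` so the failing names can be seen; the `RESOLVER` override and the squid.conf path are assumptions of the example.

```shell
#!/bin/sh
# Repeat Squid 2.x's start-up DNS test outside Squid.

# Names Squid 2.7 tests when squid.conf has no dns_testnames line.
DEFAULT_TESTNAMES="netscape.com internic.net nlanr.net microsoft.com"

# Print the test names for a squid.conf
# (assumption: a repeated directive adds to the list).
squid_testnames() {
    names=$(awk '$1 == "dns_testnames" {
                     $1 = ""; sub(/^ +/, "")
                     n = (n == "" ? $0 : n " " $0)
                 }
                 END { print n }' "$1" 2>/dev/null) || names=""
    echo "${names:-$DEFAULT_TESTNAMES}"
}

# Resolve each name with $RESOLVER (default: getent hosts, which uses the
# system resolver configuration). Returns 0 at the first name that
# resolves, 1 if none do, which is the case where Squid aborts.
dns_test() {
    for name in $(squid_testnames "$1"); do
        if ${RESOLVER:-getent hosts} "$name" >/dev/null 2>&1; then
            echo "ok: $name resolves"
            return 0
        fi
        echo "fail: $name" >&2
    done
    return 1
}

# Stand-alone use: sh this-file --run [path to squid.conf]
if [ "${1:-}" = "--run" ]; then
    dns_test "${2:-/etc/squid/squid.conf}"
fi
```

Note that the default test names are all external, so a name server that answers only for the internal domain passes a ping test and still fails this one.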

  15. #14
    Mcshammer_dj
    Try using an IP address for the DNS_nameservers.

  16. #15
    Number6
    Quote, originally posted by Mcshammer_dj:
        try using an IP address for the DNS_nameservers

    In resolve.conf? I already tried that, same result.


