Dansguardian #
Nachdem ich schon viel in eurem Wiki gelesen habe, muß ich auch mal etwas zurück geben (habe ich schon viel zu lange vor mir her geschoben)
Was ist das eigentlich #
Dansguardian ist ein Tranparentproxy, der den Inhalt der Webseite und nicht nur - wie allgemein üblich - die URL nach Begriffen filtert.
zu bekommen ist er unter http://dansguardian.org/
Er steht unter GPL ist aber für den kommerziellen Einsatz gebürenpflichtig
Einrichten von Dansguardian auf Suse 8.1 #
Es reicht aus wenn ihr die Radhat rpm nehmt und auf der Maschine einspielt! Ihr könnt es auch selber Kompilieren. Der Befehl dazu steht in der Readme! Wenn ihr es als rpm installiert, müßt ihr noch das cgi von /var/www/cgi-bin/ nach /srv/www/cgi-bin/ verschieben .
Konfigurieren #
Die Konfiguration ist eigentlich soweit fertig. Es sind nur einige Anpassungen sind zu machen!
# Web Access Denied Reporting (does not affect logging) # # -1 = log, but do not block - Stealth mode # 0 = just say 'Access Denied' # 1 = report why but not what denied phrase # 2 = report fully # 3 = use HTML template file (accessdeniedaddress ignored) reportinglevel = 3
# HTML Template file path. # Only used when reportinglevel is set to 3. # When used, DansGuardian will display the HTML file instead of # using the perl cgi script. This option is faster, cleaner # and easier to customise the access denied page. htmltemplate = '/etc/dansguardian/template.html'
# Logging Settings # 0 = none 1 = just denied 2 = all text based 3 = all requests loglevel = 2
# Log Exception Hits # Log if an exception (user, ip, URL, phrase) is matched and so # the page gets let through. Can be useful for diagnosing # why a site gets through the filter. on | off logexceptionhits = on
# Log File Format # 1 = DansGuardian format 2 = CSV-style format # 3 = Squid Log File Format 4 = Tab delimited logfileformat = 1
# Network Settings # # the IP that DansGuardian listens on. If left blank DansGuardian will # listen on all IPs. That would include all NICs, loopback, modem, etc. # Normally you would have your firewall protecting this, but if you want # you can limit it to only 1 IP. Yes only one. filterip =
# the port that DansGuardian listens to # It needs to be greater than 1024 filterport = 8080
# the ip of the proxy (default is the loopback - i.e. this server) proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on proxyport = 3128
# accessdeniedaddress is the address of your web server to which the cgi # dansguardian reporting script was copied accessdeniedaddress = 'http://192.168.2.1/cgi-bin/dansguardian.pl'
# Content filtering files location bannedphraselist = '/etc/dansguardian/bannedphraselist' exceptionphraselist = '/etc/dansguardian/exceptionphraselist' weightedphraselist = '/etc/dansguardian/weightedphraselist' bannedsitelist = '/etc/dansguardian/bannedsitelist' exceptionsitelist = '/etc/dansguardian/exceptionsitelist' exceptionurllist = '/etc/dansguardian/exceptionurllist' bannedurllist = '/etc/dansguardian/bannedurllist' bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist' bannedextensionlist = '/etc/dansguardian/bannedextensionlist' bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist' bannediplist = '/etc/dansguardian/bannediplist' exceptioniplist = '/etc/dansguardian/exceptioniplist' banneduserlist = '/etc/dansguardian/banneduserlist' exceptionuserlist = '/etc/dansguardian/exceptionuserlist' picsfile = '/etc/dansguardian/pics' contentregexplist = '/etc/dansguardian/contentregexplist'
# messages file for internationalisation. languagefile = '/etc/dansguardian/messages'
# Weighted phrase mode # There are 3 possible modes of operation: # 0 = off = do not use the weighted phrase feature. # 1 = on, normal = normal weighted phrase operation. # 2 = on, singular = each weighted phrase found only counts once on a page. weightedphrasemode = 2
# Naughtyness limit # This the limit over which the page will be blocked. Each weighted phrase is given # a value either positive or negative and the values added up. Phrases to do with # good subjects will have negative values, and bad subjects will have positive # values. See the weightedphraselist file for examples. # As a guide: # 50 is for young children, 100 for old children, 160 for young adults. naughtynesslimit = 50
# Show weighted phrases found # If enabled then the phrases found that made up the total which excedes # the naughtyness limit will be logged and, if the reporting level is # high enough, reported. on | off showweightedfound = on
# Positive result caching for text URLs # Caches good pages so they don't need to be scanned again # 0 = off (recommended for ISPs with users with disimilar browsing) # 100 = recommended for schools urlcachenumber = 100 # # Age before they are stale and should be ignored in seconds # 0 = never # 300 = reccomended urlcacheage = 300 # Reverse lookups for banned site and URLs. # If set to on, DansGuardian will look up the forward DNS for an IP URL # address and search for both in the banned site and URL lists. This would # prevent a user from simply entering the IP for a banned address. # It will reduce searching speed somewhat so unless you have a local caching # DNS server, leave it off and use the Blanket IP Block option in the # bannedsitelist file instead. reverseaddresslookups = off
# Build bannedsitelist and bannedurllist cache files. # This will compare the date stamp of the list file with the date stamp of # the cache file and will recreate as needed. # If a bsl or bul .processed file exists, then that will be used instead. # It will increase process start speed by 300%. On slow computers this will # be significant. Fast computers do not need this option. on | off createlistcachefiles = on
# POST protection (web upload and forms) # does not block forms without any file upload, i.e. this is just for # blocking or limiting uploads # measured in kilobytes after MIME encoding and header bumph # use 0 for a complete block # use higher (e.g. 512 = 512Kbytes) for limiting # use -1 for no blocking #maxuploadsize = 512 #maxuploadsize = 0 maxuploadsize = -1
# Max content filter page size # Sometimes web servers label binary files as text which can be very # large which causes a huge drain on memory and cpu resources. # To counter this, you can limit the size of the document to be # filtered and get it to just pass it straight through. # This setting also applies to content regular expression modification. # The size is in Megabytes - eg 2 = 2048Kb # use 0 for no limit maxcontentfiltersize = 1
# Username identification methods (used in logging) # You can have as many methods as you want and not just one. The first one # will be used then if no username is found, the next will be used. # * proxyauth is for when basic proxy authentication is used (no good for # transparent proxying). # * ntlm is for when the proxy supports the MS NTLM authentication # protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED** # * ident is for when the others don't work. It will contact the computer # that the connection came from and try to connect to an identd server # and query it for the user owner of the connection. usernameidmethodproxyauth = off usernameidmethodntlm = off # **NOT IMPLEMENTED** usernameidmethodident = off
# Misc settings
# if on it adds an X-Forwarded-For: <clientip> to the HTTP request # header. This may help solve some problem sites that need to know the # source ip. on | off forwardedfor = off
# if on it uses the X-Forwarded-For: <clientip> to determine the client # IP. This is for when you have squid between the clients and DansGuardian. # Warning - headers are easily spoofed. on | off usexforwardedfor = off
# sets the maximum number of processes to sporn to handle the incomming # connections. This will prevent DoS attacks killing the server with # too many spawned processes. # On large sites you might want to double or triple this number. maxchildren = 120
# if on it logs some debug info regarding fork()ing and accept()ing which # can usually be ignored. These are logged by syslog. It is safe to leave # it on or off logconnectionhandlingerrors = off
Iptables zum umleiten auf den Transparentproxy #
- Ändern der iptables Regeln (unter suse kann man das in die /etc/initd/boot.local eintragen)
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080 # Alle Anfragen von Port 80 zum Port 8080 (dort arbeitet DansGuardian) weiterleiten
- Speren von Squid Port
iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP # Dmit keiner direkt auf den Squid kann und somit DansGuardian umgeht
Ein Anfang #
1. Squid Kompilieren mit der Option "--enable-linux-netfilter" 2. Squid so einrichten, dass er läuft
Folgende Zeilen in der squid.conf ändern
httpd_accel_host virtual httpd_accel_port 80 httpd_accel_single_host off httpd_accel_with_proxy on httpd_accel_uses_host_header on
3a. Ändern der IpTables Regeln (unter suse kann man das in die /etc/initd/boot.local eintragen)
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
Alle Anfragen von Port 80 zum Port 8080 dort arbeitet DansGuardian weiterleiten
Wenn man will, kann man DansGuardian auch auf einer anderen Maschine laufen lassen
iptables -t nat -A PREROUTING -m tcp -p tcp -s ! {DG's IP ADDRESS} --dport 80 -j DNAT --to {DG's IP ADDRESS}:8080
Die "!" sind wichtig weil man nicht wie normal vom loopback (127.0.0.1) aus geht
3b. Speren von Squid Port
iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
Das ist nötig damit keiner direkt Squid als Proxy angeben kann und so mit DansGuardian umgehen würde!
4. Default Gateway Der Recher sollte als Standart-Gateway für den Intertnet-Zugang eigerichtet werden. Das kann im jedem Client eingestellt werden oder oder in der /etc/dhcp.conf
Das ist die Überbestzung mit einigen Anpassungen an suse von http://dansguardian.org/downloads/DGandTransparent.txt
Anmerkung #
Leider muß ich selber ersteinmal fertig werden. Aber ich hoffe, dass ich jetzt selber den Anfang gemacht habe und dass ich es auch fertig schreibe.
Schön. :-) Sieht ja gut aus bisher. Willkommen im Club! Das Ding kannte ich noch gar nicht, bin schon gespannt auf Deine Erfahrung. Übrigens könnte es eine gute Idee sein, wenn Du einen User-Login machen würdest. Dann kann man in RecentChanges besser sehen, wer was geändert hat. Außerdem ist es üblich, dass sich jeder Benutzer eine eigene Seite einrichtet, die den Usernamen als Titel hat. Meine ist ThomasBayen, Deine sollte AnsgarJazdzewski sein. Dort kannst Du dann was über Dich schreiben und andere können Dir Kommentare dort hinterlassen (So wie dieser Absatz hier, den Du von der DansGuardian-Seite wieder löschen solltest). -- ThomasBayen
Für Debian gibt es DansGuardian in Sarge und Etch als fertige Pakete. --PeterHormanns