Koozali.org: home of the SME Server

Dansguardian in Server-Only mode

hollymcr

Dansguardian in Server-Only mode
« on: February 14, 2007, 11:35:57 AM »
I need to have a server-only installation with Dansguardian.

I have installed the Dungog contrib, and if I enable PAM authentication everything works (obviously with it being server-only I need to manually configure the clients to use the proxy on port 8080).

However, if I don't want the authentication step, the only option I have is "transparent", which if I select it disallows all web browsing when I turn on the proxy in IE (I'm using IE7 if that's relevant).
Am I doing something wrong?

Offline Franco

Dansguardian in Server-Only mode
« Reply #1 on: February 14, 2007, 05:47:40 PM »
Whatever you are using as router needs to redirect all traffic destined to port 80 to your sme+dans server. This works fine.

hollymcr

Dansguardian in Server-Only mode
« Reply #2 on: February 14, 2007, 06:52:55 PM »
Quote from: "stuntshell"
Whatever you are using as router needs to redirect all traffic destined to port 80 to your sme+dans server. This works fine.


Sorry, I think one of us is missing the point.

I can force traffic through the box using IE's settings (yes I know it's easy to work around but it's enough for my purposes).

The problem is that when the traffic gets there it is blocked by Dansguardian, unless I select (e.g.) PAM authentication. I want any connection to 8080 to be accepted (but filtered), which would be the case in transparent mode (if I was in gateway mode), but apparently not in server-only mode.

If I select 3128 as the proxy port in IE it "works" (I can access the web, but without filtering).

I suspect this is only a problem in server-only mode as nobody else seems to be reporting it, but it could just as well be a problem with my config.

Offline Franco

Dansguardian in Server-Only mode
« Reply #3 on: February 14, 2007, 08:37:02 PM »
Quote from: "hollymcr"

If I select 3128 as the proxy port in IE it "works" (I can access the web, but without filtering).

Right, that means that squid is working on that port.
You should block access to that.

Are you using the commercial version of Dungog, or did you follow Ray's instructions?
Both situations work in server-only or gateway mode.

hollymcr

Dansguardian in Server-Only mode
« Reply #4 on: February 16, 2007, 11:53:11 AM »
Quote from: "stuntshell"

Right, that means that squid is working on that port.
You should block access to that.


That seems to have worked on my local test install but not on the actual system causing the problem, but I guess that means something else is wrong and I'll go hunting to find out what.

I'm confused as to why blocking the ports is necessary, though; I assumed that this was to prevent people working around the filter, but it seems IE tries to work around the filter without help?

Quote

Are you using the commercial version of Dungog, or did you follow Ray's instructions?
Both situations work in server-only or gateway mode.


Commercial version.

Offline Franco

Dansguardian in Server-Only mode
« Reply #5 on: February 16, 2007, 12:11:44 PM »
If you're using the latest version then all you have to do is configure the panel properly, there's an option to block other ports.
When IE/Firefox is configured to connect automatically, then it finds the port 3128 (squid) bypassing the security.

hollymcr

Dansguardian in Server-Only mode
« Reply #6 on: February 16, 2007, 12:30:29 PM »
Quote from: "stuntshell"
If you're using the latest version then all you have to do is configure the panel properly, there's an option to block other ports.
When IE/Firefox is configured to connect automatically, then it finds the port 3128 (squid) bypassing the security.


I think I must be doing something wrong, then - I'll try a fresh install on a test box (or VMware virtual machine).

I have the browser set to use port 8080 - i.e. I'm not doing anything automatically, just giving it direct instructions. If I read you right, therefore, it should not be trying 3128 at all?

Offline Franco

Dansguardian in Server-Only mode
« Reply #7 on: February 16, 2007, 01:14:09 PM »
That's right: client requests a page => dansguardian checks if it's OK (8080) => squid caches (3128) => client receives page
The dansguardian/squid process is done transparently to the client; if he gets to 3128 before dans, no security.
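
The request path in Reply #7 only protects anything if clients cannot open Squid's port themselves. As an added example (not part of the thread or of any contrib), this Python check, run from a client workstation rather than on the server, reports which of ports 8080 and 3128 accept connections; the verdict labels and the script name are assumptions of the example.

```python
"""Audit which proxy ports a client can reach (added example)."""
import socket
import sys

FILTER_PORT = 8080  # DansGuardian port named in the thread
CACHE_PORT = 3128   # Squid port named in the thread


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def audit_proxy(host, filter_port=FILTER_PORT, cache_port=CACHE_PORT,
                timeout=2.0):
    """Classify what a client at this vantage point can reach."""
    filt = port_open(host, filter_port, timeout)
    cache = port_open(host, cache_port, timeout)
    if filt and cache:
        verdict = "BYPASS"      # filter works, but Squid is also open
    elif cache:
        verdict = "UNFILTERED"  # only the cache answers; nothing filters
    elif filt:
        verdict = "OK"          # clients can only enter through the filter
    else:
        verdict = "DOWN"        # no proxy reachable at all
    return {"filter_open": filt, "cache_open": cache, "verdict": verdict}


if __name__ == "__main__":
    # Hypothetical usage: python audit_proxy.py <server-address>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = audit_proxy(target)
    print(f"{target}: filter {FILTER_PORT} open={result['filter_open']}, "
          f"cache {CACHE_PORT} open={result['cache_open']} "
          f"-> {result['verdict']}")
    # Non-zero exit lets a scheduled check alert on anything but OK.
    sys.exit(0 if result["verdict"] == "OK" else 1)
```

Running it on the server itself is expected to show 3128 open, because DansGuardian has to reach Squid locally; the result that matters is the one seen from the client network.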

Offline dsweet

second box with Dans Guardian installed
« Reply #8 on: February 21, 2007, 05:22:13 AM »
I have a fresh install on a gateway that I am watching closely, as during the initial upgrade from 6.0 to 7.0 some things went awry. In the meantime I had configured a second SMESERVER in server-only mode to protect the information in case the Gateway went down. I have Dans Guardian installed on that server-only configuration and the Gateway machine is still a bare install. By following the posts here and in the documentation for Dansguardian everything is working well.
At this point all clients did have to be configured to use the proxy address of the server-only machine and are listening on port 8080. I have done nothing to the Server / Gateway as far as configuration towards the other machine. The server-only seems to be doing a very good job of blocking things out. I just thought a little confirmation that it does work was in order.
My goal is to eliminate the server-only machine as soon as I work out anything that could be incorrect on the Server/gateway machine - so far so good.
Thank you everyone that has put their hat in the ring and to those that have done the tried and true work.
...
DSweet
**das(at)dsweet.com**...

aburg

Dansguardian in Server-Only mode
« Reply #9 on: April 19, 2007, 08:28:38 PM »
I was curious what the ultimate resolution was to Holly's issue with Dansguardian in server-only mode. I am having the same problem.

Thanks
Aaron

Offline Franco

Dansguardian in Server-Only mode
« Reply #10 on: April 21, 2007, 06:20:39 PM »
What is the issue you're having?
The only problem I have is with Dungog's paid package, which gives you a panel to manipulate Dansguardian. When in Server-only it has problems reloading Dansguardian:
Code:
signal-event dansguardian-reload
manually fixes it.

radbrad

I do not believe you can use transparent proxy.
« Reply #11 on: July 01, 2007, 01:01:24 PM »
I have read so many posts going back 3+ years and have yet to see a solution. I have read the famous Ray's how-to but I have to say it leaves a whole bunch of holes....

But almost every post points to it.

Why is it so difficult to make the server redirect all the port 80 or port 3128 to 8080 where Dansguardian lives?

How about doing a port forwarding port 80 to localhost port 8080?

Has anyone fixed this problem?

radbrad

Offline mmccarn

Dansguardian in Server-Only mode
« Reply #12 on: July 01, 2007, 07:52:09 PM »
Looking at the template fragments it looks as though
Code:
config setprop squid TransparentPort 8080
would force all traffic on port 80 to go through port 8080.

But -- does Dansguardian support transparent proxying?

If the above doesn't work, you may also be able to simply set up Dan's on 8080, then configure Squid to use localhost:8080 as the 'upstream' proxy server like this:
Code:
config set SquidParent localhost
config set SquidParentPort 8080


(These are both complete guesses...)

radbrad

It works like a charm
« Reply #13 on: July 07, 2007, 10:59:56 AM »
Your little fragment as you call it works perfectly.

Thank you mmccarn. Dansguardian now works transparently. Apparently your little snippet makes squid use 8080, which seems to be the default for dansguardian.

It works like a charm.

I will be posting a step by step on how to set up dansguardian in the next couple of days. This will be directed at the new guys like myself. New to linux that is.

I have been in the computer biz over 20+ years now. I am a CNE and a CNA. As well as a self-proclaimed Microsoft guru. But Linux has put the fun back into computing for me. I love it.

Cheers.
radbrad
Brad Kershaw

Offline raem

Re: Dansguardian in Server-Only mode
« Reply #14 on: July 11, 2007, 05:33:36 PM »
...