Topic: Dansguardian bypass for unauthed users

[ivan]

Hi all

I have dansguardian running on SME 7.3.
I am using NCSA auth-login
I need to allow unauthenticated uses to pass dans to a few site.
This is necessary as the antivirus software used cannot logon to a proxy thus it can get updates.

Is there a way to allow access to this update site without logging into the proxy?

Thanks
Ivan

[stephen noble]

added in response to your FAQ

http://wiki.contribs.org/Dansguardian#Bypass_Proxy

[ivan]

Hi

Thanks for the reply and help.
Can I use done names e.g update.antivirus.com instead of an IP address?

Regards
Ivan

[stephen noble]

No

You may have to use exceptionlists

[ivan]

Hi

Thanks
That's the 1st thing I did but they did not seem the work, still got cache access denied when trying to connect. I will try again and let you know.

Regards
Ivan

[David Harper]

Try changing the default mode from "banned" to "filtered" and then blocking all http, https and filetypes etc. Then use the exception list to allow your AV site to be accessed.

[ivan]

Sounds good will do thanks

[ivan]

Hi

Thanks for the help so far.
I must be missing something.
I looked in the wiki but can't find a note on have to change the default filter group, can you help?

I added the sites to the exception site list but auth is still required to access any site including the exceptions, It is the the fact that auth cannot be bypassed that is at issue as windows updates and the antivirus can't logon to the proxy. how is every one else using dans get passed this issue?

Regards
Ivan

[David Harper]

If you are new at this, I suggest you try the Dungog control panel. It makes life very easy.

snoble really can't sing his own praises, but I can

[ivan]

Hi all

Sorry still does not do it.

Even with expectionsitelist set the proxy still wants auth before allowing cache access
groupmode dansguardianf1.conf is set to one and exceptions are set e.g garmin.com
but if I cancel the auth request in the brower access is denied.

Thanks for the help so far
Regards
Ivan

[David Harper]

Set your browser up not to use the proxy, and then try to access the site. Does this help?

[ivan]

Hi

Thanks for the patience on this problem.

Yip tried that.
I think I have miss placed the problem. Dansguardian sits with squid, squid does the auth control dans filters. I don't need so much to change dans but the squid auth method. I used pam 1st time i setup Dans (not ncsa) it still let me though the proxy with out auth, then this  can be filtered by Dans.
What do you think?
I will try this and drop round again.

Regards
Ivan

[David Harper]

Give that a go and see what happens I guess.

If you think you have followed all the instructions, and Dansguardian is still not working as you believe it should be, you might have come across a bug. If that is the case, you can file a bug report and post the number in this thread for reference purposes.

[ivan]

Hi

I took a careful look at my configs as per the wiki. I cant see that I did any thing wrong.
I added the sites I want un-authenticated uses to be able to access into
/etc/dansguardian -exceptionsitelist, exceptionurllist, exceptionfilesitelist & exceptionfileurllist
but still if you cancel the authentication on the browser 'cache access denied' is returned.
I am not convinced this is a bug. How are others getting updates for software that can't authenticate to a proxy. Please advise.

Thanks for a great forum.

   

[janet]

ivan

If you are using a type of Auth to control access to the proxy server, then the issue is really that you need to bypass the proxy Auth requirement, and I'd assume that this means bypassing the proxy to gain access.

Using the various exception lists provided by dansguardian only specifies exceptions for authenticated (using Auth) or unauthenticated (not using Auth) users.
These lists will not help you bypass the Auth requirement.

I thought there was something in the Dansguardian wiki and forum posts and maybe even the FAQ (Firewall) about bypassing the proxy, so search more.

Maybe this is the answer
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Bypass_Proxy

Also there was something posted some time ago about configuring access for AV updates ie in relation to AVG, so also search these forums on that.

[ivan]

Hi Mary

Thanks for the post.
I agree with all you say. This is an auth bypass issue not a dans issuse.
The proxy bypass will work only for IP address not DNS resolved URL's.
I looked at all the posts you pointed to but they are not really going to solve the issue.

I found that by disabling auth with the following:

config delprop squid RequireAuth
expand-template /etc/squid/squid.conf
sv t /service/squid

Dans still operates but no auth is required to squid

My approach to resolve this is will be to setup a cron job to disable auth after hours to allow updates and then redo the auth with the nessary commands  with a reboot before working hours. This will be acceptable in my environment. I hope there is a better solution as mine may have unforeseen consequences. Input here would be appreciated.

Just a note: this problem is not a short coming with SME by rather software that does not take into account that proxy auth might be required to get services or updates. 

Thanks to all for all the input.

Regards
Ivan