Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: bas on February 02, 2009, 11:25:05 PM
-
I've got dansguardian configured by the DG contrib.
Somehow I can't seem to get all settings right.
Port 80 redirect to 8080 doesn't function, so browsers configured to autodetect the proxy find the proxy on port 80 and pass by the DG filter.
Port 3128 is blocked; personally I don't care about this, but colleagues use this frequently to do what they shouldn't.
Can someone post which db setting I'll have to check or set?
I've worked around this problem by setting a policy to use the proxy.
This works for all our own workstations/servers. I can't force policies for 3rd parties that do maintenance, therefore I've changed the default gateway so they will have to ask for settings in order to download software.
Good thing about this is that I know who uses the internet and they can only download work related files. Bad thing about this is that other SME servers can't download their updates, because they haven't got a gateway.
Is there a way to set a proxy and port for an SME server to use?
thanks, Bas
-
Is there a way to set a proxy and port for an SME server to use?
I use http://wiki.contribs.org/Firewall#Bypass_Proxy
Another way would be to configure yum on the client server to use the proxy
http://bugs.contribs.org/show_bug.cgi?id=542
-
From the dansguardian wiki:
1) Configure your SME Server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080
Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-dansguardian and is configured with the following commands
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot
2) Configure your workstation web browser to auto detect proxy port
Go to your workstation and open your browser eg Internet Explorer or Firefox or your preferred browser
Change the settings for Connections to LAN
Select Auto detect proxy
Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080
-
Just installed DG and it seems to work just fine as long as I configure the browser to auto-detect proxy. I would like to ensure that despite what is configured in the individual browsers all go through DG. Going through DG must not be bypassed by a smart guy in the office. So how do I ensure that all port 80 (HTTP) requests are redirected via DG?
Obviously I have already done as the Wiki states:
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot
I do not run with authentication right now.
Suggestions?
-
Knuddi
Just installed DG and it seems to work just fine as long as I configure the browser to auto-detect proxy....... So how do I ensure that all port 80 (HTTP) requests are redirected via DG?
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot
Those commands should have forced all access to the proxy via port 8080.
Are you saying that you can still get unfiltered access via port 80 or 3128 ?
Have you made other changes that can affect functionality eg
disabled Transparent Proxy using these commands
config setprop squid Transparent no
expand-template /etc/squid/squid.conf
sv t /service/squid
I believe I read that with the Transparent Proxy disabled, users can bypass DG (thus the implied need for one form of authentication).
ie as per this note in the Howto
If you disable the Transparent Proxy feature of SME Server, Dansguardian can be bypassed at will by your users. You should keep the Transparent Proxy enabled (but configured as above) for filtering to work.
http://wiki.contribs.org/Dansguardian
Search the forums for details.
-
Yes, I am saying that I can get unfiltered access via port 80. I have not disabled the transparency but when checking the Wiki I can see that it's never actively enabled either. See output from DB:
09:36:15 root@mail ~@Home]config show dansguardian
dansguardian=service
portblocking=yes
status=enabled
09:36:26 root@mail ~@Home]config show squid
squid=service
EnforceSafePorts=no
SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
TCPPort=3128
TCPProxyPort=80:3128
Transparent=no
TransparentPort=8080
access=private
status=enabled
The Wiki states the following is needed:
config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot
But I guess a:
config setprop squid Transparent yes
expand-template /etc/squid/squid.conf
sv t /service/squid
is also needed. I will give that a go when I get home later today.
-
Knuddi
The dansguardian settings look normal.
Keep in mind that the default value is set (as determined by the code in the templates) when there is no db entry.
config show squid
squid=service
Transparent=no
As I anticipated, your setting is wrong.
Change it to yes as per db commands already referred to ie
config setprop squid Transparent yes
expand-template /etc/squid/squid.conf
sv t /service/squid
-
Unfortunately this didn't do the job. My firefox which has been configured with "no proxy" goes right through unfiltered.
21:07:32 root@mail ~@Home]config setprop squid Transparent yes
21:07:49 root@mail ~@Home]expand-template /etc/squid/squid.conf
21:07:57 root@mail ~@Home]sv t /service/squid
21:08:02 root@mail ~@Home]config show dansguardian
dansguardian=service
portblocking=yes
status=enabled
21:24:59 root@mail ~@Home]config show squid
squid=service
EnforceSafePorts=no
SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
TCPPort=3128
TCPProxyPort=80:3128
Transparent=yes
TransparentPort=8080
access=private
status=enabled
21:25:07 root@mail ~@Home]/etc/init.d/dansguardian restart
Shutting down dansguardian: [ OK ]
Starting dansguardian: [ OK ]
Any other good suggestions I can try? To me this looks like an IPTables issue where port 80 is not redirected to 8080 where DG resides.
-
Knuddi
What is your general network arrangement ?
Are you only using one sme server and is it in server gateway mode ?
Is it the proxy server for your network ?
Do you have other "adjustments" made to firewall rules or anything else that may affect the issue ?
What versions of the dansguardian rpms are you using ?
-
Are you going through 8080 but filtering just hasn't been enabled?
Check /var/log/dansguardian/access
-
I have two browsers installed on same PC (IE and FF). I check filtering via the log you propose only and see that IE (which uses proxy) is filtered and FF which goes direct is not.
ex.
2009.4.16 7:50:14 - 192.168.212.244 http://forums.contribs.org/index.php?action=post;topic=43235.0;num_replies=9 *SCANNED* GET 62834
-
My suspicion seemed correct - port 80 outgoing was not sent to DG (port 8080). Using this iptables command I got all data via DG (my LAN is 212.x/24).
iptables -t nat -I PREROUTING ! -i eth1 -p tcp -s 192.168.212.0/24 --dport 80 -j REDIRECT --to-ports 8080
I thought this was a part of the smeserver-dansguardian package to set this up?
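
The state diagnosed above (db properties set as the wiki asks, yet no NAT rule sending port 80 to 8080) can be checked mechanically. The following is an added example, not part of the original posts or of the smeserver-dansguardian package; the function names and the sample iptables-save text are constructed, and only rules placed directly in PREROUTING, as in the poster's command, are considered.

```shell
#!/bin/bash
# db_prop KEY: read "config show" output on stdin and print KEY's value.
db_prop() { sed -n "s/^[[:space:]]*$1=//p" | head -n 1; }

# has_redirect FROM TO: read iptables-save output on stdin; succeed only if the
# nat PREROUTING chain itself holds a REDIRECT from dport FROM to port TO.
# Rules reached through a jump to another chain are not followed.
has_redirect() {
    awk -v from="$1" -v to="$2" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" {
            dport = target = toports = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-ports") toports = $(i + 1)
            }
            if (dport == from && target == "REDIRECT" && toports == to) found = 1
        }
        END { exit !found }'
}

# audit DB_TEXT NAT_TEXT: print one line per gap, return the number of gaps.
audit() {
    gaps=0
    for want in Transparent=yes TransparentPort=8080 portblocking=yes; do
        key=${want%%=*}
        if [ "$(printf '%s\n' "$1" | db_prop "$key")" != "${want#*=}" ]; then
            echo "db: $key is not ${want#*=}"; gaps=$((gaps + 1))
        fi
    done
    if ! printf '%s\n' "$2" | has_redirect 80 8080; then
        echo "nat: no PREROUTING redirect from port 80 to 8080"; gaps=$((gaps + 1))
    fi
    return "$gaps"
}

# Constructed sample input: db values as posted in the thread, and a nat table
# before and after the poster's manual rule (iptables-save layout assumed).
DB='Transparent=yes
TransparentPort=8080
portblocking=yes'
NAT_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
COMMIT'
NAT_AFTER="*nat
-A PREROUTING -s 192.168.212.0/24 ! -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT"
audit "$DB" "$NAT_BEFORE" || true   # prints the missing-redirect gap
audit "$DB" "$NAT_AFTER"            # prints nothing
```

On a live server the two arguments would be `"$(config show squid; config show dansguardian)"` and `"$(iptables-save -t nat)"`.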
-
Knuddi
I thought this was a part of the smeserver-dansguardian package to set this up?
What version rpms are you using ?
-
smeserver-dansguardian-2.9-5.el4.sme
dansguardian-2.10.0.3-4.el4.sme
Which were the latest I got from smecontribs repository
-
I can see that I am not the only one seeing this problem.
http://bugs.contribs.org/show_bug.cgi?id=4820
Wonder whether Mr. Noble has a plan to fix the package?