Antwort: [suse-security] Still probs with DansGuardian and Squid2.4-Stable7
Hi again, here a part ot the log from Squid : 1029306401.296 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- - 1029306403.147 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- - 1029306408.216 1 localhost TCP_DENIED/407 1397 GET http://www.linux-it.net/index.php - NONE/- - 1029306413.925 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- - 1029308327.375 1 localhost TCP_DENIED/407 1397 GET http://www.linux-it.net/index.php - NONE/- - 1029308335.963 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- - 1029308527.158 1 localhost TCP_DENIED/407 1397 GET http://www.linux-it.net/index.php - NONE/- - 1029308531.888 20 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- - Hi, after prevent connections directly to port 3128 for all other ip's (with iptables) and configured DansGuardian to use 127.0.0.1 - I will get following message from Squid : ERROR The requested URL could not be retrieved While trying to retrieve the URL: http://www.linux-it.net/index.php The following error was encountered: Forwarding Denied. This cache will not forward your request because it is trying to enforce a sibling relationship. Perhaps the client at 127.0.0.1 is a cache which has been misconfigured. Your cache administrator is bleonhardt@analytek.de. Generated Wed, 14 Aug 2002 06:26:53 GMT by www-cache.analytek.de (Squid/2.4.STABLE7) ---------------------- Have added the configuration-files-entries from squid , squidguard and dansguardian , maybe anybody will see a "mssconfiguration" ... Following Squid-Configuration : http_port 3128 tcp_outgoing_address 192.168.x.x udp_incoming_address 0.0.0.0 udp_outgoing_address 0.0.0.0 cache_peer 127.0.0.1 sibling 8080 7 cache_peer 192.168.1.8 parent 3128 7 cache_mem 32 MB cache_swap_low 10 cache_swap_high 100 maximum_object_size 1024 KB minimum_object_size 0 KB ipcache_size 4096 ipcache_low 90 ipcache_high 95 fqdncache_size 1024 cache_dir ufs /var/squid/cache 100 16 256 cache_access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log /var/squid/logs/store.log pid_filename /var/run/squid.pid debug_options ALL,1 client_netmask 255.255.255.255 # SQUID-GUARD redirect_program /usr/bin/squidGuard redirect_children 5 authenticate_program /usr/sbin/pam_auth /etc/passwd authenticate_children 5 refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 reference_age 1 week peer_connect_timeout 120 seconds client_lifetime 1 day half_closed_clients on pconn_timeout 360 seconds acl password proxy_auth REQUIRED acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl SSL_ports port 443 563 acl Safe_ports port 80 21 22 443 563 70 210 1025-65535 acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost all # I will replace "all" if everything is running :-) http_access allow password http_access deny CONNECT !SSL_ports http_access deny manager http_access deny test http_access deny all icp_access allow localhost all miss_access allow localhost manager all proxy_auth_realm Auth-Realm cache_mgr bleonhardt@analytek.de cache_effective_user squid cache_effective_group nogroup visible_hostname www-cache.analytek.de announce_period 0 day append_domain .analytek.de forwarded_for on log_icp_queries on icp_hit_stale on client_db on never_direct allow all ident_lookup_access allow all log_fqdn on -------------- Following SquidGuard - Rules : logdir /var/squidGuard/logs dbhome /var/squidGuard/db src kids { ip 192.168.x.x/24 } src local { ip 127.0.0.1/24 } dest blacklist { domainlist blacklist/domains urllist blacklist/urls } kids { pass !blacklist all } local { pass !blacklist all } default { pass none redirect http://192.168.1.13/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targe } } -------- Following DansGuardian - Config : reportinglevel = 3 htmltemplate = '/etc/dansguardian/template.html' loglevel = 3 logexceptionhits = on logfileformat = 1 filterip = 192.168.x.x filterport = 8080 proxyip = 127.0.0.1 proxyport = 3128 accessdeniedaddress = 'http://host-ip/cgi-bin/dansguardian.pl' bannedphraselist = '/etc/dansguardian/bannedphraselist' exceptionphraselist = '/etc/dansguardian/exceptionphraselist' weightedphraselist = '/etc/dansguardian/weightedphraselist' bannedsitelist = '/etc/dansguardian/bannedsitelist' exceptionsitelist = '/etc/dansguardian/exceptionsitelist' exceptionurllist = '/etc/dansguardian/exceptionurllist' bannedurllist = '/etc/dansguardian/bannedurllist' bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist' bannedextensionlist = '/etc/dansguardian/bannedextensionlist' bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist' bannediplist = '/etc/dansguardian/bannediplist' exceptioniplist = '/etc/dansguardian/exceptioniplist' banneduserlist = '/etc/dansguardian/banneduserlist' exceptionuserlist = '/etc/dansguardian/exceptionuserlist' picsfile = '/etc/dansguardian/pics' weightedphrasemode = 2 naughtynesslimit = 160 showweightedfound = on reverseaddresslookups = on createlistcachefiles = on maxuploadsize = -1 usernameidmethodproxyauth = off usernameidmethodntlm = off # **NOT IMPLEMENTED** usernameidmethodident = off forwardedfor = on maxchildren = 120 logconnectionhandlingerrors = on HOPE ANYBODY CAN HELP ME ! Regards / Gruß Bruno -- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
participants (1)
-
BLeonhardt@analytek.de