Antwort: [suse-security] Still probs with DansGuardian and Squid2.4-Stable7
- From: BLeonhardt@xxxxxxxxxxx
- Date: Wed, 14 Aug 2002 09:16:02 +0200
- Message-id: <OF0CE89517.269C8B3C-ONC1256C15.0027DAD8-C1256C15.00276C9E@xxxxxxxxxxx>
Hi again,
here is a part of the log from Squid:
1029306401.296 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029306403.147 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029306408.216 1 localhost TCP_DENIED/407 1397 GET
http://www.linux-it.net/index.php - NONE/- -
1029306413.925 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029308327.375 1 localhost TCP_DENIED/407 1397 GET
http://www.linux-it.net/index.php - NONE/- -
1029308335.963 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029308527.158 1 localhost TCP_DENIED/407 1397 GET
http://www.linux-it.net/index.php - NONE/- -
1029308531.888 20 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
Hi,
after preventing direct connections to port 3128 from all other IPs (with
iptables) and configuring DansGuardian to use 127.0.0.1, I get the
following message from Squid:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.linux-it.net/index.php
The following error was encountered:
Forwarding Denied.
This cache will not forward your request because it is trying to enforce a
sibling relationship. Perhaps the client at 127.0.0.1 is a cache which has
been misconfigured.
Your cache administrator is bleonhardt@xxxxxxxxxxxx
Generated Wed, 14 Aug 2002 06:26:53 GMT by www-cache.analytek.de
(Squid/2.4.STABLE7)
----------------------
I have added the configuration file entries from Squid, squidGuard and
DansGuardian; maybe somebody will spot a "misconfiguration" ...
Following Squid-Configuration :
# Squid configuration excerpt as posted (the error page in this message
# reports Squid/2.4.STABLE7). Review notes are marked NOTE(review).
http_port 3128
tcp_outgoing_address 192.168.x.x
udp_incoming_address 0.0.0.0
udp_outgoing_address 0.0.0.0
# NOTE(review): this declares a sibling cache at 127.0.0.1:8080. The
# DansGuardian config in this message sets filterip = 192.168.x.x, so nothing
# posted here is shown listening on 127.0.0.1:8080, and DansGuardian talks to
# Squid as a client (proxyip/proxyport), not as a cache peer - presumably this
# line is not needed; confirm.
cache_peer 127.0.0.1 sibling 8080 7
cache_peer 192.168.1.8 parent 3128 7
cache_mem 32 MB
cache_swap_low 10
cache_swap_high 100
maximum_object_size 1024 KB
minimum_object_size 0 KB
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /var/squid/cache 100 16 256
cache_access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log
pid_filename /var/run/squid.pid
debug_options ALL,1
client_netmask 255.255.255.255
# SQUID-GUARD
redirect_program /usr/bin/squidGuard
redirect_children 5
# NOTE(review): pam_auth normally authenticates through PAM rather than
# reading a password file - confirm the /etc/passwd argument is intended.
authenticate_program /usr/sbin/pam_auth /etc/passwd
authenticate_children 5
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
reference_age 1 week
peer_connect_timeout 120 seconds
client_lifetime 1 day
half_closed_clients on
pconn_timeout 360 seconds
# ACL definitions. "password" matches any request carrying valid proxy
# authentication credentials.
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
# NOTE(review): Safe_ports is defined but no http_access rule in this excerpt
# references it, so as posted it restricts nothing.
acl Safe_ports port 80 21 22 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access rules are checked top-down and the first match decides; ACL
# names on one line are ANDed. The next rule therefore matches only
# cache_object (manager) requests coming from 127.0.0.1.
http_access allow manager localhost all # I will replace "all" if
everything is running :-)
# NOTE(review): this allow comes before the CONNECT and manager denies below,
# so an authenticated user is accepted before those denies are consulted;
# deny rules that should bind authenticated users have to precede it.
http_access allow password
http_access deny CONNECT !SSL_ports
http_access deny manager
# NOTE(review): no "acl test" is defined in this excerpt.
http_access deny test
http_access deny all
icp_access allow localhost all
# NOTE(review): the three ACLs are ANDed, so this allows cache misses only for
# cache_object requests from 127.0.0.1. When no rule matches, Squid applies
# the opposite of the last rule, i.e. deny - ordinary HTTP requests arriving
# from DansGuardian at 127.0.0.1 are then refused miss forwarding. This likely
# explains the "Forwarding Denied ... sibling relationship" page and the
# TCP_MISS/403 log entries in this message; confirm by testing.
miss_access allow localhost manager all
proxy_auth_realm Auth-Realm
cache_mgr bleonhardt@xxxxxxxxxxx
cache_effective_user squid
cache_effective_group nogroup
visible_hostname www-cache.analytek.de
announce_period 0 day
append_domain .analytek.de
# Adds the requesting client's address to forwarded requests in an
# X-Forwarded-For header, which the parent proxy and origin servers can see.
forwarded_for on
log_icp_queries on
icp_hit_stale on
client_db on
# Every request must go through a peer; Squid never contacts origin servers
# directly with this setting.
never_direct allow all
ident_lookup_access allow all
log_fqdn on
--------------
Following SquidGuard - Rules :
# squidGuard rules as posted: two source groups, one destination blacklist,
# and a default that blocks and redirects everything else.
logdir /var/squidGuard/logs
dbhome /var/squidGuard/db
src kids {
ip 192.168.x.x/24
}
# The /24 mask covers 127.0.0.0 - 127.0.0.255, not only 127.0.0.1.
# NOTE(review): once clients reach Squid through DansGuardian, Squid presumably
# sees 127.0.0.1 as the client address, so filtered traffic would match
# "local" rather than "kids" - confirm against the squidGuard log.
src local {
ip 127.0.0.1/24
}
dest blacklist {
domainlist blacklist/domains
urllist blacklist/urls
}
# Both source groups get the same policy: everything except the blacklist.
kids {
pass !blacklist all
}
local {
pass !blacklist all
}
# Requests from any other source are blocked and sent to the redirect URL.
# NOTE(review): the redirect URL is cut off in the archived message (it ends
# at "&targe"), and the final closing brace has no matching opener in the
# lines shown - possibly an "acl {" line was lost when pasting.
default {
pass none
redirect
http://192.168.1.13/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targe
}
}
--------
Following DansGuardian - Config :
# DansGuardian configuration excerpt as posted.
reportinglevel = 3
htmltemplate = '/etc/dansguardian/template.html'
loglevel = 3
logexceptionhits = on
logfileformat = 1
# filterip/filterport: where DansGuardian listens for browsers.
# proxyip/proxyport: the Squid instance it forwards filtered requests to.
# NOTE(review): Squid's "cache_peer 127.0.0.1 sibling 8080" in this message
# points at 127.0.0.1:8080, while the listener configured here is on
# 192.168.x.x:8080.
filterip = 192.168.x.x
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
# 'host-ip' looks like an unreplaced placeholder - confirm.
accessdeniedaddress = 'http://host-ip/cgi-bin/dansguardian.pl'
bannedphraselist = '/etc/dansguardian/bannedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedurllist = '/etc/dansguardian/bannedurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
picsfile = '/etc/dansguardian/pics'
weightedphrasemode = 2
naughtynesslimit = 160
showweightedfound = on
reverseaddresslookups = on
createlistcachefiles = on
maxuploadsize = -1
# NOTE(review): all three username identification methods are off, although
# the Squid config in this message requires proxy authentication. Presumably
# banneduserlist/exceptionuserlist and per-user logging cannot take effect
# without a username source - confirm.
usernameidmethodproxyauth = off
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
# Passes the browser's address on to Squid in an X-Forwarded-For header.
forwardedfor = on
maxchildren = 120
logconnectionhandlingerrors = on
HOPE ANYBODY CAN HELP ME !
Regards / Gruß
Bruno
here is a part of the log from Squid:
1029306401.296 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029306403.147 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029306408.216 1 localhost TCP_DENIED/407 1397 GET
http://www.linux-it.net/index.php - NONE/- -
1029306413.925 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029308327.375 1 localhost TCP_DENIED/407 1397 GET
http://www.linux-it.net/index.php - NONE/- -
1029308335.963 1 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
1029308527.158 1 localhost TCP_DENIED/407 1397 GET
http://www.linux-it.net/index.php - NONE/- -
1029308531.888 20 localhost TCP_MISS/403 1091 GET
http://www.linux-it.net/index.php user10 NONE/- -
Hi,
after preventing direct connections to port 3128 from all other IPs (with
iptables) and configuring DansGuardian to use 127.0.0.1, I get the
following message from Squid:
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.linux-it.net/index.php
The following error was encountered:
Forwarding Denied.
This cache will not forward your request because it is trying to enforce a
sibling relationship. Perhaps the client at 127.0.0.1 is a cache which has
been misconfigured.
Your cache administrator is bleonhardt@xxxxxxxxxxxx
Generated Wed, 14 Aug 2002 06:26:53 GMT by www-cache.analytek.de
(Squid/2.4.STABLE7)
----------------------
I have added the configuration file entries from Squid, squidGuard and
DansGuardian; maybe somebody will spot a "misconfiguration" ...
Following Squid-Configuration :
# Squid configuration excerpt as posted (the error page in this message
# reports Squid/2.4.STABLE7). Review notes are marked NOTE(review).
http_port 3128
tcp_outgoing_address 192.168.x.x
udp_incoming_address 0.0.0.0
udp_outgoing_address 0.0.0.0
# NOTE(review): this declares a sibling cache at 127.0.0.1:8080. The
# DansGuardian config in this message sets filterip = 192.168.x.x, so nothing
# posted here is shown listening on 127.0.0.1:8080, and DansGuardian talks to
# Squid as a client (proxyip/proxyport), not as a cache peer - presumably this
# line is not needed; confirm.
cache_peer 127.0.0.1 sibling 8080 7
cache_peer 192.168.1.8 parent 3128 7
cache_mem 32 MB
cache_swap_low 10
cache_swap_high 100
maximum_object_size 1024 KB
minimum_object_size 0 KB
ipcache_size 4096
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_dir ufs /var/squid/cache 100 16 256
cache_access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log
pid_filename /var/run/squid.pid
debug_options ALL,1
client_netmask 255.255.255.255
# SQUID-GUARD
redirect_program /usr/bin/squidGuard
redirect_children 5
# NOTE(review): pam_auth normally authenticates through PAM rather than
# reading a password file - confirm the /etc/passwd argument is intended.
authenticate_program /usr/sbin/pam_auth /etc/passwd
authenticate_children 5
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
reference_age 1 week
peer_connect_timeout 120 seconds
client_lifetime 1 day
half_closed_clients on
pconn_timeout 360 seconds
# ACL definitions. "password" matches any request carrying valid proxy
# authentication credentials.
acl password proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
# NOTE(review): Safe_ports is defined but no http_access rule in this excerpt
# references it, so as posted it restricts nothing.
acl Safe_ports port 80 21 22 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access rules are checked top-down and the first match decides; ACL
# names on one line are ANDed. The next rule therefore matches only
# cache_object (manager) requests coming from 127.0.0.1.
http_access allow manager localhost all # I will replace "all" if
everything is running :-)
# NOTE(review): this allow comes before the CONNECT and manager denies below,
# so an authenticated user is accepted before those denies are consulted;
# deny rules that should bind authenticated users have to precede it.
http_access allow password
http_access deny CONNECT !SSL_ports
http_access deny manager
# NOTE(review): no "acl test" is defined in this excerpt.
http_access deny test
http_access deny all
icp_access allow localhost all
# NOTE(review): the three ACLs are ANDed, so this allows cache misses only for
# cache_object requests from 127.0.0.1. When no rule matches, Squid applies
# the opposite of the last rule, i.e. deny - ordinary HTTP requests arriving
# from DansGuardian at 127.0.0.1 are then refused miss forwarding. This likely
# explains the "Forwarding Denied ... sibling relationship" page and the
# TCP_MISS/403 log entries in this message; confirm by testing.
miss_access allow localhost manager all
proxy_auth_realm Auth-Realm
cache_mgr bleonhardt@xxxxxxxxxxx
cache_effective_user squid
cache_effective_group nogroup
visible_hostname www-cache.analytek.de
announce_period 0 day
append_domain .analytek.de
# Adds the requesting client's address to forwarded requests in an
# X-Forwarded-For header, which the parent proxy and origin servers can see.
forwarded_for on
log_icp_queries on
icp_hit_stale on
client_db on
# Every request must go through a peer; Squid never contacts origin servers
# directly with this setting.
never_direct allow all
ident_lookup_access allow all
log_fqdn on
--------------
Following SquidGuard - Rules :
# squidGuard rules as posted: two source groups, one destination blacklist,
# and a default that blocks and redirects everything else.
logdir /var/squidGuard/logs
dbhome /var/squidGuard/db
src kids {
ip 192.168.x.x/24
}
# The /24 mask covers 127.0.0.0 - 127.0.0.255, not only 127.0.0.1.
# NOTE(review): once clients reach Squid through DansGuardian, Squid presumably
# sees 127.0.0.1 as the client address, so filtered traffic would match
# "local" rather than "kids" - confirm against the squidGuard log.
src local {
ip 127.0.0.1/24
}
dest blacklist {
domainlist blacklist/domains
urllist blacklist/urls
}
# Both source groups get the same policy: everything except the blacklist.
kids {
pass !blacklist all
}
local {
pass !blacklist all
}
# Requests from any other source are blocked and sent to the redirect URL.
# NOTE(review): the redirect URL is cut off in the archived message (it ends
# at "&targe"), and the final closing brace has no matching opener in the
# lines shown - possibly an "acl {" line was lost when pasting.
default {
pass none
redirect
http://192.168.1.13/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targe
}
}
--------
Following DansGuardian - Config :
# DansGuardian configuration excerpt as posted.
reportinglevel = 3
htmltemplate = '/etc/dansguardian/template.html'
loglevel = 3
logexceptionhits = on
logfileformat = 1
# filterip/filterport: where DansGuardian listens for browsers.
# proxyip/proxyport: the Squid instance it forwards filtered requests to.
# NOTE(review): Squid's "cache_peer 127.0.0.1 sibling 8080" in this message
# points at 127.0.0.1:8080, while the listener configured here is on
# 192.168.x.x:8080.
filterip = 192.168.x.x
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
# 'host-ip' looks like an unreplaced placeholder - confirm.
accessdeniedaddress = 'http://host-ip/cgi-bin/dansguardian.pl'
bannedphraselist = '/etc/dansguardian/bannedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedurllist = '/etc/dansguardian/bannedurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
picsfile = '/etc/dansguardian/pics'
weightedphrasemode = 2
naughtynesslimit = 160
showweightedfound = on
reverseaddresslookups = on
createlistcachefiles = on
maxuploadsize = -1
# NOTE(review): all three username identification methods are off, although
# the Squid config in this message requires proxy authentication. Presumably
# banneduserlist/exceptionuserlist and per-user logging cannot take effect
# without a username source - confirm.
usernameidmethodproxyauth = off
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
# Passes the browser's address on to Squid in an X-Forwarded-For header.
forwardedfor = on
maxchildren = 120
logconnectionhandlingerrors = on
HOPE ANYBODY CAN HELP ME !
Regards / Gruß
Bruno