Mailinglist Archive: opensuse-security (409 mails)

Still probs with DansGuardian and Squid2.4-Stable7 (HELP NEEDED!)
  • From: BLeonhardt@xxxxxxxxxxx
  • Date: Wed, 14 Aug 2002 13:27:04 +0200
  • Message-id: <OFE5F712A6.2077F2B2-ONC1256C15.003EAA82-C1256C15.003E6818@xxxxxxxxxxx>
Hi,

please help with the following problem:



Versions :

DansGuardian 2.4.5-2
Squid Cache: Version 2.4.STABLE7
SquidGuard: 1.1.4 Sleepycat Software: Berkeley DB 2.7.7: (08/20/99)

Here is a part of the log from Squid:

1029306401.296 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- -
1029306403.147 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- -
1029306408.216 1 localhost TCP_DENIED/407 1397 GET http://www.linux-it.net/index.php - NONE/- -
1029306413.925 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- -
1029308327.375 1 localhost TCP_DENIED/407 1397 GET http://www.linux-it.net/index.php - NONE/- -
1029308335.963 1 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- -
1029308527.158 1 localhost TCP_DENIED/407 1397 GET http://www.linux-it.net/index.php - NONE/- -
1029308531.888 20 localhost TCP_MISS/403 1091 GET http://www.linux-it.net/index.php user10 NONE/- -

Problem :
After preventing direct connections to port 3128 for all other IPs (with
iptables) and configuring DansGuardian to use 127.0.0.1, I get the
following message from Squid:

ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.linux-it.net/index.php
The following error was encountered:
Forwarding Denied.
This cache will not forward your request because it is trying to enforce a
sibling relationship. Perhaps the client at 127.0.0.1 is a cache which has
been misconfigured.

Your cache administrator is bleonhardt@xxxxxxxxxxxx
Generated Wed, 14 Aug 2002 06:26:53 GMT by www-cache.analytek.de (Squid/2.4.STABLE7)


I have added the configuration file entries from Squid, SquidGuard and
DansGuardian; maybe somebody will see a "misconfiguration" ...

Following Squid-Configuration :
---------------------------------------------
http_port 3128
tcp_outgoing_address 192.168.x.x
udp_incoming_address 0.0.0.0
udp_outgoing_address 0.0.0.0

cache_peer 127.0.0.1 sibling 8080 7
cache_peer 192.168.1.8 parent 3128 7

cache_mem 32 MB

cache_swap_low 10
cache_swap_high 100

maximum_object_size 1024 KB
minimum_object_size 0 KB

ipcache_size 4096
ipcache_low 90
ipcache_high 95

fqdncache_size 1024

cache_dir ufs /var/squid/cache 100 16 256
cache_access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log

pid_filename /var/run/squid.pid

debug_options ALL,1

client_netmask 255.255.255.255

# SQUID-GUARD
redirect_program /usr/bin/squidGuard
redirect_children 5

authenticate_program /usr/sbin/pam_auth /etc/passwd
authenticate_children 5

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

reference_age 1 week

peer_connect_timeout 120 seconds
client_lifetime 1 day
half_closed_clients on
pconn_timeout 360 seconds

acl password proxy_auth REQUIRED

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 22 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost all # I will replace "all" if everything is running :-)
http_access allow password

http_access deny CONNECT !SSL_ports

http_access deny manager
http_access deny test
http_access deny all

icp_access allow localhost all

miss_access allow localhost manager all

proxy_auth_realm Auth-Realm

cache_mgr bleonhardt@xxxxxxxxxxx

cache_effective_user squid
cache_effective_group nogroup

visible_hostname www-cache.analytek.de
announce_period 0 day
append_domain .analytek.de
forwarded_for on
log_icp_queries on
icp_hit_stale on
client_db on

never_direct allow all
ident_lookup_access allow all
log_fqdn on



Following SquidGuard - Rules :
--------------------------------------------
logdir /var/squidGuard/logs
dbhome /var/squidGuard/db

src kids {
ip 192.168.x.x/24
}

src local {
ip 127.0.0.1/24
}

dest blacklist {
domainlist blacklist/domains
urllist blacklist/urls
}

kids {
pass !blacklist all
}

local {
pass !blacklist all
}

default {
pass none
redirect http://192.168.1.13/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targe
}
}



Following DansGuardian - Config :
-------------------------------------------------
reportinglevel = 3
htmltemplate = '/etc/dansguardian/template.html'
loglevel = 3
logexceptionhits = on
logfileformat = 1
filterip = 192.168.x.x
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://host-ip/cgi-bin/dansguardian.pl'
bannedphraselist = '/etc/dansguardian/bannedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedurllist = '/etc/dansguardian/bannedurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
picsfile = '/etc/dansguardian/pics'
weightedphrasemode = 2
naughtynesslimit = 160
showweightedfound = on
reverseaddresslookups = on
createlistcachefiles = on
maxuploadsize = -1
usernameidmethodproxyauth = off
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
forwardedfor = on
maxchildren = 120
logconnectionhandlingerrors = on

HOPE ANYBODY CAN HELP ME ?!?

Regards / Gruß
Bruno
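
An added example, not part of the original post: Squid serves the "Forwarding Denied" page when `miss_access` denies a cache miss, and it ANDs all ACL names on one access line, falling back to the opposite of the last line's action when no line matches. The sketch below models that evaluation for the posted `miss_access` line; the `SPLIT` rule set and the three sample requests are constructed for illustration.

```python
import ipaddress

# ACL definitions copied from the squid.conf in the post (only those used below).
ACLS = {
    "all": lambda req: True,
    "localhost": lambda req: ipaddress.ip_address(req["src"])
    in ipaddress.ip_network("127.0.0.1/32"),
    "manager": lambda req: req["proto"] == "cache_object",
}

def parse_rule(line):
    """Split '<directive> allow|deny acl1 !acl2 ...' into (action, terms)."""
    fields = line.split("#", 1)[0].split()
    action, names = fields[1], fields[2:]
    if action not in ("allow", "deny") or not names:
        raise ValueError(f"malformed access line: {line!r}")
    return action, [(n.startswith("!"), n.lstrip("!")) for n in names]

def evaluate(lines, req):
    """Walk an access list top to bottom and return 'allow' or 'deny'."""
    if not lines:
        raise ValueError("empty access list: default not modelled here")
    for line in lines:
        action, terms = parse_rule(line)
        # Every ACL on the line must match (AND); '!' inverts a single ACL.
        if all(ACLS[name](req) != negated for negated, name in terms):
            return action
    # Nothing matched: the result is the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

# miss_access line exactly as posted.
POSTED = ["miss_access allow localhost manager all"]
# Hypothetical rewrite for contrast: one condition per line (lines are ORed).
SPLIT = ["miss_access allow localhost", "miss_access deny all"]

# Constructed requests: DansGuardian forwarding a page fetch to Squid over
# loopback, a cache manager query from loopback, and a LAN client.
DG_FETCH = {"src": "127.0.0.1", "proto": "http"}
MGR_QUERY = {"src": "127.0.0.1", "proto": "cache_object"}
LAN_FETCH = {"src": "192.168.1.50", "proto": "http"}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("split", SPLIT)):
        for label, req in (("dansguardian", DG_FETCH), ("manager", MGR_QUERY),
                           ("lan", LAN_FETCH)):
            print(f"{name:7} {label:13} -> {evaluate(rules, req)}")
```

With the posted line, only a cache manager query from loopback is allowed to fetch misses; an ordinary HTTP fetch from 127.0.0.1 matches no line and is denied, which corresponds to the TCP_MISS/403 entries in the log.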



