Changes

Jump to navigation Jump to search
5,081 bytes added ,  09:46, 19 September 2023
no edit summary
Line 2: Line 2:  
== Dansguardian web content filtering ==
 
== Dansguardian web content filtering ==
 
{{Level|Medium}}
 
{{Level|Medium}}
 +
 +
{{Warning box| Dansguardian is deprecated and not available on Koozali SME v10.
 +
There is a fork called e2guardian http://e2guardian.org/cms/index.php and https://github.com/e2guardian }}
 +
 +
=== Version ===
 +
{{ #smeversion: dansguardian}}
 +
{{ #smeversion: smeserver-dansguardian}}
 +
 +
Also see:
 +
https://wiki.koozali.org/index.php?title=Dansguardian-panel
 +
{{ #smeversion: smeserver-dansguardian-panel}}
    
=== Description ===
 
=== Description ===
Line 33: Line 44:     
Optional, download and install a set of blacklists from http://urlblacklist.com/
 
Optional, download and install a set of blacklists from http://urlblacklist.com/
 +
alternatively you can choose ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz from http://dsi.ut-capitole.fr/blacklists/
    
{{Note box|It is not sufficient to simply install the package, the appropriate manual configuration is an integral part of getting Dansguardian working on your system. A minimal installation requires all the configuration steps listed below to be carried out, ie from the "Modifying Firewall and Proxy" section up to "Filter Groups and Auth login". Filter Group configuration is only required if you wish to control access on a per user basis.}}
 
{{Note box|It is not sufficient to simply install the package, the appropriate manual configuration is an integral part of getting Dansguardian working on your system. A minimal installation requires all the configuration steps listed below to be carried out, ie from the "Modifying Firewall and Proxy" section up to "Filter Groups and Auth login". Filter Group configuration is only required if you wish to control access on a per user basis.}}
 
   
 
   
 +
{{Tip box|If you would like to have a graphical and web based overview of what dansguardian has analyzed then take a look at http://wiki.contribs.org/Dansguardian-stats}}
    
====Upgrading====
 
====Upgrading====
Line 59: Line 72:  
Dansguardian uses port 8080 for web proxy requests. If your browser does not use port 8080 then Dansguardian filtering will be bypassed. To force this usage & prevent users bypassing filtering you should do ALL the following steps:
 
Dansguardian uses port 8080 for web proxy requests. If your browser does not use port 8080 then Dansguardian filtering will be bypassed. To force this usage & prevent users bypassing filtering you should do ALL the following steps:
   −
'''1) Configure your sme server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080'''
+
'''1) Configure your SME Server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080'''
   −
Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-dansguardian and is configured with the following commands
+
Note the functionality to create the required custom firewall rules using iptables is built in to the smeserver-dansguardian and is configured with the following commands. The Transparent proxy must also be enabled (which is the sme default) to prevent users bypassing Dansguardian filtering.
    
  config setprop squid TransparentPort 8080
 
  config setprop squid TransparentPort 8080
 +
config setprop squid Transparent yes
 
  config setprop dansguardian portblocking yes
 
  config setprop dansguardian portblocking yes
 
  signal-event post-upgrade; signal-event reboot
 
  signal-event post-upgrade; signal-event reboot
   −
To return Transparent Proxy port to default value and to disable portblocking
+
To return Transparent Proxy port to default value and to disable portblocking and to enable the Transparent proxy (which is the sme default)
    
  config setprop squid TransparentPort 3128
 
  config setprop squid TransparentPort 3128
 +
config setprop squid Transparent yes
 
  config delprop dansguardian portblocking
 
  config delprop dansguardian portblocking
 
  signal-event post-upgrade; signal-event reboot  
 
  signal-event post-upgrade; signal-event reboot  
 +
 +
{{Note box|If you disable the Transparent Proxy feature of SME Server, Dansguardian can be bypassed at will by your users. You should keep the Transparent Proxy enabled (configured as above) for filtering to work.}}
 
   
 
   
 
'''2) Configure your workstation web browser to auto detect proxy port'''
 
'''2) Configure your workstation web browser to auto detect proxy port'''
Line 82: Line 99:     
Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080
 
Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080
 +
 +
====Bypass Proxy====
 +
Allow individual PC's or selected sites to bypass the proxy (and dansguardian) entirely see [[Firewall#Bypass_Proxy]].
 +
 +
====Workstation IP allocation====
 +
Control of workstation access to the web (when using dansguardian), is implemented by nominating the workstation IP in the various dansguardian configuration files (ie the local LAN IP address). To apply consistent filtering rules or allow proxy bypass (see section above), the workstation IP must remain the same throughout restarts & DHCP IP refreshes or allocations. Configuring your workstations to have a consistent IP is a fundamental & important step when configuring your whole computer system.
 +
 +
This can be achieved by manually specifying a fixed IP address when each workstation is configured, but requires every workstation to be setup individually. Alternatively the workstation can be configured for auto allocation of an IP, and the Hostnames and Addresses panel in server manager can then be used to force the allocation of a specified IP by the SME DHCP server, based on the workstation NIC mac address. See the SME Manual for further details at http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#Reserving_IP_Addresses_Through_DHCP
 +
The basic steps are to determine the mac address of your workstation NIC and then create a hostname eg station5 and enter the mac address and the required "forced or fixed" IP eg 192.168.1.5
 +
 +
Any reference to the filtering of station5 then uses the IP 192.168.1.5, which will always stay the same, unless the NIC is changed. Remember to re-enter the mac address details into server manager, in the event the workstation NIC or motherboard is changed.
    
====Configuring Proxy to use Auth login====
 
====Configuring Proxy to use Auth login====
Line 131: Line 159:  
* '''TCP'''
 
* '''TCP'''
   −
===Modifying Dansguardian configuration===
+
===Modifying Dansguardian Configuration Files===
 +
 
 +
====Modifying Dansguardian dansguardian.conf & dansguardianf1.conf files====
    
You need to manually modify various configuration files.
 
You need to manually modify various configuration files.
Line 164: Line 194:  
  Ctrl x
 
  Ctrl x
    +
Additional Options can be found here, http://wiki.contribs.org/Dansguardian/ConfigFiles under the topic dansguardian.conf & dansguardianf1.conf
    
If you have additional filter groups, then additional configuration files will need to be created and modified. See section on "Filter Groups and Auth login" below.
 
If you have additional filter groups, then additional configuration files will need to be created and modified. See section on "Filter Groups and Auth login" below.
      
====Modifying other Dansguardian configuration files====
 
====Modifying other Dansguardian configuration files====
Line 176: Line 206:  
These are located in  
 
These are located in  
 
  /etc/dansguardian/lists...   
 
  /etc/dansguardian/lists...   
  /etc/dansguardian/lists/f1/...   
+
  /etc/dansguardian/lists/f2/...   
 
& so on and subfolders  
 
& so on and subfolders  
    
eg
 
eg
  pico -w /etc/dansguardian/lists/f1/bannedextensionlist
+
  pico -w /etc/dansguardian/lists/f2/bannedextensionlist
 
make the required changes
 
make the required changes
 
  Ctrl o
 
  Ctrl o
Line 193: Line 223:  
You should review ALL the dansguardian config files in /etc/dansguardian/lists and subfolders  as part of your initial Dansguardian setup.  
 
You should review ALL the dansguardian config files in /etc/dansguardian/lists and subfolders  as part of your initial Dansguardian setup.  
   −
Some of the default settings in these files will prevent access to certain web sites and file types, which may conflict with your site requirements. See more details on the [[:Dansguardian/ConfigFiles]]  page of this Howto or at http://dansguardian.org
+
Some of the default settings in these files will prevent access to certain web sites and file types, which may conflict with your site requirements.  
    +
For many more details and descriptions on the configuration files see [[:Dansguardian/ConfigFiles]]  page of this Howto or at http://dansguardian.org
    
====Modifying the default html error message page====
 
====Modifying the default html error message page====
Line 200: Line 231:  
You may also want to tailor the html template for the error message displayed when Dansguardian blocks a site, see
 
You may also want to tailor the html template for the error message displayed when Dansguardian blocks a site, see
 
  /etc/dansguardian/languages/(languagename)/template.html
 
  /etc/dansguardian/languages/(languagename)/template.html
eg
+
or in some newer versions
 +
/usr/share/dansguardian/languages/(languagename)/template.html
 +
 
 +
e.g.
 
  pico -w /etc/dansguardian/languages/ukenglish/template.html
 
  pico -w /etc/dansguardian/languages/ukenglish/template.html
 
+
After you make any changes to the template.html you will need to run the command,
 +
/etc/init.d/dansguardian restart
 +
for the changes to take effect.
    
====Filter Groups and Auth login====
 
====Filter Groups and Auth login====
Line 393: Line 429:     
also edit /etc/dansguardian/contentscanners/clamdscan.conf and uncomment
 
also edit /etc/dansguardian/contentscanners/clamdscan.conf and uncomment
  clamdudsfile = '/var/clamav/clamd.socket'
+
  + clamdudsfile = '/var/clamav/clamd.socket'
 
+
- #clamdudsfile = '/var/run/clamav/clamd.socket'
    
If you also want to be warned each time a bad page is blocked, edit /etc/dansguardian/dansguardianf1.conf and modify default settings:
 
If you also want to be warned each time a bad page is blocked, edit /etc/dansguardian/dansguardianf1.conf and modify default settings:
Line 407: Line 443:     
DansGuardian should block the download!
 
DansGuardian should block the download!
 +
 +
=====ClamAV & Dansguardian on SME 9+=====
 +
The path to clamd.socket changed with SME 9, and [https://forums.contribs.org/index.php/topic,52519.msg269937.html#msg269937 users report] file access rights issues between dansguardian and clamav.
 +
 +
After installing DansGuardian and completing the clamav setup instructions above, there are 3 extra steps to take on SME9:
 +
 +
1. The path to clamd.socket must match the path given in /etc/clamd.conf
 +
* edit <span style="color:blue;">/etc/dansguardian/contentscanners/clamdscan.conf</span> and set clamdudsfile to:
 +
  clamdudsfile = '/var/clamav/clamd.socket'
 +
 +
2. Dansguardian and Clamav must run as the same user for clamav scanning to work.  Set Dansguardian to run as 'clamav' as follows:
 +
* edit <span style="color:blue;">/etc/dansguardian/dansguardian.conf</span>
 +
** uncomment 'daemonuser' and 'daemongroup'
 +
** set 'daemonuser' to 'clamav':
 +
  daemonuser = 'clamav'
 +
  daemongroup = 'dansguardian
 +
 +
3. Correct the ownership on existing files and folders that belong to the original dansguardian user account.
 +
* Execute the commands below
 +
  chown clamav /var/log/dansguardian/access.log
 +
  'rm' -rf /tmp/.dguardianipc
 +
  'rm' -rf /tmp/.dguardianurlipc
 +
 +
 +
Restart dansguardian and test
 +
  /etc/init.d/dansguardian restart
    
====Other Dansguardian Config Files====
 
====Other Dansguardian Config Files====
Line 412: Line 474:  
There are many other config files, including but not limited to the ones in this appendix
 
There are many other config files, including but not limited to the ones in this appendix
   −
 
+
See [[:Dansguardian/ConfigFiles]]
[[:Dansguardian/ConfigFiles]]
      
===Starting Dansguardian===
 
===Starting Dansguardian===
Line 488: Line 549:  
=== Bugs ===
 
=== Bugs ===
 
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-dansguardian component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-dansguardian|title=this link}}.
 
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-dansguardian component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-dansguardian|title=this link}}.
 +
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-dansguardian|noresultsmessage="No open bugs found."}}
 +
 +
 +
===Changelog===
 +
Only versions released in smecontrib are listed here.
 +
 +
{{ #smechangelog: smeserver-dansguardian}}
 +
      Line 493: Line 563:  
[[Category:Contrib]]
 
[[Category:Contrib]]
 
[[Category:Dungog]]
 
[[Category:Dungog]]
[[Category:Administration]]
+
[[Category:Administration:Content Spam Virus Blocking]]
 +
[[Category:Security]]
 +
[[Category:Contrib:webfiltering]]

Navigation menu