Dansguardian

From SME Server
Revision as of 02:23, 12 July 2007 by Snoble (talk | contribs) (squid fragment uses /etc/proxyusers ?)

Dansguardian web content filtering HOWTO install & configure on sme 7.x

Author: Ray Mitchell - mitchellcpa_AT_yahoo_dot_com_dot_au

Howto Release Date & Version: 11 July 2007 - v7.3

sme server version supported: 7.1.3


Contributors

Thanks to Stephen Noble at dungog.net for providing rpms & information generally. This HOWTO requires command line control to edit configuration files & restart the dansguardian service after configuration changes.

Dungog.net sells a commercial implementation of Dansguardian for sme server which adds a server manager panel to allow GUI control of all Dansguardian functionality & settings.


Information

To have a proper understanding of how Dansguardian works and the importance of certain configuration settings you should read the detailed installation notes and Manual at the Dansguardian web site http://dansguardian.org

Installation notes for the old version 2.4 are here: http://dansguardian.org/downloads/detailedinstallation2.4.html#further

The FAQ is here: http://sourceforge.net/docman/display_doc.php?docid=27215&group_id=131757

Information about group configuration is here: http://contentfilter.futuragts.com/wiki/index.php?title=Group_Configuration

Mailing list is here: http://tech.groups.yahoo.com/group/dansguardian/

The information on the Dansguardian website is of a generic nature and some of it is NOT applicable to sme server installations. Refer to the instructions in this HOWTO in preference.

Installation instructions

Warning:
Do not upgrade dansguardian v2.9 over previous v2.8 (or earlier) installations as there are substantial changes. (The recommendation from Dansguardian is to edit the new configuration files/lists rather than try to edit your old ones)



Note:
Please check the dungog.net web site for later versions http://sme.dungog.net/packages/smeserver/7.0/i386/html/index_dungog.html



Download the required rpms into an empty folder on your sme server using the Linux wget command

wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.9.8-2/dansguardian-2.9.8-2.noarch.rpm
wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.9.8-2/smeserver-dansguardian-2.9-3.el4.sme.noarch.rpm
wget http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/contribs/dansguardian/rpms/2.8.0.6/dungog-blacklists-1.0-20061002.noarch.rpm

Install the rpms

yum localinstall *.rpm


Alternatively you can add the dungog repository

The following command will configure the Dungog repository on SME Server. The dungog repository will no longer be updated. All the contribs from this repository have been moved to the smecontribs repository.

DungogMember contribs are still at http://www.dungog.net

After adding it to the database we have to update the changes to the configuration file:

signal-event yum-modify
yum --enablerepo=dungog install smeserver-dansguardian dungog-blacklists

To view available updates

yum --enablerepo=dungog list updates

Modifying Firewall and Proxy

Configuring your system to force Dansguardian usage & prevent bypassing

Dansguardian uses port 8080 for web proxy requests. If your browser does not use port 8080 then Dansguardian filtering will be bypassed. To force this usage & prevent users bypassing filtering you should do the following steps:

1) Configure your sme server to use Transparent Proxy port 8080 and to block direct access to the squid proxy port 3128 & redirect port 80 to port 8080

Note the functionality to create custom firewall rules using iptables is built in to the rpms provided by http://www.dungog.net

config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot

To return Transparent Proxy port to default value and to disable portblocking

config setprop squid TransparentPort 3128
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot

2) Configure your workstation web browser to auto detect proxy port

Go to your workstation and open your browser eg Internet Explorer or Firefox or your preferred browser

Change the settings for Connections to LAN

Select Auto detect proxy

Or alternatively use the server IP 192.168.1.1 (or whatever yours is) and use a port of 8080


Configuring Proxy to use Auth login

This functionality is built in to the rpms provided by http://www.dungog.net & requires enabling with a db command

Dansguardian supports different types of auth login ie nsca, pam & ident

Depending on your requirements, enable using the appropriate command. Most users of sme will probably use pam auth as that will authorise access against sme users and passwords.

For details regarding the various auth login methods & other configuration requirements, see http://dansguardian.org or Google. Select one of the following:

config setprop squid RequireAuth pam
config setprop squid RequireAuth nsca
config setprop squid RequireAuth ident

To disable Auth login

config delprop squid RequireAuth

To enable any of the above setting changes you must follow the command with:

expand-template /etc/squid/squid.conf
sv t /service/squid

Using NCSA Auth login

If you are using NCSA auth, create the user & password authentication list (users do not need to be valid sme users)

touch /etc/proxyusers

Enter user names & password combinations one by one using this command

htpasswd -b /etc/proxyusers username password

You can test the authentication list using the following command

/usr/lib/squid/ncsa_auth /etc/proxyusers

Then enter the username & password when asked

You will see an ERR or OK response
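
An added example, not part of the original HOWTO: a shell function that audits an htpasswd-format file such as /etc/proxyusers for world-readable permissions, duplicate or empty entries, and weak hash formats. The function name, finding labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit an htpasswd-format proxy user file.
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 if unreadable.
audit_proxyusers() {
    file=$1
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    findings=$(
        # Password hashes should not be readable by every local account.
        if [ "$(ls -lL "$file" | cut -c8)" = r ]; then
            echo "PERM $file is world-readable"
        fi
        awk -F: '
            /^[ \t]*$/                { next }
            NF < 2 || $1 == ""        { print "FORMAT line " NR ": not user:hash"; next }
            seen[$1]++                { print "DUP " $1 ": listed more than once" }
            $2 == ""                  { print "EMPTY " $1 ": no password hash"; next }
            index($2, "$apr1$") == 1  { next }   # salted Apache MD5
            index($2, "{SHA}") == 1   { print "WEAK " $1 ": unsalted SHA-1"; next }
            length($2) == 13          { print "WEAK " $1 ": DES crypt, only the first 8 password characters count"; next }
                                      { print "UNKNOWN " $1 ": unrecognised hash format" }
        ' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample file (the hashes are made-up strings, not real passwords).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
alice:$apr1$abcdefgh$0123456789abcdefghijkl
bob:ab0123456789.
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
bob:$apr1$ijklmnop$0123456789abcdefghijkl
dave:
EOF
audit_proxyusers "$SAMPLE" || true
```

On the server, run it as audit_proxyusers /etc/proxyusers after adding users. Note that htpasswd -b takes the password as a command-line argument, so it ends up in shell history and is visible in the process list; without -b, htpasswd prompts for the password instead.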

Using Ident login

If you are using ident auth, you will require an ident client on your workstation. One Windows ident client is available from:

https://sourceforge.net/projects/retinascan

Modifying Dansguardian configuration

You need to manually modify the configuration files /etc/dansguardian/dansguardian.conf, /etc/dansguardian/dansguardianf1.conf, /etc/dansguardian/dansguardianf2.conf, /etc/dansguardian/dansguardianf3.conf and so on, depending on the number of filter groups you wish to have.

pico -w /etc/dansguardian/dansguardian.conf

You will initially need to change:

accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

for example to

accessdeniedaddress = 'http://www.mydomain.com/cgi-bin/dansguardian.pl'

Make any other required changes to suit your situation by carefully reviewing the other setting possibilities

Ctrl o (to save)

Ctrl x (to exit)

pico -w /etc/dansguardian/dansguardianf1.conf

You may initially need to change (to suit adult level of protection)

naughtynesslimit = 50

to

naughtynesslimit = 160 (or even 250 or 300 depending on your sensitivity/tolerance requirements)

Make any other required changes to suit your situation by carefully reviewing the other setting possibilities

Ctrl o and Ctrl x

If you wish to use additional filter groups then edit further configuration files.

pico -w /etc/dansguardian/dansguardianf2.conf

Make any required changes to suit your situation by carefully reviewing all the setting possibilities

Ctrl o and Ctrl x

pico -w /etc/dansguardian/dansguardianf3.conf

Make any required changes to suit your situation by carefully reviewing all the setting possibilities

Ctrl o and Ctrl x
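
An added example, not part of the original HOWTO: a shell check to run after editing and before restarting Dansguardian, confirming that accessdeniedaddress no longer holds the YOURSERVER.YOURDOMAIN placeholder and that each filter group file exists with a numeric naughtynesslimit. It assumes the number of groups is read from the filtergroups setting in dansguardian.conf, which this page does not show; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the HOWTO): pre-restart sanity check of the edited files.
# dg_value KEY FILE: value of the last active (uncommented) "KEY = value" line.
dg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed "s/[[:space:]]*\$//; s/^'//; s/'\$//" | tail -n 1
}

# check_dg_config DIR: prints OK/FAIL lines; returns 0 if no FAIL, 1 otherwise.
check_dg_config() {
    dir=$1; rc=0
    main=$dir/dansguardian.conf
    [ -r "$main" ] || { echo "FAIL cannot read $main"; return 2; }
    case $(dg_value accessdeniedaddress "$main") in
        *YOURSERVER.YOURDOMAIN*) echo "FAIL accessdeniedaddress still has the placeholder host"; rc=1 ;;
        '') echo "FAIL accessdeniedaddress is not set"; rc=1 ;;
    esac
    # Assumption: filtergroups gives the number of dansguardianfN.conf files (default 1).
    ngroups=$(dg_value filtergroups "$main")
    case $ngroups in ''|*[!0-9]*) ngroups=1 ;; esac
    i=1
    while [ "$i" -le "$ngroups" ]; do
        f=$dir/dansguardianf$i.conf
        if [ ! -r "$f" ]; then
            echo "FAIL filter group $i: $f is missing"; rc=1
        else
            limit=$(dg_value naughtynesslimit "$f")
            case $limit in
                ''|*[!0-9]*) echo "FAIL filter group $i: naughtynesslimit '$limit' is not a number"; rc=1 ;;
                *) echo "OK filter group $i: naughtynesslimit = $limit" ;;
            esac
        fi
        i=$((i + 1))
    done
    return $rc
}

# Constructed sample: unedited placeholder, two groups declared, only f1 present.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/dansguardian.conf" <<'EOF'
# constructed excerpt
filtergroups = 2
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
EOF
echo 'naughtynesslimit = 160' > "$DEMO/dansguardianf1.conf"
check_dg_config "$DEMO" || true
```

On the server, run it as check_dg_config /etc/dansguardian.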


Modifying other Dansguardian configuration files

You will need to change other config files to suit your site requirements:

You can read information in the beginning of each config file that explains usage & syntax

These are located in /etc/dansguardian/lists... /etc/dansguardian/lists/f1/... /etc/dansguardian/lists/f2/... & so on and subfolders

eg

pico -w /etc/dansguardian/lists/f1/bannedextensionlist

make the required changes

Ctrl o and Ctrl x

Most users will need to change these 4 files as a minimum

bannedextensionlist

bannedsitelist

bannedurllist

exceptionsitelist

You should review ALL the dansguardian config files in /etc/dansguardian/lists and subfolders as part of your initial Dansguardian setup.

Some of the default settings in these files will prevent access to certain web sites and file types, which may conflict with your site requirements. See details in the "Further customisation" section at the end of this Howto or at http://dansguardian.org


Modifying the default html error message page

You may also want to tailor the html template for the error message displayed when Dansguardian blocks a site, see

/etc/dansguardian/languages/(languagename)/template.html

eg

pico -w /etc/dansguardian/languages/ukenglish/template.html


Groups and Auth login

See http://dansguardian.org re Group configuration functionality in relation to Auth login (ie filtering users access rights based on group membership)

The Group filter files are located in:

/etc/dansguardian/lists/f1/...

/etc/dansguardian/lists/f2/...

/etc/dansguardian/lists/f3/...

and so on depending on the number of groups you set up

Edit these to suit your site requirements

Other Dansguardian Config Files

Dansguardian/ConfigFiles

Starting Dansguardian

After install & initial configuration you must manually start Dansguardian to enable web content filtering

(Note that suitable links to start Dansguardian at startup/reboot are setup when the rpm is installed)

/etc/init.d/dansguardian start

Stopping Dansguardian

If you need to stop Dansguardian (ie to disable filtering or test your system without Dansguardian running)

/etc/init.d/dansguardian stop

Restarting Dansguardian

You will need to restart Dansguardian after making any configuration changes (so they can take effect)

/etc/init.d/dansguardian restart

Status check of Dansguardian

If you need to check that Dansguardian is running

/etc/init.d/dansguardian status