This page (revision-4) was last changed on 25-Jan-2008 12:17 by ThomasBayen 

This page was created on 03-Oct-2006 21:29 by UnknownAuthor

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Page revision history

Version Date Modified Size Author Changes ... Change note
4 25-Jan-2008 12:17 11 KB ThomasBayen to previous Tagging
3 10-Feb-2007 11:52 11 KB PeterHormanns to previous | to last Debian Paket
2 14-Nov-2006 13:38 11 KB MarkusMonderkamp to previous | to last für JSPWiki mit Thomas' und Peter's Filter formatiert
1 03-Oct-2006 21:29 11 KB UnknownAuthor to last

Page References

Incoming links Outgoing links
DansGuardian
DansGuardian

Version management

Difference between version and

View first change
Dies ist eine AlteSeite aus unserem UseModWiki bei Sourceforge.>>
<<
Bitte überarbeite die Seite, passe die Formatierung für das JSPWiki an
und entferne diesen Text.

Vielen Dank!

{{{
= Dansguardian =

Nach dem ich schon viel in eurem Winki gelesen habe, muß ich auch
mal etwas zurük geben (habe ich schon viel zu lange vor mir her
geschoben)

=== Was ist das eigendlich ===

Dansguardian ist ein Tranparentproxy der, den inhalt der Webseite,
nicht nur wie algemein üblich die URL nach begriffen filtert.

zu bekommen ist er unter
http://dansguardian.org/
Er steht unter GPL ist aber für den Kommerziellen einsatz
gebürenpflichtig


=== Einrichten von Dansguardian auf Suse 8.1 ===

Es reicht aus wenn ihr die Radhat rpm nehmt und auf der maschine
einspielt! ihr könnt es auch selber Kompeliren der befehl dazu
steht in der Readme!, wenn ihr es als rpm installirt damm müßt ihr
noch das cgi von /var/www/cgi-bin/ nach /srv/www/cgi-bin/
verschieben

=== Konfiguriren ===

Din Konfiguration ist eigendlich soweit fertig nurnoch einige
anpassungen sind zu machen!

 # Web Access Denied Reporting (does not affect logging)
 #
 # -1 = log, but do not block - Stealth mode
 #  0 = just say 'Access Denied'
 #  1 = report why but not what denied phrase
 #  2 = report fully
 #  3 = use HTML template file (accessdeniedaddress ignored)
 reportinglevel = 3


 # HTML Template file path.
 # Only used when reportinglevel is set to 3.
 # When used, DansGuardian will display the HTML file instead of
 # using the perl cgi script.  This option is faster, cleaner
 # and easier to customise the access denied page.

 htmltemplate = '/etc/dansguardian/template.html'


 # Logging Settings
 # 0 = none  1 = just denied  2 = all text based  3 = all requests
 loglevel = 2


 # Log Exception Hits
 # Log if an exception (user, ip, URL, phrase) is matched and so
 # the page gets let through.  Can be useful for diagnosing
 # why a site gets through the filter.  on | off
 logexceptionhits = on


 # Log File Format
 # 1 = DansGuardian format        2 = CSV-style format
 # 3 = Squid Log File Format      4 = Tab delimited
 logfileformat = 1


 # Network Settings
 #
 # the IP that DansGuardian listens on.  If left blank
DansGuardian will
 # listen on all IPs.  That would include all NICs, loopback,
modem, etc.
 # Normally you would have your firewall protecting this, but if
you want
 # you can limit it to only 1 IP.  Yes only one.
 filterip =


 # the port that DansGuardian listens to
 # It needs to be greater than 1024
 filterport = 8080


 # the ip of the proxy (default is the loopback - i.e. this
server)
 proxyip = 127.0.0.1


 # the port DansGuardian connects to proxy on
 proxyport = 3128


 # accessdeniedaddress is the address of your web server to which
the cgi
 # dansguardian reporting script was copied
 accessdeniedaddress =
'http://192.168.2.1/cgi-bin/dansguardian.pl'


 # Content filtering files location
 bannedphraselist = '/etc/dansguardian/bannedphraselist'
 exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
 weightedphraselist = '/etc/dansguardian/weightedphraselist'
 bannedsitelist = '/etc/dansguardian/bannedsitelist'
 exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
 exceptionurllist = '/etc/dansguardian/exceptionurllist'
 bannedurllist = '/etc/dansguardian/bannedurllist'
 bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
 bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
 bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
 bannediplist = '/etc/dansguardian/bannediplist'
 exceptioniplist = '/etc/dansguardian/exceptioniplist'
 banneduserlist = '/etc/dansguardian/banneduserlist'
 exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
 picsfile = '/etc/dansguardian/pics'
 contentregexplist = '/etc/dansguardian/contentregexplist'


 # messages file for internationalisation.
 languagefile = '/etc/dansguardian/messages'


 # Weighted phrase mode
 # There are 3 possible modes of operation:
 # 0 = off = do not use the weighted phrase feature.
 # 1 = on, normal = normal weighted phrase operation.
 # 2 = on, singular = each weighted phrase found only counts once
on a page.
 weightedphrasemode = 2


 # Naughtyness limit
 # This the limit over which the page will be blocked.  Each
weighted phrase is given
 # a value either positive or negative and the values added up.
Phrases to do with
 # good subjects will have negative values, and bad subjects will
have positive
 # values.  See the weightedphraselist file for examples.
 # As a guide:
 # 50 is for young children,  100 for old children,  160 for young
adults.
 naughtynesslimit = 50


 # Show weighted phrases found
 # If enabled then the phrases found that made up the total which
excedes
 # the naughtyness limit will be logged and, if the reporting
level is
 # high enough, reported. on | off
 showweightedfound = on


 # Positive result caching for text URLs
 # Caches good pages so they don't need to be scanned again
 # 0 = off (recommended for ISPs with users with disimilar
browsing)
 # 100 = recommended for schools
 urlcachenumber = 100
 #
 # Age before they are stale and should be ignored in seconds
 # 0 = never
 # 300 = reccomended
 urlcacheage = 300
 # Reverse lookups for banned site and URLs.
 # If set to on, DansGuardian will look up the forward DNS for an
IP URL
 # address and search for both in the banned site and URL lists.
This would
 # prevent a user from simply entering the IP for a banned
address.
 # It will reduce searching speed somewhat so unless you have a
local caching
 # DNS server, leave it off and use the Blanket IP Block option in
the
 # bannedsitelist file instead.
 reverseaddresslookups = off


 # Build bannedsitelist and bannedurllist cache files.
 # This will compare the date stamp of the list file with the date
stamp of
 # the cache file and will recreate as needed.
 # If a bsl or bul .processed file exists, then that will be used
instead.
 # It will increase process start speed by 300%.  On slow
computers this will
 # be significant.  Fast computers do not need this option. on |
off
 createlistcachefiles = on


 # POST protection (web upload and forms)
 # does not block forms without any file upload, i.e. this is just
for
 # blocking or limiting uploads
 # measured in kilobytes after MIME encoding and header bumph
 # use 0 for a complete block
 # use higher (e.g. 512 = 512Kbytes) for limiting
 # use -1 for no blocking
 #maxuploadsize = 512
 #maxuploadsize = 0
 maxuploadsize = -1


 # Max content filter page size
 # Sometimes web servers label binary files as text which can be
very
 # large which causes a huge drain on memory and cpu resources.
 # To counter this, you can limit the size of the document to be
 # filtered and get it to just pass it straight through.
 # This setting also applies to content regular expression
modification.
 # The size is in Megabytes - eg 2 = 2048Kb
 # use 0 for no limit
 maxcontentfiltersize = 1


 # Username identification methods (used in logging)
 # You can have as many methods as you want and not just one.  The
first one
 # will be used then if no username is found, the next will be
used.
 # * proxyauth is for when basic proxy authentication is used (no
good for
 #   transparent proxying).
 # * ntlm is for when the proxy supports the MS NTLM
authentication
 #   protocol.  (Only works with IE5.5 sp1 and later).  **NOT
IMPLEMENTED**
 # * ident is for when the others don't work.  It will contact the
computer
 #   that the connection came from and try to connect to an identd
server
 #   and query it for the user owner of the connection.
 usernameidmethodproxyauth = off
 usernameidmethodntlm = off # **NOT IMPLEMENTED**
 usernameidmethodident = off


 # Misc settings


 # if on it adds an X-Forwarded-For: <clientip> to the HTTP
request
 # header.  This may help solve some problem sites that need to
know the
 # source ip. on | off
 forwardedfor = off


 # if on it uses the X-Forwarded-For: <clientip> to
determine the client
 # IP. This is for when you have squid between the clients and
DansGuardian.
 # Warning - headers are easily spoofed. on | off
 usexforwardedfor = off


 # sets the maximum number of processes to sporn to handle the
incomming
 # connections.  This will prevent DoS attacks killing the server
with
 # too many spawned processes.
 # On large sites you might want to double or triple this number.
 maxchildren = 120


 # if on it logs some debug info regarding fork()ing and
accept()ing which
 # can usually be ignored.  These are logged by syslog.  It is
safe to leave
 # it on or off
 logconnectionhandlingerrors = off

=== Iptables zum umleiten auf den Transparentproxy ===

* Ändern der IpTables Regeln (unter suse kann man das in die
/etc/initd/boot.local eintragen)
 
 iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j
REDIRECT --to-port 8080
 # Alle Anfragen von Port 80 zum Port 8080 dort arbeitet
DansGuardian weiterleiten


* Speren von Squid Port
 iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j
DROP
 # Dmit keiner direckt auf dem squid kann und somit DansGuardian
umgeht

=== Ein Anfang ===

1. Squid Kopeliren mit der option "--enable-linux-netfilter"
2. Squid so einrichten das er läuft

Folgende Zeilen in der squid.conf ändern

 httpd_accel_host virtual
 httpd_accel_port 80
 httpd_accel_single_host off
 httpd_accel_with_proxy on
 httpd_accel_uses_host_header on

3a. Ändern der IpTables Regeln (unter suse kann man das in die
/etc/initd/boot.local eintragen)

 iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j
REDIRECT --to-port 8080

Alle Anfragen von Port 80 zum Port 8080 dort arbeitet DansGuardian
weiterleiten

Wenn mall will kann mann DansGuardian auch auf einer Anderen
Maschine laufen lassen
 iptables -t nat -A PREROUTING -m tcp -p tcp -s ! {DG's IP
ADDRESS} --dport 80 -j DNAT --to {DG's IP ADDRESS}:8080

Die "!" sind wichtig weil man nicht wie normal vom looback
(127.0.0.1) aus geht

3b. Speren von Squid Port
 iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j
DROP

Das ist nötig damit keiner direckt Squid als Proxy angeben kann und
so mit DansGuardian umgehen würde!

4. Default Gateway
der recher solte als Standert server für den Intertnet zugang
eigerichtet werder das kann im jedem client eingestellt werden oder
oder in der /etc/dhcp.conf

Das ist die Überbestzung mit einigen anpassungen an suse von
http://dansguardian.org/downloads/DGandTransparent.txt

=== Anmerkung ===

Leider muß ich selber ersteinmal Fertig werden aber ich hoffe da
ich jetzt selber den Anfang gemacht habe das ich es auch fertig
schreibe.

AnsgarJazdzewski

----

Schön. :-) Sieht ja gut aus bisher. Willkommen im Club! Das Ding
kannte ich noch gar nicht, bin schon gespannt auf Deine Erfahrung.
Übrigens könnte es eine gute Idee sein, wenn Du einen User-Login
machen würdest. Dann kann man in RecentChanges besser sehen, wer
was geändert hat. Außerdem ist es üblich, dass sich jeder Benutzer
eine eigene Seite einrichtet, die den Usernamen als Titel hat.
Meine ist ThomasBayen, Deine sollte AnsgarJazdzewski sein. Dort
kannst Du dann was über Dich schreiben und andere können Dir
Kommentare dort hinterlassen (So wie dieser Absatz hier, den Du von
der DansGuardian-Seite wieder löschen solltest). -- ThomasBayen
<<}}}
This page (revision-4) was last changed on 25-Jan-2008 12:17 by ThomasBayen  Top