DansGuardian, new black lists and user grouping per IP address

How DG is set up and configured is described in my older post.
New black lists can be found here. They can be used for both DG and SG (SquidGuard).

How to deploy new BL in DansGuardian:
1. Download the tar.gz file, untar it, and copy the lists to the deployment location /etc/dansguardian/blacklists.
Ownership and permissions of the category folders under /etc/dansguardian/blacklists/ should be:
drwxr-xr-x 2 root root 4096 Aug 18 23:19 webradio
Ownership and permissions of the files:
-rwxr-xr-x 1 root root 20373 Aug 28 13:29 domains
-rwxr-xr-x 1 root root 2114 Aug 28 13:29 urls
2. How to activate the new lists:
In the file /etc/dansguardian/lists/bannedsitelist, uncomment (unhash) the relevant lines (if they do not exist, add them):
.Include (for some mysterious reason it will not publish the rest of the line…..)
.Include (for some mysterious reason it will not publish the rest of the line…..)
…..
Also in the file /etc/dansguardian/lists/bannedurllist:
.Include (for some mysterious reason it will not publish the rest of the line…..)
…..
Good link for explanation of BL and DG configuration.
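The deployment steps above, as an added example that is not part of the original post: a small shell script that inspects an untarred blacklist tree, warns about category folders that are missing a readable domains file or that are not world-readable, and prints the .Include lines to paste into bannedsitelist and bannedurllist. It assumes DansGuardian's ".Include<path>" list directive syntax; the sample tree it builds under mktemp is constructed here for the demonstration and stands in for /etc/dansguardian/blacklists.

```shell
#!/bin/sh
# Added example, not part of the original post: check an untarred blacklist
# tree and emit the .Include lines for bannedsitelist / bannedurllist.
# Assumption: DansGuardian's list-file directive syntax is ".Include<path>".
# The sample tree at the bottom is constructed here for demonstration.

# Print one ".Include<...>" line per category file of the requested kind
# ($2 = "domains" for bannedsitelist, "urls" for bannedurllist) under root $1.
gen_includes() {
    root=$1
    kind=$2
    find "$root" -mindepth 2 -maxdepth 2 -type f -name "$kind" | sort |
    while IFS= read -r f; do
        printf '.Include<%s>\n' "$f"
    done
}

# Return 1 (with one warning per problem on stderr) if a category directory
# has no readable "domains" file or if a list file is not world-readable.
# DansGuardian runs as an unprivileged daemon user, so keep the list files
# world-readable, as in the listing in the post.
check_blacklists() {
    root=$1
    rc=0
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue
        if [ ! -r "$dir/domains" ]; then
            echo "WARN: $dir has no readable domains file" >&2
            rc=1
        fi
        for f in "$dir/domains" "$dir/urls"; do
            [ -e "$f" ] || continue
            if [ -z "$(find "$f" -perm -o+r)" ]; then
                echo "WARN: $f is not world-readable" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample tree standing in for /etc/dansguardian/blacklists:
# "webradio" is complete, "broken" has a urls file but no domains file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/webradio" "$demo_root/broken"
printf 'radio.example\n' > "$demo_root/webradio/domains"
printf 'radio.example/listen\n' > "$demo_root/webradio/urls"
: > "$demo_root/broken/urls"
chmod 644 "$demo_root"/*/*

echo "# lines for /etc/dansguardian/lists/bannedsitelist:"
gen_includes "$demo_root" domains
echo "# lines for /etc/dansguardian/lists/bannedurllist:"
gen_includes "$demo_root" urls
check_blacklists "$demo_root" || echo "fix the warnings above before dansguardian -Q"
```

Point both functions at /etc/dansguardian/blacklists on the proxy to get the real lines; the world-readable check matters because the daemon does not run as root, and a root-only list file is one source of the "Error reading file" lines shown further down.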

How to set up different groups of BL for different groups of user IPs
1. IPs that should get no filtering of Internet content at all go in the file /etc/dansguardian/lists/exceptioniplist.
2. If we want one set of BL for IP1 and another set of rules for IP2, that is done in the dansguardian.conf file:
Comment out (hash) the following:
# filtergroups = 1
# filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
Uncomment or add the following:
usexforwardedfor = on
authplugin = '/etc/dansguardian/authplugins/ip.conf'
filtergroups = 4
The number of groups depends on your plans, but group 1 ALWAYS exists and serves all IPs that are not in one of the other groups!
3. Copy the file dansguardianf1.conf to dansguardianf2.conf, dansguardianf3.conf and dansguardianf4.conf (since I have 4 filter groups), and in each new file change the following:
groupname = 'filterN'
where N is NOT 1
…..
weightedphraselist = '/etc/dansguardian/lists/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/lists/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelistf3'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
Some of the lists are the original ones, some are different because I have changed them and given them new names.
Important notice: all dansguardianfN.conf files MUST have the same lists enabled (the files the lists point to may differ), otherwise you will get some REALLY strange errors, like this:
# dansguardian -Q
No DansGuardian process found.
Error reading file : No such file or directory
Error reading file : No such file or directory
Error opening greysitelist
Error opening filter group config: /etc/dansguardian/dansguardianf2.conf
Error reading filter group conf file(s).
Error parsing the dansguardian.conf file or other DansGuardian configuration files
…..
naughtynesslimit = 160
This is the naughtiness limit, the weighted-phrase score above which a page is blocked; for young children the limit is 50.
accessdeniedaddress = 'site-for-naughty-people'
4. In the file /etc/dansguardian/lists/authplugins/ipgroups you define the list of IP addresses.
Every IP address that is not explicitly named here will use the group1/filter1 settings!
Example (and yes, every IP gets its own line even when several go into the same filter; subnets must be written with a dotted netmask such as 255.255.255.0):
10.10.10.210 = filter2
10.10.10.55 = filter2
10.11.11.0/255.255.255.0 = filter3
10.12.12.70 = filter4
5. DansGuardian must reread the configuration:
# dansguardian -Q
Look in the log /var/log/messages, where you should see this:
Dec 11 12:56:50 proxy-2013 dansguardian[23985]: Started sucessfully.
6. Testing is mandatory!!!
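Steps 2 to 5 above, as an added example that is not part of the original post: a shell script that checks the two things that most often break a filter-group setup before you run "dansguardian -Q". It verifies that dansguardianf1.conf to dansguardianfN.conf (N = filtergroups) all exist and enable the same list directives, which is the "Important notice" above, and that every ipgroups entry names an existing filterN and writes subnets with a dotted netmask. File names follow the post; the three group files and the ipgroups file it builds under mktemp are constructed for the demonstration, with bannedurllist deliberately hashed out in dansguardianf3.conf and one entry pointing at a group that does not exist.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the filter-group
# setup before running "dansguardian -Q". File names follow the post; the
# sample files at the bottom are constructed here.

# Names of the enabled "...list" directives in one group file, sorted, one per
# line. Hash-commented lines are skipped: a list hashed out in only some of the
# group files is what produces the "Error opening <listname>" messages.
enabled_lists() {
    sed -n 's/^[[:space:]]*\([A-Za-z]*list\)[[:space:]]*=.*/\1/p' "$1" | sort -u
}

# Compare dansguardianf2..fN.conf in directory $1 against dansguardianf1.conf;
# N ($2) is the filtergroups value from dansguardian.conf.
check_group_lists() {
    confdir=$1
    n=$2
    rc=0
    ref=$(mktemp)
    cur=$(mktemp)
    enabled_lists "$confdir/dansguardianf1.conf" > "$ref"
    i=2
    while [ "$i" -le "$n" ]; do
        f=$confdir/dansguardianf$i.conf
        if [ ! -f "$f" ]; then
            echo "ERROR: $f is missing but filtergroups = $n" >&2
            rc=1
        else
            enabled_lists "$f" > "$cur"
            if ! cmp -s "$ref" "$cur"; then
                echo "ERROR: $f enables a different set of lists than dansguardianf1.conf:" >&2
                diff "$ref" "$cur" >&2 || true
                rc=1
            fi
        fi
        i=$((i + 1))
    done
    rm -f "$ref" "$cur"
    return $rc
}

# Validate an ipgroups file ($1) against filtergroups = $2. Entries look like
# "10.10.10.55 = filter2" or "10.11.11.0/255.255.255.0 = filter3".
check_ipgroups() {
    file=$1
    n=$2
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        addr=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        grp=$(printf '%s' "${line##*=}" | tr -d ' \t')
        k=${grp#filter}
        case $grp in filter[1-9]*) ;; *) k=x ;; esac
        case $k in
            *[!0-9]*) echo "ERROR: group must be filterN, got '$grp': $line" >&2; rc=1; continue ;;
        esac
        if [ "$k" -gt "$n" ]; then
            echo "ERROR: $grp does not exist, filtergroups = $n: $line" >&2
            rc=1
        fi
        case $addr in
            */*.*.*.*) ;;   # subnet with a dotted netmask, as the post requires
            */*) echo "ERROR: write the netmask in dotted form (255.255.255.0): $line" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample: $1 = group number, $2 = text put in front of the
# bannedurllist line ("# " hashes it out, the mistake the post warns about).
demo=$(mktemp -d)
mkconf() {
    cat > "$demo/dansguardianf$1.conf" <<EOF
groupname = 'filter$1'
bannedsitelist = '/etc/dansguardian/lists/bannedsitelistf$1'
${2}bannedurllist = '/etc/dansguardian/lists/bannedurllist'
exceptionsitelist = '/etc/dansguardian/lists/exceptionsitelist'
naughtynesslimit = 160
EOF
}
mkconf 1 ""
mkconf 2 ""
mkconf 3 "# "
cat > "$demo/ipgroups" <<'EOF'
10.10.10.210 = filter2
10.10.10.55 = filter2
10.11.11.0/255.255.255.0 = filter3
10.12.12.70 = filter4
EOF

# With filtergroups = 3 both checks report a problem on the constructed files.
check_group_lists "$demo" 3 || echo "group files disagree; fix them before dansguardian -Q"
check_ipgroups "$demo/ipgroups" 3 || echo "ipgroups references a group that does not exist"
```

On the proxy, call check_group_lists with /etc/dansguardian and the filtergroups value, and check_ipgroups with /etc/dansguardian/lists/authplugins/ipgroups; both print nothing and return 0 when the setup is consistent.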

Problems
DG cannot block facebook.com, because the site automatically redirects to https.
************
Yes, a direct https connection just starts with pure SSL. The client opens a TCP socket and starts negotiating SSL cipher specs and the likes. So it’s not until this secure channel, which could be used to carry *ANY* traffic at all, that a web page is requested with the conventional HTTP protocols, which the proxy has no chance of seeing.

************
There is a way: define facebook in the ACL of Squid itself, and it will work 😉 Squid sees the destination host in the client's CONNECT request before the TLS tunnel is set up, so a dstdomain ACL can deny it even though the page itself is encrypted.
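The Squid side of that workaround, as an added example that is not part of the original post: a squid.conf fragment (standard acl and http_access directives) that denies CONNECT requests to facebook.com. The ACL name facebook_ssl is chosen here; the CONNECT method ACL is already defined in the default squid.conf and is repeated only so the fragment is complete.

```conf
# Added example, not from the post: deny HTTPS tunnels to facebook.com in Squid.
# Place the http_access line above the general "http_access allow" rules.
acl facebook_ssl dstdomain .facebook.com
acl CONNECT method CONNECT
http_access deny CONNECT facebook_ssl
```

Reload Squid after editing and confirm the deny in access.log; the rule only covers the hostname in the CONNECT request, so any other domains the site loads from need their own dstdomain entries.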

Excellent link!
Another good link.
