[GTER] Help with dansguardian
Leandro Moreira
leandro at leandromoreira.eti.br
Thu Nov 19 17:47:05 -02 2009
Marcelo,
I tested your suggestion and it partly worked: it worked in that IPs from my
internal network were not showing up in either the dansguardian logs or the
proxy logs, and now they do.
But the internet became extremely slow.
I am checking the settings to see if I can find out what it might be; if you
happen to have any other suggestion, I would be grateful.
Regards,
Leandro Moreira
2009/11/19 Marcelo <msalavee at gmail.com>
> Leandro,
>
> Do a quick test,
>
> change:
> proxyip = 127.0.0.1
> to
> proxyip = your internal interface, for example 192.168.0.1
>
> Regards,
> Marcelo
>
>
> Leandro Moreira wrote:
> > Dear all,
> > Below is my dansguardian.conf:
> >
> > # comment out this line to indicate that we have already configured it
> > #UNCONFIGURED - Please remove this line after configuration
> >
> > # 3 = use HTML template for denied accesses
> > reportinglevel = 3
> >
> > # Languages directory
> > languagedir = '/etc/dansguardian/languages'
> >
> > # Language used:
> > language = 'portuguese'
> >
> > # Log level: 0 = none 1 = denied only 2 = all accessed 3 = all requests
> > loglevel = 3
> >
> > # 2 = always log & mark exceptions (default)
> > logexceptionhits = 2
> >
> > # Log format, 1 = default format.
> > logfileformat = 1
> >
> > # Log file location
> > loglocation = '/var/log/dansguardian/access.log'
> >
> > # Individually filtered IPs
> > filterip =
> >
> > # Dansguardian listening port
> > filterport = 8080
> >
> > # Proxy IP, where squid is
> > proxyip = 127.0.0.1
> >
> > # squid port
> > proxyport = 3128
> >
> > # access-denied URL
> > accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
> >
> > # Default is enabled, but to go back to the standard mode, disable it.
> > nonstandarddelimiter = on
> >
> > # Use the dansguardian banner on (default) | off
> > usecustombannedimage = on
> > custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
> >
> > # Number of existing groups; up to 9 can be created
> > filtergroups = 1
> >
> > # Location of the file where groups are assigned to users or IPs.
> > # now we can also assign IP ranges
> > filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
> >
> > # IPs with no access
> > bannediplist = '/etc/dansguardian/lists/bannediplist'
> > # IPs with full access
> > exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
> >
> > # high enough, reported. on | off
> > showweightedfound = on
> >
> > # 2 = on, singular = each weighted phrase found only counts once on a page.
> > weightedphrasemode = 2
> >
> > urlcachenumber = 1000
> > urlcacheage = 900
> > scancleancache = on
> >
> > # 2 = both of the above (default)
> > phrasefiltermode = 2
> >
> > # 0 = force lower case (default)
> > preservecase = 0
> >
> > # off = disabled (default)
> > # on = enabled
> > hexdecodecontent = off
> >
> > # off (default) | on (Big5 compatible)
> > forcequicksearch = off
> >
> > # bannedsitelist file instead.
> > reverseaddresslookups = off
> >
> > # leave it off.
> > reverseclientiplookups = off
> >
> > # is, enabling this option does not incur any additional forward DNS requests.
> > logclienthostnames = off
> >
> > # be significant. Fast computers do not need this option. on | off
> > createlistcachefiles = on
> >
> > # use -1 for no blocking
> > #maxuploadsize = 512
> > #maxuploadsize = 0
> > maxuploadsize = -1
> >
> > # The size is in Kibibytes - eg 2048 = 2Mb
> > # use 0 to set it to maxcontentramcachescansize
> > maxcontentfiltersize = 256
> >
> > # use 0 to set it to maxcontentfilecachescansize
> > # This option may be ignored by the configured download manager.
> > maxcontentramcachescansize = 2000
> >
> > # The size is in Kibibytes - eg 10240 = 10Mb
> > maxcontentfilecachescansize = 20000
> >
> > # RAM cache.
> > filecachedir = '/tmp'
> >
> > # on|off (defaults to on)
> > deletedownloadedtempfiles = on
> >
> > # This may be ignored by the configured download manager.
> > initialtrickledelay = 20
> >
> > # This may be ignored by the configured download manager.
> > trickledelay = 10
> >
> > # Download manager control
> > downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
> > downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
> >
> > # The default of 60 seconds is probably reasonable.
> > contentscannertimeout = 60
> >
> > # (on|off) default = off
> > contentscanexceptions = off
> >
> > # This plugin must be enabled for users to appear in the Dansguardian log
> > authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
> >
> >
> > # Defaults to off.
> > recheckreplacedurls = off
> >
> > # Important: must be enabled to pass the client IPs on to squid.
> > forwardedfor = on
> >
> > # Warning - headers are easily spoofed. on | off
> > usexforwardedfor = off
> >
> > # it on or off
> > logconnectionhandlingerrors = on
> >
> > # useful in production.
> > logchildprocesshandling = off
> >
> > # On large sites you might want to try 180.
> > maxchildren = 120
> >
> > # On large sites you might want to try 32.
> > minchildren = 8
> >
> > # sets the minimum number of processes to be kept ready to handle connections.
> > # On large sites you might want to try 8.
> > minsparechildren = 4
> >
> > # sets the minimum number of processes to spawn when it runs out
> > # On large sites you might want to try 10.
> > preforkchildren = 6
> >
> > # sets the maximum number of processes to have doing nothing.
> > # When this many are spare it will cull some of them.
> > # On large sites you might want to try 64.
> > maxsparechildren = 32
> >
> > # On large sites you might want to try 10000.
> > maxagechildren = 500
> >
> > # browse the web. Set to 0 for no limit, and to disable the IP cache process.
> > maxips = 0
> >
> > # Defines IPC server directory and filename used to communicate with the log process.
> > ipcfilename = '/tmp/.dguardianipc'
> >
> > # Defines URL list IPC server directory and filename used to communicate with the URL
> > # cache process.
> > urlipcfilename = '/tmp/.dguardianurlipc'
> >
> > # Defines IP list IPC server directory and filename, for communicating with the client
> > # IP cache process.
> > ipipcfilename = '/tmp/.dguardianipipc'
> >
> > # on|off (defaults to off)
> > nodaemon = off
> >
> > # Disable logging process
> > # on|off (defaults to off)
> > nologger = off
> >
> > # Enable logging of "ADs" category blocks
> > # on|off (defaults to off)
> > logadblocks = off
> >
> > # Enable logging of client User-Agent
> > # Some browsers will cause a *lot* of extra information on each line!
> > # on|off (defaults to off)
> > loguseragent = off
> >
> > # on|off (defaults to off)
> > softrestart = off
> >
> > # Mail program
> > # Path (sendmail-compatible) email program, with options.
> > # Not used if usesmtp is disabled (filtergroup specific).
> > mailer = '/usr/sbin/sendmail -t'
> >
> > Regards,
> >
> > Leandro Moreira.
> >
> > 2009/11/19 Marcelo <msalavee at gmail.com>
> >
> > Leandro,
> >
> > post your dansguardian.conf
> >
> >
> > Regards,
> > Marcelo
> >
> > Leandro Moreira wrote:
> > > Dear all,
> > > My network has the following topology
> > >
> > > # --------- # # -------------- # # -------------------- #
> > > # LAN # ----> # FW DMZ # -----> # EDGE FW #
> > > # --------- # # --------------- # # -------------------- #
> > > |
> > > |
> > > # --------------------------------------- #
> > > # PROXY/DANSGUARDIAN #
> > > # --------------------------------------- #
> > >
> > > I installed and configured dansguardian; when I set it manually in the
> > > browser, it works without problems. So I created a NAT rule on the edge
> > > firewall to send all port 80 requests to the server running
> > > dansguardian:
> > >
> > > iptables -t nat -A PREROUTING -i ! eth0 -s ! 172.20.0.30 -p tcp -m multiport --dport 80 -j DNAT --to-destination 172.20.0.30:8080
> > >
> > > When I enable the NAT, the internet simply stops; so I did the same NAT
> > > to the proxy, which is on the same machine, and it worked normally.
> > > I am still running a very basic dansguardian with only its default
> > > blacklists; what puzzles me most is that when I redirected the NAT above
> > > to squid, browsing became normal.
> > > Has anyone run into this kind of problem? Thanks in advance for any
> > > help.
> > >
> > > PS.: 1- It is not a hardware problem, since the server is a PowerEdge
> > > with a gigabit NIC.
> > > 2- I have already argued with the "project" manager because I wanted
> > > to build this solution using a bridge and he did not approve it.
> > >
> > > Regards,
> > >
> > > --
> > > Leandro Moreira
> > > Linux Administrator: LPIC-1
> > > e-mail/msn: leandro at leandromoreira.eti.br
> > > Tel.: + 55(32) 9906-5713
> >
> >
> >
> >
> > --
> > Leandro Moreira
> > Linux Administrator: LPIC-1
> > e-mail/msn: leandro at leandromoreira.eti.br
> > Tel.: + 55(32) 9906-5713
>
--
Leandro Moreira
Linux Administrator: LPIC-1
e-mail/msn: leandro at leandromoreira.eti.br
Tel.: + 55(32) 9906-5713
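
The exchange above turns on which client address ends up in the DansGuardian and Squid logs. As an added example (not part of the thread and not DansGuardian's own code), this Python script parses a file in the posted format and flags the directives from the posted config that govern that; the finding names are made up for the example and the sample input is constructed.

```python
import re

# Constructed sample in the format of the dansguardian.conf quoted in the thread.
SAMPLE_CONF = """\
# Proxy IP, where squid is
proxyip = 127.0.0.1
proxyport = 3128
loglevel = 3
loglocation = '/var/log/dansguardian/access.log'
forwardedfor = on
usexforwardedfor = off
"""

DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Return {key: last value}; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            # Values may be wrapped in single quotes, as in the posted file.
            conf[m.group(1).lower()] = m.group(2).strip("'")
    return conf


def audit_client_ip_settings(conf):
    """Return finding codes for settings that affect which client IP is logged."""
    findings = []  # finding names are hypothetical, chosen for this example
    if conf.get("forwardedfor", "off") != "on":
        # No X-Forwarded-For is added, so Squid sees only the filter's address.
        findings.append("forwardedfor-off")
    if conf.get("usexforwardedfor", "off") == "on":
        # Client IP is read from a header that any client can forge.
        findings.append("usexforwardedfor-on")
    if conf.get("loglevel") != "3":
        # Per the posted comment, only level 3 logs all requests.
        findings.append("loglevel-not-all")
    return findings


if __name__ == "__main__":
    for code in audit_client_ip_settings(parse_conf(SAMPLE_CONF)) or ["no findings"]:
        print(code)
```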