[GTER] Help with dansguardian
Egberto Monteiro
servidores at futuro.usp.br
Thu Nov 19 17:49:58 -02 2009
What is the hardware configuration of the server running dansguardian, and
how many clients do you have?
My clients don't even notice the difference here.
Leandro Moreira wrote:
> Marcelo,
> I tested your suggestion and it worked in part. It worked because it was not picking
> up the IPs of my internal network in either the dansguardian logs or the proxy logs,
> and that has now started happening.
> But the internet became extremely slow.
> I am checking the configuration to see if I can find out what it might be; if you
> happen to have any other suggestion, I would be grateful.
>
> Regards,
>
> Leandro Moreira
>
>
>
>
> 2009/11/19 Marcelo <msalavee at gmail.com>
>
>
>> Leandro,
>>
>> Do a quick test,
>>
>> change:
>> proxyip = 127.0.0.1
>> to
>> proxyip = your internal interface, for example 192.168.0.1
>>
>> Regards,
>> Marcelo
>>
>>
>> Leandro Moreira wrote:
>>
>>> Dear all,
>>> Below is my dansguardian.conf:
>>>
>>> # comment out this line to indicate that we have already configured it
>>> #UNCONFIGURED - Please remove this line after configuration
>>>
>>> # 3 = use HTML template for denied accesses
>>> reportinglevel = 3
>>>
>>> # Language directory
>>> languagedir = '/etc/dansguardian/languages'
>>>
>>> # Language used:
>>> language = 'portuguese'
>>>
>>> # Log level 0 = none 1 = denied only 2 = all accessed 3 = all requests
>>> loglevel = 3
>>>
>>> # 2 = always log & mark exceptions (default)
>>> logexceptionhits = 2
>>>
>>> # Log format, 1 = default format.
>>> logfileformat = 1
>>>
>>> # Log file location
>>> loglocation = '/var/log/dansguardian/access.log'
>>>
>>> # IPs filtered individually
>>> filterip =
>>>
>>> # Dansguardian listening port
>>> filterport = 8080
>>>
>>> # Proxy IP, where squid is
>>> proxyip = 127.0.0.1
>>>
>>> # squid port
>>> proxyport = 3128
>>>
>>> # access denied URL
>>> accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
>>>
>>> # Default is enabled, but to go back to the standard mode, disable it.
>>> nonstandarddelimiter = on
>>>
>>> # Use dansguardian banner on (default) | off
>>> usecustombannedimage = on
>>> custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
>>>
>>> # Number of existing groups; up to 9 can be created
>>> filtergroups = 1
>>>
>>> # Location of the file where groups are assigned to users or IPs.
>>> # now we can also assign IP ranges
>>> filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
>>>
>>> # IPs without access
>>> bannediplist = '/etc/dansguardian/lists/bannediplist'
>>> # IPs with full access
>>> exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
>>>
>>> # high enough, reported. on | off
>>> showweightedfound = on
>>>
>>> # 2 = on, singular = each weighted phrase found only counts once on a page.
>>> weightedphrasemode = 2
>>>
>>> urlcachenumber = 1000
>>> urlcacheage = 900
>>> scancleancache = on
>>>
>>> # 2 = both of the above (default)
>>> phrasefiltermode = 2
>>>
>>> # 0 = force lower case (default)
>>> preservecase = 0
>>>
>>> # off = disabled (default)
>>> # on = enabled
>>> hexdecodecontent = off
>>>
>>> # off (default) | on (Big5 compatible)
>>> forcequicksearch = off
>>>
>>> # bannedsitelist file instead.
>>> reverseaddresslookups = off
>>>
>>> # leave it off.
>>> reverseclientiplookups = off
>>>
>>> # is, enabling this option does not incur any additional forward DNS requests.
>>> logclienthostnames = off
>>>
>>> # be significant. Fast computers do not need this option. on | off
>>> createlistcachefiles = on
>>>
>>> # use -1 for no blocking
>>> #maxuploadsize = 512
>>> #maxuploadsize = 0
>>> maxuploadsize = -1
>>>
>>> # The size is in Kibibytes - eg 2048 = 2Mb
>>> # use 0 to set it to maxcontentramcachescansize
>>> maxcontentfiltersize = 256
>>>
>>> # use 0 to set it to maxcontentfilecachescansize
>>> # This option may be ignored by the configured download manager.
>>> maxcontentramcachescansize = 2000
>>>
>>> # The size is in Kibibytes - eg 10240 = 10Mb
>>> maxcontentfilecachescansize = 20000
>>>
>>> # RAM cache.
>>> filecachedir = '/tmp'
>>>
>>> # on|off (defaults to on)
>>> deletedownloadedtempfiles = on
>>>
>>> # This may be ignored by the configured download manager.
>>> initialtrickledelay = 20
>>>
>>> # This may be ignored by the configured download manager.
>>> trickledelay = 10
>>>
>>> # Control over the download manager
>>> downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
>>> downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
>>>
>>> # The default of 60 seconds is probably reasonable.
>>> contentscannertimeout = 60
>>>
>>> # (on|off) default = off
>>> contentscanexceptions = off
>>>
>>> # This plugin must be enabled for users to appear in the Dansguardian log
>>> authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
>>>
>>>
>>> # Defaults to off.
>>> recheckreplacedurls = off
>>>
>>> # Important: must be enabled to pass the client IPs on to squid.
>>> forwardedfor = on
>>>
>>> # Warning - headers are easily spoofed. on | off
>>> usexforwardedfor = off
>>>
>>> # it on or off
>>> logconnectionhandlingerrors = on
>>>
>>> # useful in production.
>>> logchildprocesshandling = off
>>>
>>> # On large sites you might want to try 180.
>>> maxchildren = 120
>>>
>>> # On large sites you might want to try 32.
>>> minchildren = 8
>>>
>>> # sets the minimum number of processes to be kept ready to handle connections.
>>> # On large sites you might want to try 8.
>>> minsparechildren = 4
>>>
>>> # sets the minimum number of processes to spawn when it runs out
>>> # On large sites you might want to try 10.
>>> preforkchildren = 6
>>>
>>> # sets the maximum number of processes to have doing nothing.
>>> # When this many are spare it will cull some of them.
>>> # On large sites you might want to try 64.
>>> maxsparechildren = 32
>>>
>>> # On large sites you might want to try 10000.
>>> maxagechildren = 500
>>>
>>> # browse the web. Set to 0 for no limit, and to disable the IP cache process.
>>> maxips = 0
>>>
>>> # Defines IPC server directory and filename used to communicate with the log process.
>>> ipcfilename = '/tmp/.dguardianipc'
>>>
>>> # Defines URL list IPC server directory and filename used to communicate with the URL
>>> # cache process.
>>> urlipcfilename = '/tmp/.dguardianurlipc'
>>>
>>> # Defines IP list IPC server directory and filename, for communicating with the client
>>> # IP cache process.
>>> ipipcfilename = '/tmp/.dguardianipipc'
>>>
>>> # on|off (defaults to off)
>>> nodaemon = off
>>>
>>> # Disable logging process
>>> # on|off (defaults to off)
>>> nologger = off
>>>
>>> # Enable logging of "ADs" category blocks
>>> # on|off (defaults to off)
>>> logadblocks = off
>>>
>>> # Enable logging of client User-Agent
>>> # Some browsers will cause a *lot* of extra information on each line!
>>> # on|off (defaults to off)
>>> loguseragent = off
>>>
>>> # on|off (defaults to off)
>>> softrestart = off
>>>
>>> # Mail program
>>> # Path (sendmail-compatible) email program, with options.
>>> # Not used if usesmtp is disabled (filtergroup specific).
>>> mailer = '/usr/sbin/sendmail -t'
>>>
>>> Regards,
>>>
>>> Leandro Moreira.
>>>
>>> 2009/11/19 Marcelo <msalavee at gmail.com>
>>>
>>> Leandro,
>>>
>>> post your dansguardian.conf
>>>
>>>
>>> Regards,
>>> Marcelo
>>>
>>> Leandro Moreira wrote:
>>> > Dear all,
>>> > My network has the following topology
>>> >
>>> > # --------- # # -------------- # # -------------------- #
>>> > # LAN # ----> # FW DMZ # -----> # EDGE FW #
>>> > # --------- # # --------------- # # -------------------- #
>>> > |
>>> > |
>>> > # --------------------------------------- #
>>> > # PROXY/DANSGUARDIAN #
>>> > # --------------------------------------- #
>>> >
>>> > I installed and configured dansguardian; when I set it manually in the
>>> > browser, it works without problems. So I created a NAT rule on the edge
>>> > firewall to send all port 80 requests to the server running
>>> > dansguardian:
>>> >
>>> > iptables -t nat -A PREROUTING -i ! eth0 -s ! 172.20.0.30 -p tcp -m
>>> > multiport --dport 80 -j DNAT --to-destination 172.20.0.30:8080
>>> >
>>> > When I enable the NAT, the internet simply stops, so I did the same NAT
>>> > to the proxy, which is on the same machine, and it worked normally.
>>> > I still have dansguardian in its very basic setup, with only its default
>>> > blacklists; what intrigues me most is that when I redirect the NAT above
>>> > to squid, browsing is normal.
>>> > Has anyone run into this kind of problem? Thanks in advance for the help.
>>> >
>>> > PS: 1- It is not a hardware problem, since the server is a PowerEdge
>>> > with a gigabit card.
>>> > 2- I already argued with the "project" manager, because I wanted to
>>> > build this solution using a bridge and he did not approve it.
>>> >
>>> > Regards,
>>> >
>>> > --
>>> > Leandro Moreira
>>> > Linux Administrator: LPIC-1
>>> > e-mail/msn: leandro at leandromoreira.eti.br
>>> > Tel.: + 55(32) 9906-5713
>>>
>>>
>>>
>>>
>>> --
>>> Leandro Moreira
>>> Linux Administrator: LPIC-1
>>> e-mail/msn: leandro at leandromoreira.eti.br
>>> Tel.: + 55(32) 9906-5713
>>>
>
>
>
>
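Added example (not part of the original thread and not DansGuardian code): a small Python check for a dansguardian.conf like the one quoted above, cross-checked against the DNAT target from the quoted iptables rule. It flags lines that are neither comments nor `key = value` (such as comment text a mail client wrapped without `#`) and reports the proxy chaining and X-Forwarded-For settings the thread discusses; the sample input is constructed from values in the thread and the name `audit_conf` is hypothetical.

```python
import re

# Constructed sample: lines taken from the configuration quoted in the thread,
# including one comment that the mail client wrapped without a leading '#'.
SAMPLE_CONF = """\
# Log level 0 = none 1 = denied only 2 = all accessed 3 =
all requests
loglevel = 3
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
forwardedfor = on
usexforwardedfor = off
"""
# DNAT target from the iptables rule quoted in the thread.
SAMPLE_DNAT = "172.20.0.30:8080"

KEY_VALUE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$")

def audit_conf(text, dnat_target):
    """Return (settings, notes) for a dansguardian.conf-style text (hypothetical helper)."""
    settings, notes = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = KEY_VALUE.match(line)
        if match is None:
            notes.append(f"line {lineno}: neither a comment nor key = value")
            continue
        # Values may be wrapped in single quotes, as in the quoted file.
        settings[match.group(1).lower()] = match.group(2).strip().strip("'\"")
    dnat_ip, _, dnat_port = dnat_target.rpartition(":")
    if settings.get("filterport") != dnat_port:
        notes.append("DNAT port does not match filterport")
    if settings.get("filterip") not in ("", None, dnat_ip):
        notes.append("filterip is set to an address other than the DNAT target")
    if settings.get("proxyip", "").startswith("127."):
        notes.append("proxyip is loopback: the parent proxy sees 127.0.0.1 as the peer")
    if settings.get("forwardedfor") == "on":
        notes.append("forwardedfor = on: client address is sent upstream in X-Forwarded-For")
    if settings.get("usexforwardedfor") == "on":
        notes.append("usexforwardedfor = on: client address is read from a spoofable header")
    return settings, notes

if __name__ == "__main__":
    for note in audit_conf(SAMPLE_CONF, SAMPLE_DNAT)[1]:
        print(note)
```
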