I have problems with my Squidguard installation on LTSP 4.2 server. Attention: it's a long story with configs and logs!
opac-server:/ # cat /etc/squid/squid.conf
http_port 192.168.0.254:3128
icp_port 0
visible_hostname OPAC
client_netmask 255.255.255.255
offline_mode off
acl all src 0.0.0.0/0
acl terminale src 192.168.0.0/24
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
http_access allow terminale
http_access deny all
always_direct allow all
icp_access deny all
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidGuard.conf
url_rewrite_children 8
redirector_bypass off
#cache_dir ufs /var/cache/squid/ 100 16 256
cache deny all
cache_dir null /tmp
------------------------------------------------------------
opac-server:/ # cat /etc/squidGuard.conf
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db
#
# Konfiguracja grup uzytkownikow (wedlug lokalizacji terminali)
# Users groups (based on terminals' location)
#
src korytarz {
ip 192.168.0.1
ip 192.168.0.2
ip 192.168.0.3
ip 192.168.0.4
ip 192.168.0.5
ip 192.168.0.6
ip 192.168.0.7
ip 192.168.0.8
ip 192.168.0.9
ip 192.168.0.10
}
src osrodek {
ip 192.168.0.11
ip 192.168.0.12
ip 192.168.0.13
ip 192.168.0.14
}
#
# Konfiguracja list dostepu (najpierw "fabryczne", na koncu wlasne)
# Access lists ("factory" first, then my own - good, bad, biblioteka)
#
dest adv {
domainlist adv/domains
urllist adv/urls
log adv-block.log
}
dest aggressive {
domainlist aggressive/domains
urllist aggressive/urls
log aggressive-block.log
}
dest automobile {
domainlist automobile/domains
urllist automobile/urls
log automobile-block.log
}
dest chat {
domainlist chat/domains
urllist chat/urls
log chat-block.log
}
dest dating {
domainlist dating/domains
urllist dating/urls
log dating-block.log
}
dest downloads {
domainlist downloads/domains
urllist downloads/urls
log downloads-block.log
}
dest drugs {
domainlist drugs/domains
urllist drugs/urls
log drugs-block.log
}
dest dynamic {
domainlist dynamic/domains
urllist dynamic/urls
log dynamic-block.log
}
dest forum {
domainlist forum/domains
urllist forum/urls
log forum-block.log
}
dest gamble {
domainlist gamble/domains
urllist gamble/urls
log gamble-block.log
}
dest hacking {
domainlist hacking/domains
urllist hacking/urls
log hacking-block.log
}
dest isp {
domainlist isp/domains
urllist isp/urls
log isp-block.log
}
dest jobsearch {
domainlist jobsearch/domains
urllist jobsearch/urls
log jobsearch-block.log
}
dest movies {
domainlist movies/domains
urllist movies/urls
log movies-block.log
}
dest music {
domainlist music/domains
urllist music/urls
log music-block.log
}
dest news {
domainlist news/domains
urllist news/urls
log news-block.log
}
dest porn {
domainlist porn/domains
urllist porn/urls
log porn-block.log
}
dest recreation {
domainlist recreation/domains
urllist recreation/urls
log recreation-block.log
}
dest redirector {
domainlist redirector/domains
urllist redirector/urls
log redirector-block.log
}
dest spyware {
domainlist spyware/domains
urllist spyware/urls
log spyware-block.log
}
dest shopping {
domainlist shopping/domains
urllist shopping/urls
log shopping-block.log
}
dest tracker {
domainlist tracker/domains
urllist tracker/urls
log tracker-block.log
}
dest violence {
domainlist violence/domains
urllist violence/urls
}
dest warez {
domainlist warez/domains
urllist warez/urls
log warez-block.log
}
dest webmail {
domainlist webmail/domains
urllist webmail/urls
log webmail-block.log
}
dest webradio {
domainlist webradio/domains
urllist webradio/urls
log webradio-block.log
}
dest webtv {
domainlist webtv/domains
urllist webtv/urls
log webtv-block.log
}
dest good {
domainlist custom/good/domains
log custom-good.log
}
dest bad {
domainlist custom/bad/domains
log custom-bad.log
}
dest biblioteka {
domainlist custom/biblioteka/domains
log custom-biblioteka.log
}
#
# Konfiguracja polityki dostepu
# Access policy
#
acl {
opac {
pass biblioteka none
redirect 302:http://localhost/access-denied-OPAC.html
}
osrodek {
pass
good !bad !adv !aggressive !automobile !chat !dating !downloads !drugs !dynamic
!forum !gamble !hacking !isp !jobsearch !movies !music !news !porn !recreation
!redirector !spyware !shopping !tracker !violence !warez !webmail !webradio
!webtv
all
redirect 302:http://localhost/access-denied-OIN.html
}
default {
pass biblioteka none
redirect 302:http://localhost/access-denied-other.html
}
}
------------------------------------------------------------
------------------------------------------------------------
So, I want to block all traffic for 'opac' except adressess defined
in 'biblioteka' whitelist. 'osrodek' group should have access to all domains
including 'good' list and excluding 'bad' and all "factory" lists. Then
comes 'default' section - same as 'opac' section. When I change default
policy to "pass none", no website can be accessed (excluding no-proxy sites).
I made three different pages with information about block policy for different
groups: access-denied-OPAC.html for 'opac' group, access-denied-OIN.html
for 'osrodek' group and access-denied-other.html for 'default' group. 'opac'
has IP range 192.168.0.1-192.168.0.10, 'osrodek' - 192.168.0.11-192.168.0.14.
It's time for some tests. When I test SG with
echo "http://wrzuta.pl 192.168.0.1/ - - GET" | squidGuard -d
I get (output truncated):
2007-11-16 13:31:19 [4414] squidGuard 1.2.1 started (1195216278.818)
2007-11-16 13:31:19 [4414] squidGuard ready for requests (1195216279.065)
302:http://localhost/access-denied-OPAC.html 192.168.0.1/- - -
2007-11-16 13:31:19 [4414] squidGuard stopped (1195216279.066)
Explanation: wrzuta.pl is in 'bad' domains file and should be blocked
for 'opac' group. Additionally, SG displays proper "Access denied" file - so
it's OK.
Next case:
echo "http://wrzuta.pl 192.168.0.12/ - - GET" | squidGuard -d
2007-11-16 13:34:32 [4602] squidGuard ready for requests (1195216472.713)
2007-11-16 13:34:32 [4602] Request(osrodek/bad/-) http://wrzuta.pl
192.168.0.12/- - - REDIRECT
302:http://localhost/access-denied-OIN.html 192.168.0.12/- - -
2007-11-16 13:34:32 [4602] squidGuard stopped (1195216472.713)
As above, but for IP from 'osrodek' group. Address is blocked and proper
information is displayed - OK.
Last case:
echo "http://wrzuta.pl 192.168.0.200/ - - GET" | squidGuard -d
2007-11-16 13:36:30 [4743] squidGuard 1.2.1 started (1195216589.800)
2007-11-16 13:36:30 [4743] squidGuard ready for requests (1195216590.141)
302:http://localhost/access-denied-other.html 192.168.0.200/- - -
2007-11-16 13:36:30 [4743] squidGuard stopped (1195216590.142)
As above, but for IP 192.168.0.200. Address is blocked and proper information
is displayed - OK.
But if I open browser on the terminal itself, it behaves in other way - all
ACLs are ignored and 'default' ACL is applied ("pass biblioteka none"). If I
remove 'biblioteka' list from this ACL, _none_ can access any webpage, so ACL
is for all clients "pass none".
In SG logs I have for example: 2007-11-08 10:58:37 [28883]
Request(default/bad/-) http://wrzuta.pl/ 192.168.0.254/opac-server.site - GET
REDIRECT. In all of log files repeats the same IP: 192.168.0.254 - this is IP
of server which runs Squid and SG. Shouldn't it be IP of blocked client?
I simply don't understand this behaviour. Is it some mistake in SG config or
Squid config? Or maybe in other place? I'm sure that some of you guys have
working SG on your LTSP servers, because I feel quite helpless now :/ Can
anybody explain this weird behaviour...?
PS. Some infos about my installation: openSUSE 10.2 x86_64, squidGuard 1.2.1,
Squid 2.6STABLE6 (both installed from RPMs), LTSP 4.2u4.
--
Tomasz Lewicki
PGP key: http://stalker.republika.pl/stalker.asc
signature.asc
Description: This is a digitally signed message part.
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
