I have problems with my Squidguard installation on LTSP 4.2 server. Attention: it's a long story with configs and logs!
opac-server:/ # cat /etc/squid/squid.conf
http_port 192.168.0.254:3128
icp_port 0
visible_hostname OPAC
client_netmask 255.255.255.255
offline_mode off
acl all src 0.0.0.0/0
acl terminale src 192.168.0.0/24
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80            # http
acl Safe_ports port 443           # https
acl Safe_ports port 1025-65535    # unregistered ports
acl CONNECT method CONNECT
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
http_access allow terminale
http_access deny all
always_direct allow all
icp_access deny all
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidGuard.conf
url_rewrite_children 8
redirector_bypass off
#cache_dir ufs /var/cache/squid/ 100 16 256
cache deny all
cache_dir null /tmp

------------------------------------------------------------

opac-server:/ # cat /etc/squidGuard.conf
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db

#
# User groups (based on terminals' location)
#
src korytarz {
    ip 192.168.0.1
    ip 192.168.0.2
    ip 192.168.0.3
    ip 192.168.0.4
    ip 192.168.0.5
    ip 192.168.0.6
    ip 192.168.0.7
    ip 192.168.0.8
    ip 192.168.0.9
    ip 192.168.0.10
}

src osrodek {
    ip 192.168.0.11
    ip 192.168.0.12
    ip 192.168.0.13
    ip 192.168.0.14
}

#
# Access lists ("factory" first, then my own - good, bad, biblioteka)
#
dest adv {
    domainlist adv/domains
    urllist adv/urls
    log adv-block.log
}

dest aggressive {
    domainlist aggressive/domains
    urllist aggressive/urls
    log aggressive-block.log
}

dest automobile {
    domainlist automobile/domains
    urllist automobile/urls
    log automobile-block.log
}

dest chat {
    domainlist chat/domains
    urllist chat/urls
    log chat-block.log
}

dest dating {
    domainlist dating/domains
    urllist dating/urls
    log dating-block.log
}

dest downloads {
    domainlist downloads/domains
    urllist downloads/urls
    log downloads-block.log
}

dest drugs {
    domainlist drugs/domains
    urllist drugs/urls
    log drugs-block.log
}

dest dynamic {
    domainlist dynamic/domains
    urllist dynamic/urls
    log dynamic-block.log
}

dest forum {
    domainlist forum/domains
    urllist forum/urls
    log forum-block.log
}

dest gamble {
    domainlist gamble/domains
    urllist gamble/urls
    log gamble-block.log
}

dest hacking {
    domainlist hacking/domains
    urllist hacking/urls
    log hacking-block.log
}

dest isp {
    domainlist isp/domains
    urllist isp/urls
    log isp-block.log
}

dest jobsearch {
    domainlist jobsearch/domains
    urllist jobsearch/urls
    log jobsearch-block.log
}

dest movies {
    domainlist movies/domains
    urllist movies/urls
    log movies-block.log
}

dest music {
    domainlist music/domains
    urllist music/urls
    log music-block.log
}

dest news {
    domainlist news/domains
    urllist news/urls
    log news-block.log
}

dest porn {
    domainlist porn/domains
    urllist porn/urls
    log porn-block.log
}

dest recreation {
    domainlist recreation/domains
    urllist recreation/urls
    log recreation-block.log
}

dest redirector {
    domainlist redirector/domains
    urllist redirector/urls
    log redirector-block.log
}

dest spyware {
    domainlist spyware/domains
    urllist spyware/urls
    log spyware-block.log
}

dest shopping {
    domainlist shopping/domains
    urllist shopping/urls
    log shopping-block.log
}

dest tracker {
    domainlist tracker/domains
    urllist tracker/urls
    log tracker-block.log
}

dest violence {
    domainlist violence/domains
    urllist violence/urls
}

dest warez {
    domainlist warez/domains
    urllist warez/urls
    log warez-block.log
}

dest webmail {
    domainlist webmail/domains
    urllist webmail/urls
    log webmail-block.log
}

dest webradio {
    domainlist webradio/domains
    urllist webradio/urls
    log webradio-block.log
}

dest webtv {
    domainlist webtv/domains
    urllist webtv/urls
    log webtv-block.log
}

dest good {
    domainlist custom/good/domains
    log custom-good.log
}

dest bad {
    domainlist custom/bad/domains
    log custom-bad.log
}

dest biblioteka {
    domainlist custom/biblioteka/domains
    log custom-biblioteka.log
}

#
# Access policy
#
acl {
    opac {
        pass biblioteka none
        redirect 302:http://localhost/access-denied-OPAC.html
    }

    osrodek {
        pass good !bad !adv !aggressive !automobile !chat !dating !downloads !drugs !dynamic !forum !gamble !hacking !isp !jobsearch !movies !music !news !porn !recreation !redirector !spyware !shopping !tracker !violence !warez !webmail !webradio !webtv all
        redirect 302:http://localhost/access-denied-OIN.html
    }

    default {
        pass biblioteka none
        redirect 302:http://localhost/access-denied-other.html
    }
}

------------------------------------------------------------

So, I want to block all traffic for 'opac' except addresses defined in the 'biblioteka' whitelist. The 'osrodek' group should have access to all domains including the 'good' list and excluding 'bad' and all "factory" lists. Then comes the 'default' section - same as the 'opac' section. When I change the default policy to "pass none", no website can be accessed (excluding no-proxy sites).

I made three different pages with information about the block policy for the different groups: access-denied-OPAC.html for the 'opac' group, access-denied-OIN.html for the 'osrodek' group and access-denied-other.html for the 'default' group. 'opac' has IP range 192.168.0.1-192.168.0.10, 'osrodek' - 192.168.0.11-192.168.0.14.

It's time for some tests. When I test SG with

echo "http://wrzuta.pl 192.168.0.1/ - - GET" | squidGuard -d

I get (output truncated):

2007-11-16 13:31:19 [4414] squidGuard 1.2.1 started (1195216278.818)
2007-11-16 13:31:19 [4414] squidGuard ready for requests (1195216279.065)
302:http://localhost/access-denied-OPAC.html 192.168.0.1/- - -
2007-11-16 13:31:19 [4414] squidGuard stopped (1195216279.066)

Explanation: wrzuta.pl is in the 'bad' domains file and should be blocked for the 'opac' group. Additionally, SG displays the proper "Access denied" file - so it's OK.

Next case:

echo "http://wrzuta.pl 192.168.0.12/ - - GET" | squidGuard -d

2007-11-16 13:34:32 [4602] squidGuard ready for requests (1195216472.713)
2007-11-16 13:34:32 [4602] Request(osrodek/bad/-) http://wrzuta.pl 192.168.0.12/- - - REDIRECT
302:http://localhost/access-denied-OIN.html 192.168.0.12/- - -
2007-11-16 13:34:32 [4602] squidGuard stopped (1195216472.713)

As above, but for an IP from the 'osrodek' group. The address is blocked and the proper information is displayed - OK.

Last case:

echo "http://wrzuta.pl 192.168.0.200/ - - GET" | squidGuard -d

2007-11-16 13:36:30 [4743] squidGuard 1.2.1 started (1195216589.800)
2007-11-16 13:36:30 [4743] squidGuard ready for requests (1195216590.141)
302:http://localhost/access-denied-other.html 192.168.0.200/- - -
2007-11-16 13:36:30 [4743] squidGuard stopped (1195216590.142)

As above, but for IP 192.168.0.200. The address is blocked and the proper information is displayed - OK.

But if I open a browser on the terminal itself, it behaves in another way - all ACLs are ignored and the 'default' ACL is applied ("pass biblioteka none"). If I remove the 'biblioteka' list from this ACL, _no one_ can access any webpage, so the ACL is "pass none" for all clients. In the SG logs I have, for example:

2007-11-08 10:58:37 [28883] Request(default/bad/-) http://wrzuta.pl/ 192.168.0.254/opac-server.site - GET REDIRECT

The same IP repeats in all of the log files: 192.168.0.254 - this is the IP of the server which runs Squid and SG. Shouldn't it be the IP of the blocked client? I simply don't understand this behaviour. Is it some mistake in the SG config or the Squid config? Or maybe in another place? I'm sure that some of you guys have working SG on your LTSP servers, because I feel quite helpless now :/ Can anybody explain this weird behaviour...?

PS. Some info about my installation: openSUSE 10.2 x86_64, squidGuard 1.2.1, Squid 2.6STABLE6 (both installed from RPMs), LTSP 4.2u4.

--
Tomasz Lewicki
PGP key: http://stalker.republika.pl/stalker.asc
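The following is an added example and not part of Tomasz's post or of squidGuard itself: a small Python model of the posted squidGuard.conf that reads redirector input lines in the same "URL ip/fqdn ident method" form as the echo tests, maps the client IP to a src group, and walks the acl's pass expression left to right, first match deciding. It assumes that the posted src group 'korytarz' is the 'opac' group the acl block refers to, that the domain lists hold only constructed sample entries, and that the osrodek pass list is shortened to two factory categories; feeding it the client field 192.168.0.254 from the real log shows that an IP listed in no src block resolves to 'default'.

```python
from urllib.parse import urlsplit

# Constructed model of the posted squidGuard.conf (no real blacklist data).
# The post names the first src group 'korytarz' while the acl block refers
# to 'opac'; the two are assumed to be the same group here.
SRC = {
    "opac": {f"192.168.0.{i}" for i in range(1, 11)},
    "osrodek": {f"192.168.0.{i}" for i in range(11, 15)},
}
# Destination domain lists (constructed sample entries only).
DEST = {
    "biblioteka": {"opac.example.org"},
    "good": {"wikipedia.org"},
    "bad": {"wrzuta.pl"},
    "porn": {"porn.example.net"},
}
# acl block: pass expression and redirect target per src group.
# The osrodek list is shortened from the post's full set of factory categories.
ACL = {
    "opac": ("pass biblioteka none", "302:http://localhost/access-denied-OPAC.html"),
    "osrodek": ("pass good !bad !porn all", "302:http://localhost/access-denied-OIN.html"),
    "default": ("pass biblioteka none", "302:http://localhost/access-denied-other.html"),
}

def in_dest(host, name):
    """A domainlist entry matches the domain itself and any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in DEST[name])

def source_group(ip):
    """Map the client IP squid hands over to a src group; 'default' if none lists it."""
    return next((g for g, ips in SRC.items() if ip in ips), "default")

def evaluate(line):
    """Evaluate one redirector input line ('URL ip/fqdn ident method') and
    return (action, group, matched dest name or redirect target)."""
    url, client = line.split()[:2]
    host = urlsplit(url).hostname
    group = source_group(client.split("/", 1)[0])
    expr, redirect = ACL[group]
    for token in expr.split()[1:]:          # left to right, first match decides
        if token == "all":
            return ("pass", group, "all")
        if token == "none":
            return ("redirect", group, redirect)
        name = token.lstrip("!")
        if in_dest(host, name):
            blocked = token.startswith("!")
            return ("redirect", group, redirect) if blocked else ("pass", group, name)
    raise ValueError("pass expression must end with 'all' or 'none'")
```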
_____________________________________________________________________ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net