Author Topic: 2 issues related to dansguardian (ssl content filtering & xforwardedfor + squid)  (Read 1655 times)

Offline elemay

Hi,

I've got dansguardian running, forwarding to squid on pfSense 2.0.1 amd64

dansguardian = LAN
squid = loop

I've 2 problems now :)

1. If I want to enable SSL filtering I only get an error message like: sec_error_invalid_time

I created the certs with cert manager in pfSense, all default options. One internal CA and one user cert.

2. If I look at my lightsquid proxy report I only see localhost as the user requesting sites. I enabled use xforwardedfor in dansguardian (also tried use forwardedfor)

Any hints?

Thanks.

Offline marcelloc

You need to change the squid log format to change the real IP to the xforward IP.

The SSL is an issue I could not fix yet.

Offline elemay

Hi,

and thanks for your fast reply :)

How do I change the log behaviour?

I couldn't find it in the webgui.

Is it right to use xforwardedfor in dansguardian?

Thanks again :)

Offline marcelloc

This is the way to pass the client's real IP.

I'm not sure if this log change can be done via squid gui.

Offline elemay

If I use the example method from squid-cache.org, edited to my needs


acl localhost src 127.0.0.1;acl my_other_proxy srcdomain .workgroup.local;follow_x_forwarded_for allow localhost;follow_x_forwarded_for allow my_other_proxy;log_uses_indirect_client on;

I can't access the internet anymore. Squid tells me access denied.

If anyone has an idea, I would be glad to hear :)



Offline elemay

Hi,

Found the solution.

Add to squid custom options

log_uses_indirect_client on;follow_x_forwarded_for allow localhost;

and in dansguardian choose:

General -> useforwardedfor

If you have more subnets using dansguardian and squid only listening to loop, then add them to allowed subnets under access control in squid config tab.

Have a nice day!
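
Added example, not part of the original posts and not code from Squid or DansGuardian: a simplified Python model of how `follow_x_forwarded_for allow localhost` with `log_uses_indirect_client on` picks the address written to the access log, and why the list of trusted sources should stay as narrow as the local filter. The addresses, the `TRUST_LAN_TOO` variant and the function names are constructed for illustration, and it assumes the filtering proxy appends the address it saw to any X-Forwarded-For header the client sent.

```python
import ipaddress

# Models "follow_x_forwarded_for allow localhost" from the working config.
TRUST_LOCALHOST = ["127.0.0.1/32"]
# Hypothetical over-broad variant: also trusts a constructed LAN subnet.
TRUST_LAN_TOO = ["127.0.0.1/32", "192.168.1.0/24"]


def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in trusted)


def indirect_client(peer, xff, trusted=TRUST_LOCALHOST):
    """Address that ends up in the access log with log_uses_indirect_client on.

    Simplified model: start at the TCP peer and step back through the
    X-Forwarded-For list (right to left) only while the current address
    is allowed by follow_x_forwarded_for.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    current = peer
    while hops and is_trusted(current, trusted):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # unparsable entry: stop and keep the last good address
        current = candidate
    return current


if __name__ == "__main__":
    # Constructed requests: (TCP peer seen by squid, X-Forwarded-For header)
    cases = [
        ("127.0.0.1", None),                         # no header: logs localhost
        ("127.0.0.1", "192.168.1.50"),               # filter passed the client IP
        ("127.0.0.1", "203.0.113.9, 192.168.1.50"),  # client sent its own header
        ("192.168.1.50", "203.0.113.9"),             # client bypassing the filter
    ]
    for peer, xff in cases:
        print(peer, repr(xff), "->", indirect_client(peer, xff),
              "| LAN trusted too:", indirect_client(peer, xff, TRUST_LAN_TOO))
```

With only localhost trusted, a header value supplied by the client never replaces the address the filter saw; once LAN addresses are trusted as well, the logged address is whatever the client put in the header.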