
Filtering Web Content 

PCQ Bureau

Squid, a popular Linux proxy server, has reasonable content-filtering capabilities. But defining Squid's ACLs (access control lists) for large filtering requirements is tedious.


That is where Dansguardian comes to the rescue. Dansguardian allows you to block sites by names, URLs, IP addresses, phrases and so on. You can also block certain file downloads by extension. All this can be achieved by just appending a one-line entry to one of the Dansguardian configuration files. For example, append the entry .mp3 to the file named bannedextensionlist and your network users will not be able to download MP3s. What's more, you can further ease the configuration by using Webmin, a Web-based configuration tool for PCQLinux 2004.

So, let's get started with Dansguardian, assuming that you have an up-and-running machine with PCQLinux 2004 installed (given out with PCQuest in March 2004).

Install packages



Dansguardian works in conjunction with a Web proxy server, such as Squid. Though PCQLinux 2004 already bundles Squid, we require a patched Squid for Dansguardian (read the box Why a patched Squid? on the following page).

Install the RPM named squid-2.5.STABLE3-1.i386.rpm found in the directory on this month's PCQ Essential CD. Use the following command to install it:

rpm -Uvh squid-2.5.STABLE3-1.i386.rpm

In the same directory you will find an RPM named Dansguardian-2.6.1-12.i386.rpm. Install it as:

rpm -Uvh Dansguardian-2.6.1-12.i386.rpm



Configure packages

Open the file named squid.conf found in the directory /etc/squid in a text editor. Scroll to the section called 'ACCESS CONTROLS'. Add the following line in this section.

acl localnet src 192.168.0.0/255.255.255.0

Substitute 192.168.0.0/255.255.255.0 with your organization's network address. Scroll a little further to lines starting with http_access and add the following line in place.

http_access allow localnet

Save the file. Start the proxy server by issuing the following command.

service squid start

By default Squid listens on port 3128 for incoming requests.


Next, we set up Dansguardian. Open the file named dansguardian.conf from the directory /etc/dansguardian using a text editor. Change the line:

accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

to the following:

accessdeniedaddress = 'http://192.168.0.1/cgi-bin/dansguardian.pl'

Substitute 192.168.0.1 with the IP address or name of your PCQLinux 2004 machine. Scroll (almost towards the end of the file) to the line that says:

forwardedfor = off

Change off to on. Save the file. Launch Dansguardian using the following command.

service dansguardian start

Direct Hit!
Applies to: Network and system administrators
USP: Saves Internet bandwidth by blocking sites by names, URLs, IP addresses, phrases and extensions
Links: www.dansguardian.org
Code on CD: system/cdrom/software/dansguardian

Dansguardian uses port 8080 by default and communicates with Squid on port 3128. To change the former, change the value of filterport; to change the latter, change the value of proxyport in dansguardian.conf. After making any such change to the configuration file, restart Dansguardian using the following command.

service dansguardian restart
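
The settings edited above have to agree with each other, so here is a small shell check, added as an example and not part of the original article, that reads both files and reports mismatches. The function names and the sample files it writes to a temporary directory are constructed for illustration.

```shell
# Added example, not from the article; all function names are made up here.

# dg_value FILE KEY: value of a "key = value" line, comment and quotes removed
dg_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^'//" -e "s/'\$//" | tail -n 1
}

# squid_port FILE: port of the last http_port line, or Squid's default 3128
squid_port() {
    awk '$1 == "http_port" { n = split($2, a, ":"); port = a[n] }
         END { print (port == "" ? 3128 : port) }' "$1"
}

note() { echo "finding: $1"; findings=$((findings + 1)); }

# check_chain DGCONF SQUIDCONF: print findings; exit status is their count
check_chain() {
    findings=0
    squidport=$(squid_port "$2")
    proxyport=$(dg_value "$1" proxyport)
    [ "$proxyport" = "$squidport" ] ||
        note "proxyport is $proxyport but Squid listens on $squidport"
    [ "$(dg_value "$1" filterport)" != "$squidport" ] ||
        note "filterport collides with Squid's port $squidport"
    [ "$(dg_value "$1" forwardedfor)" = "on" ] ||
        note "forwardedfor is not on, so Squid cannot log the real client address"
    case $(dg_value "$1" accessdeniedaddress) in
        *YOURSERVER*) note "accessdeniedaddress still names the placeholder host" ;;
    esac
    return "$findings"
}

# Constructed sample: both files as they look before the edits above.
demo() {
    d=$(mktemp -d); status=0
    cat > "$d/dansguardian.conf" <<'EOF'
filterport = 8080
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
forwardedfor = off
EOF
    echo 'http_access allow localnet' > "$d/squid.conf"
    check_chain "$d/dansguardian.conf" "$d/squid.conf" || status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "$? finding(s) in the unedited sample"
```

On a real machine, call check_chain with /etc/dansguardian/dansguardian.conf and /etc/squid/squid.conf before restarting either service.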

Web-based configuration



To set up Web-based configuration for Dansguardian, copy the file named dg-0.3.6.wbm found on the PCQ Essential CD to /opt. Start Webmin as:

service webmin start

Type the following URL in the Web browser of your PCQLinux machine: https://127.0.0.1:10000



Log in using root and the corresponding password. Click on Webmin>Webmin Configuration>Webmin Modules. Select 'From local file'. Click on the button labeled '...'. Browse to /opt directory and select the file dg-0.3.6.wbm. Click on 'Install Module'. Skip out of Webmin to a Linux console. Go to the directory /usr/libexec/webmin/dansguardian and open the file named index.cgi in a text editor. Change the 11th line as follows:

if ($ver =~ /(2\.4\.\d)/) {

to

if ($ver =~ /(2\.6\.\d)/) {

Save the file. On Webmin, click on Servers>DansGuardian. 

Why a patched Squid?
The Squid RPM given on this month's PCQ Essential CD includes the dans.patch from dansguardian.org website. Without this patch, the access.log of Squid will show all requests coming from the localhost. This is because all Web requests are first filtered by Dansguardian and then sent to Squid, both usually running on the same machine. Therefore, Squid analysis tools, such as Sarg and Squidalyzer, will not work as they use access.log for their functioning. 

To block sites and files, click on View/Edit Config. Click on the Edit button corresponding to the various options to filter the contents. Click on Save. Upon any change(s), click on Servers>DansGuardian>Restart the DansGuardian daemon, to make the change(s) effective. 

Set up browsers

Change the proxy server settings of all clients on your network to specify the IP address of the PCQLinux machine and port 8080. This will make all Web content requests go through Dansguardian. Alternatively, you can set up transparent proxying, wherein you don't have to specify the proxy settings in each Web browser on your users' desktops. For this, open the file squid.conf and append the following lines to it:

httpd_accel_host virtual
httpd_accel_uses_host_header on

Restart Squid as:

service squid restart

Next, issue the following command.

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Substitute eth0 with the name of the interface connected to your private network. You may like to append the above command to the file rc.local found in /etc to make the settings persistent across reboots. 

For more information refer to www.dansguardian.org



Shekhar Govindarajan, IT4Enterprise
