
How can I set up authentication for multiple filter groups?

  • John Zoidberg
    Message 1 of 5 , Apr 15 12:51 PM
      Hi,

      How can I set up authentication for multiple filter groups?

      I'm currently using a simple dansguardian+tinyproxy+firehol setup, but would
      like to use multiple filter groups.

      I don't mind switching to squid (although I would of course prefer a method
      using tinyproxy) or what authentication method is used, but the setup should
      work for a single PC (OS: Ubuntu 8.10) without any network setup (i.e. no
      LAN, server, etc.).



      --
      Unlock your computing: http://www.getgnulinux.org/


    • John Zoidberg
      Message 2 of 5 , Apr 15 2:02 PM
        I managed to get it working thanks to this tutorial:
        http://likwarjo.web.id/blog/2006/10/18/squid-authentication-dansguardian-sarg-howto/

        However, I have to set up the browser to use port 8080 manually now.
        Here's my firehol.conf:
        ===========
        version 5
        # Only the dansguardian user may connect to squid on 127.0.0.1:3128;
        # every other local process is dropped (hence the timeout on 3128)
        iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
        # Redirect outgoing port-80 traffic (except from users proxy and root)
        # to DansGuardian listening on 8080
        transparent_squid 8080 "proxy root"

        # Accept all client traffic on any interface
        interface any world
        policy drop
        protection strong
        client all accept
        server cups accept
        ===========

        Setting the browser proxy to localhost:3128 leads to a connection timeout.
        Setting the browser proxy to localhost:8080 leads to correct user-specific
        filtering.
        Setting the browser proxy to "no proxy" leads to a "Cache access denied
        error" and says I have to authenticate myself, but without giving me the
        possibility to do so.

        Is there a way to make it display the authentication dialog in this last
        case?

        Also, is there a way to reauthenticate as another user without closing the
        browser window?

        P.S:
        My configuration files:



        On Wed, Apr 15, 2009 at 9:51 PM, John Zoidberg <zohn.joidberg@...> wrote:

        > Hi,
        >
        > How can I set up authentication for multiple filter groups?
        >
        > I'm currently using a simple dansguardian+tinyproxy+firehol setup, but
        > would like to use multiple filter groups.
        >
        > I don't mind switching to squid (although I would of course prefer a method
        > using tinyproxy) or what authentication method is used, but the setup should
        > work for a single PC (OS: Ubuntu 8.10) without any network setup (i.e. no
        > LAN, server, etc) .
        >
        >
        >
        >
        > --
        > Unlock your computing: http://www.getgnulinux.org/
        >
        >


        --
        Unlock your computing: http://www.getgnulinux.org/


      • John Zoidberg
        Message 3 of 5 , Apr 15 2:26 PM
          Since text attachments don't seem to be allowed on this list and squid.conf
          is huge, here are the diffs between the original files (Ubuntu 8.10
          packages) and mine configured for multiple filter groups:


          [105][~/superconfig]$ diff /etc/dansguardian/dansguardian.conf
          dansguardian.conf
          5c5
          < UNCONFIGURED - Please remove this line after configuration
          ---
          > #UNCONFIGURED - Please remove this line after configuration
          109c109,110
          < accessdeniedaddress = '
          http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
          ---
          > #accessdeniedaddress = 'http://localhost/cgi-bin/dansguardian.pl'
          > accessdeniedaddress = 'http://localhost/template.html'
          141c142
          < filtergroups = 1
          ---
          > filtergroups = 2
          457c458
          < #authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
          ---
          > authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
          599,600c600,601
          < #daemonuser = 'dansguardian'
          < #daemongroup = 'dansguardian'
          ---
          > daemonuser = 'dansguardian'
          > daemongroup = 'dansguardian'
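          Review bot: the hunks enable the proxy-basic auth plugin and raise filtergroups to 2, but the diff shows nothing of the second group's configuration (dansguardianf2.conf) or of the filtergroupslist entries that map users to filter2; without those every authenticated user lands in group 1, DansGuardian's default for unlisted users, so those files belong in the posted configuration too. `accessdeniedaddress = 'http://localhost/template.html'` assumes a web server on localhost serving that page; reportinglevel 3 renders the denied page from DansGuardian's own template without one. The daemonuser/daemongroup hunk is not cosmetic: the `-m owner ! --uid-owner dansguardian` rule in firehol.conf only works because the daemon now runs as that user, so the two changes must ship together.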

          [106][~/superconfig]$ diff /etc/squid3/squid.conf squid.conf
          277a278,298
          > #/usr/lib/squid3/ncsa_auth
          >
          > #auth_param basic program <uncomment and complete this line>
          > #auth_param basic children 5
          > #auth_param basic realm Squid proxy-caching web server
          > #auth_param basic credentialsttl 2 hours
          >
          > #auth_param ntlm program /usr/lib/squid3/ntlm_auth
          --helper-protocol=squid-2.5-ntlmssp
          > #auth_param basic program /usr/lib/squid3/ntlm_auth
          --helper-protocol=squid-2.5-basic
          > #auth_param basic program /usr/lib/squid3/ncsa_auth /usr/etc/passwd
          > #auth_param basic children 5
          > #auth_param basic realm Squid proxy-caching web server
          > #auth_param basic credentialsttl 2 hours
          >
          > auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
          > auth_param basic children 5
          > auth_param basic realm Squid proxy-caching web server
          > auth_param basic credentialsttl 2 hours
          > auth_param basic casesensitive off
          >
          > acl auth_users proxy_auth REQUIRED
          640a662,668
          > #acl ntlm_users proxy_auth REQUIRED
          > #http_access allow ntlm_users
          > #http_access deny all
          >
          > http_access allow auth_users
          > http_access deny all
          >
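          Review bot: the second hunk appends `http_access allow auth_users` / `http_access deny all` at line 662, but squid evaluates http_access rules in order and the diff hides what precedes them; if the stock file still carries an `http_access allow localhost` (or localnet) earlier in the list, DansGuardian's loopback requests are admitted before the proxy_auth ACL is consulted, the browser is never challenged, and no user name ever reaches the filter-group lookup. Verify with `squid3 -k parse` and by checking that an unauthenticated request to port 3128 is answered with 407. The first hunk also adds a block of commented-out ntlm/ncsa duplicates (lines 278-294) that is dead configuration and should be dropped, not least because its `/usr/etc/passwd` path differs from the live `/etc/squid3/passwd`; that live file should be readable by the squid user only, since ncsa_auth reads it on every login.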

          [107][~/superconfig]$ diff /etc/firehol/firehol.conf firehol.conf
          13a14,15
          > iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner !
          --uid-owner dansguardian -j DROP
          > transparent_squid 8080 "proxy root"
          16a19,20
          > policy drop
          > protection strong
          17a22
          > server cups accept
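          Review bot: these hunks explain both symptoms from message 2, and the iptables line in the first hunk is wrapped here but must be a single line in the real file or firehol will fail on it. The OUTPUT rule DROPs (not REJECTs) every local connection to 127.0.0.1:3128 except from uid dansguardian, so a browser pointed at localhost:3128 can only time out, which is the intended way of forcing everything through DansGuardian. `transparent_squid 8080 "proxy root"` then redirects outgoing port-80 traffic from every other user to 8080; intercepted traffic carries no Proxy-Authorization header, so the proxy-basic plugin has no user to assign a group to and squid's authentication requirement surfaces as "Cache access denied" with no login dialog, exactly the transparent-family limitation Chuck describes below. Either drop the transparent_squid line and keep an explicit browser proxy setting, or keep it and accept that intercepted requests can never be filtered per user; running both modes at once is what produced the confusing result.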


        • Chuck Kollars
          Message 4 of 5 , Apr 15 4:14 PM
            > ... However, I have to set up the browser to use port 8080
            > manually now. ...

            There are two different _major_ families of DansGuardian configurations, each with its own pros and cons (http://contentfilter.futuragts.com/wiki/doku.php?id=two_configuration_families). If I understand correctly, your configuration has changed from one family to the other as an "unintended side effect" of another change.

            In that case all I can offer is the following several points (please excuse my loquaciousness, it's the beer talking:-)--

            1) It's probably better to thoroughly understand what you're asking, because the consequences of switching from one configuration family to the other are so far-reaching.

            2) One of the "cons" of the 'transparent-intercepting' family is it's _impossible_ to do any proxy-assisted auth, which generally means you can't meaningfully do 'multiple filter groups'. Attempting to "fix" this is just banging your head against the wall.

            3) No matter what configuration you end up with, you can always prevent "skipping around" DansGuardian (http://contentfilter.futuragts.com/wiki/doku.php?id=preventing_skipping_around), so having to set the browser proxy configuration shouldn't be a big deal. You can always offer the user the reasonable choice between simply "filtered" or "nothing".

            4) It's indeed largely true that you can't do 'multiple filter groups' with Tinyproxy, no matter how you configure things.

            5) The Ubuntu configuration focusses on either single-user or SOHO networks, and is of questionable appropriateness for both larger installations and 'multiple filter groups'.

            6) Although I'm generally a strong proponent of 'multiple filter groups', I must say that they may not be the best way to go starting from what Ubuntu provides. There's a way with IPtables to have a rule apply only to specific users (but only local users, not network users), that may be more appropriate.

            thanks! -Chuck Kollars (retired computer geek and longtime DG user)
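            Chuck's point 2 in code, as an added illustration that is not from the thread nor from DansGuardian's or squid's source: a proxy-auth based plugin can only map a request to a filter group when the browser sent a Proxy-Authorization header, which happens after an explicit proxy's 407 challenge and never for intercepted traffic. That is why forcing 8080 in the browser gives per-user filtering while "no proxy" ends in "Cache access denied". The filtergroupslist format ('user=filterN', unlisted users in group 1) and the case-insensitive lookup mirroring `casesensitive off` are assumptions here.

            ```python
            import base64
            from typing import Dict, Optional

            # Constructed stand-in for DansGuardian's filtergroupslist; format assumed: "username=filterN" per line, '#' comments.
            FILTERGROUPSLIST = """# constructed sample list
            alice=filter1
            bob=filter2
            """

            def parse_filtergroupslist(text: str) -> Dict[str, int]:
                """Map lower-cased user names to filter group numbers."""
                groups = {}
                for raw in text.splitlines():
                    line = raw.split("#", 1)[0].strip()
                    if "=" not in line:
                        continue
                    user, group = (p.strip() for p in line.split("=", 1))
                    if group.startswith("filter") and group[6:].isdigit():
                        groups[user.lower()] = int(group[6:])
                return groups

            def basic_header(user: str, password: str) -> str:
                """Build the Proxy-Authorization value a browser sends after a 407."""
                return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

            def user_from_proxy_auth(header: Optional[str]) -> Optional[str]:
                """User name from a Basic Proxy-Authorization value; the password is squid's job."""
                if not header:
                    return None
                scheme, _, token = header.strip().partition(" ")
                if scheme.lower() != "basic" or not token:
                    return None
                try:
                    creds = base64.b64decode(token, validate=True).decode("utf-8")
                except ValueError:  # bad base64 or bad UTF-8
                    return None
                user, sep, _password = creds.partition(":")
                return user if sep else None

            def filter_group_for(headers: Dict[str, str], groups: Dict[str, int],
                                 filtergroups: int, default: int = 1) -> Optional[int]:
                """Pick a filter group as a proxy-auth plugin must. Intercepted traffic
                carries no Proxy-Authorization, so there is no user to look up and the
                result is None (squid then answers 407: the thread's 'Cache access denied').
                Unlisted users and out-of-range groups land in the default group."""
                user = user_from_proxy_auth(headers.get("Proxy-Authorization"))
                if user is None:
                    return None
                group = groups.get(user.lower(), default)
                return group if 1 <= group <= filtergroups else default
            ```
            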
          • John Zoidberg
            Message 5 of 5 , Apr 15 8:38 PM
              Thanks. I guess I should read the wiki a bit more (although it lacks concrete
              setup tutorials). :)

              If explicit proxy is necessary, then so be it.

              But is there a way to authenticate with the proxy after desktop login so a
              user doesn't have to always enter a password?


              On Thu, Apr 16, 2009 at 1:14 AM, Chuck Kollars <ckollars9@...> wrote:

              >
              >
              > > ... However, I have to set up the browser to use port 8080
              > > manually now. ...
              >
              > There are two different _major_ families of DansGuardian configurations,
              > each with its own pros and cons (
              > http://contentfilter.futuragts.com/wiki/doku.php?id=two_configuration_families).
              > If I understand correctly, your configuration has changed from one family to
              > the other as an "unintended side effect" of another change.
              >
              > In that case all I can offer is the following several points (please excuse
              > my loquaciousness, it's the beer talking:-)--
              >
              > 1) It's probably better to thoroughly understand what you're asking,
              > because the consequences of switching from one configuration family to the
              > other are so far-reaching.
              >
              > 2) One of the "cons" of the 'transparent-intercepting' family is it's
              > _impossible_ to do any proxy-assisted auth, which generally means you can't
              > meaningfully do 'multiple filter groups'. Attempting to "fix" this is just
              > banging your head against the wall.
              >
              > 3) No matter what configuration you end up with, you can always prevent
              > "skipping around" DansGuardian (
              > http://contentfilter.futuragts.com/wiki/doku.php?id=preventing_skipping_around),
              > so having to set the browser proxy configuration shouldn't be a big deal.
              > You can always offer the user the reasonable choice between simply
              > "filtered" or "nothing".
              >
              > 4) It's indeed largely true that you can't do 'multiple filter groups' with
              > Tinyproxy, no matter how you configure things.
              >
              > 5) The Ubuntu configuration focusses on either single-user or SOHO
              > networks, and is of questionable appropriateness for both larger
              > installations and 'multiple filter groups'.
              >
              > 6) Although I'm generally a strong proponent of 'multiple filter groups', I
              > must say that they may not be the best way to go starting from what Ubuntu
              > provides. There's a way with IPtables to have a rule apply only to specific
              > users (but only local users, not network users), that may be more
              > appropriate.
              >
              > thanks! -Chuck Kollars (retired computer geek and longtime DG user)
              >
              >
              >



              --
              Unlock your computing: http://www.getgnulinux.org/

