Dansguardian: Difference between revisions
Latest revision as of 13:19, 5 August 2014
Reference
- Documentation
- Install tutorials
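- Web content filtering made easy - Shadows of epiphany (http://blog.bodhizazen.net/linux/web-content-filtering-made-easy/)
- dansguardian (on contribs.org) (http://wiki.contribs.org/Dansguardian)
- DansGuardian (ubuntu.com) (https://help.ubuntu.com/community/DansGuardian)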
Install
- See http://blog.bodhizazen.net/linux/web-content-filtering-made-easy/
- Install dansguardian along with privoxy
sudo apt-get install dansguardian privoxy
- Edit /etc/privoxy/config:
-listen-address localhost:8118
+listen-address 127.0.0.1:8118
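Review bot: the switch from `localhost` to `127.0.0.1` in `listen-address` carries no stated reason, and the later steps lean on it: it pins privoxy to the IPv4 loopback, the same port that `proxyport = 8118` and the `-o lo ... --dport 8118` rules refer to. A one-line comment next to the setting saying so would keep a later edit from reverting it.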
- Restart privoxy
sudo service privoxy force-reload
- Edit /etc/dansguardian/dansguardian.conf
-UNCONFIGURED - Please remove this line after configuration
-
-proxyport = 3128
+proxyport = 8118
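Review bot: `proxyport = 8118` is changed here, but the port dansguardian itself listens on is not shown, while the last step exports `http_proxy` as `localhost:8080` for filtered users. State in this step that 8080 is the filter port being left unchanged, and which setting holds it, so the two values cannot drift apart unnoticed.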
- Start dansguardian
sudo service dansguardian start
- Enable ufw
sudo ufw enable
- Edit iptables (using ufw). Edit /etc/ufw/before.rules:
-A ufw-before-output -o lo -j ACCEPT
+#-A ufw-before-output -o lo -j ACCEPT
+# Rules for Dansguardian
+
+-A ufw-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw-before-output -o lo -j ACCEPT
# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT
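Review bot: the `--uid-owner baddreams` rule hard-codes one site's account name; anyone copying the block has to substitute their own unfiltered (parent) account, and the same applies to `privoxy` and `dansguardian` if the services run under other users. Mark `baddreams` as a placeholder in the text. The ordering also deserves a comment in the file: the blanket `-o lo -j ACCEPT` has to stay below the `--dport 8118 -j DROP` line, which is why the original line is commented out and re-added at the end.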
- Edit iptables (using ufw). Edit /etc/ufw/before6.rules:
-A ufw6-before-output -o lo -j ACCEPT
+#-A ufw6-before-output -o lo -j ACCEPT
+# Rules for Dansguardian
+
+-A ufw6-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw6-before-output -o lo -j ACCEPT
# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT
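Review bot: with privoxy bound to `127.0.0.1:8118` in the earlier step, the three `-o lo ... --dport 8118` rules in this IPv6 file have no listener to protect; the line doing the work here is `--dports 80,443 -j DROP`, which keeps unfiltered users from going out directly over IPv6. Say that in a comment or trim the 8118 rules, and treat `baddreams` as a placeholder as in before.rules.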
- Reload rules
sudo ufw reload
- Configure the proxies (note that root does not need this)
export http_proxy='localhost:8080' # For children (apply as children user proxy, firefox proxy, etc)
export http_proxy='localhost:8118' # For parents
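A pre-flight check for the rule files edited above, as an added example that is not part of the original page: it lists accounts named in `--uid-owner` that do not exist on the host (the owner match resolves names when the rules are loaded, so a missing account makes the load fail) and flags rules made unreachable by first-match ordering. The function names are illustrative, and the embedded rules are copied from the page's before.rules step.

```shell
#!/bin/sh
# Added example (not from the original page): lint before.rules before `ufw reload`.

# The page's added rules, embedded so the script runs offline.
sample_rules() {
cat <<'EOF'
#-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m owner --uid-owner root -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
-A ufw-before-output -o lo -j ACCEPT
EOF
}

# Print each account named by an active --uid-owner rule that does not exist locally.
missing_owners() {
    sed -n '/^-A/s/.*--uid-owner[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" |
    sort -u |
    while read -r user; do
        id -u "$user" >/dev/null 2>&1 || echo "$user"
    done
}

# Exit non-zero (and print the rule) when first-match ordering makes a rule dead:
# an owner ACCEPT placed after the DROP for the same ports, or a port rule on lo
# placed after the blanket "-o lo -j ACCEPT".
check_order() {
    awk '
    /^-A/ {
        ports = ""; owner = 0; lo = 0
        for (i = 1; i < NF; i++) {
            if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            if ($i == "--uid-owner") owner = 1
            if ($i == "-o" && $(i + 1) == "lo") lo = 1
        }
        if (lo && ports != "" && blanket) { print "dead after blanket lo ACCEPT: " $0; bad = 1 }
        if ($NF == "ACCEPT" && owner && (ports in dropped)) { print "dead after DROP: " $0; bad = 1 }
        if ($NF == "DROP" && !owner) dropped[ports] = 1
        if ($NF == "ACCEPT" && lo && ports == "" && !owner) blanket = 1
    }
    END { exit bad + 0 }' "$1"
}

tmp=$(mktemp)
sample_rules > "$tmp"
echo "accounts missing on this host: $(missing_owners "$tmp" | tr '\n' ' ')"
check_order "$tmp" && echo "rule order OK"
rm -f "$tmp"
```

On a real system, pass /etc/ufw/before.rules and /etc/ufw/before6.rules to both functions instead of the embedded sample.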
Configuration
To reload dansguardian configuration:
sudo service dansguardian force-reload
- Fix banned url regex. Edit /etc/dansguardian/lists/bannedregexpurllist
-(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)
+(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)$
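Review bot: the added `$` narrows the rule to URLs that end in the media extension, so a URL with anything after the extension (for example a query string) is no longer matched by this line. If the intent is only to stop matches in the middle of a path, allow an optional query part before the anchor, e.g. `(\?.*)?$`, and note the intent next to the rule.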
- Hide error message when blocked. Edit file /etc/dansguardian/languages/ukenglish/template.html (or any other language in use)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.22 Server</address>
</body></html>
- Disable anti-virus
- In dansguardian.conf, uncomment
#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
- In dansguardianf1.conf, adapt the line as follows:
disablecontentscan = off
- To disable it, do the opposite, i.e., comment out the first line and set disablecontentscan = on.
- Adapt naughtyness_limit if necessary
- See [3]
- White-list some sites
- Add them to /etc/dansguardian/lists/exceptionsitelist (see [4])
- Site to white-list:
mail.yahoo.com mail.yimg.com
- ... or grey-list some sites
- There are sites that are still keyword filtered
- Add them to /etc/dansguardian/lists/greysitelist
- Fetch up-to-date black-list
- From urlblacklist.com
- Requires explicitly allowing / forbidding some categories (see https://help.ubuntu.com/community/DansGuardian)
- ... note that even though the list can be easily downloaded, urlblacklist.com is a commercial service (and quite expensive in fact).
Troubleshooting
- See log files
- View /var/log/dansguardian/access.log
- Search for keywords like *DENIED*; these explain in detail why a page is denied access.
- More information here
- Advanced troubleshooting
- See http://contentfilter.futuragts.com/wiki/doku.php?id=general_troubleshooting_strategies
To do and issues
- Add DNS filtering as first layer (see opendns or similar) ?
- What about HTTPS filtering? Filter based on host only (via dns filtering). How can we also filter the URL / content?
- Requires intercepting proxy and adding a CA certificate to browsers.
- Redirect all Google queries to http://safesearchkids.com?
- Add extensions / plugins in the browser
- Add filters in ADSL router? (url filter, dns filter)