Dansguardian: Difference between revisions
Revision as of 12:19, 31 March 2014
Reference
- Documentation
- Install tutorials
- Web content filtering made easy - Shadows of epiphany
- dansguardian (on contribs.org)
- DansGuardian (ubuntu.com)
Install
- See http://blog.bodhizazen.net/linux/web-content-filtering-made-easy/
- Install dansguardian along with privoxy
sudo apt-get install dansguardian privoxy
- Edit /etc/privoxy/config:
-listen-address localhost:8118
+listen-address 127.0.0.1:8118
- Restart privoxy
sudo service privoxy force-reload
- Edit /etc/dansguardian/dansguardian.conf
-UNCONFIGURED - Please remove this line after configuration
-
-proxyport = 3128
+proxyport = 8118
- Start dansguardian
sudo service dansguardian start
- Enable ufw
sudo ufw enable
- Edit the iptables rules (using ufw). Edit /etc/ufw/before.rules:
-A ufw-before-output -o lo -j ACCEPT
+#-A ufw-before-output -o lo -j ACCEPT
+# Rules for Dansguardian
+
+-A ufw-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw-before-output -o lo -j ACCEPT
# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT
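Review bot: the ACCEPT for --uid-owner baddreams on port 8118 hard-codes one local account without saying what it is. Add a comment that this is the parent account allowed to reach privoxy directly and must be replaced with the local user name, since every other non-root user except dansguardian hits the following DROP on 8118. The blanket ACCEPT for --uid-owner root placed ahead of all filtering rules also deserves a one-line comment in the rules file, as it exempts root from the 80,443 DROP.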
- Edit the ip6tables rules (using ufw). Edit /etc/ufw/before6.rules:
-A ufw6-before-output -o lo -j ACCEPT
+#-A ufw6-before-output -o lo -j ACCEPT
+# Rules for Dansguardian
+
+-A ufw6-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw6-before-output -o lo -j ACCEPT
# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT
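Review bot: the three 8118 rules on lo in this file are copied from before.rules, but privoxy is configured above with listen-address 127.0.0.1:8118, so nothing listens on the IPv6 loopback for them to guard; say so in a comment or drop them. The rules that matter here are the 80,443 ACCEPT/DROP pair, and the file should carry a note that it has to be kept in sync with before.rules.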
- Reload rules
sudo ufw reload
- Configure the proxies (note that root does not need this)
export http_proxy='localhost:8080' # For children (apply as children user proxy, firefox proxy, etc)
export http_proxy='localhost:8118' # For parents
Configuration
To reload dansguardian configuration:
sudo service dansguardian force-reload
- Fix banned url regex. Edit /etc/dansguardian/lists/bannedregexpurllist
-(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)
+(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)$
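Review bot: the $ added at the end of the + line anchors the extension to the very end of the URL, so a media URL that carries a query string after the extension (ending in .jpg?size=large, say) no longer matches the rule. If the anchor is only meant to stop matches on extensions in the middle of a URL, allow an optional suffix before it, for example (\?.*)?$ after the extension group, and record the reason for the change next to the rule.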
- Hide error message when blocked. Edit file /etc/dansguardian/languages/ukenglish/template.html (or any other language in use)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.22 Server</address>
</body></html>
- Disable anti-virus
- In dansguardian.conf, uncomment
#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
- In dansguardianf1.conf, adapt the line as follows:
disablecontentscan = off
- To disable it, do the opposite, i.e., comment out the first line, and set
disablecontentscan = on
- Adapt naughtyness_limit if necessary
- See [3]
- White-list some sites
- Add them to /etc/dansguardian/lists/exceptionsitelist (see [4])
- Sites to white-list:
mail.yahoo.com mail.yimg.com
- ... or grey-list some sites
- There are sites that are still keyword filtered
- Add them to /etc/dansguardian/lists/greysitelist
- Fetch up-to-date black-list
- From urlblacklist.com
- Requires explicitly allowing / forbidding some categories (see [5])
- ... note that even though the list can be easily downloaded, urlblacklist.com is a commercial service (and quite expensive in fact).
Troubleshooting
- See log files
- View /var/log/dansguardian/access.log
- Search for keywords like *DENIED*; these explain in detail why a page is denied access.
- More information here
- Advanced troubleshooting
- See [6]
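The log search described above can be turned into a per-host summary, which helps decide what belongs in exceptionsitelist or greysitelist. This is an added example, not part of the original page; the function name and the sample entries are constructed, and it assumes only that each log entry is one line holding the requested URL as a whitespace-separated field plus the *DENIED* marker when blocked.

```shell
#!/bin/sh
# Added example (not from the original page): count denied requests per host.
# ASSUMPTION: one request per line, with the URL as a whitespace-separated
# field and the literal marker *DENIED* on blocked requests.

# Constructed sample entries, for illustration only (not real log data).
sample_log() {
cat <<'EOF'
2014.3.31 12:01:10 - 127.0.0.1 http://mail.yimg.com/a/logo.png *DENIED* Banned site: yimg.com GET 0
2014.3.31 12:01:11 - 127.0.0.1 http://www.example.test/index.html  GET 5120
2014.3.31 12:01:15 - 127.0.0.1 http://mail.yimg.com/b/style.css *DENIED* Banned site: yimg.com GET 0
2014.3.31 12:02:03 - 127.0.0.1 http://ads.example.test/banner.gif *DENIED* Banned Regular Expression URL GET 0
EOF
}

# denied_hosts [FILE]: print "count host" for denied requests, most frequent
# first. Reads standard input when no file is given.
denied_hosts() {
    # -F treats *DENIED* as a fixed string, so the asterisks are literal.
    grep -F '*DENIED*' "${1:--}" |
    awk '{
        # Take the first field that looks like a URL and keep its host part.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^https?:\/\//) { split($i, part, "/"); seen[part[3]]++; break }
    }
    END { for (host in seen) print seen[host], host }' |
    sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a real system run instead:
#   denied_hosts /var/log/dansguardian/access.log
sample_log | denied_hosts
```
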
To do and issues
- Add DNS filtering as first layer (see opendns or similar) ?
- What about HTTPS filtering? Filter based on host only (via dns filtering). How can we also filter the URL / content?
- Requires intercepting proxy and adding a CA certificate to browsers.
- Redirect all Google queries to http://safesearchkids.com?
- Add extensions / plugins in the browser
- Add filters in ADSL router? (url filter, dns filter)