Dansguardian: Difference between revisions

 
(3 intermediate revisions by the same user not shown)
Line 11: Line 11:


== Install ==
* To install {{deb|dansguardian}} along with {{deb|privoxy}}, see http://blog.bodhizazen.net/linux/web-content-filtering-made-easy/
* See http://blog.bodhizazen.net/linux/web-content-filtering-made-easy/
* Install {{deb|dansguardian}} along with {{deb|privoxy}}
sudo apt-get install dansguardian privoxy
* Edit {{file|/etc/privoxy/config}}:
<source lang=diff>
-listen-address localhost:8118
+listen-address 127.0.0.1:8118
</source>
* Restart {{deb|privoxy}}
sudo service privoxy force-reload
* Edit {{file|/etc/dansguardian/dansguardian.conf}}
<source lang=diff>
-UNCONFIGURED - Please remove this line after configuration
-

-proxyport = 3128
+proxyport = 8118
</source>
* Start {{deb|dansguardian}}
sudo service dansguardian start

* Enable ufw
sudo ufw enable

* Edit iptables (using ufw). Edit {{file|/etc/ufw/before.rules}}:
<source lang=diff>
-A ufw-before-output -o lo -j ACCEPT
+#-A ufw-before-output -o lo -j ACCEPT

+# Rules for Dansguardian
+
+-A ufw-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT
</source>

* Edit iptables (using ufw). Edit {{file|/etc/ufw/before6.rules}}:
<source lang=diff>
-A ufw6-before-output -o lo -j ACCEPT
+#-A ufw6-before-output -o lo -j ACCEPT

+# Rules for Dansguardian
+
+-A ufw6-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw6-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
COMMIT
</source>

* Reload rules
sudo ufw reload

* Configure the proxies (note that root does not need this)
<source lang=bash>
export http_proxy='localhost:8080' # For children (apply as children user proxy, firefox proxy, etc)
export http_proxy='localhost:8118' # For parents
</source>


== Configuration ==
Line 70: Line 139:
;Advanced troubleshooting
* See [http://contentfilter.futuragts.com/wiki/doku.php?id=general_troubleshooting_strategies]

== To do and issues ==
* Add DNS filtering as first layer (see opendns or similar) ?
* What about '''HTTPS''' filtering? Filter based on host only (via dns filtering). How can we also filter the URL / content?
:Requires intercepting proxy and adding a CA certificate to browsers.
* Redirect all Google queries to http://safesearchkids.com?
* Add extensions / plugins in the browser
* Add filters in ADSL router? (url filter, dns filter)

Latest revision as of 13:19, 5 August 2014

Reference

Documentation
Install tutorials

Install

sudo apt-get install dansguardian privoxy
  • Edit /etc/privoxy/config:
-listen-address localhost:8118
+listen-address 127.0.0.1:8118
  • Restart privoxy
sudo service privoxy force-reload
  • Edit /etc/dansguardian/dansguardian.conf
-UNCONFIGURED - Please remove this line after configuration
-

-proxyport = 3128
+proxyport = 8118
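Review bot: the `proxyport = 8118` change points DansGuardian at Privoxy, but neither this hunk nor the text around it mentions `filterport`, while the proxy settings at the end of the procedure send children to `localhost:8080`. Add a line stating that 8080 is the port DansGuardian itself listens on (its `filterport` setting), so the reader can confirm the value in their own dansguardian.conf before pointing browsers at it.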
  • Start dansguardian
sudo service dansguardian start
  • Enable ufw
sudo ufw enable
  • Edit iptables (using ufw). Edit /etc/ufw/before.rules:
-A ufw-before-output -o lo -j ACCEPT
+#-A ufw-before-output -o lo -j ACCEPT

+# Rules for Dansguardian
+
+-A ufw-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
 COMMIT
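Review bot: the `--uid-owner baddreams` rule hard-codes one account name as the only non-service user allowed to reach port 8118, with no comment saying it is the parent's login and has to be substituted. Add that comment above the line, and a second one explaining that the original `-o lo -j ACCEPT` is commented out and re-added last because it would otherwise match before the 8118 `DROP`. The comment block should also state the scope of the rule set: the `DROP` on `--dports 80,443` is the only rule forcing traffic through the proxies, so destination ports other than 80 and 443 are not covered.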
  • Edit iptables (using ufw). Edit /etc/ufw/before6.rules:
-A ufw6-before-output -o lo -j ACCEPT
+#-A ufw6-before-output -o lo -j ACCEPT

+# Rules for Dansguardian
+
+-A ufw6-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw6-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
 COMMIT
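Review bot: the three `--dport 8118` rules in this IPv6 copy have no documented purpose, since the Privoxy change earlier in the procedure binds the listener to `127.0.0.1:8118` only. Either add a comment that they are kept for symmetry with before.rules, or reduce the additions here to the `root`, `privoxy` and `--dports 80,443 -j DROP` rules, which are the ones that stop direct IPv6 web access.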
  • Reload rules
sudo ufw reload
  • Configure the proxies (note that root does not need this)
 export http_proxy='localhost:8080'  # For children (apply as children user proxy, firefox proxy, etc)
 export http_proxy='localhost:8118'  # For parents
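
The effect of the rule order in /etc/ufw/before.rules above, as an added example that is not part of the original page: a small first-match evaluator for outgoing TCP packets. The account `kid`, the interface `eth0` and the probe list are constructed for illustration; 8080 is the children's proxy port from the export line.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT or DROP
    uid: Optional[str] = None                 # -m owner --uid-owner
    out_if: Optional[str] = None              # -o
    dports: Optional[Tuple[int, ...]] = None  # --dport / --dports

# The ufw-before-output rules from the page, in file order.
PAGE_RULES = [
    Rule("ACCEPT", uid="root"),
    Rule("ACCEPT", uid="privoxy", dports=(80, 443)),
    Rule("DROP", dports=(80, 443)),
    Rule("ACCEPT", uid="dansguardian", out_if="lo", dports=(8118,)),
    Rule("ACCEPT", uid="baddreams", out_if="lo", dports=(8118,)),
    Rule("DROP", out_if="lo", dports=(8118,)),
    Rule("ACCEPT", out_if="lo"),
]
# Same rules with the loopback ACCEPT left in its original position (first).
LOOPBACK_FIRST = [PAGE_RULES[-1]] + PAGE_RULES[:-1]

def verdict(uid, out_if, dport, rules=PAGE_RULES):
    """Target of the first rule matching an outgoing TCP packet."""
    for r in rules:
        if r.uid is not None and r.uid != uid:
            continue
        if r.out_if is not None and r.out_if != out_if:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.target
    return "FALLTHROUGH"  # no match: later ufw chains decide

def report(rules=PAGE_RULES):
    # Constructed probes: "kid" is a hypothetical child account, "eth0" a
    # hypothetical external interface; 8080 is the children's proxy port.
    probes = [("kid", "lo", 8080), ("kid", "lo", 8118), ("kid", "eth0", 443),
              ("baddreams", "lo", 8118), ("baddreams", "eth0", 443),
              ("dansguardian", "lo", 8118), ("privoxy", "eth0", 80),
              ("root", "eth0", 443), ("kid", "eth0", 22)]
    return {p: verdict(*p, rules=rules) for p in probes}

if __name__ == "__main__":
    for (uid, dev, port), target in report().items():
        print(f"{uid:13} -> {dev}:{port:<5} {target}")
    print("loopback ACCEPT first:", verdict("kid", "lo", 8118, LOOPBACK_FIRST))
```

With the loopback ACCEPT in its original first position, the constructed child account reaches port 8118 directly, which is why the page comments that line out and re-adds it after the 8118 DROP.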

Configuration

To reload dansguardian configuration:

sudo service dansguardian force-reload


Fix banned url regex. Edit /etc/dansguardian/lists/bannedregexpurllist
-(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)
+(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)$
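Review bot: the `$` added at the end of the pattern anchors the file extension to the very end of the URL, and the page gives no reason for the change. State the intent next to the edit, and check it against URLs where a query string follows the extension (for example `.jpg?size=large`), which the anchored pattern no longer matches; ending the pattern with `(\?.*)?$` instead of `$` would keep those covered.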
Hide error message when blocked. Edit file /etc/dansguardian/languages/ukenglish/template.html (or any other language in use)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.22 Server</address>
</body></html>
Disable anti-virus
  • dansguardian can filter content for viruses using clamav. To enable it (see [1], [2]):
In dansguardian.conf, uncomment
#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
In dansguardianf1.conf, adapt the line as follows:
disablecontentscan = off
  • To disable it, do the opposite, i.e., comment out the first line, and set disablecontentscan = on.
Adapt naughtyness_limit if necessary
White-list some sites
  • Add them to /etc/dansguardian/lists/exceptionsitelist (see [4])
  • Sites to white-list:
mail.yahoo.com 
mail.yimg.com
... or grey-list some sites
  • There are sites that are still keyword filtered
  • Add them to /etc/dansguardian/lists/greysitelist
Fetch up-to-date black-list
  • From urlblacklist.com
  • Requires explicitly allowing / forbidding some categories (see [5])
  • ... note that even though the list can be easily downloaded, urlblacklist.com is a commercial service (and quite expensive in fact).

Troubleshooting

See log files
  • View /var/log/dansguardian/access.log
  • Search for keywords like *DENIED*; these explain in detail why a page is denied access.
  • More information here
Advanced troubleshooting

To do and issues

  • Add DNS filtering as first layer (see opendns or similar) ?
  • What about HTTPS filtering? Filter based on host only (via dns filtering). How can we also filter the URL / content?
Requires intercepting proxy and adding a CA certificate to browsers.
  • Redirect all Google queries to http://safesearchkids.com?
  • Add extensions / plugins in the browser
  • Add filters in ADSL router? (url filter, dns filter)