Page centos:dansg:install, revision of 15.11.2011 12:00 by django (link corrected, edit note removed); current revision 22.07.2019 15:02 (external edit, 127.0.0.1).
====== DansGuardian version 2.10.1.1 - installation and configuration on CentOS 6.x ======

For access control and content rating of the web pages our users request we rely on a caching proxy (the upstream proxy on port 3128 in the configuration below, Squid's default port) combined with the content filter **//DansGuardian//**.

In this constellation the proxy and **//DansGuardian//** work hand in hand and allow us to:
  * block unwanted pages (pornography),
  * make certain content available only to certain users (multimedia content of the WWW),
  * check pages for unwanted content and block them if necessary (gambling and political propaganda), or
  * run a virus scan over the transferred data.

DansGuardian 2.10 has not been maintained for years (development continues in the fork e2guardian) and CentOS 6 is end of life, so read this page as the record of a 2011 setup rather than as a current recommendation.

===== Installation =====
==== Download ====
First we fetch the RPM package, which was built for CentOS 6.x specifically with ClamAV support, from the packager's download server.

Depending on the server architecture we pick the matching RPM package:
  * **i386** (32-bit build)
  * **x86_64** ''dansguardian-2.10.1.1-1.el6.x86_64.rpm''

We can check the integrity of the downloaded **RPM** with the packager's GPG key, which we import first. Because the key arrives over plain HTTP, compare its fingerprint with one obtained through a second channel (''rpm -qi gpg-pubkey'' lists the imported keys) before trusting it:
  # rpm --import http://

Then we check whether everything is in order with the RPM we downloaded earlier:
  # rpm -K dansguardian-2.10.1.1-1.el6.x86_64.rpm

The result must contain ''gpg OK''. A line that only lists digests (''sha1 md5 OK'') means the package is unsigned, and ''NOT OK'' (usually followed by ''MISSING KEYS'') means the signature could not be verified with the imported keys; in both cases the package is not installed.

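The signature check above is easy to skim past when run by hand. The shell functions below, added here and not part of the original page, turn the ''rpm -K'' verdict into a hard gate: the package is only handed to yum when a GPG signature actually verified. The result lines quoted in the comments are constructed examples of rpm's output formats; the package file name is the one used on this page.

```sh
#!/bin/sh
# Added example, not from the original page: treat the `rpm -K` result as a
# pass/fail gate for the installation instead of reading it by eye.
# The result lines in the comments are constructed samples of rpm's output.

# rpm_sig_ok RESULT_LINE
# Succeeds only when the `rpm -K` result reports a *verified* GPG/PGP
# signature. Three outcomes are rejected on purpose:
#   "pkg.rpm: sha1 md5 OK"                 -> digests fine, but unsigned
#   "pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...)"
#                                          -> signed, but key never imported
#   "pkg.rpm: digests SIGNATURES NOT OK"   -> newer rpm, signature mismatch
# Accepted: rpm 4.8 (CentOS 6) style "... sha1 md5 gpg OK" and the
# rpm >= 4.14 style "digests signatures OK".
rpm_sig_ok() {
    l=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$l" in
        *'not ok'*)                      return 1 ;;
        *gpg*ok|*pgp*ok|*signatures*ok)  return 0 ;;
        *)                               return 1 ;;
    esac
}

# verify_and_install PKG.rpm
# Runs the real `rpm -K`, echoes the verdict, and only hands the file to yum
# when rpm_sig_ok accepts it. Assumes the packager's key was imported with
# `rpm --import` beforehand, as in the step above.
verify_and_install() {
    pkg=$1
    out=$(rpm -K "$pkg" 2>&1)
    echo "$out"
    if rpm_sig_ok "$out"; then
        yum install -y "$pkg"
    else
        echo "refusing to install $pkg: signature not verified" >&2
        return 1
    fi
}

# list_imported_keys
# Shows which GPG keys the rpm database trusts, so the packager's key can be
# compared against a fingerprint obtained out of band (the key itself was
# fetched over plain HTTP).
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}  %{SUMMARY}\n'
}

# usage: verify_and_install dansguardian-2.10.1.1-1.el6.x86_64.rpm
```

The `case` patterns are deliberately strict: a line that ends in ''OK'' but carries no ''gpg'', ''pgp'' or ''signatures'' token is a package rpm merely found undamaged, not one it could attribute to a key.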
==== Installation with yum ====
We install the RPM we downloaded as usual with **yum**.
  # yum install dansguardian-2.10.1.1-1.el6.x86_64.rpm -y

The installed package, its metadata and its file list can be inspected afterwards with:
  # rpm -qil dansguardian
<code>
Version
Release
Install Date: Tue 15 Nov 2011 10:09:04 AM CET Build Host: vml010006.intra.nausch.org
Group       : System Environment/
Size        : 1387134
Signature
Packager
URL         : http://
Summary
Description :
DansGuardian is a web filtering engine that checks the content within
the page itself in addition to the more traditional URL filtering.

DansGuardian is a content filtering proxy. It filters using multiple methods,
including URL and domain filtering, content phrase filtering, PICS filtering,
MIME filtering, file extension filtering, POST filtering.

Compiled with ClamAV support.
(file list from rpm -ql omitted: the paths are truncated in the page source)
</code>

<WRAP round important>
If the rpmforge repository was enabled during the base installation of our vHOST, its repository definition must exclude this package, otherwise the next ''yum update'' replaces our ClamAV-enabled build with the repository's own dansguardian package:
  * **exclude = dansguardian* **
</WRAP>
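Writing the exclude by hand into the wrong section is a classic mistake: in ''[main]'' of ''/etc/yum.conf'' it would hide the package from every repository. The shell function below, an added example rather than part of the original page, puts ''exclude='' into exactly the named section of a yum ''.repo'' file and can be re-run safely. The repository file content used to exercise it is constructed, and the file name ''rpmforge.repo'' is an assumption.

```sh
#!/bin/sh
# Added example, not from the original page: pin the hand-installed package
# against one repository by writing the exclude into the right [section] of
# a yum .repo file, idempotently. The repo file contents used when trying it
# out are constructed; the path /etc/yum.repos.d/rpmforge.repo is assumed.

# add_repo_exclude REPOFILE SECTION PATTERN
# Ensures that [SECTION] in REPOFILE carries an exclude= line containing
# PATTERN. An existing exclude= list is extended, nothing is duplicated, and
# other sections are left untouched.
add_repo_exclude() {
    repo=$1; section=$2; pattern=$3
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v pat="$pattern" '
        # emit the exclude line when we leave the target section without one
        function flush() { if (insec && !done) print "exclude=" pat }
        /^\[/                    { flush(); insec = ($0 == sec); done = 0 }
        insec && /^ *exclude *=/ {
            if (index($0, pat) == 0) $0 = $0 " " pat    # extend the list
            done = 1
        }
        { print }
        END { flush() }
    ' "$repo" > "$tmp" && cat "$tmp" > "$repo"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# repo_exclude_of REPOFILE SECTION
# Prints the value of the exclude= line in [SECTION] (nothing if absent), so
# the result can be checked before the next `yum update`.
repo_exclude_of() {
    awk -v sec="[$2]" '
        /^\[/                    { insec = ($0 == sec) }
        insec && /^ *exclude *=/ { sub(/^ *exclude *= */, ""); print }
    ' "$1"
}

# usage:
#   add_repo_exclude /etc/yum.repos.d/rpmforge.repo rpmforge 'dansguardian*'
#   repo_exclude_of  /etc/yum.repos.d/rpmforge.repo rpmforge
```

Because the awk program only ever appends to an existing ''exclude='' line or adds one at the end of the target section, running it from a provisioning script on every boot is harmless.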
===== Configuration =====
The configuration of our content scanner essentially takes place in DansGuardian's configuration directory. Right after the installation it contains two configuration files and four subdirectories.

The two configuration files:
  * **dansguardian.conf**
  * **dansguardianf1.conf**
contain the main configuration options of the filter. The further, usually highly site-specific, customisation is then done in the subdirectories:
  * **authplugins**
  * **contentscanners**
  * **downloadmanagers**
  * **lists**

==== dansguardian.conf ====
The main configuration of the filter daemon lives in **dansguardian.conf**.
\\
With the editor of our choice, **vim**, we now edit the first of the two configuration files.
  # vim dansguardian.conf
First we adjust the internationalisation in the configuration file:
<code>
# Django 2011-11-15
#Default: language = '
language = '
</code>
The settings for our network addresses and the associated ports are made in the **Network Settings** section. Two points matter for security here: with ''filterip'' left empty DansGuardian listens on every interface, so either bind it to the client-facing address or firewall port 8080; and the upstream proxy on ''proxyport'' 3128 must only be reachable from DansGuardian itself (bound to 127.0.0.1, or with the port blocked towards the client network), because a browser that is pointed straight at the proxy bypasses the content filter completely.
<code>
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip =

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128
</code>
To inform users when they request a blocked page, DansGuardian offers two ways:
=== dansguardian.pl ===
With reporting levels 1 and 2 the block page is produced by the //dansguardian.pl// CGI script, which has to be copied to a web server that clients reach without passing through the filter (a machine on the local network, or a proxy exception in the browsers).

The corresponding entry in the configuration file is:
<code>
# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied. Only used in reporting levels 1 and 2.
#
# This webserver must be either:
# 1. Non-proxied. Either a machine on the local network, or listed as an exception
#    in your browser'
# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is
#    only for users using both transparent proxying and a non-local server
#    to host this script.
#
# Individual filter groups can override this setting in their own configuration.
#
# Django 2011-11-15
#Default: accessdeniedaddress = '
accessdeniedaddress = '
</code>
=== HTML status page ===
Alternatively DansGuardian serves an HTML page itself that tells the user why the page was blocked.

For this you simply comment the option out in the configuration file and keep ''reportinglevel = 3'', which uses the HTML template from the language directory and ignores ''accessdeniedaddress'' entirely:
<code>
#Default: accessdeniedaddress = '
# accessdeniedaddress = '
</code>
In total this gives the following __first overall configuration__, which we can display without comment and empty lines:
  # egrep -v '

The complete configuration file (including the comments) reads, for now:
<file bash dansguardian.conf>
# DansGuardian config file for version 2.10.1.1

# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf

# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block - Stealth mode
#  0 = just say '
#  1 = report why but not what denied phrase
#  2 = report fully
#  3 = use HTML template file (accessdeniedaddress ignored) - recommended
#
reportinglevel = 3

# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3. When used, DansGuardian will display the HTML file instead of
# using the perl cgi script.
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
#
languagedir = '/

# language to use from languagedir.
# Django 2011-11-15
# Default: language = '
language = '

# Logging Settings
#
# 0 = none  1 = just denied
loglevel = 2

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through.
# why a site gets through the filter.
# 0 = never log exceptions
# 1 = log exceptions, but do not explicitly mark them as such
# 2 = always log & mark exceptions (default)
logexceptionhits = 2

# Log File Format
# 1 = DansGuardian format (space delimited)
# 2 = CSV-style format
# 3 = Squid Log File Format
# 4 = Tab delimited
logfileformat = 1

# truncate large items in log lines
#

# anonymize logs (blank out usernames & IPs)
#

# Syslog logging
#
# Use syslog for access logging instead of logging to the file
# at the defined or built-in "
#syslog = on

# Log file location
#
# Defines the log directory and filename.
#

# Statistics log file location
#
# Defines the stat file directory and filename.
# Only used in conjunction with maxips > 0
# Once every 3 minutes, the current number of IPs in the cache, and the most
# that have been in the cache since the daemon was started, are written to this
# file. IPs persist in the cache for 7 days.
#

# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip =

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

# Whether to retrieve the original destination IP in transparent proxy
# setups and check it against the domain pulled from the HTTP headers.
#
# Be aware that when visiting sites which use a certain type of round-robin
# DNS for load balancing, DG may mark requests as invalid unless DG gets
# exactly the same answers to its DNS requests as clients.
# this happening can be increased if all clients and servers on the same LAN
# make use of a local, caching DNS server instead of using upstream DNS
# directly.
#
# See http://
# on (default) | off
#!! Not compiled !! originalip = on

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied. Only used in reporting levels 1 and 2.
#
# This webserver must be either:
# 1. Non-proxied. Either a machine on the local network, or listed as an exception
#    in your browser'
# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is
#    only for users using both transparent proxying and a non-local server
#    to host this script.
#
# Individual filter groups can override this setting in their own configuration.
#
# Django 2011-11-15
# default : accessdeniedaddress = '
# accessdeniedaddress = '

# Non standard delimiter (only used with accessdeniedaddress)
# To help preserve the full banned URL, including parameters, the variables
# passed into the access denied CGI are separated using non-standard
# delimiters. This can be useful to ensure correct operation of the filter
# bypass modes. Parameters are split using "::"
# place of "
# Default is enabled, but to go back to the standard mode, disable it.
nonstandarddelimiter = on

# Banned image replacement
# Images that are banned due to domain/
# in the adverts blacklists can be replaced by an image.
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# on (default) | off
usecustombannedimage = on
custombannedimagefile = '/

# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group.
# to filter group 1. You must have some sort of authentication to be able to map users
# to a group.
# use as few as possible.
filtergroups = 1
filtergroupslist = '/

# Authentication files location
bannediplist = '/
exceptioniplist = '/

# Show weighted phrases found
# If enabled then the phrases found that made up the total which exceeds
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on

# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
#
weightedphrasemode = 2

# Positive (clean) result caching for URLs
# Caches good pages so they don't need to be scanned again.
# It also works with AV plugins.
# 0 = off (recommended for ISPs with users with dissimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
# If you're using an AV plugin then use at least 5000.
urlcachenumber = 1000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage = 900

# Clean cache for content (AV) scan results
# By default, to save CPU, files scanned and found to be
# clean are inserted into the clean cache and NOT scanned
# again for a while.
# to disable it.
# (on|off) default = on.
scancleancache = on

# Smart, Raw and Meta/Title phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# Meta/Title is where only meta and title tags are phrase filtered (v. quick)
# CPU usage can be effectively halved by using setting 0 or 1 compared to 2
# 0 = raw only
# 1 = smart only
# 2 = both of the above (default)
# 3 = meta/title
phrasefiltermode = 2

# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases.
# other 16-bit texts.
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
# 2 = scan first in lower case, then in original case
preservecase = 0

# Note:
# If phrasefiltermode and preserve case are both 2, this equates to 4 phrase
# filtering passes. If you have a large enough userbase for this to be a
# worry, and need to filter pages in exotic character encodings, it may be
# better to run two instances on separate servers: one with preservecase 1
# (and possibly forcequicksearch 1) and non ASCII/UTF-8 phrase lists, and one
# with preservecase 0 and ASCII/UTF-8 lists.

# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable.
# off = disabled (default)
# on = enabled
hexdecodecontent = off

# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# off (default) | on (Big5 compatible)
forcequicksearch = off

# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists.
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off

# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer.
# the exceptioniplist and bannediplist.
# If a client computer is matched against an IP given in the lists, then the
# IP will be recorded in any log entries; if forward DNS is successful and a
# match occurs against a hostname, the hostname will be logged instead.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off.
reverseclientiplookups = off

# Perform reverse lookups on client IPs for successful requests.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer, and log host names (where available) rather than
# IPs against requests.
# This is not dependent on reverseclientiplookups being enabled; however, if it
# is, enabling this option does not incur any additional forward DNS requests.
logclienthostnames = off

# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%. On slow computers this will
# be significant.
createlistcachefiles = on

# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#
#
maxuploadsize = -1

# Max content filter size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The value must not be higher than maxcontentramcachescansize
# The size is in Kibibytes - eg 2048 = 2Mb
# use 0 to set it to maxcontentramcachescansize
maxcontentfiltersize = 256

# Max content ram cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size of file that DG will download and cache
# in RAM. After this limit is reached it will cache to disk
# This value must be less than or equal to maxcontentfilecachescansize.
# The size is in Kibibytes - eg 10240 = 10Mb
# use 0 to set it to maxcontentfilecachescansize
# This option may be ignored by the configured download manager.
maxcontentramcachescansize = 2000

# Max content file cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size file that DG will download
# so that it can be scanned or virus checked.
# This value must be greater or equal to maxcontentramcachescansize.
# The size is in Kibibytes - eg 10240 = 10Mb
maxcontentfilecachescansize = 20000

# File cache dir
# Where DG will download files to be scanned if too large for the
# RAM cache.
filecachedir = '/

# Delete file cache after user completes download
# When a file gets saved to temp it stays there until it is deleted.
# You can choose to have the file deleted when the user makes a successful
# download.
# the temp store a second time it will give a 404 error.
# You should configure something to delete old files in temp to stop it filling up.
# on|off (defaults to on)
deletedownloadedtempfiles = on

# Initial Trickle delay
# This is the number of seconds a browser connection is left waiting
# before first being sent *something* to keep it alive.
# *something* depends on the download manager chosen.
# Do not choose a value too low or normal web pages will be affected.
# A value between 20 and 110 would be sensible
# This may be ignored by the configured download manager.
initialtrickledelay = 20

# Trickle delay
# This is the number of seconds a browser connection is left waiting
# before being sent more *something* to keep it alive.
# *something* depends on the download manager chosen.
# This may be ignored by the configured download manager.
trickledelay = 10

# Download Managers
# These handle downloads of files to be filtered and scanned.
# They differ in the method they deal with large downloads.
# Files usually need to be downloaded 100% before they can be
# filtered and scanned before being sent on to the browser.
# Normally the browser can just wait, but with content scanning,
# for example to AV, the browser may timeout or the user may get
# confused so the download manager has to do some sort of
# 'keep alive'
#
# There are various methods possible but not all are included.
# The author does not have the time to write them all so I have
# included a plugin system.
# browsers and clients.
# work with software that downloads updates.
# each plugin can support a regular expression for matching
# the client'
# and extensions it should manage.
#
# Note that these are the matching methods provided by the base plugin
# code, and individual plugins may override or add to them.
# See the individual plugin conf files for supported options.
#
# The plugins are matched in the order you specify and the last
# one is forced to match as the default, regardless of user agent
# and other matching mechanisms.
#
downloadmanager = '/
#
downloadmanager = '/

# Content Scanners (Also known as AV scanners)
# These are plugins that scan the content of all files your browser fetches
# for example to AV scan. The options are limitless.
# DansGuardian will be plugin based.
# scanner. The plugins are run in the order you specify.
# This is one of the few places you can have multiple options of the same name.
#
# Some of the scanner(s) require 3rd party software and libraries eg clamav.
# See the individual plugin conf file for more options (if any).
#
#!! Not compiled !! contentscanner = '/
#
#!! Unimplemented !! contentscanner = '/
#
#
#

# Content scanner timeout
# Some of the content scanners support using a timeout value to stop
# processing (eg AV scanning) the file if it takes too long.
# If supported this will be used.
# The default of 60 seconds is probably reasonable.
contentscannertimeout = 60

# Content scan exceptions
# If '
# This is probably not desirable behaviour as exceptions are
# supposed to be trusted and will increase load.
# Correct use of grey lists are a better idea.
# (on|off) default = off
contentscanexceptions = off

# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be queried in order until one
# of them either finds a username or throws an error. For example, if Squid
# is configured with both NTLM and Basic auth enabled, and both the '
# and '
# NTLM can fall back to Basic without sacrificing access rights.
#
# If you do not use multiple filter groups, you need not specify this option.
#
#authplugin = '/
#authplugin = '/
#authplugin = '/
#authplugin = '/
#authplugin = '/

# Re-check replaced URLs
# As a matter of course, URLs undergo regular expression search/
# *after* checking the exception site/
# the banned site/URL lists, allowing certain requests that would be matched against the
# latter in their original state to effectively be converted into grey requests.
# With this option enabled, the exception site/
# after replacement,
# on them.
# Defaults to off.
recheckreplacedurls = off

# Misc settings

# if on it adds an X-Forwarded-For:
# header.
# source ip. on | off
forwardedfor = off

# if on it uses the X-Forwarded-For:
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off

# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored.
# it on or off
logconnectionhandlingerrors = on

# Fork pool options

# If on, this causes DG to write to the log file whenever child processes are
# created or destroyed (other than by crashes). This information can help in
# understanding and tuning the following parameters, but is not generally
# useful in production.
logchildprocesshandling = off

# sets the maximum number of processes to spawn to handle the incoming
# connections.
# On large sites you might want to try 180.
maxchildren = 120

# sets the minimum number of processes to spawn to handle the incoming connections.
# On large sites you might want to try 32.
minchildren = 8

# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8.
minsparechildren = 4

# sets the minimum number of processes to spawn when it runs out
# On large sites you might want to try 10.
preforkchildren = 6

# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 32

# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 500

# Sets the maximum number of client IP addresses allowed to connect at once.
# Use this to set a hard limit on the number of users allowed to concurrently
# browse the web. Set to 0 for no limit, and to disable the IP cache process.
maxips = 0

# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
#
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = '/

# URL list IPC filename
#
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = '/

# IP list IPC filename
#
# Defines IP list IPC server directory and filename, for communicating with the client
# IP cache process.
ipipcfilename = '/

# PID filename
#
# Defines process id directory and filename.
#

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off (defaults to off)
+ | nodaemon = off | ||
+ | |||
+ | # Disable logging process | ||
+ | # on|off (defaults to off) | ||
+ | nologger = off | ||
+ | |||
+ | # Enable logging of " | ||
+ | # on|off (defaults to off) | ||
+ | logadblocks = off | ||
+ | |||
+ | # Enable logging of client User-Agent | ||
+ | # Some browsers will cause a *lot* of extra information on each line! | ||
+ | # on|off (defaults to off) | ||
+ | loguseragent = off | ||
+ | |||
+ | # Daemon runas user and group | ||
+ | # This is the user that DansGuardian runs as. Normally the user/group nobody. | ||
+ | # Uncomment to use. Defaults to the user set at compile time. | ||
+ | # Temp files created during virus scanning are given owner and group read | ||
+ | # permissions; | ||
+ | # clamdscan, the two processes must run with either the same group or user ID. | ||
+ | #daemonuser = ' | ||
+ | # | ||
+ | |||
+ | # Soft restart | ||
+ | # When on this disables the forced killing off all processes in the process group. | ||
+ | # This is not to be confused with the -g run time option - they are not related. | ||
+ | # on|off (defaults to off) | ||
+ | softrestart = off | ||
+ | |||
+ | # Mail program | ||
+ | # Path (sendmail-compatible) email program, with options. | ||
+ | # Not used if usesmtp is disabled (filtergroup specific). | ||
+ | mailer = '/ | ||
+ | </ | ||
+ | |||
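A small checker for the fork-pool and forwarding options just listed, written for this page as an added example (it is neither the wiki's nor DansGuardian's code): it reads the `key = value` syntax of dansguardian.conf and reports settings that contradict each other or that the file's own comments warn about. The sample excerpt and its IPC path are constructed.

```python
"""Sanity checks for the fork-pool and forwarding options of dansguardian.conf.

Added example, not code from the wiki page or from DansGuardian. It parses the
'key = value' syntax shown above (comments start with '#', string values are
single-quoted) and flags settings that cannot work together or that the file's
own comments warn about. Fallback values are the ones the page sets.
"""
import re
from typing import Dict, List

# Constructed excerpt in the same syntax as the file above. The numbers are the
# page's values except maxsparechildren (set below minsparechildren on purpose)
# and usexforwardedfor (switched on on purpose) so the checker has something
# to report; the IPC path is a placeholder, not the real one.
SAMPLE_CONF = """
# Fork pool options
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 2      # deliberately wrong
maxagechildren = 500
maxips = 0
forwardedfor = off
usexforwardedfor = on     # deliberately wrong
ipcfilename = '/tmp/dg-ipc-placeholder'
"""

_ASSIGN_RE = re.compile(r"^\s*([a-z0-9]+)\s*=\s*(.*?)\s*$")


def parse_conf(text: str) -> Dict[str, str]:
    """Map option name -> value. Comments and blank lines are skipped and the
    surrounding single quotes of string values are removed. A '#' inside a
    quoted value is not supported by this simple parser."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        match = _ASSIGN_RE.match(raw.split("#", 1)[0])
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        options[key] = value
    return options


def _int_option(options: Dict[str, str], key: str, default: int) -> int:
    try:
        return int(options.get(key, default))
    except ValueError:
        return default


def check_conf(options: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    maxc = _int_option(options, "maxchildren", 120)
    minc = _int_option(options, "minchildren", 8)
    minspare = _int_option(options, "minsparechildren", 4)
    maxspare = _int_option(options, "maxsparechildren", 32)
    prefork = _int_option(options, "preforkchildren", 6)

    # maxchildren is the hard ceiling of the pool, so every other count has to
    # fit inside it, and the spare window needs its lower bound below its upper
    # bound or idle children would be forked and culled in a loop.
    if minc > maxc:
        findings.append(f"minchildren ({minc}) exceeds maxchildren ({maxc})")
    if maxspare > maxc:
        findings.append(f"maxsparechildren ({maxspare}) exceeds maxchildren ({maxc})")
    if minspare > maxspare:
        findings.append(f"minsparechildren ({minspare}) exceeds maxsparechildren "
                        f"({maxspare}): idle children would be spawned and culled in a loop")
    if prefork < 1 or prefork > maxc:
        findings.append(f"preforkchildren ({prefork}) must be between 1 and maxchildren")

    # Taking the client address from X-Forwarded-For means any client that can
    # reach port 8080 directly picks the IP that is logged and counted against
    # maxips; the file itself warns that the header is easily spoofed.
    if options.get("usexforwardedfor", "off") == "on":
        findings.append("usexforwardedfor = on: client IPs come from a spoofable header; "
                        "only enable it when just a trusted upstream proxy can reach this port")
    if _int_option(options, "maxips", 0) == 0:
        findings.append("maxips = 0: no cap on concurrently browsing client IPs")
    return findings
```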
=== dansguardianf1.conf ===
The further configuration of the Dansguardian content filter/
\\
With the editor of our choice, vim, we now edit the first of the two configuration files.
  # vim /
In the first step we adjust the trigger threshold of the weighted page check. With a **Naughtyness limit** of **//100//** we are already in a practical range:
<
# This is the limit over which the page will be blocked.
# a value either positive or negative and the values added up. Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values.
# As a guide:
# 50 is for young children,
# Django 2011-11-15
# default: naughtynesslimit = 50
naughtynesslimit = 100</
In total, this results in the following __first overall configuration__,
  # egrep -v '

The complete second configuration file thus looks as follows.
<file bash /
# DansGuardian filter group config file for version 2.10.1.1


# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "
# and "
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
# Only filter groups with a mode of 1 need to define phrase, URL, site, extension,
# mimetype and PICS lists; in other modes, these options are ignored to conserve
# memory.
#
# Defaults to 0 if unspecified.
# Unauthenticated users are treated as being in the first filter group.
groupmode = 1

# Filter group name
# Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to
# name the group in the access logs
# Defaults to empty string
#groupname = ''

# Content filtering files location
bannedphraselist = '/
weightedphraselist = '/
exceptionphraselist = '/
bannedsitelist = '/
greysitelist = '/
exceptionsitelist = '/
bannedurllist = '/
greyurllist = '/
exceptionurllist = '/
exceptionregexpurllist = '/
bannedregexpurllist = '/
picsfile = '/
contentregexplist = '/
urlregexplist = '/

# Filetype filtering
#
# Blanket download blocking
# If enabled, all files will be blocked, unless they match the
# exceptionextensionlist or exceptionmimetypelist.
# These lists do not override virus scanning.
# Exception lists defined above override all types of filtering, including
# the blanket download block.
# Defaults to disabled.
# (on | off)
#
blockdownloads = off
exceptionextensionlist = '/
exceptionmimetypelist = '/
#
# Use the following lists to block specific kinds of file downloads.
# The two exception lists above can be used to override these.
#
bannedextensionlist = '/
bannedmimetypelist = '/
#
# In either file filtering mode, the following list can be used to override
# MIME type & extension blocks for particular domains & URLs (trusted download sites).
#
exceptionfilesitelist = '/
exceptionfileurllist = '/

# Categorise without blocking:
# Supply categorised lists here and the category string shall be logged against
# matching requests, but matching these lists does not perform any filtering
# action.
#
#logurllist = '/
#

# Outgoing HTTP header rules:
# Optional lists for blocking based on, and modification of, outgoing HTTP
# request headers.
# line, similar to content/URL modifications.
# bannedregexpheaderlist is one regular expression per line, with matching
# headers causing a request to be blocked.
# Headers are matched/
# block.
# Use for example, to remove cookies or prevent certain user-agents.
headerregexplist = '/
bannedregexpheaderlist = '/

# Naughtyness limit
# This is the limit over which the page will be blocked.
# a value either positive or negative and the values added up. Phrases to do with
# good subjects will have negative values, and bad subjects will have positive
# values.
# As a guide:
# 50 is for young children,
# Django 2011-11-15
# default : naughtynesslimit = 50
naughtynesslimit = 100

# Category display threshold
# This option only applies to pages blocked by weighted phrase filtering.
# Defines the minimum score that must be accumulated within a particular
# category in order for it to show up on the block pages' category list.
# All categories under which the page scores positively will be logged; those
# that were not displayed to the user appear in brackets.
#
# -1 = display only the highest scoring category
# 0 = display all categories (default)
# > 0 = minimum score for a category to be displayed
categorydisplaythreshold = 0

# Embedded URL weighting
# When set to something greater than zero, this option causes URLs embedded within a
# page's HTML (from links, image tags, etc.) to be extracted and checked against the
# bannedsitelist and bannedurllist. Each link to a banned page causes the amount set
# here to be added to the page's weighting.
# The behaviour of this option with regards to multiple occurrences of a site/URL is
# affected by the weightedphrasemode setting.
#
# NB: Currently, this feature uses regular expressions that require the PCRE library.
# As such, it is only available if you compiled DansGuardian with '
# You can check compile-time options by running '
#
# Set to 0 to disable.
# Defaults to 0.
# WARNING: This option is highly CPU intensive!
embeddedurlweight = 0

# Enable PICS rating support
#
# Defaults to disabled
# (on | off)
enablepics = off

# Temporary Denied Page Bypass
# This provides a link on the denied page to bypass the ban for a few minutes.
# secure it uses a random hashed secret generated at daemon startup.
# number of seconds the bypass will function for before the deny will appear again.
# To allow the link on the denied page to appear you will need to edit the template.html
# or dansguardian.pl file for your language.
# 300 = enable for 5 minutes
# 0 = disable ( defaults to 0 )
# -1 = enable but you require a separate program/CGI to generate a valid link
bypass = 0

# Temporary Denied Page Bypass Secret Key
# Rather than generating a random key you can specify one. It must be more than 8 chars.
# ''
# 'Mary had a little lamb.' = an example
# '
bypasskey = ''

# Infection/
# Similar to the '
# to be infected, or files that trigger scanner errors - for example, archive types with
# recognised but unsupported compression schemes, or corrupt archives.
# The option specifies the number of seconds for which the bypass link will be valid.
# 300 = enable for 5 minutes
# 0 = disable (default)
# -1 = enable, but require a separate program/CGI to generate a valid link
infectionbypass = 0

# Infection/
# Same as the '
infectionbypasskey = ''

# Infection/
# Enable this option to allow infectionbypass links only when virus scanning fails,
# not when a file is found to contain a virus.
# on = enable (default and highly recommended)
# off = disable
infectionbypasserrorsonly = on

# Disable content scanning
# If you enable this option you will disable content scanning for this group.
# Content scanning primarily is AV scanning (if enabled) but could include
# other types.
# (on|off) default = off.
disablecontentscan = off

# Enable Deep URL Analysis
# When enabled, DG looks for URLs within URLs, checking against the bannedsitelist and
# bannedurllist. This can be used, for example, to block images originating from banned
# sites from appearing in Google Images search results, as the original URLs are
# embedded in the thumbnail GET requests.
# (on|off) default = off
deepurlanalysis = off

# reportinglevel
#
# -1 = log, but do not block - Stealth mode
# 0 = just say '
# 1 = report why but not what denied phrase
# 2 = report fully
# 3 = use HTML template file (accessdeniedaddress ignored) - recommended
#
# If defined, this overrides the global setting in dansguardian.conf for
# members of this filter group.
#
#

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied. Only used in reporting levels
# 1 and 2.
#
# This webserver must be either:
# 1. Non-proxied. Either a machine on the local network, or listed as an
#
# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is
# only for users using both transparent proxying and a non-local server
# to host this script.
#
# If defined, this overrides the global setting in dansguardian.conf for
# members of this filter group.
#
#

# HTML Template override
# If defined, this specifies a custom HTML template file for members of this
# filter group, overriding the global setting in dansguardian.conf. This is
# only used in reporting level 3.
#
# The default template file path is <
# e.g. /
# language.
#
# This option generates a file path of the form:
# <
# e.g. /
#
#

# Email reporting - original patch by J. Gauthier

# Use SMTP
# If on, will enable system wide events to be reported by email.
# need to configure mail program (see '
# and email recipients
# default usesmtp = off
usesmtp = off

# mailfrom
# who the email would come from
# example: mailfrom = '
mailfrom = ''

# avadmin
# who the virus emails go to (if notify av is on)
# example: avadmin = '
avadmin = ''

# contentadmin
# who the content emails go to (when thresholds are exceeded)
# and contentnotify is on
# example: contentadmin = '
contentadmin = ''

# avsubject
# Subject of the email sent when a virus is caught.
# only applicable if notifyav is on
# default avsubject = '
avsubject = '

# content
# Subject of the email sent when violation thresholds are exceeded
# default contentsubject = '
contentsubject = '

# notifyAV
# This will send a notification,
# infection is found.
# Important: If this option is off, viruses will still be recorded like a
# content infraction.
notifyav = off

# notifycontent
# This will send a notification,
# below
notifycontent = off

# thresholdbyuser
# results are only predictable with user authenticated configs
# if enabled the violation/
thresholdbyuser = off

#violations
# number of violations before notification
# setting to 0 will never trigger a notification
violations = 0

#threshold
# this is in seconds. If '
# a notification is made.
# if this is set to 0, then whenever the set number of violations are made a
# notification will be sent.
threshold = 0

</

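To see what the naughtynesslimit of 100 and the categorydisplaythreshold above actually do, here is an added example (not code from the wiki page or from DansGuardian) that models the weighted phrase scoring described in the file's comments on a few constructed page texts; the phrase list, weights and category names are invented, and the numeric values of `weightedphrasemode` are not reproduced.

```python
"""Worked model of weighted phrase filtering: naughtynesslimit and
categorydisplaythreshold as set in dansguardianf1.conf above.

Added example, not code from the wiki page or from DansGuardian. It re-implements
the rule the file's comments describe (every matched phrase contributes a positive
or negative weight, the weights are added up, the page is blocked once the sum is
over the limit). Matching is plain case-insensitive substring search.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed phrase list in the <phrase><weight> line syntax of DansGuardian's
# weighted phrase lists, with #listcategory comments naming the category.
# Phrases, weights and categories are invented for this example.
SAMPLE_WEIGHTED_LIST = """
#listcategory: "Gambling"
<place your bet><40>
<online casino><60>
<jackpot><20>
#listcategory: "Weapons"
<weapon shop><30>
#listcategory: "Medical"
<clinical study><-60>
<health advice><-40>
"""

_PHRASE_RE = re.compile(r"^<(.+?)><(-?\d+)>$")


class Phrase(NamedTuple):
    text: str
    weight: int
    category: str


def load_weighted_list(text: str) -> List[Phrase]:
    """Parse <phrase><weight> lines; a #listcategory line sets the category
    for the phrases that follow it."""
    phrases: List[Phrase] = []
    category = "uncategorised"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#listcategory:"):
            category = line.split(":", 1)[1].strip().strip('"')
            continue
        match = _PHRASE_RE.match(line)
        if match:
            phrases.append(Phrase(match.group(1).lower(), int(match.group(2)), category))
    return phrases


def score_page(body: str, phrases: List[Phrase],
               count_every_occurrence: bool = False) -> Tuple[int, Dict[str, int]]:
    """Return (total weight, weight per category) for a page body.
    With count_every_occurrence=False each phrase counts once however often it
    occurs; True adds its weight per occurrence. That is the kind of choice the
    weightedphrasemode option in dansguardian.conf makes (its numbering is not
    reproduced here)."""
    text = body.lower()
    per_category: Dict[str, int] = {}
    total = 0
    for phrase in phrases:
        hits = text.count(phrase.text)
        if not hits:
            continue
        contribution = phrase.weight * (hits if count_every_occurrence else 1)
        total += contribution
        per_category[phrase.category] = per_category.get(phrase.category, 0) + contribution
    return total, per_category


def decide(total: int, per_category: Dict[str, int], naughtynesslimit: int = 100,
           categorydisplaythreshold: int = 0) -> Tuple[bool, List[str], List[str]]:
    """Apply the two options. Returns (blocked, categories shown on the block
    page, categories logged). Every category with a positive score is logged;
    the threshold only decides which of them the user gets to see:
    -1 = only the top scorer, 0 = all, n > 0 = those scoring at least n."""
    positive = {c: s for c, s in per_category.items() if s > 0}
    logged = sorted(positive)
    if total <= naughtynesslimit:          # "over which" the page is blocked
        return False, [], logged
    if categorydisplaythreshold == -1:
        shown = [max(positive, key=positive.get)] if positive else []
    elif categorydisplaythreshold == 0:
        shown = logged
    else:
        shown = sorted(c for c, s in positive.items() if s >= categorydisplaythreshold)
    return True, shown, logged


# Constructed page bodies to score.
GAMBLING_PAGE = "Welcome to our online casino. Place your bet now and win the jackpot! Jackpot!"
MEDICAL_PAGE = "A clinical study offers health advice on gambling; no online casino is endorsed."
MIXED_PAGE = "Weapon shop beside the online casino, place your bet."
```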
=== authplugins ===
If no authentication is used in the **Squid proxy**,
  # ll /
<
-rw-r--r-- 1 root root 104 Oct 15 22:23 ident.conf
-rw-r--r-- 1 root root 323 Oct 15 22:23 ip.conf
-rw-r--r-- 1 root root 195 Oct 15 22:23 proxy-basic.conf
-rw-r--r-- 1 root root 257 Oct 15 22:23 proxy-digest.conf
-rw-r--r-- 1 root root 190 Oct 15 22:23 proxy-ntlm.conf</

=== contentscanners ===
In the configuration file //
<file bash /
plugname = '

# edit this to match the location of your ClamD UNIX domain socket
#

# If this string is set, the text it contains shall be removed from the
# beginning of filenames when passing them to ClamD.
# Use it to - for example - support a ClamD running inside a chroot jail:
# if DG's filecachedir is set to "/
# is set to "/
# form "/
#pathprefix = '/

exceptionvirusmimetypelist = '/
exceptionvirusextensionlist = '/
exceptionvirussitelist = '/
exceptionvirusurllist = '/
</

The adjustment(s) to this configuration file are made in the following chapter [[centos:

=== downloadmanagers ===
In the directory //
  # ls -alf /
  total 20



== default.conf ==
  # vim /

<file bash /
# The default download manager.
# This is the safest option for unknown user-agents and content types, and
# hence a good one to include last.

# Which plugin should be loaded?
plugname = '

# Regular expression for matching user agents
# When not defined, matches all agents.
#

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#
#
</

== fancy.conf ==
  # vim /
<file bash /
# The '
# This outputs a Javascript progress bar to the browser when a file is taking
# a long time to download, and hence is unsuitable for browsers without
# javascript support; also you may wish to enable it only for types/
# that are usually downloaded individually,
# such as executables and archives.

# Which plugin should be loaded?
plugname = '

# Regular expression for matching user agents
# When not defined, matches all agents.
#
# '
useragentregexp = '

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#
managedextensionlist = '/

# HTML/
# The contents of this file determine what is presented to the user during
# and after downloading/
# define certain JavaScript functions - called at various stages during
# the process - allowing the page to be modified to reflect current progress.
# This option generates a path of the form <
template = '

# Maximum download size
# When a file with unknown content length gets handled by the fancy DM,
# something must be done in the case that the file is found to be too large
# to scan (i.e. larger than maxcontentfilecachescansize).
# As of 2.9.7.0, a warning will be issued to the user that the fancy DM may
# not be able to cache the entire file, and the file will continue to be
# downloaded to disk (but not scanned) until it reaches this size, at which
# point the user will simply have to re-download the file (the URL won't be
# scanned again).
# The size is in kibibytes (i.e. 10240 = 10Mb)
maxdownloadsize = 80000
</

== trickle.conf ==
  # vim /
<file bash /
# The trickle download manager.
# This is the least safe download manager, in that files which are/can be
# processed before they are complete - such as certain image formats, shell
# scripts, and multimedia files - MAY have a working, malicious portion sent
# to the browser before scanning is complete.
# However, this download manager works by sending bytes from the actual file
# to the client, and as such is the only manager which will indicate to all
# clients that a download is in progress in a completely standard manner.
# At least one kilobyte of the file will be kept back until scanning is
# complete.

# Which plugin should be loaded?
plugname = '

# Regular expression for matching user agents
# When not defined, matches all agents.
#

# Lists of mime types and extensions to manage
# When not defined, matches everything.
# These can be enabled separately; when both enabled,
# a request may match either list.
#
#
</
=== lists ===
The fine-grained, usage-specific configuration of our Dansguardian is done via several black and/or white lists. These are located in the directory //
  # ll /
<
drwxr-xr-x
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
drwxr-xr-x
-rw-r--r--
drwxr-xr-x
drwxr-xr-x
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
-rw-r--r--
drwxr-xr-x 36 root root 4096 Nov 15 10:09 phraselists
-rw-r--r--
-rw-r--r--
-rw-r--r--
</

Individual special files are covered in the chapter [[centos:

==== Starting Dansguardian ====
Now we start our new dansguardian service for the first time:
  # service dansguardian start

  Web Content Filter (dansguardian) starten:
The successful start is documented accordingly in the syslog:
  Nov 15 11:10:51 vml000040 dansguardian[12815]:
Our Dansguardian daemon now listens on port **8080**,
  # netstat -tulpen | grep dansguardian



In the process list we also see the started Dansguardian processes:
  # ps aux | grep dansguardian
<
498 12816 0.0 1.2 129584 12296 ? S 11:10 0:00 dansguardian
498 12817 0.0 1.1 130560 12156 ? S 11:10 0:00 dansguardian
498 12818 0.0 1.1 129580 12192 ? S 11:10 0:00 dansguardian
498 12819 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
498 12821 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
498 12822 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
498 12823 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
498 12824 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
498 12825 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
498 12826 0.0 1.1 129580 12200 ? S 11:10 0:00 dansguardian
root

==== Starting Dansguardian automatically at system boot ====
So that the Dansguardian daemon starts automatically at every system boot, the start script can be set up with the following command:
  # chkconfig dansguardian on

Checking whether the Dansguardian service (daemon) really is started automatically at every system boot can be done with the following command:
  # chkconfig --list | grep dansguardian


What matters are the switches **on** or **Ein** for the runlevels **2 3 4 5**.
==== Dansguardian'
The **//
  # dansguardian -h
<
-v gives the version number and build options.
-h gives this message.
-c allows you to specify a different configuration file location.
-N Do not go into the background.
-q causes DansGuardian to kill any running copy.
-Q kill any running copy AND start a new one with current options.
-s shows the parent process PID and exits.
-r closes all connections and reloads config files by issuing a HUP,
   but this does not reset the maxchildren option (amongst others).
-g gently restarts by not closing all current connections;

</

==== Option -v ====
With the **-v** option we can display the program version as well as the options the maintainer specified when building the program.
  # dansguardian -v

<

Built with: '
</
==== Option -g ====
If changes have been made to the configuration files, then as a rule
  # service dansguardian restart



If, however, in a production environment with many connections you do not want to interrupt them,
  # dansguardian -g

==== Adjusting the packet filter ====

So that requests on port 8080 are also accepted on our Dansguardian web content scanner server, we adjust the iptables filter rules on our system.

First we check the packet filter settings
  # iptables -L
<code bash>
Chain INPUT (policy ACCEPT)
target
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
REJECT

Chain FORWARD (policy ACCEPT)
target
REJECT

Chain OUTPUT (policy ACCEPT)
target
</

For the Dansguardian web content scanner,
  # vim /
<file bash /
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Django : 2011-11-14 squid proxy access enabled
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
#
# Django : 2011-11-15 dansguardian web content filter enabled
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</
Then we activate the new rule by restarting the **iptables** service.
  # service iptables restart





Querying the packet filter rules again now shows us the new setting.
  # iptables -L
<code bash>
Chain INPUT (policy ACCEPT)
target
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
REJECT

Chain FORWARD (policy ACCEPT)
target
REJECT

Chain OUTPUT (policy ACCEPT)
target
</

===== Client test =====
On a first (test) host in our network we now enter our newly defined Squid proxy server as the proxy in our browser. Using Firefox as an example, the relevant settings are found on the **[Netzwerk]** tab under the **[Einstellungen]** menu item.

{{ :

In the following settings window we now enter the IP address of our web content scanner server,

{{ :

If we now call up a page that is presumably not entirely suitable for minors, then after user authentication,

{{ :

In the access log of our web content scanner the attempted access to the page is logged, and in this example it is also noted that the page, due to a **//

  # less /

<
2011.11.15 11:25:24 - 10.0.0.20 http://
2011.11.15 11:25:26 - 10.0.0.20 http://
2011.11.15 11:25:26 - 10.0.0.20 http://
2011.11.15 11:25:27 - 10.0.0.20 http://
2011.11.15 11:25:29 - 10.0.0.20 http://
2011.11.15 11:25:30 - 10.0.0.20 http://
</

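An added example, not code from the wiki page or from DansGuardian, that parses access log lines of the shape shown above and summarises which clients were blocked and why; the `*DENIED*` reason layout and the trailing columns are assumptions, and all sample lines are constructed.

```python
"""Parse DansGuardian-style access log lines and summarise blocked requests.

Added example, not code from the wiki page or from DansGuardian. The leading
fields are the ones visible in the excerpt above (date, time, user, client IP,
URL); the '*DENIED* <reason>' marker and the trailing columns (method, size,
weight, group, status, MIME type) follow the layout assumed here, and every
sample line is constructed.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_LOG = """\
2011.11.15 11:25:24 - 10.0.0.20 http://www.example.com/ *DENIED* Weighted phrase limit of 100 : 173 GET 0 173 1 403 text/html
2011.11.15 11:25:26 - 10.0.0.20 http://www.example.com/style.css *DENIED* Banned site: www.example.com GET 0 0 1 403 text/css
2011.11.15 11:25:26 - 10.0.0.20 http://cdn.example.net/logo.png GET 2048 0 1 200 image/png
2011.11.15 11:25:27 alice 10.0.0.21 http://intranet.example.org/index.html GET 1500 -20 1 200 text/html
2011.11.15 11:25:29 bob 10.0.0.22 http://downloads.example.net/tool.exe *DENIED* Banned extension: .exe GET 0 0 1 403 application/octet-stream
garbage that is not a log line
"""

_ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{1,2}\.\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<url>\S+)(?: (?P<rest>.*))?$")
_DENIED = "*DENIED* "
# the reason text ends where the request method column begins
_METHOD_RE = re.compile(r" (?=(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT)\b)")
_WEIGHTED_RE = re.compile(r"Weighted phrase limit of (\d+) : (-?\d+)")


class Entry(NamedTuple):
    date: str
    time: str
    user: str
    ip: str
    url: str
    denied: bool
    reason: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for a line that does not have the expected shape."""
    match = _ENTRY_RE.match(line.rstrip("\n"))
    if not match:
        return None
    rest = match.group("rest") or ""
    denied, reason = False, None
    if rest.startswith(_DENIED):
        denied = True
        reason = _METHOD_RE.split(rest[len(_DENIED):], maxsplit=1)[0]
    return Entry(match.group("date"), match.group("time"), match.group("user"),
                 match.group("ip"), match.group("url"), denied, reason)


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line; malformed lines are dropped silently."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def denials_per_ip(entries: List[Entry]) -> Counter:
    """How many blocked requests each client IP produced."""
    return Counter(e.ip for e in entries if e.denied)


def weighted_blocks(entries: List[Entry]) -> List[Tuple[str, int, int]]:
    """(url, naughtynesslimit, score) for pages blocked by weighted phrases,
    which shows how far over the configured limit a page scored."""
    result = []
    for e in entries:
        match = _WEIGHTED_RE.search(e.reason or "")
        if e.denied and match:
            result.append((e.url, int(match.group(1)), int(match.group(2))))
    return result


def repeat_offenders(entries: List[Entry], at_least: int = 2) -> List[str]:
    """Client IPs with at_least blocked requests, sorted; a first triage step
    before looking at the individual URLs."""
    return sorted(ip for ip, n in denials_per_ip(entries).items() if n >= at_least)
```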

====== Links ======
  * **[[centos:
  * **[[wiki:
  * **[[http://
