Hi!

On Mon, Mar 1, 2010 at 4:52 AM, Bruno Santos <bvsantos@xxxxxxxxxxxxxxxx> wrote:
> Hi!
>
> Thanks for the reply.
>
> No! I've managed to sort it out.
>
> I've downloaded the source rpm for squid 3.1.0.16, of Fedora Core 14, and built an RPM from it. Installed, along with dansguardian 2.10.1.1, compiled from source with these options:
> --enable-email --with-proxygroup=squid --with-proxyuser=squid --with-logdir=/var/log/ --enable-pcre (without the --original-ip: I guess this one only matters if squid is going to be transparent)
>
> Next, I've enabled the following options in squid.conf (along with others, but I think these ones are the important ones here):
>
> acl_uses_indirect_client on
>
> follow_x_forwarded_for allow localhost

Exactly.

>
>
> In dansguardian, I guess the important ones are:
>
> forwardedfor = on

Yes, you need this one.

> usexforwardedfor = on

No... not this one.... from dansguardian.conf:

# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off

So, leave this one off, or somebody could cheat IP-based ACL by spoofing the headers (it is not so hard to do).

>
>
> After this, everything went OK and I now have dansguardian with squid and LDAP authentication!

And the authplugin thing is also important, I don't remember why, it actually works without it... I believe it had something to do with the logs.

>
> Cheers,
>
> Bruno Santos
>
> ----- Original Message -----
> From: "Jose Ildefonso Camargo Tolosa" <ildefonso.camargo@xxxxxxxxx>
> To: "Bruno Santos" <bvsantos@xxxxxxxxxxxxxxxx>
> Sent: Saturday, February 27, 2010 12:11:24 AM GMT +00:00 GMT Britain, Ireland, Portugal
> Subject: Re: squid + dansguardian + auth
>
> Hi!
>
> Sorry about the delay, do you still have the problem?
>
> Ildefonso
>
> On Wed, Feb 17, 2010 at 5:19 AM, Bruno Santos <bvsantos@xxxxxxxxxxxxxxxx> wrote:
>> Hi!
>>
>> No, I don't have those enabled. I'm using LDAP auth in squid (although I've enabled proxy-digest.conf in dansguardian)
>>
>> The problem here is the following:
>>
>> When the request reaches dansguardian, the IP of the machine that made the request is correct.
>> When dansguardian passes the request to squid, it goes with the local machine IP (127.0.0.1) and squid denies the request....
>> I've been messing around with the following dansguardian options:
>> forwardedfor, usexforwardedfor and originalip
>>
>> Any hints?
>>
>> I have another squid + dansguardian installation with transparent proxy and everything is working just fine...
>>
>> Cheers,
>>
>> Bruno Santos
>>
>>
>> ----- Original Message -----
>> From: "Jose Ildefonso Camargo Tolosa" <ildefonso.camargo@xxxxxxxxx>
>> To: "squid-users" <squid-users@xxxxxxxxxxxxxxx>
>> Sent: Monday, February 15, 2010 17:45:35 GMT +00:00 Greenwich Time, Ireland, Portugal
>> Subject: Re: squid + dansguardian + auth
>>
>> Hi!
>>
>> I really don't understand why you people are so insistent on the
>> "x-forwarded-for" thing..... it has nothing to do with authentication,
>> unless you use IP as part of your ACLs, of course.
>>
>> Now, I repeat:
>>
>> authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
>> authplugin = '/etc/dansguardian/authplugins/proxy-digest.conf'
>> authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
>>
>> That's an excerpt from the dansguardian.conf file. Do you have these enabled?
>>
>> I hope this helps,
>>
>> Ildefonso Camargo
>>
>> On Mon, Feb 15, 2010 at 5:47 AM, Bruno Santos <bvsantos@xxxxxxxxxxxxxxxx> wrote:
>>> Hi!
>>>
>>> Yes, I was careful to check in the SPEC file to see if there was such an option and it is present:
>>> --enable-follow-x-forwarded-for
>>>
>>> The problem, I guess, is that when dansguardian forwards the IP to squid, instead of giving the original IP, it goes with the local IP.
>>> But, with other options enabled, I get an HTML response - 400 bad request..
>>
>> --
>>
>> Use OpenSource Software
>> Human knowledge belongs to the world
>> Bruno Santos
>> bvsantos@xxxxxxxxxxxxxxxx
>> Tel: +351 962 753 053
>> Divisão de Informática
>> informatica@xxxxxxxxxxxxxxxx
>> Tel: +351 272 000 155
>> Fax: +351 272 000 257
>> Unidade Local de Saúde de Castelo Branco, E.P.E.
>> geral@xxxxxxxxxxxxxxxx
>> Tel: +351 272 000 272
>> Fax: +351 272 000 257
>>
>> Linux registered user #349448
>>
>> LPIC-1 Certification
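
Added example, not part of the original thread and not Squid or DansGuardian code: a simplified Python model of why trusting X-Forwarded-For only from localhost keeps IP-based ACLs sound, while believing the header from any sender does not. It assumes the filter hop appends the address it saw to any existing header; the function names and all addresses are constructed for illustration.

```python
import ipaddress

def append_forwarded_for(existing_header, seen_ip):
    """Model of the filter hop (assumed behaviour): append the peer address it saw."""
    parts = [p.strip() for p in (existing_header or "").split(",") if p.strip()]
    return ", ".join(parts + [seen_ip])

def resolve_client(peer_ip, xff_header, trusted_nets):
    """Walk the header right to left, stepping past an address only if it is trusted."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    current = ipaddress.ip_address(peer_ip)
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    for entry in reversed(entries):
        if not any(current in net for net in trusted):
            break                      # untrusted hop: ignore everything it claimed
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            break                      # untestable entry: keep the last good address
    return str(current)

def believe_header(peer_ip, xff_header):
    """Unconditional trust: take the first entry no matter who sent it."""
    first = (xff_header or "").split(",")[0].strip()
    return first or peer_ip

def demo():
    # Constructed sample values, not taken from the thread.
    real_client = "192.168.10.25"
    claimed = "192.168.10.1"           # value the client wrote into its own request
    to_squid = append_forwarded_for(claimed, real_client)
    return {
        "header_seen_by_squid": to_squid,
        "trust_localhost_only": resolve_client("127.0.0.1", to_squid, ["127.0.0.1/32"]),
        "trust_any_sender": believe_header(real_client, claimed),
        "direct_to_squid": resolve_client(real_client, claimed, ["127.0.0.1/32"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With only 127.0.0.1 trusted, the address used for ACL matching is the one the local filter actually observed, whatever the client put in its own header.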