How to install squid, dansguardian, and webmin on Arch

The purpose of this guide is to show how to set up an Arch Linux server that inspects the contents of any incoming HTTP request coming through port 80 and filters out any content that may be harmful to kids.

Web site filtering works via a blacklist of known bad URLs, a whitelist of known good URLs, URL regular expression matching, and a weighted phrase list.  All the filtering is done by DansGuardian.
 
Dansguardian requires the installation of a proxy server so that it can interface with web content before it gets delivered to the client/request machine. For a proxy server, we will use squid.
 

How to install squid?

1) Install squid package by running the following command in a terminal
pacman -S squid
2) Edit  /etc/squid/squid.conf
 
       a) make sure http_port 3128 is not commented out
 
       b) change http_access from http_access deny all to the following
           #acl ip_acl1 src 192.168.0.1-192.168.0.50
           #acl ip_acl2 src 127.0.0.1 192.168.2.100-192.168.2.149
           #http_access allow ip_acl1
           #http_access allow ip_acl2
           acl localhost src 127.0.0.1
           http_access allow localhost
           http_access deny all
   
      Explanation:
            # src 
            Used to define the client IP address. There are three ways to define source IP address.
               (1) single IP address.
               (2) IP address with netmask.
               (3) Range of IP address.
 
          For example:
           acl singleip src 192.168.12.21
           acl netmaskip src 192.168.1.0/24
           acl rangeip src 192.168.11.10-192.168.11.50
 
       c) Increase squid cache memory from 8 MB to 64 MB (search for cache_mem uncomment line if necessary)
 
       d) Increase squid maximum object size from 256 KB to 10 MB (search for maximum_object_size, uncomment the line if necessary)
 
       e) Search for http_port 3128 and change this line so that it looks like this:
            http_port 3128 transparent
           This will configure squid as a transparent proxy.  This means that squid will not change the TCP packet headers, and the headers will contain the IP address of the source that made the request when leaving squid
 
       f) Search for Safe in squid.conf and add the following line to later allow access to webmin application
       acl SSL_ports port 10000  #webmin
 
       g) Make sure that always_direct allow all is commented out; otherwise squid will not pass requests up the chain to a parent proxy like havp
 
       h) Change cache_dir size to 2048
          cache_dir ufs /var/cache/squid 2048 16 256
 
        i) Validate squid.conf file has no error/warnings by running
squid -k check
       
3) Run squid -z to create the cache directories
       
4) Start squid by running
/etc/rc.d/squid start
 
5) Add squid to the DAEMONS=(squid) section of /etc/rc.conf so that it starts on boot
    
6) You can remove all the comments from squid.conf by running the following (please make sure to back up your config file first)
sed -i "/^#/d;/^ *$/d" /etc/squid/squid.conf
 
7) If you need to clear the squid cache
/etc/rc.d/squid stop

rm -fr /var/cache/squid/*

squid -z

/etc/rc.d/squid start
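
The http_access block from step 2b is evaluated top to bottom and the first matching line decides. The following Python sketch is an added example, not part of squid or of the original guide: it models only src ACLs, assumes the built-in "all" ACL of Squid 3.x, and uses function names (parse_src, load_rules, decide) invented for illustration. It shows which clients the block admits, with and without the commented-out LAN ACLs.

```python
import ipaddress

# Constructed input: the rule block from step 2b, commented-out lines included.
SQUID_CONF = """\
#acl ip_acl1 src 192.168.0.1-192.168.0.50
#acl ip_acl2 src 127.0.0.1 192.168.2.100-192.168.2.149
#http_access allow ip_acl1
#http_access allow ip_acl2
acl localhost src 127.0.0.1
http_access allow localhost
http_access deny all
"""

def parse_src(token):
    """Return inclusive (low, high) integer bounds for one src value."""
    if "-" in token:  # range of addresses
        lo, hi = token.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(token, strict=False)  # single IP or IP/netmask
    return int(net.network_address), int(net.broadcast_address)

def load_rules(conf):
    # Assumption: "all" is predefined, as in Squid 3.x.
    acls, rules = {"all": [(0, 2**32 - 1)]}, []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comments
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "src":
            acls.setdefault(fields[1], []).extend(parse_src(t) for t in fields[3:])
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules

def decide(conf, client_ip):
    """Return 'allow' or 'deny' for client_ip; the first matching rule wins."""
    acls, rules = load_rules(conf)
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, names in rules:
        # every ACL named on one http_access line must match (logical AND)
        if all(any(lo <= ip <= hi for lo, hi in acls.get(n, [])) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    lan_conf = SQUID_CONF.replace("#", "")  # uncomment the LAN ACLs
    for ip in ("127.0.0.1", "192.168.0.20", "192.168.0.51"):
        print(ip, decide(SQUID_CONF, ip), decide(lan_conf, ip))
```

With the block as written, only 127.0.0.1 (DansGuardian on the same host) may use squid directly, so LAN clients cannot skip the filter by pointing at port 3128.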
 

How to install DansGuardian?

1) Download and install the dansguardian package by running the following in a terminal window
pacman -S dansguardian
2) Configure where to send email for violations in /etc/dansguardian/dansguardianf1.conf
 
3) Set the proxyip in dansguardian to match the ip address that the router assigned to the proxy server.  
       vim /etc/dansguardian/dansguardian.conf replace 127.0.0.1 with 192.168.0.XX
       Note: this only needs to be changed if you forgot to add 127.0.0.1 to the acl rule above in squid.
 
4) Set anonymizelogs=off in /etc/dansguardian/dansguardian.conf
 
5) Set naughtynesslimit to 100 (old children).  This setting can be found in /etc/dansguardian/dansguardianf1.conf
 
6) Start dansguardian by running /etc/rc.d/dansguardian start     
 
7) Add @dansguardian to the DAEMONS=( @dansguardian) section of /etc/rc.conf, after squid. The @ causes it to start in the background
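
How the weighted phrase list and naughtynesslimit interact can be seen in a simplified model. This Python sketch is an added example and not DansGuardian's own code: the sample list and page texts are constructed, the function names are invented for illustration, and it assumes each list entry counts once per page and that a page is blocked only when the total exceeds the limit.

```python
import re

# Constructed sample in the weightedphraselist syntax:
# <phrase><weight>, or <a>,<b><weight> when all phrases must appear together.
WEIGHTED_LIST = """\
# constructed sample, not a shipped DansGuardian list
<casino><40>
<poker>,<bonus><50>
<jackpot><30>
<gambling>,<addiction>,<help><-90>
"""

def parse_weighted(text):
    """Return a list of ([phrases], weight) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        *phrases, weight = re.findall(r"<([^<>]*)>", line)  # last <...> is the weight
        entries.append(([p.lower() for p in phrases], int(weight)))
    return entries

def naughtiness(page_text, entries):
    """Sum the weights of entries whose phrases all occur in the page."""
    body = page_text.lower()
    return sum(w for phrases, w in entries if all(p in body for p in phrases))

def is_blocked(page_text, entries, naughtynesslimit=100):
    # Assumption: blocked only when the score is above the limit.
    return naughtiness(page_text, entries) > naughtynesslimit

if __name__ == "__main__":
    entries = parse_weighted(WEIGHTED_LIST)
    promo = "Casino night: poker bonus and a jackpot"
    support = "Help for gambling addiction. Casino poker bonus jackpot"
    for page in (promo, support):
        print(naughtiness(page, entries), is_blocked(page, entries))
```

Negative weights let pages that discuss a topic in a safe context stay under the limit, which is why lowering naughtynesslimit blocks more pages and raising it blocks fewer.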
 

Dansguardian troubleshooting

1) DansGuardian 2.10.1.1-3 does not work with pcre 8.30-1 (https://bugs.archlinux.org/task/28459)
           The following workaround fixes this issue:
su -   

pacman -U /var/cache/pacman/pkg/pcre-8.21-1-x86_64.pkg.tar.xz

mkdir ~/pcre-old

cp -a /usr/lib/libpcre* ~/pcre-old

cp -a /lib/libpcre* ~/pcre-old

ln -sf libpcre.so.0 ~/pcre-old/libpcre.so

pacman -S pcre

/etc/rc.d/dansguardian stop
 
   Simply edit /etc/rc.d/dansguardian script to add the LD_LIBRARY_PATH variable. 
            It'll get overwritten when dansguardian is next updated, at which point it'll hopefully be working again anyway :)   
    LD_LIBRARY_PATH=/root/pcre-old /usr/sbin/dansguardian
 
2) To remove a site from being blocked do the following
 go to /etc/dansguardian/lists
 grep the website address    grep -r "youtube.com"
 remove the address from each file that shows up in the grep result list
 reload dansguardian rules by running dansguardian -r
        
3) To remove a regexpurl like proxy.php 
edit /etc/dansguardian/lists/bannedregexpurllist
         delete |proxy.php 
         save
         dansguardian -r
 

How to test that proxy filtering is working?

Test that the proxy is working by changing a web browser's proxy settings
  •     go to firefox and type tits.com in the address bar.  The site should display
  •     go to the firefox menu Edit->Preferences->Advanced->Network and click on connection settings
  •     select manual proxy configuration and enter the IP address of the proxy server and port 8080

How to re-direct http requests on port 80 to dansguardian on port 8080?

1) Install iptables on the VM so that all requests to port 80 can be redirected to port 8080 (DansGuardian) by  running the following:
pacman -S iptables
 
2) Run the following command to forward requests on port 80 to 8080
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 
3) Run the following to save the iptables rules to  /etc/iptables/iptables.rules
/etc/rc.d/iptables save
 
    Note: you can see where the iptables rules get saved by looking at the content of the configuration file /etc/conf.d/iptables
 
4) Add iptables to DAEMONS in /etc/rc.conf so that the service runs on startup
   

How to install Webmin?

1) Install WebMin to manage the Linux box from any computer in the network through port 10000
 pacman -S webmin perl-net-ssleay
        
2) Edit /etc/webmin/miniserv.conf change allow=127.0.0.1 to allow=127.0.0.1 192.168.0.0 
        This will allow all computers on 192.168.0.0 network to access webmin
 
3) Start webmin by running /etc/rc.d/webmin start
 
4) Add webmin to DAEMONS=() in the /etc/rc.conf file
 
5) To access webmin type https://192.168.1.XX:10000  on a web browser.  You will need to enter the root password for the server running webmin
 
6) DansGuardian webmin module
          
      a) Download DansGuardian webmin module from http://sourceforge.net/projects/dgwebminmodule/ and save it to local folder 
       
       b) Once you have downloaded a new module as a .wbm file, enter the Webmin Configuration module and click on the Webmin Modules button. Then use the form at the top of the page to install the module either from the local filesystem of the server Webmin is running on, or uploaded from the client your browser is on.
       
        Webmin modules cannot be installed via the Webmin GUI on Arch.
         If you look at the PKGBUILD file from AUR you will see this line:
 
                    # remove modules add because we don't want files installed without pacman control
                   rm -f webmin/{install_mod.cgi,delete_mod.cgi} 
 
            So this functionality has been disabled.
 
         Here's how I got it working...
         Share the download folder in the host to the guest by going to Devices menu in the VM and clicking shared folder.  Add the Download folder as a transient share (meaning as a temporary share)
 
         Run the following in the guest VM
            mkdir /mnt/share

            mount -t vboxsf Download /mnt/share

            cd ~

            mkdir download

            cd download

            cp /mnt/share/dgwebmin-0.7.0beta1b.wbm .             

            cd /opt/webmin

            ./install-module.pl ~/download/dgwebmin-0.7.0beta1b.wbm
 
         The module is found at Servers->DansGuardian Web Content Filter
 
        c) Go to dansguardian module config and change binary location for dansguardian webmin module from /sbin/dansguardian to /usr/sbin/dansguardian 
           vim /etc/webmin/dansguardian/config
             change /sbin/dansguardian to /usr/sbin/dansguardian
             change autorestart=0 to autorestart=1
             change rc.d/init.d  to rc.d
 
        d) Go into the webmin config and give yourself access to the module 
  • in webmin gui expand the webmin category and select webmin users
  • click on the user you want to grant the access
  • expand available webmin modules
  • check  DansGuardian Web Content Filter
  • click Save

 
