dansguardian · A public mailing list to discuss all aspects of DansGuardian

Group Information

  • Members: 3723
  • Category: Networking
  • Founded: Jan 14, 2001
  • Language: English

Messages 25427 - 25458 of 25810

#25427 From: Matteo Cazzador <mcazzador@...>
Date: Tue Apr 3, 2012 8:26 am
Subject: Re: Re: Dansguardian SSL Filtering instructions
mcazzador@...
 
I wish to do this too, thanks.

On 3 April 2012 10:23, msahiner4408 <msahiner4408@...> wrote:

> Thanks for the reply, Lorenzo;
>
> Can we configure DG as a man-in-the-middle and filter content for https
> requests? (Regardless of security problems)
>
> If it is possible, how?
> --- In dansguardian@yahoogroups.com, "Internavigare S.r.l. - Assistenza
> Hotspot" <hotspot@...> wrote:
> >
> > > Has someone achieved filtering https requests via DG 2.12?
> > >
> > > I am looking for instructions of ssl filtering with DG but could not
> > > find any article which explain what I should do.
> >
> > it depends on what you want to achieve.
> > DG cannot filter page content because data is encrypted (ssl).
> > you can only filter domains and url, and to do that you MUST have your
> > users to configure the proxy in their browser, or set up automatic proxy
> > config using WPAD.
> >
> > --
> > Lorenzo Milesi
> > Assistenza HotSpot
> > Internavigare S.r.l.
> > Tel. +39 031 890624
> >
>
>
>



--
Respect the environment: if you don't need to, don't print this email.
******************************************
Ing. Matteo Cazzador
Email: mcazzador@...
******************************************



#25428 From: "Fred" <fredmck@...>
Date: Tue Apr 3, 2012 4:05 pm
Subject: WARNING: Playboy.com gets past DansGuardian
fredbird67
 
I've been working on creating a lightweight Linux distribution with built-in web
filtering.  After installing and configuring Squid and DansGuardian on Bodhi
Linux, I tested it with Playboy.com.  That site used to trigger DansGuardian,
but I'll be darned if those turds at Playboy have altered the site so that it
gets around web filters -- and it got past DansGuardian!

Someone who develops DansGuardian needs to see what they've done and alter
DansGuardian accordingly.  Until then, of course, this can be fixed by adding
playboy.com to the DansGuardian's bannedsiteslist.

Fred in St. Louis

#25429 From: sichent <sichent@...>
Date: Tue Apr 3, 2012 6:55 pm
Subject: Re: Dansguardian SSL Filtering instructions
sichent
 
Hello,

Squid + SSLBump + ICAP or eCAP would be of huge help.
But I am not aware if DG is able to act as ICAP server?

Best regards,
sich

#25430 From: "Internavigare S.r.l. - Assistenza HotSpot" <hotspot@...>
Date: Wed Apr 4, 2012 9:53 am
Subject: Re: WARNING: Playboy.com gets past DansGuardian
hotspot@...
 
On 3 April 2012 18:05, Fred <fredmck@...> wrote:

> **
>
> Someone who develops DansGuardian needs to see what they've done and alter
> DansGuardian accordingly. Until then, of course, this can be fixed by
> adding playboy.com to the DansGuardian's bannedsiteslist.
>

I believe that a proper configuration will block playboy. If you add
playboy.com to the banned site list it MUST be blocked, unless for example
you don't use dansguardian for https and your users are accessing the site
via ssl (which I checked now is not possible).
So I believe there's something wrong in your configuration.
If you cannot find a solution pastebin somewhere your config files.



#25431 From: "msahiner4408" <msahiner4408@...>
Date: Thu Apr 5, 2012 6:23 am
Subject: Re: Dansguardian MITM
msahiner4408
 
I have the same problem. How can we do it?
--- In dansguardian@yahoogroups.com, Deniz Eren <dee.116@...> wrote:
>
> Hi;
>
> I had problems about enabling MITM with dansguardian 2.12.0.0. . As I
> read there is no ./configure option for this and so I wasn't able to
> enable this option. Can you give me information about how to enable
> it?
>
> Good day to you..
>
> --
> Deniz Eren
>

#25432 From: "zab_crypto" <zab.crypto@...>
Date: Mon Apr 16, 2012 1:17 pm
Subject: How to exempt specific sites from Basic-Authentication
zab_crypto
 
Hi all,
i just setup dans+squid with basic-authentication successfully. I am wondering
if there's a way to exempt specific sites from authentication. Access to our
public websites, or google.com should not require authentication in our
scenario.

Any ideas?

Cheers,
zab

#25433 From: "John D. Spinuzzi" <jd@...>
Date: Tue Apr 17, 2012 2:42 am
Subject: RE: How to exempt specific sites from Basic-Authentication
archerjd03
 
Are you using Squid for your proxy?

-----Original Message-----
From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
Behalf Of zab_crypto
Sent: Monday, April 16, 2012 8:18 AM
To: dansguardian@yahoogroups.com
Subject: [dansguardian] How to exempt specific sites from
Basic-Authentication

Hi all,
i just setup dans+squid with basic-authentication successfully. I am
wondering if there's a way to exempt specific sites from authentication.
Access to our public websites, or google.com should not require
authentication in our scenario.

Any ideas?

Cheers,
zab



------------------------------------

For unsubscribing, mailing list rules and posting guidelines please see:
http://dansguardian.org/?page=mailinglist

#25434 From: "zab_crypto" <zab.crypto@...>
Date: Tue Apr 17, 2012 9:07 am
Subject: Re: How to exempt specific sites from Basic-Authentication
zab_crypto
 
Hi John!
Yes, i use squid (listening on TCP 3128), DG (listening on TCP 8080), clam and
bind9 (see ver. below if required). The basic authentication scheme is
configured in squid and DG and it's working fine.

However, i exempted some sites from authentication in squid's ACL, to enable the
users to browse these sites without the need to authenticate (example):

acl google_website dstdomain .google.com
acl my_websites dstdomain "/etc/squid3/my_websites.conf"
acl my_network src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED src my_network

http_access allow my_network google_website
http_access allow my_network my_websites
http_access allow authenticated
http_access deny all

I expected that if squid doesn't ask for auth neither DG would, but that's not
the case.

If i configure my browser to use proxy: proxysrv:3128, then i can browse the
google_website and my_websites without authentication. As soon as i open for
example www.amazon.com i am asked for authentication. If i authenticate
www.amazon.com is loaded.

If i point my browser's proxy-configuration to proxy:8080, then i am asked for
authentication for every website (always). If i authenticate the requested
website loads.

Basically, i am looking for a way to tell DG not to use the authplugin
proxy-basic.conf for specific websites. Since i'm new to DG i don't know how to
accomplish this. And i couldn't find any documentation or examples on this
specific subject.

cheers,
zab

root@proxysrv:/etc/squid3# dpkg -l | egrep '(bind9|clamav|dans|squid)' | tr -s " "
ii bind9 1:9.8.1.dfsg.P1-2 Internet Domain Name Server
ii bind9-doc 1:9.8.1.dfsg.P1-2 Documentation for BIND
ii bind9-host 1:9.8.1.dfsg.P1-2 Version of 'host' bundled with BIND 9.X
ii bind9utils 1:9.8.1.dfsg.P1-2 Utilities for BIND
ii clamav 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - command-line interface
ii clamav-base 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - base package
ii clamav-daemon 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - scanner daemon
ii clamav-docs 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - documentation
ii clamav-freshclam 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - virus database update utility
ii dansguardian 2.10.1.1-4 Web content filtering
ii libbind9-80 1:9.8.1.dfsg.P1-2 BIND9 Shared Library used by BIND
ii libclamav6 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - library
ii libdansguardian-perl 0.6-2 Simple module for administer dansguardian's control files
ii squid-langpack 20111114-1 Localized error pages for Squid
ii squid3 3.1.19-1ubuntu1 Full featured Web Proxy cache (HTTP proxy)
ii squid3-common 3.1.19-1ubuntu1 Full featured Web Proxy cache (HTTP proxy) - common files
ii squidview 0.79-1build1 monitors and analyses squid access.log files


--- In dansguardian@yahoogroups.com, "John D. Spinuzzi" <jd@...> wrote:
>
> Are you using Squid for your proxy?
>
> -----Original Message-----
> From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
> Behalf Of zab_crypto
> Sent: Monday, April 16, 2012 8:18 AM
> To: dansguardian@yahoogroups.com
> Subject: [dansguardian] How to exempt specific sites from
> Basic-Authentication
>
> Hi all,
> i just setup dans+squid with basic-authentication successfully. I am
> wondering if there's a way to exempt specific sites from authentication.
> Access to our public websites, or google.com should not require
> authentication in our scenario.
>
> Any ideas?
>
> Cheers,
> zab
>
>
>
> ------------------------------------
>
> For unsubscribing, mailing list rules and posting guidelines please see:
> http://dansguardian.org/?page=mailinglist
>

#25435 From: sichent <sichent@...>
Date: Tue Apr 17, 2012 10:29 pm
Subject: Re: How to exempt specific sites from Basic-Authentication
sichent
 
On 4/17/2012 11:07 AM, zab_crypto wrote:
> <skip..>
>
> http_access allow my_network google_website
> http_access allow my_network my_websites
> http_access allow authenticated
> http_access deny all
>
> I expected that if squid doesn't ask for auth neither DG would, but that's not
> the case.
>
> If i configure my browser to use proxy: proxysrv:3128, then i can browse the
> google_website and my_websites without authentication. As soon as i open for
> example www.amazon.com i am asked for authentication. If i authenticate
> www.amazon.com is loaded.
>
> If i point my browser's proxy-configuration to proxy:8080, then i am asked for
> authentication for every website (always). If i authenticate the requested
> website loads.
>
> Basically, i am looking for a way to tell DG not to use the authplugin
> proxy-basic.conf for specific websites. Since i'm new to DG i don't know how to
> accomplish this. And i couldn't find any documentation or examples on this
> specific subject.
>


Hello zab_crypto,

What do you use in DG that is not present in Squid to completely exclude
DG from the equation?

sich

#25436 From: "zab_crypto" <zab.crypto@...>
Date: Wed Apr 18, 2012 11:10 am
Subject: Re: How to exempt specific sites from Basic-Authentication [solved]
zab_crypto
 
Thanks, for helping!!!

I found the reason for the problem, today.

The problem was XFF related. Somehow, i managed to have XFF working in squid
without using the "follow_x_forwarded_for"-option in squid. DG was properly
configured for XFF, all the time.

Today, i noticed that nonauthenticated clients still appear with src IP
127.0.0.1 in squid's access.log, while authenticated clients appear with their
real IP address.

Therefore my squid ACLs couldn't match. However, i fixed that by adding these
two lines and changing some ACLs:

acl dansguardian src 127.0.0.1/32
follow_x_forwarded_for allow dansguardian

-----------

The working squid ACL configuration looks like this, now:

acl_uses_indirect_client on    # XFF related
delay_pool_uses_indirect_client on    # XFF related
log_uses_indirect_client on    # XFF related

acl dansguardian src 127.0.0.1/32    # XFF related
follow_x_forwarded_for allow dansguardian    # XFF related

acl cache_manager proto cache_object   # cachemgr related
acl localhost src 127.0.0.1/32
acl nonauth_hosts src "/etc/squid3/nonauth_hosts"   # define clients w/o authentication
acl our_networks src "/etc/squid3/our_networks"    # define client-networks
acl nonauth_sites dstdomain "/etc/squid3/nonauth_sites"    # define sites w/o authentication
acl authenticated proxy_auth REQUIRED src "/etc/squid3/our_networks"

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 8443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow nonauth_hosts   # clients w/o authentication (not using DG)
http_access allow our_networks nonauth_sites   # sites w/o authentication (not using DG)
http_access allow authenticated   # authenticated clients (with DG)
http_access deny cache_manager !localhost   # deny nonlocal cachemgr-access
http_access deny !Safe_ports   # deny non Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all   # deny everything else

-----------

cheers,
zab

--- In dansguardian@yahoogroups.com, sichent <sichent@...> wrote:
>
> On 4/17/2012 11:07 AM, zab_crypto wrote:
> > <skip..>
> >
> > http_access allow my_network google_website
> > http_access allow my_network my_websites
> > http_access allow authenticated
> > http_access deny all
> >
> > I expected that if squid doesn't ask for auth neither DG would, but that's
> > not the case.
> >
> > If i configure my browser to use proxy: proxysrv:3128, then i can browse the
> > google_website and my_websites without authentication. As soon as i open for
> > example www.amazon.com i am asked for authentication. If i authenticate
> > www.amazon.com is loaded.
> >
> > If i point my browser's proxy-configuration to proxy:8080, then i am asked
> > for authentication for every website (always). If i authenticate the requested
> > website loads.
> >
> > Basically, i am looking for a way to tell DG not to use the authplugin
> > proxy-basic.conf for specific websites. Since i'm new to DG i don't know how to
> > accomplish this. And i couldn't find any documentation or examples on this
> > specific subject.
> >
>
>
> Hello zab_crypto,
>
> What do you use in DG that is not present in Squid to completely exclude
> DG from the equation?
>
> sich
>
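
The fix in message #25436, as a small Python model added here (not code from the post, from Squid or from DansGuardian): it resolves the client address the way `follow_x_forwarded_for` does, walking X-Forwarded-For from the right only while the sender is trusted, then applies the three `http_access allow` rules from the post. The contents of the three ACL files and the client addresses are constructed for the example, and the `proxy_auth` rule is simplified to "credentials present or not".

```python
import ipaddress

# From the thread: DansGuardian reaches Squid from 127.0.0.1, and only that
# address may supply X-Forwarded-For (acl dansguardian src 127.0.0.1/32).
TRUSTED_XFF_SOURCES = ["127.0.0.1/32"]
# Constructed stand-ins for the files the post references but does not show.
OUR_NETWORKS = ["192.168.1.0/24"]     # /etc/squid3/our_networks
NONAUTH_HOSTS = ["192.168.1.50/32"]   # /etc/squid3/nonauth_hosts
NONAUTH_SITES = [".google.com"]       # /etc/squid3/nonauth_sites


def in_nets(ip, nets):
    """True if ip parses as an address and falls inside one of the networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in nets)


def indirect_client(direct_ip, xff_header, trusted=TRUSTED_XFF_SOURCES):
    """Walk X-Forwarded-For right to left while the current hop is trusted.

    Only the entry appended by a trusted proxy is believed; anything a client
    wrote further left in the header is never reached.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    current = direct_ip
    while hops and in_nets(current, trusted):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # assumption of this model: stop at an unparsable entry
        current = candidate
    return current


def dst_matches(host, domains):
    """dstdomain-style match: '.google.com' covers the domain and subdomains."""
    host = host.lower().rstrip(".")
    for d in (d.lower() for d in domains):
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def http_access(direct_ip, xff_header, dst_host, has_credentials, follow_xff):
    """Return (decision, source address the ACLs saw).

    follow_xff=False models Squid before the fix: src ACLs see the TCP peer.
    follow_xff=True models the fix plus acl_uses_indirect_client on.
    """
    src = indirect_client(direct_ip, xff_header) if follow_xff else direct_ip
    if in_nets(src, NONAUTH_HOSTS):                 # allow nonauth_hosts
        return "allow", src
    if in_nets(src, OUR_NETWORKS) and dst_matches(dst_host, NONAUTH_SITES):
        return "allow", src                         # allow our_networks nonauth_sites
    if has_credentials:                             # allow authenticated
        return "allow", src
    # No credentials: the proxy_auth rule answers with an auth challenge,
    # so "deny all" is not reached in this model.
    return "challenge", src


if __name__ == "__main__":
    # Constructed requests: a client at 192.168.1.23 browsing through DansGuardian.
    for follow in (False, True):
        print(follow, http_access("127.0.0.1", "192.168.1.23",
                                  "www.google.com", False, follow))
```

Because trust is limited to 127.0.0.1, a header sent by any other peer is ignored and the `src` ACLs keep matching the real TCP source.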

#25437 From: "Terry H" <lhalteman@...>
Date: Sun Apr 22, 2012 5:23 am
Subject: Firefox upgrade
lhalteman
 
Do not want to make changes to dansguardian, just want to upgrade installed
version of FIREFOX to newer version!

#25438 From: Mark in Virginia <randomcharacterstring@...>
Date: Mon Apr 23, 2012 1:36 am
Subject: Re: Firefox upgrade
randomcharac...
 
Just do the upgrade as usual. It should not have any effect on Dansguardian.

As always, make a backup before doing an upgrade.

Mark

>
>
> Do not want to make changes to dansguardian, just want to upgrade
> installed version of FIREFOX to newer version!

#25439 From: "Mukunda M" <mmukundam@...>
Date: Wed Apr 25, 2012 11:37 am
Subject: Blocking facebook apps
mmukundam
 
Hi,

I am using dansguardian. I've a problem in blocking facebook apps.
I've tried many ways of doing it, like adding the url in bannedurllist,
bannedsitelist etc.

Can anybody please help me?

#25440 From: Raoul Ntirahageza <ntiraoul@...>
Date: Wed Apr 25, 2012 12:27 pm
Subject: Re : Blocking facebook apps
ntiraoul
 
check if the domain is written properly or check if the domain is not listed in
the exceptionsitelist.



________________________________
From: Mukunda M <mmukundam@...>
To: dansguardian@yahoogroups.com
Sent: Wednesday, 25 April 2012 13:37
Subject: [dansguardian] Blocking facebook apps


 
Hi,

I am using dansguardian. I've a problem in blocking facebook apps.
I've tried many ways of doing it, like adding the url in bannedurllist,
bannedsitelist etc.

Can anybody please help me?





#25441 From: "Mukunda M" <mmukundam@...>
Date: Wed Apr 25, 2012 2:49 pm
Subject: Re: Re : Blocking facebook apps
mmukundam
 
The domain was not listed in the exceptionsitelist.

--- In dansguardian@yahoogroups.com, Raoul Ntirahageza <ntiraoul@...> wrote:
>
> check if the domain is written properly or check if the domain is not listed
> in the exceptionsitelist.
>
>
>
> ________________________________
> From: Mukunda M <mmukundam@...>
> To: dansguardian@yahoogroups.com
> Sent: Wednesday, 25 April 2012 13:37
> Subject: [dansguardian] Blocking facebook apps
>
>
>
> Hi,
>
> I am using dansguardian. I've a problem in blocking facebook apps.
> I've tried many ways of doing it, like adding the url in bannedurllist,
> bannedsitelist etc.
>
> Can anybody please help me?
>
>

#25442 From: HASAN GULERYUZ <hguleryuz@...>
Date: Wed Apr 25, 2012 3:14 pm
Subject: Re: Blocking facebook apps
guleryuzhasan
 
If users are using port 443 https links, you can't do anything

2012/4/25 Mukunda M <mmukundam@...>

> **
>
>
> Hi,
>
> I am using dansguardian. I've a problem in blocking facebook apps.
> I've tried many ways of doing it, like adding the url in bannedurllist,
> bannedsitelist etc.
>
> Can anybody please help me?
>
>
>


[Non-text portions of this message have been removed]
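
What a filtering proxy can see of an HTTPS request when it does no SSL interception, as an added Python sketch for the SSL filtering thread (#25427) and the Facebook apps thread above (not DansGuardian code, and not its real list-matching logic): a browser configured to use the proxy sends `CONNECT host:port`, so a site-list entry can still match while a URL-list entry has no path to match against. The host names and list entries are constructed, and the two matchers are simplified stand-ins for bannedsitelist and bannedurllist.

```python
from urllib.parse import urlsplit


def visible_to_proxy(request_line):
    """Return the parts of a proxied request line that a filter can inspect."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS through an explicit proxy: only "host:port" is in the clear.
        host, _, port = target.rpartition(":")
        return {"method": "CONNECT", "host": host.lower(),
                "port": int(port), "path": None}
    # Plain HTTP through a proxy: the full URL is in the request line.
    parts = urlsplit(target)
    return {"method": method.upper(), "host": parts.hostname,
            "port": parts.port or 80, "path": parts.path or "/"}


def site_listed(host, sites):
    """Simplified site-list match: the listed domain or any subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in sites)


def url_listed(host, path, urls):
    """Simplified URL-list match on 'domain/path-prefix' entries.

    With path=None (a CONNECT tunnel) there is nothing to compare, so a
    URL entry can never match.
    """
    if path is None:
        return False
    for entry in urls:
        entry_host, _, entry_path = entry.partition("/")
        if site_listed(host, [entry_host]) and path.startswith("/" + entry_path):
            return True
    return False


def decide(request_line, banned_sites, banned_urls):
    """Apply the site list first, then the URL list, to one request line."""
    seen = visible_to_proxy(request_line)
    if site_listed(seen["host"], banned_sites):
        return "blocked: site list"
    if url_listed(seen["host"], seen["path"], banned_urls):
        return "blocked: url list"
    return "passed"


if __name__ == "__main__":
    # Constructed request lines for the same resource over HTTP and HTTPS.
    http_req = "GET http://apps.example.test/games/play HTTP/1.1"
    https_req = "CONNECT apps.example.test:443 HTTP/1.1"
    urls_only = ["apps.example.test/games"]
    print(decide(http_req, [], urls_only))             # URL entry matches
    print(decide(https_req, [], urls_only))            # path is not visible
    print(decide(https_req, ["example.test"], []))     # host is visible
```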

#25443 From: Scott Mayo <scotgmayo@...>
Date: Thu Apr 26, 2012 3:29 pm
Subject: Max Processes
scotgmayo
 
Okay, I check my maximum number of dansguardian processes, i.e. "ps aux |
grep dansguardian | wc", and I see more processes than I have
computers sometimes.  How is that possible?  I know I have asked this
before, but do multiple browsers open on the same machine each count
as a process?  Do multiple tabs count as separate processes?  Thanks.

--
Scott

#25444 From: Freddie Cash <fjwcash@...>
Date: Thu Apr 26, 2012 3:33 pm
Subject: Re: Max Processes
phoenix_stri...
 
On Thu, Apr 26, 2012 at 8:29 AM, Scott Mayo <scotgmayo@...> wrote:

> **
> Okay, I check my maximum number of dansguardian process i.e. "ps aux |
>
> grep | dansguardian | wc" and I see more processes than I have
>

A simpler command:  pgrep -lf dansguardian | wc -l


> computers sometimes. How is that possible? I know I have asked this
> before, but do multiple browsers open on the same machine each count
> as a process? Do multiple tabs count as separate processes? Thanks.
>

Web browsers will open multiple connections per page, in order to download
HTML, CSS, images, ads, etc in parallel.  The default for most browsers is 8
connections per page.  Thus, you could see up to (num PCs * num pages
opened simultaneously * 8) dansguardian processes.

--
Freddie Cash
fjwcash@...



#25445 From: Scott Mayo <scotgmayo@...>
Date: Thu Apr 26, 2012 3:58 pm
Subject: Re: Max Processes
scotgmayo
 
On Thu, Apr 26, 2012 at 10:33 AM, Freddie Cash <fjwcash@...> wrote:

> **
>
>
> On Thu, Apr 26, 2012 at 8:29 AM, Scott Mayo <scotgmayo@...> wrote:
>
> > **
>
> > Okay, I check my maximum number of dansguardian process i.e. "ps aux |
> >
> > grep | dansguardian | wc" and I see more processes than I have
> >
>
> A simpler command: pgrep -lf dansguardian | wc -l
>
>
> > computers sometimes. How is that possible? I know I have asked this
> > before, but do multiple browsers open on the same machine each count
> > as a process? Do multiple tabs count as separate processes? Thanks.
> >
>
> Web browsers will open multiple connections per page, in order to download
> HTML, CSS, images, ads, etc in parallel. The default for most browser is 8
> connections per page. Thus, you could see up to (num PCs * num pages
> opened simultaneously * 8) dansguardian processes.
>
>
Wow!  That is the thing then.  I need to get this re-installed so I can set
my maxchildren to more than 250.  I think I recall seeing that I can add
something in while installing to let me set it up a great deal more.

Thanks.

--
Scott



#25446 From: Scott Mayo <scotgmayo@...>
Date: Thu Apr 26, 2012 6:51 pm
Subject: Re: Max Processes
scotgmayo
 
On Thu, Apr 26, 2012 at 10:33 AM, Freddie Cash <fjwcash@...> wrote:

> **
>
>
> On Thu, Apr 26, 2012 at 8:29 AM, Scott Mayo <scotgmayo@...> wrote:
>
> > **
>
> > Okay, I check my maximum number of dansguardian process i.e. "ps aux |
> >
> > grep | dansguardian | wc" and I see more processes than I have
> >
>
> A simpler command: pgrep -lf dansguardian | wc -l
>
>
> > computers sometimes. How is that possible? I know I have asked this
> > before, but do multiple browsers open on the same machine each count
> > as a process? Do multiple tabs count as separate processes? Thanks.
> >
>
> Web browsers will open multiple connections per page, in order to download
> HTML, CSS, images, ads, etc in parallel. The default for most browser is 8
> connections per page. Thus, you could see up to (num PCs * num pages
> opened simultaneously * 8) dansguardian processes.
>
>
I know this is not a DG question, but I have a question about your answer.
Theoretically I could have 8 computers that have 4 tabs open that could
possibly eat up all my connections?  (8 computers * 4 tabs * 8 connections
per tab)

If I have 4 tabs open and just sitting there, they will only take the
multiple connections up while the page is loading correct?  Once they are
loaded completely then the connections would be released in DG until the
page was refreshed or something?

--
Scott



#25447 From: sichent <sichent@...>
Date: Thu Apr 26, 2012 8:24 pm
Subject: Re: Max Processes
sichent
 
On 4/26/2012 8:51 PM, Scott Mayo wrote:
> I know this is not a DG question, but I have a question about your answer.
> Theoretically I could have 8 computers that have 4 tabs open that could
> possibly eat up all my connections?  (8 computers * 4 tabs * 8 connections
> per tab)
>
> If I have 4 tabs open and just sitting there, they will only take the
> multiple connections up while the page is loading correct?  Once they are
> loaded completely then the connections would be released in DG until the
> page was refreshed or something?
>

This totally depends on how DG works with the connections. As long as
connection is instructed to be open by browser or remote server it must
be kept open by DG. The problem you seem to be having is not the
*number* of connections but the fact that each connection requires a
separate DG instance to be running although they all might be
theoretically processed by only one instance... e.g. Squid has only 1
process and easily handles thousands of connections on modern server
hardware.

best regards
sich

#25448 From: Scott Mayo <scotgmayo@...>
Date: Fri Apr 27, 2012 2:11 pm
Subject: Re: Max Number of Processes
scotgmayo
 
On Mon, Feb 27, 2012 at 10:46 AM, Philip Pearce <e2bntech@...> wrote:

> **
>
>
> In the standard dg build it's set at a max of around 1020.
>
> However, as the comment suggests it depends on the OS you are using.
>
> On Linux it is around 250, it may be different for other OS's.
>
>
I am curious about this 250 number.  I decided to bump mine up to 350 this
morning and so far it is doing fine.  This is on a Fedora box.


> Note that when you set maxchildren to a higher value than supported by the
> OS, it will only fail (possibly with core dump) when the system limit on
> the number of file_ids that can be handled by a select call is reached.
>
> To test what the system limit is set the minchildren to a high value say
> (maxchildren - preforkchildren). DG will then attempt to create that number
> of child processes on start-up, so if it's too large it will fail
> immediately. Once you have found the limit you can then reduce the
> minchildren to a more sensible figure.
>
I set my minchildren to 240 and it failed on startup so I set it back
down, yet so far the machine is still running with maxchildren at 350.  I
am curious to know for sure how high I can set my maxchildren.

--
Scott



#25449 From: Philip Pearce <e2bntech@...>
Date: Fri Apr 27, 2012 3:25 pm
Subject: Re: Max Number of Processes
e2bntech
 
maxchildren just sets the upper limit of the number of child filter processes dg
will attempt to spawn.

If the OS limit is lower than maxchildren, this will not stop dg starting, but
when dg tries to spawn over the OS limit it will fail. Since it failed with
minchildren=240 this would indicate that your OS limit is around 250 (or less).
To see how many processes dg is actually using do a 'ps -ef|grep dans|wc -l' or
something similar.

Philip
----- Original Message -----

From: "Scott Mayo" <scotgmayo@...>
To: dansguardian@yahoogroups.com
Sent: Friday, 27 April, 2012 3:11:08 PM
Subject: Re: [dansguardian] Max Number of Processes





On Mon, Feb 27, 2012 at 10:46 AM, Philip Pearce < e2bntech@... > wrote:

> **
>
>
> In the standard dg build it's set at a max of around 1020.
>
> However, as the comment suggests it depends on the OS you are using.
>
> On Linux it is around 250, it may be different for other OS's.
>
>
I am curious to this 250 number. I decided to bump mine up to 350 this
morning and so far it is doing fine. This is on a Fedora box.

> Note that when you set maxchildren to a higher value than supported by the
> OS, it will only fail (possibly with core dump) when the system limit on
> the number of file_ids that can be handled by a select call is reached.
>
> To test what the system limit is set the minchildren to a high value say
> (maxchildren - preforkchildren). DG will then attempt to create that number
> of child processes on start-up, so if it's too large it will fail
> immediately. Once you have found the limit you can then reduce the
> minchildren to a more sensible figure.
>
> I set my minchildren to 240 and it failed on startup so I set it back
down, yet so far the machine is still running with maxchildren at 350. I
am curious to know for sure how high I can set my maxchildren.

--
Scott







#25450 From: Scott Mayo <scotgmayo@...>
Date: Fri Apr 27, 2012 3:54 pm
Subject: Re: Max Number of Processes
scotgmayo
 
On Fri, Apr 27, 2012 at 10:25 AM, Philip Pearce <e2bntech@...> wrote:

> **
>
>
> maxchildren just sets the upper limit of the number of child filter
> processes dg will attempt to spawn.
>
> If the OS limit is lower than maxchildren, this will not stop dg starting,
> but when dg tries to spawn over the OS limit it will fail. Since it
> failed with minchildren=240 this would indicate that your OS limit is
> around 250 (or less). To see how many processes dg is actually using do a
> 'ps -ef|grep dans|wc -l' or something similar.
>
>
I did that this morning and it was using 347 at one time.  That was the
largest number that I saw.  Everything was still working then and still is
so I assume I can bump it on up if I need to?  Until I get some sort of
error?

Thanks.

--
Scott



#25452 From: Philip Pearce <e2bntech@...>
Date: Mon Apr 30, 2012 9:12 am
Subject: Re: Max Number of Processes
e2bntech
 
>> If the OS limit is lower than maxchildren, this will not stop dg starting,
>> but when dg tries to spawn over the OS limit it will fail. Since it
>> failed with minchildren=240 this would indicate that your OS limit is
>> around 250 (or less). To see how many processes dg is actually using do a
>> 'ps -ef|grep dans|wc -l' or something similar.
>>
>
>I did that this morning and it was using 347 at one time. That was the
>largest number that I saw. Everything was still working then and still is
>so I assume I can bump it on up if I need to? Until I get some sort of
>error?

Yes, you can increase it - If you are getting 347 then it's likely that your OS
limit is 1024 - But keep an eye on memory usage as performance will sharply
degrade if the system starts to swap.

Regards
Philip

----- Original Message -----

From: "Scott Mayo" <scotgmayo@...>
To: dansguardian@yahoogroups.com
Sent: Friday, 27 April, 2012 4:54:50 PM
Subject: Re: [dansguardian] Max Number of Processes





On Fri, Apr 27, 2012 at 10:25 AM, Philip Pearce < e2bntech@... > wrote:

> **
>
>
> maxchildren just sets the upper limit of the number of child filter
> processes dg will attempt to spawn.
>
> If the OS limit is lower than maxchildren, this will not stop dg starting,
> but when dg tries to spawn over the OS limit it will fail. Since it
> failed with minchildren=240 this would indicate that your OS limit is
> around 250 (or less). To see how many processes dg is actually using do a
> 'ps -ef|grep dans|wc -l' or something similar.
>
>
I did that this morning and it was using 347 at one time. That was the
largest number that I saw. Everything was still working then and still is
so I assume I can bump it on up if I need to? Until I get some sort of
error?

Thanks.

--
Scott







#25454 From: Scott Mayo <scotgmayo@...>
Date: Tue Apr 17, 2012 1:13 pm
Subject: Re: Re: How to exempt specific sites from Basic-Authentication
scotgmayo
 
On Tue, Apr 17, 2012 at 4:07 AM, zab_crypto <zab.crypto@...> wrote:

> **
>
>
> Hi John!
> Yes, i use squid (listening on TCP 3128), DG (listening on TCP 8080), clam
> and bind9 (see ver. below if required). The basic authentication scheme is
> configured in squid and DG and it's working fine.
>
> However, i exempted some sites from authentication in squid's ACL, to
> enable the users to browse these sites without the need to authenticate
> (example):
>
> acl google_website dstdomain .google.com
> acl my_websites dstdomain "/etc/squid3/my_websites.conf"
> acl my_network src 192.168.1.0/24
> acl authenticated proxy_auth REQUIRED src my_network
>
> http_access allow my_network google_website
> http_access allow my_network my_websites
>

What happens if you just leave:

http_access allow google_website

Does it still ask for authentication?  I am no squid expert and it has been
a while since I edited my conf, but I believe the:

http_access allow my_network google_website

is an ~AND~ so both must match, which I would think would work since one is
your source, but I am not sure.  Just curious if it works by leaving off
the ~my_network~ part.

--
Scott



#25455 From: Scott Mayo <scotgmayo@...>
Date: Tue Apr 17, 2012 1:30 pm
Subject: Re: Re: How to exempt specific sites from Basic-Authentication
scotgmayo
 
On Tue, Apr 17, 2012 at 8:13 AM, Scott Mayo <scotgmayo@...> wrote:
>
>
> On Tue, Apr 17, 2012 at 4:07 AM, zab_crypto <zab.crypto@...>
> wrote:
>>
>>
>>
>> Hi John!
>> Yes, i use squid (listening on TCP 3128), DG (listening on TCP 8080), clam
>> and bind9 (see ver. below if required). The basic authentication scheme is
>> configured in squid and DG and it's working fine.
>>
>> However, i exempted some sites from authentication in squid's ACL, to
>> enable the users to browse these sites without the need to authenticate
>> (example):
>>
>> acl google_website dstdomain .google.com
>> acl my_websites dstdomain "/etc/squid3/my_websites.conf"
>> acl my_network src 192.168.1.0/24
>> acl authenticated proxy_auth REQUIRED src my_network
>>
>> http_access allow my_network google_website
>> http_access allow my_network my_websites
>
>
> What happens if you just leave:
>
> http_access allow google_website
>
> Does it still ask for authentication?  I am no squid expert and it has been
> a while since I edited my conf, but I believe the:
>
> http_access allow my_network google_website
>
> is an ~AND~ so both must match, which I would think would work since one is
> your source, but I am not sure.  Just curious if it works by leaving off
> the ~my_network~ part.

BTW, I just looked at my conf because I do the exact same thing that
you are talking about here.  I am not sure since it has been so long
since I have set up DG/Squid, but here is how I have it compared to
yours.

acl authenticated proxy_auth REQUIRED src my_network
http_access allow my_network my_websites

I only have something like:

acl authenticated proxy_auth REQUIRED
http_access allow my_websites

I am wondering since you have  'acl my_network src 192.168.1.0/24' and
then 'acl authenticated proxy_auth REQUIRED src my_network' , when you
have a line that starts with 'http_access allow my_network...' if it
is saying that the source must be 192.168.1.0 and also it must be
authenticated?

Also, if you are not proxying google then I would think all your
searches would show anything.  I know you still cannot go to the site,
but if you go to images or videos, you would get the small screenie,
which may be fine in your case.  I still authenticate for google, but
put it on the greylist.


--
Scott
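
Added example, not part of either post or of anyone's actual configuration: a small Python model of the evaluation order the two messages above discuss (ACLs on one `http_access` line are ANDed, lines are tried top to bottom, and reaching a `proxy_auth` ACL without credentials produces a 407 challenge). It assumes an authentication rule follows the exemptions and that requests relayed by DansGuardian arrive at Squid from 127.0.0.1; the sample clients are constructed.

```python
# Added illustration: a simplified model of how Squid evaluates http_access.
from ipaddress import ip_address, ip_network

ACLS = {
    "my_network": lambda r: ip_address(r["src"]) in ip_network("192.168.1.0/24"),
    "google_website": lambda r: r["host"] == "google.com"
                                or r["host"].endswith(".google.com"),
    "authenticated": lambda r: r["user"] is not None,  # proxy_auth REQUIRED
    "all": lambda r: True,
}
AUTH_ACLS = {"authenticated"}

def http_access(rules, request):
    """Return 'ALLOW', 'DENY' or '407' from the first line whose ACLs all match."""
    for action, names in rules:
        matched = True
        for name in names:  # ACLs on one line are ANDed, left to right
            if name in AUTH_ACLS and request["user"] is None:
                return "407"  # auth ACL reached without credentials: challenge
            if not ACLS[name](request):
                matched = False
                break
        if matched:
            return action
    return "DENY"

# Assumed rules: the thread does not show the lines that enforce authentication.
AUTH_TAIL = [("ALLOW", ["authenticated"]), ("DENY", ["all"])]
AS_POSTED = [("ALLOW", ["my_network", "google_website"])] + AUTH_TAIL
WITHOUT_SRC = [("ALLOW", ["google_website"])] + AUTH_TAIL

def request(src, host, user=None):
    return {"src": src, "host": host, "user": user}

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("without src", WITHOUT_SRC)):
        for src in ("192.168.1.20", "127.0.0.1"):  # constructed sample clients
            print(label, src, http_access(rules, request(src, "www.google.com")))
```

Dropping the `src` condition extends the exemption to every client that can reach Squid, so the listening port should be reachable only from the intended network or from DansGuardian.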

#25456 From: Scott Mayo <scotgmayo@...>
Date: Tue May 1, 2012 2:37 pm
Subject: Re: Max Number of Processes
 
On Mon, Apr 30, 2012 at 4:12 AM, Philip Pearce <e2bntech@...> wrote:

> >> If the OS limit is lower than maxchildren, this will not stop dg starting,
> >> but when dg tries to spawn over the OS limit it will fail. Since it
> >> failed with minchildren=240 this would indicate that your OS limit is
> >> around 250 (or less). To see how many processes dg is actually using do a
> >> 'ps -ef|grep dans|wc -l' or something similar.
> >>
> >
> >I did that this morning and it was using 347 at one time. That was the
> >largest number that I saw. Everything was still working then and still is
> >so I assume I can bump it on up if I need to? Until I get some sort of
> >error?
>
> Yes, you can increase it - If you are getting 347 then it's likely that
> your OS limit is 1024 - But keep an eye on memory usage as performance will
> sharply degrade if the system starts to swap.
>


Thanks for the info.  I have been watching TOP off and on.  Looks like my
CPU usage is somewhere around 1-5% on average and jumps up to 8-12 once in
a bit.  Memory usage is around 950,000k out of 2,065,084k on average, so it
is not having to use any Swap yet.

Those numbers came when it was using 250-301 processes.

--
Scott

