[CS-FSLUG] DansGuardian installation

Stephen J. McCracken smccracken at hcjb.org.ec
Sat Mar 3 23:19:29 CST 2007


Tim Young wrote:
> The only real difference is that you need to set up a "transparent proxy
> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

I didn't read the article, but this is NOT TRUE.  You can easily set
this up without it being a transparent proxy.  In fact, transparent
proxies will NOT work in some situations (most notably when you require
proxy authentication).  We have squid and dansguardian set up for about
300 clients on our network (including proxy authentication).  We don't
have multiple LAN cards in the proxy either.  (We do block direct access
out for most clients (allowing only the proxy server direct access out)
so that the only option to get to the web is to go through the proxy.)
We have also set up automatic detection on the network so things usually
just work.

For automatic detection, look up information on "WPAD" which is MS's
"extension" of Netscape's proxy.pac structure.  Basically you need to
have a web server serve up the proxy.pac named as wpad.dat from
wpad.<domain>.<tld>

You can realistically run it all on one box with DNS, DHCP (maybe),
Apache, Squid, and Dansguardian.  You have:

- DHCP that lets every computer know that it's in the domain.tld network.
- DNS that, among other things, resolves wpad.domain.tld to the apache
server.
- Apache that serves the wpad.dat (proxy.pac renamed) file from the root
of wpad.domain.tld.
- the wpad.dat file (served from Apache) tells the browser which proxy
to use and when (point them at Dansguardian on the same box).
- Dansguardian gets the web requests and forwards them on to Squid (on
the same box) to actually retrieve them.

There are more complex setups, but that's the basic idea.  Many people
actually think that transparent proxying is a *very bad idea* as it
breaks things.

sjm
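
A minimal wpad.dat for the single-box layout described above, as an added example that is not part of the original post. The proxy host name `proxy.domain.tld` and port 8080 (assumed to be the port DansGuardian listens on) are assumptions, and `domain.tld` is the placeholder domain used in the post.

```javascript
// wpad.dat: a proxy.pac file served as http://wpad.domain.tld/wpad.dat
// (browsers expect the MIME type application/x-ns-proxy-autoconfig).
// Plain ES3 string handling only, so the same logic runs in any PAC engine.

// Constructed values (assumptions, not taken from the post):
var LOCAL_DOMAIN = ".domain.tld";            // placeholder domain from the post
var FILTER = "PROXY proxy.domain.tld:8080";  // hypothetical DansGuardian host:port

// True for hosts that should be reached without the filter.
function isLocalHost(host) {
  host = host.toLowerCase();
  // Single-label names (intranet, localhost) never leave the LAN.
  if (host.indexOf(".") === -1) return true;
  // Exact loopback match only; a prefix test would also match names
  // such as 127.example.com and let them skip the filter.
  if (host === "127.0.0.1") return true;
  // The bare domain itself.
  if (host === LOCAL_DOMAIN.slice(1)) return true;
  // Suffix match including the leading dot, so "notdomain.tld" and
  // "domain.tld.example.com" are NOT treated as local.
  return host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN;
}

// Entry point every PAC/WPAD client calls for each request.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the filter is down the request fails
  // instead of silently going around DansGuardian.
  return FILTER;
}
```

With direct outbound access blocked at the firewall as the post describes, a host wrongly classified as DIRECT fails to connect rather than bypassing the filter.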



