Option | Description | Default value |
bindir | where the binary gets placed | /usr/sbin/ |
sysconfdir | where the config and data files gets placed | /etc/dansguardian/ |
sysvdir | where the startup script gets placed | /etc/rc.d/init.d/ |
cgidir | where the cgi-bin dir is located | /home/httpd/cgi-bin/ |
mandir | where the man docs get placed | /usr/man/ |
logdir | where the logs get place | /var/log/dansguardian/ |
runas_usr | the system user the daemon runs as | nobody |
runas_grp | the system group the daemon runs as | nobody |
piddir | where the pid file gets placed | /var/run/ |
Lists Name | Expalination |
exceptionsitelist | This contains a list of domain endings that if found in the requested URL, DansGuardian will not filter the page. Note that you should not put the http:// or the www. at the beginning of the entries. |
exceptioniplist | This contains a list of client IPs who you want to bypass the filtering. For example, the network administrator's computer's IP. |
exceptionuserlist | Usernames who will not be filtered (basic authentication or ident must be enabled). |
exceptionphraselist | If any of the phrases listed here appear in a web page then the filtering is bypassed. Care should be taken adding phrases to this file as they can easily stop many pages from being blocked. It would be better to put a negative value in the weightedphraselist. |
exceptionurllist | URLs in here are for parts of sites that filtering should be switched off for. |
bannediplist | IP addresses of client machines to disallow web access to. Only put IP addresses here, not host names. |
bannedphraselist | This contains a list of banned phrases. The phrases must be enclosed between <>. DansGuardian is supplied with an example list. You can not use phrases such as |
banneduserlist | Users names, who, if basic proxy authentication is enabled, will automatically be denied web access. |
bannedmimetypelist | This contains a list of banned MIME-types. If a URL request returns a MIME-type that is in this list, DansGuardian will block it. DansGuardian comes with some example MIME-types to deny. This is a good way of blocking inappropriate movies for example. It is obviously unwise to ban the MIME-types text/html or image/*. |
bannedextensionlist | This contains a list of banned file extensions. If a URL ends in an extension that is in this list, DansGuardian will block it. DansGuardian comes with some example file extensions to deny. This is a good way of blocking kiddies from downloading those lovely screen savers and hacking tools. You are a fool if you ban the file extension .html, or .jpg etc. |
bannedregexpurllist | This contains a list of banned regular expression URLs. For more information on regular expressions, click here. Regular expressions are a very powerful pattern matching system. This file allows you to match URLs using this method. |
bannedsitelist | This file contains a list of banned sites. Entering a domain name here bans the entire site. For banning specific parts of a site, see bannedurllist. Also, you can have a blanket ban all sites except those specifically excluded in exceptionsitelist. You can also block sites specified only as an IP address, and include a stock squidGuard blacklists collection. To enable these blacklists, download them from the extras section here. Simply put them somewhere appropriate, un-comment the squidGuard blacklists collection lines at the bottom of the bannedsitelist file, and check the paths are correct. For URL blacklists, edit the bannedurllist in a similar way. |
bannedurllist | This allows you to block specific parts of a site rather than the whole site.? To block an entire site, see bannedsitelist. To enable squidGuard blacklists for URLs, you will need to download the blacklists and edit the squidGuard blacklists collection section at the bottom (as for bannedsitelist above). |
weightedphraselist | Each phrase is given a value either positive or negative and the values are added up. Phrases to do with good subjects will have negative values, and bad subjects will have positive values. Once the naughtyness limit is reached (within dansguardian.conf), the page is blocked. See the Naughtyness Limit description within the dansguardian.conf section below. |
pics | This file allows you to finely tune the PICS filtering. Each PICS section comes with a description of the allowed settings and what they represent. The default settings with DansGuardian are set for youngish children, for example mild profanities and artistic nudity are allowed. PICS filtering can also be totally disabled / enabled using the enablePICS = on | off option.? |
Config Option | Explanation |
Reporting Level | You can change the reporting level for when a page gets denied. It can say just 'Access Denied', or report why, or report why and what the denied phrase is. The latter may be more useful for testing, but the middler would be more useful in a school environment. Stealth mode logs what would be denied but doesn't do any blocking. |
Logging Settings | This setting lets you configure the logging level. You can log nothing, just denied pages, text based and all requests. HTTPS requests only get logged when the logging is set to 3 - all requests. |
Log Exception Hits | Log if an exception (user, ip, URL, or phrase) is matched and so the page gets let through. This can be useful for diagnosing why a site gets through the filter. |
Log File Format | This setting alters the format of the DansGuardian log file. Please note option 3 (standard log format) is not yet unimplemented. |
Network Settings | These allow you to modify the IP address that DansGuardian is listening on, the port DansGuardian listens on, the IP address of the server running squid as well as the squid port. It is possible to configure the Access Denied reporting page here also. |
Content Filtering Settings | Here you can modify the location of the list files. Adjusting these locations is not recommended. |
Naughtyness limit | This setting refers to the weighted phrase limit over which the page will be blocked. Each weighted phrase is given a value either positive or negative and the values added up. Phrases to do with good subjects will have negative values, and bad subjects will have positive values. See the weightedphraselist file for examples. As a rough guide, a value of 50 is for young children, 100 for older children, 160 for young adults. |
Show weighted phrases found | If enabled then the phrases found that made up the total which exceeds the naughtyness limit will be logged and, if the reporting level is high enough, reported. |
Reverse Lookups for Banned Sites and URLs | If set to on, DansGuardian will look up the forward DNS for an IP URL address and search for both in the banned site and URL lists. This would prevent a user from simply entering the IP for a banned address. It will reduce searching speed somewhat so unless you have a local caching DNS server, leave it off and use the Blanket IP Block option in the bannedsitelist file instead. |
Build bannedsitelist and bannedurllist Cache Files | This will compare the date stamp of the list file with the date stamp of the cache file and will recreate as needed. If a bsl or bul .processed file exists, then that will be used instead. It will increase process start speed by 300%. On slow computers this will be significant. Fast computers do not need this option. |
POST protection (web upload and forms) | This is for blocking or limiting uploads, not for blocking forms without any file upload. The value is given in kilobytes after MIME encoding and header information. |
Username identification methods (used in logging) | The proxyauth option is for when basic proxy authentication is used (obviously no good for transparent proxying). The ntlm option is for when the proxy supports the MS NTLM authentication. This only works with IE5.5 sp1 and later, and has not been implemented yet. The ident option causes DansGuardian to try to connect to an identd server on the computer originating the request. |
Forwarded For | This option adds an X-Forwarded-For: |
Max Children | This sets the maximum number of processes to spawn to handle the incoming connections. This will prevent DoS attacks killing the server with too many spawned processes. On large sites you might want to double or triple this number. |
Log Connection Handling Errors | This option logs some debug info regarding fork()ing and accept()ing which can usually be ignored. These are logged by syslog. It is safe to leave this setting on or off. |
Labels: DansGuardian