Bug 519976 - should originalip = off by default?
Summary: should originalip = off by default?
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dansguardian
Version: rawhide
Hardware: i686
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Felix Kaechele
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-08-27 20:08 UTC by Andrew Vandever
Modified: 2009-10-14 02:03 UTC (History)

Fixed In Version: 2.10.1.1-3.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-14 01:51:43 UTC
Type: ---
Embargoed:



Description Andrew Vandever 2009-08-27 20:08:06 UTC
Description of problem:
originalip = on causes some sites, like facebook.com, to get "BAD REQUEST" errors from dansguardian due to bad dns lookups related to the site's dynamic load balancing.

Version-Release number of selected component (if applicable):
dansguardian-2.10.1.1-1.fc10.i386
dansguardian-2.10.1.1-2.fc12.i686

How reproducible:
Very

Steps to Reproduce:
1. Install dansguardian, and start it...perhaps squid also.
2. Use "iptables -t nat -I OUTPUT -m tcp -p tcp --dport 80 -m owner ! --uid-owner squid -j DNAT --to-destination 127.0.0.1:8080" to enable transparent proxy.
3. Add facebook.com to your exceptionsitelist, and restart dansguardian.
4. Attempt to access various sections of facebook.com.
  
Actual results:
BAD REQUEST. Also, this in /var/log/messages:
Aug 25 21:30:11 campnanvan dansguardian[7261]: Destination host of apps.facebook.com did not match the original destination IP of 69.63.184.150
Aug 25 21:30:27 campnanvan dansguardian[7261]: Destination host of www.facebook.com did not match the original destination IP of 69.63.184.32

Expected results:
Access to site.

Additional info:
Setting originalip=off fixed it. However, it seems like this may be the more reasonable default to include in dansguardian.conf. While the .conf for the version I have in fc12 says it's not even compiled, for either installation "dansguardian -v" output includes "Built with:"......"'--enable-orig-ip'". Here's what my help on the dansguardian support list said:
From the comments in dansguardian.conf regarding the "originalip"
option:

"Be aware that when visiting sites which use a certain type of
round-robin DNS for load balancing, DG may mark requests as invalid
unless DG gets exactly the same answers to its DNS requests as clients.
The chances of this happening can be increased if all clients and
servers on the same LAN make use of a local, caching DNS server instead
of using upstream DNS directly."

The "originalip" option is NOT something you can simply turn on and
magically fix security problems with no side-effects, which is why it is
not compiled in by default.

You have several options:

* Consider NOT running the proxy in transparent mode. If you're
worried that people will then just stop using the proxy, use
some other means to enforce proxy settings on clients, or just
block port 80 traffic instead of redirecting it.
* Try installing a caching DNS server somewhere on the network and
getting clients on the LAN (including the proxy server) to use
it. I can't guarantee this will help, but it might.
* If you really want to continue using a transparent proxy, there
are other solutions to the security issues this option tries to
address. The simplest one is to use Squid ACLs to simply deny
any HTTP requests to LAN IPs. Providing that clients on the LAN
don't have to go through the proxy when sending traffic to each
other, this is a much cleaner solution and won't cause any
issues.

If you got your DansGuardian package straight from your distribution,
and the default package configuration had this option compiled in and
enabled, I would recommend you file a bug against that package, perhaps
quoting this email.

Regards
-- 
Philip Allison
Senior Developer

SmoothWall Ltd
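
The two behaviours the thread describes can be modelled in a few lines. The following is an added illustration, not dansguardian's or Squid's code: a strict originalip-style check (the Host header, resolved on the proxy, must equal the address the client's connection was redirected from), run against a constructed round-robin DNS zone first with client and proxy querying upstream independently and then with both behind one shared caching resolver, plus the Squid-ACL alternative Philip Allison suggests, modelled as "deny when the destination resolves to a private LAN address". The 69.63.x addresses are the ones quoted in the log lines above; the 203.0.113.x addresses, the intranet name and the resolver rotation are constructed for the example.

```python
import ipaddress

# Constructed round-robin DNS zone: each name maps to the set of addresses the
# authoritative server rotates through. The 69.63.x addresses are the ones
# quoted in the report's log lines; the 203.0.113.x (TEST-NET-3) addresses and
# the intranet name are constructed for this illustration.
ZONE = {
    "www.facebook.com": ["69.63.184.32", "203.0.113.32", "203.0.113.33"],
    "apps.facebook.com": ["203.0.113.150", "69.63.184.150"],
    "intranet.example.lan": ["192.168.1.10"],
}


class RoundRobinResolver:
    """Models an upstream server that rotates its answer on every query."""

    def __init__(self, zone):
        self.zone = zone
        self.counter = {}

    def resolve(self, name):
        answers = self.zone[name]
        i = self.counter.get(name, 0)
        self.counter[name] = i + 1
        return answers[i % len(answers)]


class CachingResolver:
    """Models a local caching resolver shared by the LAN: the first upstream
    answer is cached, so every client (and the proxy) gets the same address
    until the entry expires (expiry is not modelled here)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name):
        if name not in self.cache:
            self.cache[name] = self.upstream.resolve(name)
        return self.cache[name]


def originalip_check(host_header, original_dst_ip, proxy_resolver):
    """Strict originalip-style check (a model, not dansguardian's code): the
    Host header, resolved on the proxy, must equal the address the client's
    connection was redirected from. Returns (ok, message); the message mirrors
    the log line quoted in the report."""
    resolved = proxy_resolver.resolve(host_header)
    if resolved != original_dst_ip:
        return False, (f"Destination host of {host_header} did not match the "
                       f"original destination IP of {original_dst_ip}")
    return True, "ok"


def transparent_request(host, client_resolver, proxy_resolver):
    """The client resolves host and connects; the NAT redirect hands the proxy
    the original destination IP plus the Host header, and the check runs."""
    original_dst = client_resolver.resolve(host)
    return originalip_check(host, original_dst, proxy_resolver)


def lan_destination_denied(host, proxy_resolver):
    """Squid-ACL-style alternative from the thread: deny a request when its
    destination, as the proxy resolves it, is a private (LAN) address."""
    return ipaddress.ip_address(proxy_resolver.resolve(host)).is_private


def scenario_direct_upstream(host="www.facebook.com", requests=3):
    """Client and proxy both query upstream directly: each query advances the
    rotation, so the proxy never sees the same answer as the client."""
    upstream = RoundRobinResolver(ZONE)
    return [transparent_request(host, upstream, upstream)[0]
            for _ in range(requests)]


def scenario_shared_cache(host="www.facebook.com", requests=3):
    """Client and proxy share one caching resolver: their answers agree."""
    cache = CachingResolver(RoundRobinResolver(ZONE))
    return [transparent_request(host, cache, cache)[0]
            for _ in range(requests)]


if __name__ == "__main__":
    print("direct upstream, round-robin name:", scenario_direct_upstream())
    print("direct upstream, single-address name:",
          scenario_direct_upstream("intranet.example.lan"))
    print("shared caching resolver:", scenario_shared_cache())
    print(originalip_check("apps.facebook.com", "69.63.184.150",
                           RoundRobinResolver(ZONE)))
    print("deny LAN destination:",
          lan_destination_denied("intranet.example.lan",
                                 RoundRobinResolver(ZONE)))
```

Run stand-alone, the round-robin name fails the check on every request when client and proxy resolve independently and passes on every request once both use the shared cache; a name with a single address is unaffected either way, which is why the problem only shows up on load-balanced sites. The LAN-destination check reaches its verdict without comparing anything the client resolved, which is what makes it immune to the rotation.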

Comment 1 Fedora Update System 2009-09-23 18:52:22 UTC
dansguardian-2.10.1.1-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/dansguardian-2.10.1.1-3.fc11

Comment 2 Fedora Update System 2009-09-23 18:52:55 UTC
dansguardian-2.10.1.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/dansguardian-2.10.1.1-3.fc10

Comment 3 Fedora Update System 2009-09-25 20:06:10 UTC
dansguardian-2.10.1.1-3.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dansguardian'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-9919

Comment 4 Fedora Update System 2009-09-25 20:08:53 UTC
dansguardian-2.10.1.1-3.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dansguardian'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-9928

Comment 5 Fedora Update System 2009-10-14 01:50:41 UTC
dansguardian-2.10.1.1-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-10-14 02:02:44 UTC
dansguardian-2.10.1.1-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

