Description of problem:
originalip = on causes some sites, like facebook.com, to get "BAD REQUEST" errors from dansguardian due to bad dns lookups related to the site's dynamic load balancing.

Version-Release number of selected component (if applicable):
dansguardian-2.10.1.1-1.fc10.i386
dansguardian-2.10.1.1-2.fc12.i686

How reproducible:
Very

Steps to Reproduce:
1. Install dansguardian, and start it... perhaps squid also.
2. Use "iptables -t nat -I OUTPUT -m tcp -p tcp --dport 80 -m owner ! --uid-owner squid -j DNAT --to-destination 127.0.0.1:8080" to enable transparent proxy.
3. Add facebook.com to your exceptionsitelist, and restart dansguardian.
4. Attempt to access various sections of facebook.com.

Actual results:
BAD REQUEST. Also, this in /var/log/messages:
Aug 25 21:30:11 campnanvan dansguardian[7261]: Destination host of apps.facebook.com did not match the original destination IP of 69.63.184.150
Aug 25 21:30:27 campnanvan dansguardian[7261]: Destination host of www.facebook.com did not match the original destination IP of 69.63.184.32

Expected results:
Access to site.

Additional info:
Setting originalip=off fixed it. However, it seems like this may be the more reasonable default to include in dansguardian.conf. While the .conf for the version I have in fc12 says it's not even compiled, for either installation "dansguardian -v" output includes "Built with:" ... "'--enable-orig-ip'".

Here's what the help I got on the dansguardian support list said:

From the comments in dansguardian.conf regarding the "originalip" option:

"Be aware that when visiting sites which use a certain type of round-robin DNS for load balancing, DG may mark requests as invalid unless DG gets exactly the same answers to its DNS requests as clients. The chances of this happening can be increased if all clients and servers on the same LAN make use of a local, caching DNS server instead of using upstream DNS directly."
The "originalip" option is NOT something you can simply turn on and magically fix security problems with no side-effects, which is why it is not compiled in by default. You have several options:

* Consider NOT running the proxy in transparent mode. If you're worried that people will then just stop using the proxy, use some other means to enforce proxy settings on clients, or just block port 80 traffic instead of redirecting it.

* Try installing a caching DNS server somewhere on the network and getting clients on the LAN (including the proxy server) to use it. I can't guarantee this will help, but it might.

* If you really want to continue using a transparent proxy, there are other solutions to the security issues this option tries to address. The simplest one is to use Squid ACLs to simply deny any HTTP requests to LAN IPs. Providing that clients on the LAN don't have to go through the proxy when sending traffic to each other, this is a much cleaner solution and won't cause any issues.

If you got your DansGuardian package straight from your distribution, and the default package configuration had this option compiled in and enabled, I would recommend you file a bug against that package, perhaps quoting this email.

Regards
--
Philip Allison
Senior Developer
SmoothWall Ltd
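An added illustration (not part of this bug report and not DansGuardian's own code) of the check behind the originalip option and of the round-robin DNS false positive described above. The client resolves the name itself and opens a TCP connection; iptables DNAT redirects that connection to the proxy, which still knows the address the client was really heading for (the "original destination IP"), pulls the Host header out of the request, and resolves that name with its own resolver. If the two DNS views disagree, the request is rejected with exactly the kind of log line quoted in the report. The hostnames (.test), addresses (203.0.113.0/24) and the two resolver tables are constructed; the second run in main() shows the remedy from the quoted dansguardian.conf comment, a single caching resolver shared by clients and proxy.

```python
"""Simulation of the 'originalip' consistency check and its round-robin DNS
failure mode.  Added example, not DansGuardian code; all names, addresses and
resolver tables below are constructed."""

from typing import Dict, Iterable, Mapping, Sequence, Tuple

# Constructed DNS views.  Each maps a name to the addresses one resolver returned.
# With round-robin / geo load balancing, the client's resolver and the proxy's
# resolver (or one resolver queried a few seconds apart) can hand out different sets.
CLIENT_DNS: Mapping[str, Sequence[str]] = {
    "www.example-lb.test": ["203.0.113.32"],
    "apps.example-lb.test": ["203.0.113.150"],
}
PROXY_DNS: Mapping[str, Sequence[str]] = {
    "www.example-lb.test": ["203.0.113.40", "203.0.113.41"],  # disagrees with the client
    "apps.example-lb.test": ["203.0.113.150"],                 # agrees with the client
}


def extract_host(raw_request: bytes) -> str:
    """Pull the Host header out of a raw HTTP/1.x request, lower-cased, without :port."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            if host.startswith("["):            # IPv6 literal: keep the brackets
                host = host[: host.index("]") + 1]
            elif ":" in host:                   # hostname:port -> hostname
                host = host.rsplit(":", 1)[0]
            return host.lower()
    raise ValueError("request carries no Host header")


def original_ip_check(host: str, original_dst: str,
                      resolver: Mapping[str, Sequence[str]]) -> bool:
    """The originalip test: does the Host header, resolved by the proxy, include
    the address the intercepted TCP connection was actually going to?"""
    return original_dst in resolver.get(host, ())


def filter_request(raw_request: bytes, original_dst: str,
                   resolver: Mapping[str, Sequence[str]]) -> Tuple[str, str]:
    """Return (verdict, log_line) for one intercepted request."""
    host = extract_host(raw_request)
    if original_ip_check(host, original_dst, resolver):
        return "ALLOW", ""
    return ("BAD REQUEST",
            f"Destination host of {host} did not match the original destination "
            f"IP of {original_dst}")


def simulate(hosts: Iterable[str], client_dns: Mapping[str, Sequence[str]],
             proxy_dns: Mapping[str, Sequence[str]]) -> Dict[str, str]:
    """Each client resolves a name with client_dns and connects to the first
    answer; DNAT delivers the connection to the proxy, which re-resolves the
    Host header with proxy_dns and applies the check."""
    verdicts: Dict[str, str] = {}
    for host in hosts:
        original_dst = client_dns[host][0]
        request = f"GET / HTTP/1.1\r\nHost: {host}:80\r\n\r\n".encode()
        verdict, _ = filter_request(request, original_dst, proxy_dns)
        verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    names = list(CLIENT_DNS)
    # Separate resolvers: the load-balanced name gets BAD REQUEST, the other passes.
    print("separate resolvers:", simulate(names, CLIENT_DNS, PROXY_DNS))
    # Shared caching resolver: client and proxy see identical answers, all pass.
    print("shared cache      :", simulate(names, CLIENT_DNS, CLIENT_DNS))
```

The check is only as good as the agreement between the two DNS views, which is why the conf comment recommends one local caching resolver for every host on the LAN; even then a short TTL on the load-balanced record can still produce the occasional mismatch.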
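The third option in the email, Squid ACLs that refuse to proxy requests to LAN addresses, looks like the following squid.conf fragment. This is an added example, not from the thread or from Squid's shipped configuration; the address ranges are the RFC 1918 private blocks plus loopback and must be adjusted to the network in question, and the localnet range is a placeholder.

```conf
# Added example squid.conf fragment (not from this bug report).  Squid's "dst"
# ACL type matches the destination address the proxy itself resolves for the
# request, so it does not depend on the client's DNS answers the way originalip does.
acl lan_dst dst 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8

# Deny before any allow rule: transparently redirected requests can no longer
# be steered at hosts inside the LAN through the proxy.
http_access deny lan_dst

# Usual client access rules follow (192.168.1.0/24 is a placeholder LAN).
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

As the email notes, this only works cleanly when LAN clients talk to each other directly rather than through the proxy; if intranet web servers must be reachable via Squid, they need an explicit allow placed above the deny.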
dansguardian-2.10.1.1-3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/dansguardian-2.10.1.1-3.fc11
dansguardian-2.10.1.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/dansguardian-2.10.1.1-3.fc10
dansguardian-2.10.1.1-3.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dansguardian'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-9919
dansguardian-2.10.1.1-3.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dansguardian'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-9928
dansguardian-2.10.1.1-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
dansguardian-2.10.1.1-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.