{"id":14,"date":"2007-02-22T01:39:14","date_gmt":"2007-02-21T22:39:14","guid":{"rendered":"http:\/\/blog.hostwebtr.com\/?p=14"},"modified":"2007-02-22T01:39:14","modified_gmt":"2007-02-21T22:39:14","slug":"dansguardian-squid-probleminam-i-diger-follow_x_forwarded_for","status":"publish","type":"post","link":"https:\/\/www.48k.com.tr\/dansguardian-squid-probleminam-i-diger-follow_x_forwarded_for\/","title":{"rendered":"Dansguardian + Squid problemi.Nam-\u0131 di\u011fer follow_x_forwarded_for"},"content":{"rendered":"

A\u00e7\u0131klama<\/strong><\/p>\n

T\u0131pk\u0131 di\u011fer yazd\u0131\u011f\u0131m belgeler gibi bu belge de kirlidir.Ama siz buna ald\u0131rmayabilirsiniz.\u00c7\u00fcnk\u00fc i\u015fe yaramaz \u015feyler yazmamaya gayret ediyorum.Bozuk t\u00fcrk\u00e7em i\u00e7in tekrar \u00f6z\u00fcr.Birg\u00fcn d\u00fczelecek:)<\/p>\n

Neden Dansguardian? Squid bize yetmez mi?<\/strong><\/p>\n

E\u011fer konu i\u00e7erik filtreleme ise yetmez.\u00c7\u00fcnk\u00fc squid \u00e7ok ba\u015far\u0131l\u0131 bir http proxydir,access control list yap\u0131s\u0131 bence benzersizdir ancak konu i\u00e7erik filtreleme (dikkat adres sat\u0131r\u0131 de\u011fil,i\u00e7erik!) olunca ne yaz\u0131kki yetersiz kal\u0131yor.<\/p>\n

Dansguardian i\u015fte burda devreye giriyor,squidin yapamad\u0131\u011f\u0131 i\u00e7erik filtrelemeyi ba\u015far\u0131yla ger\u00e7ekle\u015ftiriyor.<\/p>\n

Peki neden sadece dansguardian kullanam\u0131yoruz?<\/strong><\/p>\n

\u00d6\u00f6\u00f6le yapm\u0131\u015f adamlar napal\u0131m yani:)Dansguardian mutlaka bir http proxy ile beraber \u00e7al\u0131\u015fmak zorunda.Cachei,Acl,Delay Pools,Httpd Accel gibi \u00f6zellikleri yok.Tek yapt\u0131\u011f\u0131 i\u015f web sayfalar\u0131n\u0131n i\u00e7eri\u011fine bakmak.Bunu da gayet iyi yap\u0131yor.<\/p>\n

Sorun ne peki?<\/strong><\/p>\n

Dansguardian ile squidi ayn\u0131 makinaya kurdunuz.dansguardian da ve squidde standart ayarlarlar\u0131 yapt\u0131n\u0131z.Her\u015fey \u00e7al\u0131\u015f\u0131r durumdayken squid’in access.log una bir bak\u0131n.T\u00fcm web isteklerinin kaynak ip’lerinin de\u011fi\u015fmi\u015f oldu\u011funu g\u00f6receksiniz.Art\u0131k t\u00fcm isteklerin kayna\u011f\u0131 proxy sunucunuz gibi g\u00f6r\u00fcnmektedir.Bu durumda squid’in access control listeleri kullan\u0131lamaz hale gelir.<\/p>\n

\u00c7\u00f6z\u00fcm ne?<\/strong><\/p>\n

Bildi\u011fim kadar\u0131yla ilk \u00e7\u00f6z\u00fcm squid 2.4 versiyonuna bir yamayla ba\u015flad\u0131.Ama ben bununla ilgilenmedim.Burada yapaca\u011f\u0131m\u0131z squid kurulumu kaynaktan derleme olacakt\u0131r.(squid-2.6.STABLE6.tar.gz)<\/p>\n

Dansguardian i\u00e7in debian stable depolar\u0131ndan normal kurulum yeterli olacakt\u0131r.Dansguardian taraf\u0131nda sadece dansguardian.conf ta yapaca\u011f\u0131m\u0131z iki sat\u0131r de\u011fi\u015fiklik,hepsi bu.<\/p>\n

Squid Kurulumu<\/strong><\/p>\n

Yukarda bahsetti\u011fim tar.gz dosyas\u0131n\u0131 www.squid-cache.org dan indirin.Sisteminizde istedi\u011finiz bir yere a\u00e7\u0131n.\u015eu parametrelerle derleyin.<\/p>\n

.\/configure –enable-follow-x-forwarded-for –enable-linux-netfilter –enable-delay-pools –enable-arp-acl<\/p>\n

make all<\/p>\n

ve son olarak make install<\/p>\n

A\u015fa\u011f\u0131da verdi\u011fim derleme se\u00e7eneklerini k\u0131saca a\u00e7\u0131klamaya \u00e7al\u0131\u015faca\u011f\u0131m<\/p>\n

ilk parametre olan enable-follow-x-forwarded-for bizim sorunumuzu \u00e7\u00f6zen parametre.Ba\u015fka proxy \u00fczerinden istek yapan hostlar\u0131n kendi ip sini bulmam\u0131za yard\u0131mc\u0131 olur.Buradaki ba\u015fka proxy dansguardian oluyor.<\/p>\n

–enable-linux-netfilter bize transparan proxy yapmam\u0131za imkan tan\u0131yan derleme se\u00e7ene\u011fidir.<\/p>\n

–enable-delay-pools : Delay Pools Squid’de bandwidth management yapman\u0131za imkan tan\u0131r.<\/p>\n

–enable-arp-acl : Ip de\u011fi\u015ftirmeyi bilen ak\u0131ll\u0131 kullan\u0131c\u0131lar\u0131n\u0131za,bunun yeterli olmayaca\u011f\u0131n\u0131 g\u00f6stermenize imkan tan\u0131yan parametre.Onlar ethernet kart\u0131 veya mac adreslerini de\u011fi\u015ftirmeyi \u00f6\u011freninceye kadar ,size kurallar\u0131n\u0131z\u0131 uygulayabilme imkan\u0131 tan\u0131r.<\/p>\n

Herhangi bir hata yoksa,squid sisteminize ba\u015far\u0131yla kurulmu\u015ftur.E\u011fer farkl\u0131 bir yol belirlemediyseniz squid \/usr\/local alt\u0131ndad\u0131r.<\/p>\n

A\u015fa\u011f\u0131dakileri ad\u0131m ad\u0131m yap\u0131n.
\nProxy ad\u0131nda bir grup ve bu gruba \u00fcye ayn\u0131 isimde bir kullan\u0131c\u0131 yarat\u0131n.<\/p>\n

\/usr\/local\/squid\/var\/log ve \/usr\/local\/var\/cache dizinlerinin haklar\u0131n\u0131 bu kullan\u0131c\u0131 ve grupla de\u011fi\u015ftirin.<\/p>\n

\/usr\/local\/squid\/etc\/squid.conf un bir yede\u011fini al\u0131n.A\u015fa\u011f\u0131daki sat\u0131rlar\u0131 dosyan\u0131za ekleyin.<\/p>\n

\u0130lk sayfada;<\/p>\n

# Squid normally listens to port 3128
\nhttp_port sunucu_ip_no:3128 transparent<\/p>\n

Acl ile ilgili b\u00f6l\u00fcmde koyu olan b\u00f6l\u00fcmleri ilave edin.
\nacl all src 192.168.0.0\/255.255.255.0 (siz bunu kendi network\u00fcn\u00fcze g\u00f6re ayarlay\u0131n)<\/strong>
\nacl manager proto cache_object
\nacl localhost src 127.0.0.1\/255.255.255.255
\nacl to_localhost dst 127.0.0.0\/8
\nacl SSL_ports port 443
\nacl Safe_ports port 80 # http
\nacl Safe_ports port 21 # ftp
\nacl Safe_ports port 443 # https
\nacl Safe_ports port 70 # gopher
\nacl Safe_ports port 210 # wais
\nacl Safe_ports port 1025-65535 # unregistered ports
\nacl Safe_ports port 280 # http-mgmt
\nacl Safe_ports port 488 # gss-http
\nacl Safe_ports port 591 # filemaker
\nacl Safe_ports port 777 # multiling http
\nacl CONNECT method CONNECT
\nfollow_x_forwarded_for allow all<\/strong><\/p>\n

acl_uses_indirect_client on<\/strong>
\n# delay_pool_uses_indirect_client on (band geni\u015fli\u011fi s\u0131n\u0131rlamas\u0131 yapm\u0131yorsan\u0131z buna ihtiyac\u0131n\u0131z olmaycakt\u0131r.<\/strong>
\nlog_uses_indirect_client on<\/strong><\/p>\n

Daha sonra http_access ile ba\u015flayan b\u00f6l\u00fcme ge\u00e7in, kendi politikan\u0131za g\u00f6re izinleri ve yasaklar\u0131 ayarlay\u0131n.<\/p>\n

Dosyay\u0131 kaydederek \u00e7\u0131k\u0131n.Squid ba\u015flat\u0131lmadan \u00f6nce cache dizin yap\u0131s\u0131 olu\u015fturulmal\u0131d\u0131r.<\/p>\n

\/usr\/local\/squid\/sbin\/squid -z ile cache yap\u0131s\u0131n\u0131 olu\u015fturun.Burada bir hata al\u0131rsan\u0131z dosya izinlerini kontrol edin.<\/p>\n

Hata yoksa;<\/p>\n

\/usr\/local\/squid\/sbin\/squid<\/p>\n

komutu ile squid \u00e7al\u0131\u015facakt\u0131r.<\/p>\n

Dansguardian<\/strong>‘\u0131n Ayarlanmas\u0131<\/strong><\/p>\n

Daha \u00f6nce de belirtti\u011fim gibi dansguardian\u0131n standart kurulumu yeterli.Debian veya t\u00fcrevi bi OS kullan\u0131yorsan\u0131z apt-get install dansguardian komutu ile sisteminize kurabilirsiniz.<\/p>\n

Not:<\/strong>E\u011fer bunu da kaynaktan derlemek isterseniz dansguardian’\u0131n vir\u00fcs tarama yeteklerini incelemenizi tavsiye ederim.Ben \u00e7ok ba\u015far\u0131l\u0131 bulamad\u0131m.\u00d6zellikle flash web sitelerinde y\u00fckleme esnas\u0131nda \u00e7ok bekletiyor.Zaten vir\u00fcs dedi\u011fimiz \u015fey sadece web sayfalar\u0131nda gelse bu kadar ba\u015f\u0131m\u0131z a\u011fr\u0131mazd\u0131.Anti-virus koruma istiyorsan\u0131z size snort_inline+clamav \u0131 tavsiye ederim.Onun d\u00f6k\u00fcman\u0131 da bu blogda mevcuttur.Reklam!<\/p>\n

\/etc\/dansguardian alt\u0131nda dansguardian.conf dosyas\u0131n\u0131 a\u00e7\u0131n.<\/p>\n

\u0130lk sat\u0131rlarda UNCONFIGURED yaz\u0131s\u0131 ba\u015f\u0131na bir # ilave edin.<\/p>\n

# DansGuardian config file for version 2.8.0<\/strong><\/p>\n

# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf<\/strong><\/p>\n

# Comment this line out once you ha<\/strong>ve modified this file to suit your needs
\n#UNCONFIGURED<\/strong><\/p>\n

Daha sonra \u015fu b\u00f6l\u00fcmleri ayarlay\u0131n<\/p>\n

# Network Settings
\n#
\n# the IP that DansGuardian listens on. If left blank DansGuardian will
\n# listen on all IPs. That would include all NICs, loopback, modem, etc.
\n# Normally you would have your firewall protecting this, but if you want
\n# you can limit it to only 1 IP. Yes only one.
\nfilterip = sunucu_ip_no<\/p>\n

# the port that DansGuardian listens to.
\nfilterport = 8080<\/p>\n

# the ip of the proxy (default is the loopback – i.e. this server)
\nproxyip = sunucu_ip_no<\/p>\n

# the port DansGuardian connects to proxy on
\nproxyport = 3128<\/p>\n

Sonra biraz daha ilerleyerek \u015fu sat\u0131rlar\u0131 bulun de\u011ferleri on yap\u0131n.<\/p>\n

# Misc settings<\/p>\n

# if on it adds an X-Forwarded-For: to the HTTP request
\n# header. This may help solve some problem sites that need to know the
\n# source ip. on | off
\nforwardedfor = on<\/strong><\/p>\n

# if on it uses the X-Forwarded-For: to determine the client
\n# IP. This is for when you have squid between the clients and DansGuardian.
\n# Warning – headers are easily spoofed. on | off
\nusexforwardedfor = on<\/strong><\/p>\n

Dosyay\u0131 kaydederek \u00e7\u0131k\u0131n.Dansguardian’\u0131 start edin.Squidin \u00e7al\u0131\u015ft\u0131\u011f\u0131na emin olun.En son bir client ba\u015f\u0131na ge\u00e7erek birka\u00e7 web sayfas\u0131na girin.Daha sonra<\/p>\n

tail -f \/usr\/local\/squid\/var\/logs\/access.log yazarak istekleri izleyin.Art\u0131k squid’de ger\u00e7ek client ip lerini g\u00f6rebilecek ve buna g\u00f6re kendi acl lerinizi yazabileceksiniz.<\/p>\n","protected":false},"excerpt":{"rendered":"

A\u00e7\u0131klama T\u0131pk\u0131 di\u011fer yazd\u0131\u011f\u0131m belgeler gibi bu belge de kirlidir.Ama siz buna ald\u0131rmayabilirsiniz.\u00c7\u00fcnk\u00fc i\u015fe yaramaz \u015feyler yazmamaya gayret ediyorum.Bozuk t\u00fcrk\u00e7em i\u00e7in tekrar \u00f6z\u00fcr.Birg\u00fcn d\u00fczelecek:) Neden Dansguardian? Squid bize yetmez mi? E\u011fer konu i\u00e7erik filtreleme ise yetmez.\u00c7\u00fcnk\u00fc squid \u00e7ok ba\u015far\u0131l\u0131 bir http proxydir,access control list yap\u0131s\u0131 bence benzersizdir ancak konu i\u00e7erik filtreleme (dikkat adres sat\u0131r\u0131 de\u011fil,i\u00e7erik!) […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[291],"tags":[292,293,294,295,296,287,297,298,299,300],"class_list":["post-14","post","type-post","status-publish","format-standard","hentry","category-uncategorized-tr","tag-content-filter","tag-dansguardian","tag-follow_x_forwarded_for","tag-icerik-filtreleme","tag-ip","tag-linux","tag-proxy","tag-site-yasaklama","tag-squid","tag-transparan-proxy"],"_links":{"self":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/posts\/14"}],"collection":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/comments?post=14"}],"version-history":[{"count":0,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/posts\/14\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/media?parent=14"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/categories?post=14"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.48k.com.tr\/wp-json\/wp\/v2\/tags?post=14"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}