DIY Dedicated Caching Proxy (with Dansguardian) Server at Home

September 2007

Overview

This how-to is for those of you who want to set up a proxy server that will filter out the filth of the Internet (Dansguardian) and enjoy a safe and godly computing environment at home. As added benefits, you will be able to connect to your home network remotely and may be able to use this same server as a web server if you so choose (as a result of following my entire how-to). Moreover, Squid proxy caching capability will probably increase the speed of your Internet surfing.

Regarding what you watch and see, the Lord Jesus has spoken in a very serious manner saying:

whosoever looketh on a woman to lust after her hath committed adultery with her already in his heart. (Matthew 5:28)

Moreover, James exhorted us saying:

Draw nigh to God, and he will draw nigh to you. Cleanse your hands, ye sinners; and purify your hearts, ye double minded. (James 4:8)

We must put sin out of our reach, thereby cleansing our hands. We also must put anything that could cause us to sin out of reach as well. The great news is that as you go through that process by faith, God will draw near to you for aid and encouragement.

I am deeply concerned about people's pornography addiction (especially people of the faith). It is my prayer that this how-to article will help free (or prevent) people of such bondage. If you are currently under such bondage of sin, please remember that your first step towards freedom must be to draw near to God in the name of Jesus Christ.

Therefore, having a content filter on your Internet connection is a great idea whether you have family or not (protecting children from evil is another topic we won't discuss here). As added benefits, you will be able to connect to your home network remotely and may be able to use this same server as a web server if you so choose (as a result of following my how-to). Moreover, Squid proxy caching capability may increase the speed of your Internet surfing. Since the system used here puts the content filtering program on a dedicated machine, it will be difficult for you to undo the filtering and impossible for anybody who does not have root access to the dedicated machine. This means that your kids will NOT be able to disable or circumvent the filtering, and it also means that it will be quite a hassle for you (the one with the root privilege) to disable this filtering system. Excited about this project? Let's get started!


As with any of these online how-to's, I will herein give the standard disclaimer that I will not be held responsible for any consequence that may be caused by anything that I have written or linked here. Please do follow the instructions in the proper order :)

  1. Hardware requirements
  2. Install Debian Etch and initial configuration
  3. SSH Server
  4. Firewall setup
  5. DNS setup
  6. DHCP Server
  7. Squid proxy
  8. Dansguardian
  9. Extra features

References
  1. cyberdogtech.com
  2. Spencer Stirling
  3. shorewall.net


Posted by tak, filed under linux. Date: September 9, 2007, 10:23 pm

14 Responses

  1. MikeC Says:

    Two things. First, you have to tell shorewall to allow requests on port 53 through to dnsmasq (and possibly the DHCP port).

    Secondly, I’m still missing the flow of a transparent proxy. Usually, one sets the client to point to another port (8080 or something) which DansGuardian is listening on, and requests through squid on a separate socket (3128?), right? If the firewall points all port 80 traffic to squid, how does it know to send it to DansGuardian to be scanned? Does the firewall send all port 80 traffic to DansGuardian’s connection on 8080?

    Thanks for an awesome tutorial, BTW.

  2. MikeC Says:

    Oh, and also, what order do your daemons start up in your init scripts?

  3. tak Says:

    Hi MikeC,

    Thank you so much for reporting to me about the comments not showing up. I unintentionally had the comment moderation thing on and wasn’t aware.

    1st point: I didn’t even know what port 53 was for until you told me. I did not have to explicitly say that port 53 was for dnsmasq or shorewall. Perhaps it’s taken care of by default?

    2nd: I’m not in any way a Squid guru. From what I understand, the following magic line (esp. the phrase “transparent”) takes care of all the forwarding of traffic.

    http_port 127.0.0.1:3128 transparent

    (above is from the squid.conf file)

    Yes, I believe all port 80 traffic is forced through dansguardian with my setting.

    3rd: I’m not sure about the order of daemons starting up. I’ll look into it. But, I have a church retreat this weekend and I’m not sure exactly when… sorry.

    Tak

  4. MikeC Says:

    Another question…

    Are you able to FTP out with this configuration? I’m not sure how that changes the flow.

    Thanks…

  5. tak Says:

    In the “rules” file,
    open up the port you are using like the following (in this case tcp port 88).

    ACCEPT net fw tcp 88

    I recommend that you only stick to SSH, as FTP is just too insecure these days. The example I show in the “Firewall” section already includes the setting for SSH (default port #). With that setting, I am able to SSH in / out.

    Tak

  6. Marn Says:

    Thank you for the helpful HowTo. I have a combined Modem/Router. As I understand, the Proxy Computer has to go in between. Is there a solution to that, or am I missing something?

  7. admin Says:

    Are you using cable internet or DSL? I don’t have any experience with DSL, but in my configuration you don’t even need a full-fledged router. You can use a LAN switch, which I think is much cheaper. For example,
    I see some switches for $19.99 at newegg.com.

    Did this help you?
    Merry Christmas,
    Tak

  8. Marn Says:

    I have DSL (I live in Germany where DSL is most common). I have read that the proxy server can be connected to router via LAN and the router directs all internet traffic through the proxy server, so I shall try that.

    I’m pastor of a church and am trying to create a safe network for people to use in the church who will mainly connect via wireless.

    Merry Christmas to you too,

    Marn

  9. Tak Says:

    Hi Pastor Marn,

    Have you looked at http://taksuyama.com/?page_id=19 ?
    Where it says “internet” in the picture in reality is the modem.
    So my howto article shows exactly what you said “the proxy server can be connected to router via LAN and the router directs all internet traffic through the proxy server”

    Network things can get confusing (I’m trying to figure out how to properly do port-forwarding with Shorewall right now as well). If you need any further assistance, please let me know. It’s my pleasure and honor to help another ministry in any way.

    Tak

  10. Ken Says:

    “it is my prayer that this how-to article will help free (or prevent) people of such bondage”

    I would say that content filtering is an important tool for those suffering from sexual compulsions/addictions. It does not solve an addiction, because the cause of the addiction is not the porn itself. The object of the addiction is generally not the cause, but a symptom.

    I am a sex addict and have struggled with pornography and more.

    I am also trying to switch to ubuntu, so I appreciate all of the information I have found about dansguardian that you have authored. I am using net nanny as a tool in my recovery and will not switch to linux until I know that I can set up a similar safeguard. My sobriety doesn’t depend on content filtering, but as I said, it is a very important tool!

    Thank you for the information you have put out there on this subject! It has been extremely helpful in guiding me to a solution for my own home.

    Peace be with you!

  11. Because it matters » Blog Archive » Computers are dangerous! Says:

    […] of days ago, I was trying to put in a hard drive in an old desktop computer that is used to as our proxy, web, SFTP, Internet filtering, DHCP, and DNS server. Then as I was pushing on one of those plastic things that fill the space for extra drive […]

  12. falc Says:

    Do you have any VMware of it so we can download the default config?

    Thanks in advance

  13. Ansuman Datta Says:

    Once you’ve set up Dansguardian or any other content filter for your browser you will want to know whether it is working. Till now the standard way to test if it’s working was to try to open an objectionable website to avoid which I created a content filter test website at http://filter-test.echoz.com which will tell you in plain English whether Dansguardian or an equivalent is working. If you would like to make my homepage your homepage there is also a deeper and faster link which is http://snow.byethost17.com/filter-test/index.php

    You’ll also find two identical b/w striped squares straddling the heading on my homepage. Click on one to open a secret door to a series of popular web shortcuts. You’ll still be allowed to visit only those sites which your admin has approved. Don’t forget to fill up the contact form.

    God bless.

  14. Ubuntu 10.04 server as a transparent proxy filter (plus dans guardian) Drija Says:

    […] I’ve tried following these instructions as guide line. http://taksuyama.com/?p=16 […]
