0001916: havp will always be used by every profile also when only one profile enables it - MantisBT
View Issue Details
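ID: 0001916
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2009-06-05 18:02
Last Update: 2010-03-03 15:34
Reporter: peter-endian
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Target Version: future
Summary: 0001916: havp will always be used by every profile also when only one profile enables it
Description: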
It's not possible to selectively disable havp for some profiles. If one profile uses havp, all profiles use it.

In order to have it as it is implemented currently in the gui (antivirus is possible to enable/disable per profile), dansguardian needs to understand that for one profile it must send the request to one parent and for another profile it needs to send it to another parent.

This is imho currently not possible.

As long as we don't have a dansguardian patch which allows this, we should change the gui, otherwise one thinks it is possible to enable/disable havp per profile.
No tags attached.
Relationships: related to 0002248 (closed, simon-endian): Cannot access internet when you select a filter profile that has virus scanning disabled
Issue History
2009-06-05 18:02  peter-endian  New Issue
2009-06-05 18:02  peter-endian  Status: new => assigned
2009-06-05 18:02  peter-endian  Assigned To: => simon-endian
2009-06-09 12:05  simon-endian  Note Added: 0002513
2009-06-09 12:10  simon-endian  Note Added: 0002514
2009-06-09 16:27  peter-endian  Note Added: 0002521
2009-06-09 16:29  peter-endian  Relationship added: child of 0001921
2009-06-11 16:10  peter-endian  Note Added: 0002586
2009-08-25 17:50  simon-endian  Assigned To: simon-endian => peter-endian
2009-10-27 13:33  peter-endian  Relationship deleted: child of 0001921
2009-10-27 14:07  peter-endian  Project: not released => Endian Firewall
2009-10-27 14:08  peter-endian  Target Version: => 2.3.1
2009-11-27 15:12  simon-endian  Relationship added: related to 0002248
2009-12-13 14:31  wiseguytech  Note Added: 0003550
2010-03-03 15:34  ra-endian  Target Version: 2.3.1 => future

Notes
(0002513) simon-endian, 2009-06-09 12:05
- dansguardian either always or not uses havp (global dansguardian menu)
- use integrated avengine of dansguardian (should be able to be defined per profile)
(0002514) simon-endian, 2009-06-09 12:10
Even when using the avengine of dansguardian, it is not possible to define that the av engine should only be used for a specific dg profile. Possible workaround: for a profile which should not use av, make a whitelist rule for all.

Sophos is not usable with dansguardian in an easy way (possible ways: icap server or DansGuardian Anti-Virus Plugin, but there is no evidence that this works with 2.10 dansguardian).

Conclusion: the best solution for now is to keep havp and maybe patch dansguardian to give it the possibility to define a proxy port per profile, or make a global option for antivirus in combination with dansguardian.
(0002521) peter-endian, 2009-06-09 16:27
I will check if it is worth creating a dansguardian patch which allows configuring a parent server per profile.

If the effort is too high, simon should move the checkbox outside the profiles into a global section.
(0002586) peter-endian, 2009-06-11 16:10
A dansguardian patch would be possible, however it would break the NTLM auth plugin as far as I can say with that fast check I made.
The NTLM auth plugin needs a socket to the parent-proxy, which would not be possible to have in that moment, when we don't know yet to which profile the client belongs.
I don't exactly understand why the NTLM auth plugin exactly needs the parent proxy for authentication.

However, this probably may be not relevant for us, if we break the NTLM auth plugin, that *may* be acceptable for us for now.

In that case:
o is the option container holding all configuration from configuration files.
o.fg is an array holding all profile specific configurations.

- proxy_ip/port need to be read out from profile configuration file and stored
  to the respective o.fg[xx] container. (happens in OptionContainer.cpp and
  FOptionContainer.cpp)

- ConnectionHandler.cpp:397 - connects to the parent proxy (o.proxy_ip,
  o.proxy_port). This connection part needs to be postponed until after
  authentication, which happens in line 503.

  In line 639 we know the filter-group and that's the best position to read out
  proxy_ip and proxy_port from the filter-group.

  proxy connection persistency should not break since one profile always uses
  the same proxy.

- AuthPlugin::identify() in line 516 needs a working proxy connection
  (proxysock), which will however be used *only* by the NTLM authplugin.
  In that stage we can't have a proxysock instance, since we don't know yet
  which proxy to use. We could use the proxy of the default profile (?)
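
The reordering described in note 0002586, as an added C++ sketch that is not part of the note and not DansGuardian source. It models per-profile parent selection after authentication and the fallback to the default profile's parent for a plugin that needs proxysock early. Only o, o.fg, proxy_ip and proxy_port come from the note; all other names, and the sample addresses and ports, are constructed.

```cpp
// Added sketch, not DansGuardian source. Only o, o.fg, proxy_ip and proxy_port
// are names from the note; every other identifier is hypothetical.
#include <cstdio>
#include <string>
#include <vector>

struct Parent { std::string proxy_ip; int proxy_port; };
struct FilterGroup { bool has_parent; Parent parent; };  // one o.fg[xx] entry
struct Options {
    Parent global;                // o.proxy_ip / o.proxy_port
    std::vector<FilterGroup> fg;  // fg[0] is the default profile
};
struct Trace {
    bool early_sock;        // a proxysock was opened before the group was known
    Parent auth_parent;     // parent behind that early socket
    Parent request_parent;  // parent the request is forwarded to
    int connects;           // parent connections opened for this client
};

static bool same(const Parent& a, const Parent& b) {
    return a.proxy_ip == b.proxy_ip && a.proxy_port == b.proxy_port;
}
// Per-profile parent if the profile file set one, otherwise the global one.
Parent parent_for(const Options& o, std::size_t group) {
    if (group < o.fg.size() && o.fg[group].has_parent) return o.fg[group].parent;
    return o.global;
}
// Reordered flow: authenticate first, connect once the filter group is known.
// A plugin that needs proxysock gets the default profile's parent.
Trace handle(const Options& o, std::size_t group, bool plugin_needs_proxysock) {
    Trace t = {plugin_needs_proxysock, parent_for(o, 0), parent_for(o, group), 0};
    if (t.early_sock) ++t.connects;
    // The early socket is reusable only if it already points at this
    // profile's parent; otherwise a second connection has to be opened.
    if (!t.early_sock || !same(t.auth_parent, t.request_parent)) ++t.connects;
    return t;
}
// Constructed sample (ports are made up): the default profile uses the
// antivirus parent, profile 1 has its own parent and skips it.
Options sample() {
    Options o = {Parent{"127.0.0.1", 8080}, {}};
    o.fg.push_back(FilterGroup{false, Parent{"", 0}});
    o.fg.push_back(FilterGroup{true, Parent{"127.0.0.1", 3128}});
    return o;
}
int main() {
    Trace t = handle(sample(), 1, true);
    std::printf("auth via %d, request via %d, connects=%d\n",
                t.auth_parent.proxy_port, t.request_parent.proxy_port, t.connects);
}
```

In this model a client of profile 1 that authenticates through a proxysock-dependent plugin opens two parent connections, one to the default profile's parent and one to its own.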
(0003550) wiseguytech, 2009-12-13 14:31
I'm just curious, is Endian 2.3 using the latest dansguardian release, 2.10.1.1? If not will 2.3.1 be using it?

Thanks!