Forum Ubuntu-it

Codice: Seleziona tutto

# DansGuardian config file for version 2.8.0 with Anti-Virus plug-in 6.3.8

# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf


# Comment this line out once you have modified this file to suit your needs
#UNCONFIGURED


# Web Access Denied Reporting (does not affect logging)
#
# -1 = log, but do not block - Stealth mode
#  0 = just say 'Access Denied'
#  1 = report why but not what denied phrase
#  2 = report fully
#  3 = use HTML template file (accessdeniedaddress ignored) - recommended
#
reportinglevel = 3

# Language dir where languages are stored for internationalisation.
# The HTML template within this dir is only used when reportinglevel
# is set to 3. When used, DansGuardian will display the HTML file instead of
# using the perl cgi script.  This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
#
languagedir = '/etc/dansguardian/languages'

# language to use from languagedir.
language = 'italian'

# Logging Settings
#
# 0 = none  1 = just denied  2 = all text based  3 = all requests
loglevel = 2

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through.  Can be useful for diagnosing
# why a site gets through the filter.  on | off
logexceptionhits = on

# Log File Format
# 1 = DansGuardian format        2 = CSV-style format
# 3 = Squid Log File Format      4 = Tab delimited
logfileformat = 1


# Log file location
# 
# Defines the log directory and filename.
loglocation = '/var/log/dansguardian/access.log'


# Network Settings
# 
# the IP that DansGuardian listens on.  If left blank DansGuardian will
# listen on all IPs.  That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to only 1 IP.  Yes only one.
filterip =

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied
# Do NOT change from the default if you are not using the cgi.
#
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

# Non standard delimiter (only used with accessdeniedaddress)
# Default is enabled but to go back to the original standard mode dissable it.
nonstandarddelimiter = on



# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image.  This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# 0 = off
# 1 = on (default)
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'



# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users.  The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group.  To assign users to groups use the filtergroupslist option.  All users default
# to filter group 1.  You must have some sort of authentication to be able to map users
# to a group.  The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'



# Authentication files location
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
bannedurllist = '/etc/dansguardian/bannedurllist'



# Show weighted phrases found
# If enabled then the phrases found that made up the total which excedes
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on

# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
#
weightedphrasemode = 2



# Positive result caching for text URLs
# Caches good pages so they don't need to be scanned again
# 0 = off (recommended for ISPs with users with disimilar browsing)
# 2000 = recommended for most users
# 5000 = suggested max upper limit
urlcachenumber = 2000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage = 900



# Smart and Raw phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# CPU usage can be effectively halved by using setting 0 or 1
# 0 = raw only
# 1 = smart only
# 2 = both (default)
phrasefiltermode = 2



# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases.  However this can break Big5 and
# other 16-bit texts.  If needed preserve the case.  As of version 2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
preservecase = 0



# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable.  However this can break Big5 and other 16-bit texts.
# 0 = disabled (default)
# 1 = enabled
hexdecodecontent = 0



# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# 0 = off (default)
# 1 = on (Big5 compatible)
forcequicksearch = 0



# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists.  This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off



# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer.  This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# It will reduce searching speed somewhat so unless you have a local DNS server, 
# leave it off.
reverseclientiplookups = off



# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%.  On slow computers this will
# be significant.  Fast computers do not need this option. on | off
createlistcachefiles = on



# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0
maxuploadsize = -1



# Max content filter page size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The size is in Kibibytes - eg 2048 = 2Mb
# use 0 for no limit
maxcontentfiltersize = 256



# Username identification methods (used in logging)
# You can have as many methods as you want and not just one.  The first one
# will be used then if no username is found, the next will be used.
# * proxyauth is for when basic proxy authentication is used (no good for
#   transparent proxying).
# * ntlm is for when the proxy supports the MS NTLM authentication
#   protocol.  (Only works with IE5.5 sp1 and later).  **NOT IMPLEMENTED**
# * ident is for when the others don't work.  It will contact the computer
#   that the connection came from and try to connect to an identd server
#   and query it for the user owner of the connection.
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off



# Preemptive banning - this means that if you have proxy auth enabled and a user accesses
# a site banned by URL for example they will be denied straight away without a request
# for their user and pass.  This has the effect of requiring the user to visit a clean
# site first before it knows who they are and thus maybe an admin user.
# This is how DansGuardian has always worked but in some situations it is less than
# ideal.  So you can optionally disable it.  Default is on.
# As a side effect disabling this makes AD image replacement work better as the mime
# type is know.
preemptivebanning = on



# Misc settings

# if on it adds an X-Forwarded-For: <clientip> to the HTTP request
# header.  This may help solve some problem sites that need to know the
# source ip. on | off
forwardedfor = off


# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off


# if on it logs some debug info regarding fork()ing and accept()ing which
# can usually be ignored.  These are logged by syslog.  It is safe to leave
# it on or off
logconnectionhandlingerrors = on



# Fork pool options

# sets the maximum number of processes to sporn to handle the incomming
# connections.  Max value usually 250 depending on OS.
# On large sites you might want to try 180.
maxchildren = 120


# sets the minimum number of processes to sporn to handle the incomming connections.
# On large sites you might want to try 32.
minchildren = 8


# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8.
minsparechildren = 4


# sets the minimum number of processes to sporn when it runs out
# On large sites you might want to try 10.
preforkchildren = 6


# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 32


# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 500



# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
# 
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = '/tmp/.dguardianipc'

# URL list IPC filename
# 
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = '/tmp/.dguardianurlipc'

# PID filename
# 
# Defines process id directory and filename.
#pidfilename = '/var/run/dansguardian.pid'

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off ( defaults to off )
nodaemon = off

# Disable logging process
# on|off ( defaults to off )
nologger = off

# Daemon runas user and group
# This is the user that DansGuardian runs as.  Normally the user/group nobody.
# Uncomment to use.  Defaults to the user set at compile time.
# daemonuser = 'nobody'
# daemongroup = 'nobody'

# Soft restart
# When on this disables the forced killing off all processes in the process group.
# This is not to be confused with the -g run time option - they are not related.
# on|off ( defaults to off )
softrestart = off



# ANTIVIRUS SETTINGS
# --------------------

# OPTION: virusscan
# If on, we scan all downloaded content using embedded virus engine.
# Supported engines of this version are ClamAV, KAV or ClamDScan.
# If off, we don't scan any downloaded content.
# See http://www.pcxperience.org/dgvirus/ for more details.
#
virusscan = on

# OPTION: virusengine
# Set the embedded virus scan engine to be used (clamdscan, clamav or kav).
virusengine = 'clamdscan'

# OPTION: tricklelength
# If off (value = -1), the scanner will send 1 byte per delay period
# to the client to keep a download connection alive.
# When the whole file is downloaded and scanned, the client will receive 
# all remaining bytes, if the file is clean.
# Set to a positive integer value to enable immediate delivery to the client. 
# Value set means minimum number of bytes of the downloaded file 
# that will be held and delivered after virus scan.
# If clean, the remaining bytes will be sent to the client.
# If infected, file downloaded will be incomplete and a warning message 
# will be sent to the postmaster and possibly the user.
# Recommended minimum positive value: 32768 (32 kbytes)
#
tricklelength = 32768

# OPTION: firsttrickledelay
# Delay in seconds to deliver the first byte to the client.
# This option only applies if tricklelength is set to -1 (off).
#
firsttrickledelay = 30

# OPTION: follwingtrickledelay
# Delay in seconds to deliver subsequent bytes to the client.
# This option only applies if tricklelength is set to -1 (off).
#
followingtrickledelay = 60

# OPTION: exceptionvirusmimetypelist
# The following file allow you to define mime types
# that should not be virus scanned.
exceptionvirusmimetypelist = '/etc/dansguardian/exceptionvirusmimetypelist'

# OPTION: maxcontentscansize
# Set the maximum size of a content to be virus scanned.
# Content size above this value will not be scanned against viruses.
# Value below 1 will be define as default to 262144 (256 Mbytes).
# The size is in Kibibytes - eg 2048 = 2 Mbytes.
maxcontentscansize = 262144

# OPTION: exceptionvirusextensionlist
# The following file allow you to define file extensions
# that should not be virus scanned.
exceptionvirusextensionlist = '/etc/dansguardian/exceptionvirusextensionlist'

# OPTION: downloaddir
# Set where the files are downloaded to before they are scanned.
downloaddir = '/tmp/dgvirus'

# OPTION: virusscanexceptions
# If off, antivirus scanner will ignore exception sites and urls.
#
virusscanexceptions = on

# OPTION: urlcachecleanonly
# If off, url cache will contain entries of text only urls.
# Keeping it off, preserves original Dansguardian feature and
# downloaded content will be always scanned by antivirus.
# When turned on, urlcache will be loaded only with content
# found to be good and that is virus free.
# Thus, content of urls found in urlcache WILL NOT BE SCANNED AGAIN.
#
urlcachecleanonly = on

# OPTION: virusscannertimeout
# The maximum length of time the commercial virus scanner is allowed to run
# for 1 batch of messages (in seconds).
virusscannertimeout = 60

# OPTION: notify
# Sets who receives email notification when a virus is found.
# Users must be authenticated to be able to receive messages.
# Email address for users will be formed by the authentication name received by DG
# plus @emaildomain (see option below)
# 0 = disabled
# 1 = user only
# 2 = postmaster only
# 3 = postmaster and users (default)
notify = 0

# OPTION: emaildomain
# Set email domain to use when notifying users of an infected file.
# This is just the domain name part, after the @
emaildomain = 'your.domain.com'

# OPTION: postmaster
# Set email address of who to notify about any infections found.
# Should put your full domain name here too.
postmaster = 'postmaster@your.domain.com'

# OPTION: emailserver
# Set the address and port of the Mail Server to send notifications through.
emailserver = '127.0.0.1:25'


# CLAMDSCAN SETTINGS
# --------------------
# OPTION: localsocket
# Set name of the local socket file
# default: '/tmp/clamd'
localsocket = '/tmp/clamd'


# CLAMAV SETTINGS
# --------------------
# OPTION: clmaxfiles
# Set maximum number of files inside a compressed file
# default: 1500 files
clmaxfiles = 1500

# OPTION: clmaxreclevel
# Set maximum recursion level to perform scan on a compressed file
# that is inside a compressed file
# default: 3 levels
clmaxreclevel = 3

# OPTION: clmaxfilesize
# Set maximum file size of a file inside a compressed file
# default: 10485760 = 10 Mbytes
clmaxfilesize = 10485760

# OPTION: clmaxratio
# Set maximum compression ratio an archive content can have
# default: 250
clmaxratio = 250