[OPLINTECH] Web Filtering Crashing Internet

Chad Neeper cneeper at level9networks.com
Mon Sep 29 17:06:31 EDT 2014

Have you been able to identify in your logs whether it's dansguardian or
squid that's croaking? My guess is it's probably squid. You may need to
find out a little more exactly what's happening when it dies. For instance,
is perhaps the squid (or dg) process getting terminated because it can't
handle a particular request correctly, or is perhaps everything working as
it should, but perhaps your bandwidth is getting saturated because of squid
trying to complete a large number of downloads initiated by this end user?
(I've had that before...misconfigured squid seemingly killing a library's
Internet access because it was trying to download multiple instances of a
large anti-virus download.)

If you can identify a particular site in the logs that's causing you
problems, then you can adjust for it.
If your ClearOS has a peer-to-peer user forum, then try posting your
questions in the appropriate forum and you'll likely get more
specific/applicable help in troubleshooting/narrowing down your problem.

Squid is very widely used, of course, so if you can narrow it down to
squid, there's lots of info out there that you can probably leverage to try
to configure your way out of the problem.

If you have to (if the logs don't help you narrow things down), you can
probably route that particular patron around dansguardian and pass them
directly to squid to eliminate dg as the problem. It sounds as if you're
typically made aware when that patron is using the computers. ;-)

If you can identify a particular website as causing the problems, let me
know. I'd be interested to test it against my own dg+squid configurations
to see how they hold up. To specifically answer your question:  No. To the
best of my knowledge, we haven't had any problems specifically with Chinese
character websites. Occasionally, there are problems with individual
websites doing seemingly oddball things that squid or dg doesn't much like.
Symptoms usually present as a web page (often a pop-up) not displaying
correctly or a file not downloading correctly. (It usually turns out to be
dg and I simply exclude that URL from the filter.) I correct for them as
I'm made aware of them, but fortunately it's not particularly frequent.

Good luck!

*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full LAN/WAN consulting services -- Specialized in libraries and schools*

On Mon, Sep 29, 2014 at 12:56 PM, Chad Morris <morrisch at oplin.org> wrote:

> I’ve been experiencing an odd issue with my web filtering firewall
> pertaining to Chinese web sites and spam email. I have a ClearOS server in
> bridge mode doing URL re-write filtering sitting in front of my main
> firewall. The ClearOS server catches all web traffic leaving the network,
> filters out any bad words, and enforces safe searches (Google, Bing, etc.).
> And due to the large amount of past malicious activity, I’ve blocked most
> of APNIC, RIPE, AFRINIC, and LACNIC IP addresses on my main firewall
> (MikroTik RB2011UiAS-RM).
> I’ve narrowed the issue down to a particular patron that has been visiting
> web sites such as tw.yahoo.com, mail.com, and email.com. According to my
> ClearOS logs, the web pages with Chinese characters generate a long URL
> which crashes our web browsing – except for the patron viewing the web
> pages. Once it crashes, I have to restart the ClearOS server and then it
> works for about 20-30 minutes before it crashes again. I’ve contacted
> ClearOS and they can’t recreate the issue but suggested that I turn off
> write caching – which I have but that doesn’t help.
> I want to allow the patron to view web sites in their foreign language,
> but I also can’t have the internet crash every time they come in to use a
> computer. As far as email.com and mail.com, the patron’s email account is
> loaded with spam and they click on everything. I’ve seen them click on a
> spam email that, when opened, contains an endless redirect script that
> eventually crashes the internet for everyone. The redirects go to a randomly
> generated URL based in China. I don’t know if the patron has caught on that
> they are causing the issue and are purposely causing the internet to crash,
> or if they are just click happy and actually enjoy reading malicious
> emails? It’s suspicious that they click on the spam email and minimize the
> window while the redirect script runs in the background.
> The public computers are on the same subnet as the staff and they are
> locked down heavily with group policy, Faronics WINSelect, Anti-Virus, and
> DeepFreeze.  I’ve tried switching them to a different subnet but that
> doesn’t fix the issue.
> I’ve concluded:
> - My ClearOS setup doesn’t play nice with web sites based in China, long
> Chinese characters in the URL, email.com and mail.com.
> - The ClearOS server works fantastic with everything else.
> - The recommendation from ClearOS support doesn’t work.
> - The issue happens with the particular patron only.
> - We use OpenDNS to block web sites in addition to my IP range blocks on
> my gateway
> Is there anyone else out there that uses a Dansguardian/Squid based
> content filter? If so, have you had issues like me?
> Thank you,
> Chad
> --
> Chad Morris
> Technology Coordinator
> Franklin-Springboro Public Library
> 44 E. Fourth Street
> Franklin, OH 45005
> Office:  (937) 746-2665 ext 116
> Fax:     (937) 746-2847
> Email:  morrisch at oplin.org
> www.fspl.org
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at lists.oplin.org
> http://lists.oplin.org/mailman/listinfo/oplintech
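
As an added example (not part of the original messages, and not code from ClearOS, Squid or DansGuardian): one way to go through a Squid access.log for the symptoms discussed in this thread, summarising requests, bytes, redirects and longest URL per client. It assumes Squid's default native log format; the sample lines, the `summarise` and `flag` names and the thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid native format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
LONG_URL = "http://long.example.com/s?q=" + "%E4%B8%AD" * 300  # 2728 chars
ROW = "{ts}.250 40 {ip} TCP_MISS/{st} {size} GET {url} - DIRECT/198.51.100.7 text/html"
SAMPLE_LOG = [
    ROW.format(ts=1412010000, ip="192.168.1.20", st=200, size=15320,
               url="http://www.example.org/"),
    *(ROW.format(ts=1412010000 + i, ip="192.168.1.57", st=302, size=412,
                 url=f"http://redir.example.net/r?n={i}") for i in range(1, 5)),
    ROW.format(ts=1412010006, ip="192.168.1.57", st=200, size=9000, url=LONG_URL),
    "truncated line",
]

def summarise(lines):
    """Return {client_ip: stats} from Squid native-format log lines."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "redirects": 0,
                                 "max_url_len": 0, "hosts": Counter()})
    for line in lines:
        f = line.split()
        if len(f) < 7 or "/" not in f[3]:
            continue  # skip malformed or truncated lines
        client, status, size, url = f[2], f[3].split("/")[1], f[4], f[6]
        s = stats[client]
        s["requests"] += 1
        s["bytes"] += int(size) if size.isdigit() else 0
        s["redirects"] += status.startswith("3")  # 301/302/307 etc.
        s["max_url_len"] = max(s["max_url_len"], len(url))
        s["hosts"][urlsplit(url).hostname or url] += 1
    return dict(stats)

def flag(stats, max_url=2048, redirect_ratio=0.5, min_requests=4):
    """Return {client_ip: [reasons]}; thresholds are illustrative assumptions."""
    out = {}
    for client, s in stats.items():
        reasons = []
        if s["max_url_len"] > max_url:
            reasons.append("long-url")
        if s["requests"] >= min_requests and s["redirects"] / s["requests"] >= redirect_ratio:
            reasons.append("redirect-heavy")
        if reasons:
            out[client] = reasons
    return out

if __name__ == "__main__":
    for client, reasons in flag(summarise(SAMPLE_LOG)).items():
        print(client, reasons)
```

The per-client `bytes` and `hosts` counters in the summary are what separate a bandwidth-saturation case from a single request that the proxy cannot handle.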