26 thoughts on “Workaround for dansguardian and iTunes 9.1”

1. Is there any way to do this without patching?

2. Not that I could figure out.

   Basically you have to either disable the dansguardian proxy completely, or you have to downgrade to iTunes 9.0.3.

3. I’ve got the source, made the modification. After I configure and build, can I just install over top of my current installation? How does that affect all my settings etc…?

   Thanks again!

4. Be careful, if you do a “make install” it will probably overwrite your settings.

   Instead, after copying the original (in case you need to go back to it) I would recommend NOT doing a “make install” but instead copy the binary (found at src/dansguardian in your build tree) over your existing binary (probably in /usr/local/sbin/dansguardian or /usr/sbin/dansguardian).

5. I followed your suggestion and it seems to be working just fine now. I did notice though that the original binary was only 745KB and the new one is now 6MB, any ideas why, and is it really that big of a deal?

6. The size different is almost certainly due to debugging symbols, which are harmless.

   To remove the symbols you can use the strip command to remove them from your new binary:

   
strip path/to/dansguardian


7. Perfect, thanks for your help. Your a Blessing.

8. Has anyone tried this fix with DG on Smoothwall Express? If so can someone try to explain to a Linux newbie how to do this? I have successfully installed DG and upgraded a couple of times but poor at Linux command-line. Thanks in advance.

9. I’m trying to work on dansguardian 2.10 on Smoothwall Express right now (it has the . chop already in it. I checked the source). The short answer is to download the devel iso from smoothwall.org, dansguardian 2.10 (install it in a virtual machine), and also zlib, pkg-config, and pcre. I’m *hoping* that all I’ll really need to do is replace the binary dansguardian after making it. I haven’t tried it yet, but I’ll post back here my findings. So far, I’ve only compiled the dansguardian binary at home — just now. I’ll have to test it before I can verify proper operation. Also, the new 2.10 version of dansguardian is supposed to trap SSL, so it’s a worthy upgrade for Smoothwall Express’s dansguardian homebrew. I’m not certain what I’ll have missed at this time, especially with regards to the clam antivirus integration, but if I find out, I’ll let you know.

   Each of the downloads above:
   ./configure; make; make install
   but! pkg-config installs in /usr/local/bin, which isn’t in the path. It appeared to be ok to copy it to /usr/bin (or softlink it) and dansguardian compiled.

10. I should point out that I’m not doing the “make install” for dansguardian. I’m also not certain of all the configuration options that were used in 2.8/Smoothwall Express 3.
    So far, I’ve *re*compiled:
    ./configure prefix=
    make
    (because I wanted dg to find the configs in /etc, not in /usr/local/etc)

11. Steve H, it’s possible, but it’s not pleasant. There are quite a bit of configuration changes that the 2.10 dg has (and I’m trying to account for them) … I’m exhausted right now. At the very minimum, libz is a new thing, there are a few configuration options that are brand new and missing from 2.8, and additional download manager things/templates. My problem is that I’ve made so many intermediate tests to just get the binary working that I may have missed something to relay. But if you ask me tomorrow, I’ll probably be able to tell you the steps. I’m going to sleep now. 🙂

    (As an aside, these comments likely will not have been posted before tomorrow — Friday).

12. I recompiled 2.8.0.6 binary ONLY http://www.gwy.org/dansguardian and it’s only for SmoothWall 3 32-bit. back up your /usr/sbin/dansguardian and replace it at your own risk with the download.

13. I wanted to post that I don’t want to follow up *here* for smoothwall issues. Anything conversation-wise regarding SmoothWall/Dansguardian I’ll be responding to here: http://community.smoothwall.org/forum/viewtopic.php?f=49&t=34309&start=0

14. Another option that I have done is to setup a dnsmasq server to resolve the “bad” hostname to a single IP then put an iptables rule just before the port redirect to 8080 to accept the port 80 traffic. This will send the web request from iTunes directly out bypassing DG.
    [root@server1 log]# nslookup ax.init.itunes.apple.com.
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Name: ax.init.itunes.apple.com
    Address: 65.126.84.65

    iptables
    =============
    # DansGuardian redirect
    -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -d 65.126.84.65 -j ACCEPT
    -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 ! -d 192.168.1.0/24 -j REDIRECT –to-ports 8080

15. Dave, great suggestion using iptables to route around DG. I had to make one minor change to have it work. Add -t nat to both your iptables lines… eg:

    iptables -A PREROUTING -t nat -i ${LAN} -p tcp -m tcp –dport 80 -d 65.126.84.65 -j ACCEPT
    iptables -A PREROUTING -t nat -i ${LAN} -p tcp -m tcp –dport 80 ! -d 192.168.1.0/24 -j REDIRECT –to-ports 8080

16. I have such trouble with Dansguardian, I’m reluctant to upset my apple cart. But, I tried adding *.apple.com. (with the trailing period) to the list of bypass domains, and it seem to work!

17. John, thanks a bunch for your comment. This issue had been driving me nuts and I didn’t have the option of applying patches and recompiling Dansguardian.

    I just did the same – added apple.com. to the exclude list and now iTunes is happy, and I can still keep Dansguardian active.

18. John/Mike,

    Which list did you add apple.com. to? I added it to exceptionsitelist and exceptionfilesitelist and iTunes still doesn’t work (I did restart dansguardian). Any clues? Thanks for your help

19. I too tried adding apple.com. to the exception list to no avail. Can someone who got this working explain exactly where they added the domain to the “bypass list”? I am running IPCop 1.4.21 with CopPlus, which is DansGuardian 2.8. Thanks in advance!

20. Thanks so much for this tip. I’ve been pulling my hair out trying to figure out what was happening. Some of my users have iTunes 9.0, and can connect just fine. iTunes 9.1 introduces this dang malformed URL. I applied the patch, ran “make” and copied my dansguardian binary over the old one. Now iTunes users can connect again to the Apple Store.

21. After more reading, I want to add two points:
    1) Apple apparently says the URL is not malformed, and does not plan to fix it. See: http://tinyurl.com/27bqcvb
    2) From the comments of others, Dansguardian 2.10.1.1 has already fixed this? See: http://tinyurl.com/2g8g3f8

22. Updating to DansGuardian 2.10.1.1 (via CopPlus 3.02) did the trick for me, at least for normal access to the iTunes store. I still am unable to download the latest iPod touch updates, but I haven’t determined if this is due to DansGuardian or not. Thanks for everyone’s help in finding a workaround to what I would still call Apple’s problem.

23. Pingback: DansGuardian Hates iTunes | Kimball's House Of Pain

24. Hi. I installed DGAV from source but I’m not accustomed to applying patches. Can anyone provide guidance on this?

25. Hi. I tried the patch this way

    patch -p0 < iTunes.patch

    It then asks what I want to patch. I saw HTTPHeader.cpp in your code and tried that.

    I get
    Hunk #1 FAILED at 900.
    This is Dansguardian-2.8.0.6-antivirus-6.4.3-google-1.3.1.1 source if that makes any difference.
    Please any help? TIA.

26. Another workaround is to hack the iTunes.dll file (on Windows) and replace every occurrence of ‘apple.com.’ with ‘apple.com/’.

    Note that this will leave some URLs in the library with two trailing slashes (eg. ‘apple.com//’) but DansGuardian will correctly parse this and pass the URL through.