SquidGuard redirects alot
-
Has anyone seen this before? SquidGuard is redirecting to an external site but i noticed the block page cuts off the URL that is being blocked.
Examiing a bit more i see for some reason a redirect loop. This happens in multiple browsers
Good thing is that the content is still blocked but the redirect is clearly broken for some reason.dest SchoolBlocks { expressionlist SchoolBlocks/expressions redirect 302:http://10.30.1.46/info.php?url=403&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u log block.logHere is whats in the web browser when content is blocked.
http://10.30.1.46/info.php?url=403&a=192.168.50.241&n=gotham&i=&s=default&t=Content_Block&u=http://10.30.1.46/info.php?url=403&a=192.168.50.241&n=gotham&i=&s=default&t=Content_Block&u=http://10.30.1.46/info.php?url=403&a=192.168.50.241&n=gotham&i=&s=default&t=Content_Block&u=http://10.30.1.46/info.php?url=403&a=192.168.50.241&n=gotham&i=&s=default&t=Content_Block&u=http://10.30.1.46/info.php?url=403&a=192.168.50.241&n=gotham&i=&s=default&t=Content_Block&u=https://get.videolan.org/vlc/3.0 -
@michmoor this is the redirect page in Squidguard like on my other post. I thought you used a external sever to host the blocked information page?
-
@JonathanLee I do. For some reason and maybe its my fault witha configuration issue, the eternal server works but its giving endless redirects now.
I have no idea why.If i remove the line &u=%u then all the redirects stop.
-
@michmoor there is a page inside of pfSense that lists the manual options for what you are adjusting.
/usr/local/www/sgerror.php
Ref:
https://forum.netgate.com/topic/24436/custom-squidguard-error-pages-how-to/I assumed you took that sgerror.php file and put it on your webserver already. I wonder why it is still redirecting internally.
-
SquidGuard error page generator
This program processes redirection requests to specified URL or generated error page for a standard HTTP error code.
Redirection supports HTTP and HTTPS protocols.Format:
sgerror.php?url=[http://myurl]or[https://myurl]or[error_code[space_code]output-message][incoming SquidGuard variables]
Incoming SquidGuard variables:
a=client_address
n=client_name
i=client_user
s=client_group
t=target_group
u=client_url
Example:
sgerror.php?url=http://myurl.com&a=..&n=..&i=..&s=..&t=..&u=..
sgerror.php?url=https://myurl.com&a=..&n=..&i=..&s=..&t=..&u=..
sgerror.php?url=404%20output-message&a=..&n=..&i=..&s=..&t=..&u=..Tags:
myurl and output messages can include Tags
[a] - client address
[n] - client name
[i] - client user
[s] - client group
[t] - target group
[u] - client url
Example:
sgerror.php?url=401 Unauthorized access to URL [u] for client [n]
sgerror.php?url=http://my_error_page.php?cladr=%5Ba%5D&clname=%5Bn%5D // %5b=[ %d=]Special Tags:
blank - get blank page
blank_img - get one-pixel transparent image (to replace images such as banners, ads, etc.)
Example:
sgerror.php?url=blank
sgerror.php?url=blank_img -
@michmoor
u=client_urlSomething is bonkered up with this
-
@michmoor Have you looked at
https://forum.netgate.com/topic/119092/the-following-error-was-encountered-while-trying-to-retrieve-https-http/14
https://forum.netgate.com/topic/154743/how-to-configure-squidguard-for-https/7They state
You have to append
url_rewrite_access deny CONNECT
url_rewrite_access allow allto your squid custom options to make the redirect page work in SSL MITM mode.
Custom options (before auth)
I guess it blocked redirects with HTTPS SSL Intercept enabled
This is new to me I am testing this in a home lab environment.
-
@JonathanLee Hmmmm
I didnt have to add anything to custom options before.
Ok let me try. Keep me updated on your home tests. -
@michmoor I get this error all the time on SSL Intercept enabled certificated devices, and port for pfsense firewall open or blocked in Squid Proxy
However, spliced devices have no issue accessing the error page.
-
@JonathanLee if i change to use an internal error page i get this
IMO, Redirect mode is a buggy mess. Its hit or miss but mostly miss. -
Use this it fixed it ex url move and point it to the internal squid guard URL.
(ERRORS!!!!)
-
https://forum.netgate.com/topic/182279/fixed-squidguard-redirect-page-for-error-codes-issues-with-https-ssl-interception
-
@JonathanLee the only problem with that solution is that you have to make your management port available to everyone. In your case 8080
-
@michmoor yep and that's a bigger problem
-
This post is deleted! -
michmoor LAYER 8 Rebel Alliancelast edited by michmoor Aug 18, 2023, 11:35 PM Aug 18, 2023, 11:32 PM
@JonathanLee lol oh boy. Not good !!
I think the limiting factor is that there is no good or secure way of providing a page to an end user explaining why they are blocked.
I’m using an external server and that works half the time. “Too many redirects”. But after some time later it works just fine again. No way to debug either
-
@michmoor I agree,
I just discovered you can just add google into the redirect and it takes you back to the browser.
I think I will use this one for a while.
Test this or take the redirect back to the office homepage. This way it doesn't feel like a panopticon and users just end up where they started.
I didn't think it would work but it does.
-
@JonathanLee yeah at least if someone can’t download something they will say “it keeps taking me to google” which is funny. I’ll try it out for awhile.
My daughter brought home a school laptop so I’m going to see if I can install a certificate and start “investigating “ -
@michmoor you don't need the certificate as it works in transparent mode also. I only install certs on devices I own, everything else is splice mode. I do custom with both ssl intercept and transparent in use. FYI I also found that /usr/local/www/sgerror.php still is accessible even when using the external web redirect like google.com. I thought that was weird.
https://redmine.pfsense.org/issues/14696
It should not be accessible if its not in use right?
-
@JonathanLee how is it accessible?
How are you accessing that path?
Transparent mode is iffy for clients. That /409 error stops websites from working.