Squidguard / squid getting default access

shalib2

squid accesslogs?

Nachtfalke

Hi,

SquidGuard adds this option to squid config:

redirector_bypass on

If I understand this correct this means, that if squid cannot handle more redirectors it will not crash but it will bypass all traffic. if "redirector_bypass" is turned off, squid will crash.

http://www.squid-cache.org/Versions/v2/2.7/cfgman/redirector_bypass.html

Perhaps you can check your redirectors in squid / cachemgr.cgi

Not sure why this option is automatically added by squidguard.
Even not sure why "redirect_children 3" is added. Default of squid 2.7 is "5" as far as I know.

But this is not related to this topic.

shalib2

in my squid.conf -> redirector_bypass on;redirect_children 3 …is there any solution for it?

Nachtfalke

You can try:

redirector_bypass off

in SERVICES - PROXY SERVER

But this wil be resetted after you did any changes in squidguard and you click "save" in squidguard.
But first try to check out if this is REALLY the issue of your problem.
If this bypass happens (or before) check how many redirectors are used by squid.

shalib2

i think this is the problem , and how can i check  how many redirectors are used by squid.???

Nachtfalke

http://forum.pfsense.org/index.php/topic,14609.0.html

Post 1 and in this post points 1,2 and 3 will help you how to enable cachemgr.cgi.
There are many threads about that in the search function.

With cachemgr.cgi you could check your squid utilization etc.

dvserg

Change in squid
redirector_bypass off;redirect_children 10
and Save

This is solve you problem/
Also need squid/squidGuard logs

Nachtfalke

@dvserg:

Change in squid
redirector_bypass off;redirect_children 10
and Save

Could this be changed in SquidGuard ?
It would be nice because then it wouldn't be resetted after changing something in squidguard.

Further there is a "problem" in Proxy Server because redirect_children 10 does not end with a ";".
So if you just change these parameters and click save, squid will not start.

Nevertheless, great job!!

dvserg

/usr/local/pkg/squidGuard_configurator.inc

function squid_reconfigure($remove_only = '')
Change

        $conf[] = REDIRECT_BYPASS_OPT    . " on";
        $conf[] = REDIRECT_CHILDREN_OPT  . " " . REDIRECTOR_PROCESS_COUNT;

To

        $conf[] = REDIRECT_BYPASS_OPT    . " off";
        $conf[] = REDIRECT_CHILDREN_OPT  . " 10";

Nachtfalke

@dvserg:

/usr/local/pkg/squidGuard_configurator.inc

function squid_reconfigure($remove_only = '')
Change

        $conf[] = REDIRECT_BYPASS_OPT    . " on";
        $conf[] = REDIRECT_CHILDREN_OPT  . " " . REDIRECTOR_PROCESS_COUNT;

To

        $conf[] = REDIRECT_BYPASS_OPT    . " off";
        $conf[] = REDIRECT_CHILDREN_OPT  . " 10";

I have change this:
To

        $conf[] = REDIRECT_BYPASS_OPT    . " off";
        $conf[] = REDIRECT_CHILDREN_OPT  . " 10";

to this:
To

        $conf[] = REDIRECT_BYPASS_OPT    . " off";
        $conf[] = REDIRECT_CHILDREN_OPT  . " 10;";

So there is a "semicolon" at the end of the line.

@dvserg
Could this "fix" find a way into this/your package or did you intend something else with these options and this is just a workaround ?

dvserg

This is work around
Possible this issue will be fixed by one next updates

shalib2

i have changed the same but today i checked my squidguard log file i found my squidguard is stopped  due to some bypass attempt, my log file shows,

2011-07-13 20:03:51 [33349] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2009/12/10/fmimg7057826075603831996.png
2011-07-13 20:03:51 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2009/08/11/fmimg4816987111104018507.png
2011-07-13 20:03:51 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2009/11/14/fmimg631194890240589824.png
2011-07-13 20:03:51 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2010/09/03/fmimg7018928402934970340_32x32.png
2011-07-13 20:03:51 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2010/03/25/fmimg4808689534763265321.png
2011-07-13 20:03:51 [33349] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2010/04/29/fmimg1657085450203353602.png
2011-07-13 20:03:51 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://i.i.com.com/cnwk.1d/i/tim//2010/05/30/fmimg7126535568390505567.png
2011-07-13 20:19:29 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://ds.serving-sys.com/BurstingRes///Site-19462/Type-0/2a4601c7-0ff0-43fd-b256-db
dfd620cc0c.gif
2011-07-13 20:37:15 [33347] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-13 20:37:15 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-13 20:39:56 [33347] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-13 20:39:58 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-13 20:42:14 [33352] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-13 20:42:15 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-13 20:42:58 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-13 20:42:59 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-13 21:22:12 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-13 21:22:13 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-13 21:28:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://ocsp.godaddy.com//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBRwKSJ2U38avI/VPJSE6RTLdioFKgQ
U/axhMpNsRdbi7oVfmrrndplozOcCBwfwPGwIHj8=
2011-07-13 21:30:54 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://ocsp.godaddy.com//MEgwRjBEMEIwQDAJBgUrDgMCGgUABBRwKSJ2U38avI/VPJSE6RTLdioFKgQ
U/axhMpNsRdbi7oVfmrrndplozOcCB0tSfAeDMk8=
2011-07-13 21:32:45 [33346] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33354] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33356] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33355] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33352] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33347] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33349] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33358] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33353] Info: recalculating alarm in 5235 seconds
2011-07-13 21:32:45 [33357] Info: recalculating alarm in 5235 seconds
2011-07-13 21:52:13 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://www.dell.com//
2011-07-13 22:07:29 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/image/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/fwimage/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/video/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/link/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/textcolor/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/editsource/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/emoticons/css/editor.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//img/icons.gif
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//css/content.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/emoticons/css/content.css
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/textcolor/img/icons.gif
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/fwimage/img/icons.gif
2011-07-13 22:07:31 [33347] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/video/img/film.png
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/emoticons/img/emoticons.gif
2011-07-13 22:07:31 [33347] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/editsource/img/icons.gif
2011-07-13 22:07:31 [33346] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://static.websimages.com/JS/Punymce//plugins/link/img/icons.gif
2011-07-13 22:20:23 [33346] overflow in vsprintf (sgLogError): Unknown error: 0
2011-07-13 22:20:23 [33346] going into emergency mode
2011-07-13 22:28:00 [33347] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://d13.zedo.com//OzoDB/0/0/0/blank.gif
2011-07-13 23:02:45 [33346] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33354] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33356] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33355] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33352] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33347] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33349] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33358] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33353] Info: recalculating alarm in 3435 seconds
2011-07-13 23:02:45 [33357] Info: recalculating alarm in 3435 seconds
2011-07-14 00:00:02 [33346] ending emergency mode, stdin empty
2011-07-14 00:00:02 [33347] squidGuard stopped (1310581802.440)
2011-07-14 00:00:02 [33349] squidGuard stopped (1310581802.441)
2011-07-14 00:00:02 [33352] squidGuard stopped (1310581802.443)
2011-07-14 00:00:02 [33353] squidGuard stopped (1310581802.444)
2011-07-14 00:00:02 [33354] squidGuard stopped (1310581802.446)
2011-07-14 00:00:02 [33355] squidGuard stopped (1310581802.448)
2011-07-14 00:00:02 [33356] squidGuard stopped (1310581802.449)
2011-07-14 00:00:02 [33357] squidGuard stopped (1310581802.451)
2011-07-14 00:00:02 [33358] squidGuard stopped (1310581802.453)
2011-07-14 00:00:02 [14870] squidGuard 1.3 started (1310581802.690)
2011-07-14 00:00:02 [14870] Info: recalculating alarm in 25198 seconds
2011-07-14 00:00:02 [14870] squidGuard ready for requests (1310581802.750)
2011-07-14 00:00:02 [14872] squidGuard 1.3 started (1310581802.767)
2011-07-14 00:00:02 [14872] Info: recalculating alarm in 25198 seconds
2011-07-14 00:00:02 [14872] squidGuard ready for requests (1310581802.824)
2011-07-14 00:00:03 [14877] squidGuard 1.3 started (1310581803.014)
2011-07-14 00:00:03 [14877] Info: recalculating alarm in 25197 seconds
2011-07-14 00:00:03 [14877] squidGuard ready for requests (1310581803.207)
2011-07-14 00:00:03 [14878] squidGuard 1.3 started (1310581803.034)
2011-07-14 00:00:03 [14878] Info: recalculating alarm in 25197 seconds
2011-07-14 00:00:03 [14878] squidGuard ready for requests (1310581803.276)
2011-07-14 00:00:03 [14875] squidGuard 1.3 started (1310581802.982)
2011-07-14 00:00:03 [14875] Info: recalculating alarm in 25197 seconds
2011-07-14 00:00:03 [14875] squidGuard ready for requests (1310581803.281)
2011-07-14 00:00:03 [14874] squidGuard 1.3 started (1310581803.001)
2011-07-14 00:00:03 [14874] Info: recalculating alarm in 25197 seconds
2011-07-14 00:00:03 [14874] squidGuard ready for requests (1310581803.293)
2011-07-14 07:13:17 [14873] Info: recalculating alarm in 2803 seconds
2011-07-14 07:13:17 [14876] Info: recalculating alarm in 2803 seconds
2011-07-14 07:13:17 [14877] Info: recalculating alarm in 2803 seconds
2011-07-14 07:13:17 [14878] Info: recalculating alarm in 2803 seconds
2011-07-14 07:13:17 [14875] Info: recalculating alarm in 2803 seconds
2011-07-14 07:13:17 [14874] Info: recalculating alarm in 2803 seconds
2011-07-14 07:13:18 [14870] Info: recalculating alarm in 2802 seconds
2011-07-14 07:13:18 [14872] Info: recalculating alarm in 2802 seconds
2011-07-14 07:13:18 [14869] Info: recalculating alarm in 2802 seconds
2011-07-14 07:13:18 [14871] Info: recalculating alarm in 2802 seconds
2011-07-14 08:01:28 [14870] Info: recalculating alarm in 1712 seconds
2011-07-14 08:01:29 [14872] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14869] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14871] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14873] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14876] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14877] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14878] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14875] Info: recalculating alarm in 1711 seconds
2011-07-14 08:01:29 [14874] Info: recalculating alarm in 1711 seconds
2011-07-14 08:15:10 [14875] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-14 08:15:11 [14869] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-14 08:15:44 [14873] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-14 08:15:44 [14869] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-14 08:17:03 [14876] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-menu.png
2011-07-14 08:17:04 [14869] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://jineshpaloor.wordpress.com/wp-content/mu-plugins/grunion-contact-form-2.0//im
ages/grunion-form.png
2011-07-14 08:22:36 [14869] overflow in vsprintf (sgLogError): Unknown error: 0
2011-07-14 08:22:36 [14869] going into emergency mode
2011-07-14 08:30:54 [14872] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:54 [14869] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:54 [14871] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:54 [14873] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:55 [14876] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:55 [14877] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:55 [14878] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:55 [14875] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:55 [14874] Info: recalculating alarm in 30 seconds
2011-07-14 08:30:55 [14870] Info: recalculating alarm in 30 seconds
2011-07-14 08:31:25 [14872] Info: recalculating alarm in 29615 seconds
2011-07-14 08:31:25 [14869] Info: recalculating alarm in 29615 seconds
2011-07-14 08:31:25 [14871] Info: recalculating alarm in 29615 seconds
2011-07-14 08:31:25 [14873] Info: recalculating alarm in 29615 seconds
2011-07-14 08:31:25 [14876] Info: recalculating alarm in 29615 seconds
2011-07-14 08:31:26 [14877] Info: recalculating alarm in 29614 seconds
2011-07-14 08:31:26 [14878] Info: recalculating alarm in 29614 seconds
2011-07-14 08:31:26 [14875] Info: recalculating alarm in 29614 seconds
2011-07-14 08:31:26 [14874] Info: recalculating alarm in 29614 seconds
2011-07-14 08:31:26 [14870] Info: recalculating alarm in 29614 seconds
2011-07-14 09:00:10 [14870] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://c1.zedo.com//ads3/k/1405/982122/1793/1000002/i.js
2011-07-14 09:25:23 [14870] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://c1.zedo.com//ads3/k/1405/972127/1809/1000002/i.js
2011-07-14 09:25:46 [14870] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://c1.zedo.com//ads3/k/1405/986758/2321/1000002/i.js
2011-07-14 09:25:50 [14870] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://c1.zedo.com//ads3/k/1405/986758/2321/1000002/i.js
2011-07-14 09:25:50 [14870] Warning: Possible bypass attempt. Found multiple slashes where only one is expected: http://c1.zedo.com//ads3/k/1405/981135/4369/1000002/i.js
2011-07-14 09:33:49 [10338] squidGuard 1.3 started (1310616229.615)

in the morning  2011-07-14 09:33:49 i stared squidguard its working fine.any idea sir???

shalib2

The actual problem is  squid+squidguard randomly stop filtering and pass all traffic.
(pfsense 1.2.3, squid 2.7.9_4, squidGuard 1.4_3 pkg v.1.9)

I find in filter log this message:

2011-07-14 08:22:36 [14869] overflow in vsprintf (sgLogError): Unknown error: 0
2011-07-14 08:22:36 [14869] going into emergency mode

Please help me sir….

dvserg

Same issue
http://forum.pfsense.org/index.php?topic=26462.25