Netgate Discussion Forum

    SquidGuard custom error pages

      teslamad

      Ok so I have changed my way of thinking but have once again hit another road block. This is VERY frustrating! So I have completely abandoned the idea of multiple static error pages and I am now using what I believe to be pfSense's preferred method, i.e. using the sgerror.php and instead utilizing the variables within to generate the different error messages… Doh!

      Ok so new problem, but same basic topic. I am now trying to make these pages appear at their appropriate times using GroupACLs and the time options. Allow me to explain further. One error page (One ACL Group) is for when the user visits an inappropriate site. The content gets denied and the error message is produced. If however, the content is allowed, I need it to then check the next Group ACL down to determine whether the user is requesting the page within appropriate hours. If they are, it gets allowed. The problem here is that the ACLs are applied on a first = true basis. No matter how many times I have done a flow chart and flipped around the logic, I can't get this to work, which has brought me to the conclusion that maybe I'm trying to use the Group ACLs incorrectly. So this made me think.

      Can I use the common ACL to match appropriateness and the Group ACL to match appropriate time (i.e. business hours) and do this for the same subnet? So far the answer to this is no as each time I test it, as long as one of the Group ACLs match this nullifies the common ACL apparently. All I'm trying to do is get multiple F'n error messages... is that too much to ask?

      Error one: Inappropriate content
      Error two: Outside business hours

      UGH  >:( ???

      Please help

      Andrew Robinson
      Cloud Infrastructure Engineer
      Cisco Systems, Inc

        teslamad

        Bump?

        I hope that's ok. I really need a solution to this before the end of the week.

        Andrew Robinson
        Cloud Infrastructure Engineer
        Cisco Systems, Inc

          dvserg

          Do you read other posts in the forum?
          http://forum.pfsense.org/index.php/topic,41945.0.html

          SquidGuardDoc EN  RU Tutorial
          Localization ru_PFSense

            teslamad

            Ah I didn't see that post. Looks like it's impossible, but at the same time I am only trying to do what klazoid in the post you pointed out does in the first two steps. Seems he got it working too. His first step would be a general block using the common ACL just as I need to do. Then his second block is the time based block. It works for him up to that point. What am I doing different?

            First: My common ACL uses the standard blacklist. For testing purposes, everything is denied by default except search engines. Any other site gets blocked and throws the common ACL error. Then we move to the Group ACL to check the time based policy.

            Second: I only have one other ACL (a Group ACL) that is linked to a time period. The time is from 00:00-08:00 and 20:00-23:59. The "on time" (i.e. left column) of the Group ACL is set to deny everything by default. This should throw the Group ACL's error message stating you are outside business hours and the internet is effectively "turned off". If however you are in the "off time" (i.e. right column of Group ACL) it allows all by default.

            What am I doing wrong here? Again, apparently klazoid got at least this much working in his post. http://forum.pfsense.org/index.php/topic,41945.0.html

            Andrew Robinson
            Cloud Infrastructure Engineer
            Cisco Systems, Inc

              dvserg

              You can't use multiple ACLs for one Source.
              One source = one ACL
              The Common ACL is used for Sources not defined in other ACLs.

              For each ACL there is one error page (for on-time and for out-time). (SquidGuard provides more possibilities, but the GUI has limitations.)
              Also, you can define error pages for self-defined TargetCategories.

              SquidGuardDoc EN  RU Tutorial
              Localization ru_PFSense
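
Added example, not part of the thread and not pfSense-generated output: a hand-written squidGuard.conf fragment laid out as "one source = one ACL", with separate `redirect` targets for the on-time block, the off-time block and one destination category. The source name, subnet, paths and block-page URLs are constructed placeholders; the business-hours window is the inverse of the blocked hours quoted in the thread.

```conf
# Constructed squidGuard.conf fragment. Every name, path, subnet and URL
# below is a placeholder chosen for illustration.
dbhome /var/db/squidGuard

# Business hours, every day (blocked hours in the thread: 00:00-08:00, 20:00-23:59)
time business-hours {
    weekly smtwhfa 08:00-20:00
}

src lan {
    ip 192.168.1.0/24
}

dest inappropriate {
    domainlist blacklist/domains
    urllist    blacklist/urls
    # Error page used when this category is what blocks the request
    redirect http://blockpage.example/denied?reason=inappropriate&url=%u
}

acl {
    # All rules for the "lan" source live in this single ACL.
    # A second ACL for the same source would never be evaluated.
    lan within business-hours {
        pass !inappropriate any
        # Fallback error page for on-time blocks without their own redirect
        redirect http://blockpage.example/denied?reason=policy&url=%u
    } else {
        # Outside business hours: deny everything, with a different error page
        pass none
        redirect http://blockpage.example/denied?reason=after-hours&url=%u
    }

    # Applies only to sources that match no ACL above
    default {
        pass none
        redirect http://blockpage.example/denied?reason=default&url=%u
    }
}
```

The `%u` token is squidGuard's substitution for the requested URL, so the block page can show both the reason and what was requested.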

                teslamad

                First of all, thank you very much for helping me through this. I'm trying to understand your reply.

                First question: What does "For wach" mean? Are you trying to say only one error page for the "out time".

                Second question: What is "SG"? I assume this is maybe the command line since you mentioned the GUI.

                How do you define the error pages for self-defined categories you mentioned. I assume you mean "targets" right?

                Sorry to be so complicated. I really am trying everything I can to get this working. I don't mean to appear like I'm trying to be spoon fed information.

                Andrew Robinson
                Cloud Infrastructure Engineer
                Cisco Systems, Inc

                  dvserg

                  Sorry. I edited my previous post.

                  SquidGuardDoc EN  RU Tutorial
                  Localization ru_PFSense

                    teslamad

                    I have a new thought of how to accomplish my goal. Tell me what you think.

                    **1st - Common ACL to do the regular inappropriate content block using the black list.

                    2nd - Do a target ACL with the time limits (ie no business hours) and make this target ACL a wildcard for any and every domain name. Something like ..***

                    I believe this bypasses the "One source = one ACL" problem

                    I just don't know if you can do this kind of wildcard in the Target ACL. Any thoughts?

                    Andrew Robinson
                    Cloud Infrastructure Engineer
                    Cisco Systems, Inc

                      dvserg

                      What is this, a target ACL?

                      SquidGuardDoc EN  RU Tutorial
                      Localization ru_PFSense

                        teslamad

                        Sorry, I meant "Target Category" and I figured out the wildcard.

                        I made a Time rule for the business hours and a target category with an expression like so: [abcdefghijklmnopqrstuvwxyz] Then I created a Group ACL using this target category. It did in fact work, in that it did block all websites, but I still ran into the same problem where I couldn't use multiple Group ACLs for a single subnet. I think that's what I'm NOT understanding. I can't do multiple filters for a single subnet, which I think is what you may have been trying to tell me long ago.

                        I finally gave up and just created one Group ACL that allows acceptable web content during "on time" and denies everything on the off time. I will just have to deal with the single error message (i.e. users won't know if their request was denied because it was after hours, or because it was inappropriate).

                        I GIVE UP PFSENSE…  :P

                        Andrew Robinson
                        Cloud Infrastructure Engineer
                        Cisco Systems, Inc
