pfBlocker custom block page to redirect browser
-
23.05.1-Release with pfBlockerNG-devel 3.2.0_6
I want to create a custom block page that will redirect the client's browser to an external website when a page is blocked by pfBlocker. For instance, if a client PC browses to a blocked site, instead of loading the standard pfBlocker block page it would redirect the client browser to some external website.
I've created a simple redirect php page that contains the following <?php header("Location: https://www.msn.com"); ?> but when I select that page in the pfBlockerNG GUI and save the config, I get the error message DNSBL Web Server page is invalid! I've tried redirecting to both https and http sites, same result (msn.com is just an example)
Odd thing is, if I paste that exact code in the dnsbl_active.php file the redirect works fine. The GUI just won't allow me to select a php file that contains that code.
Any suggestions as to how I can accomplish this?
Thanks
-
You have to create a file and place it in the /usr/local/www/pfblockerng/www/ folder
Call it for example "dnsbl_modemade.php".
pfBlocker will allow you to use it, and when selected, it will copy your "dnsbl_modemade.php" over to "dnsbl_active.php".
The example "dnsbl_default.php" file is a file with a PHP extension ... but there is no <php> ....</php> so it's actually just an html file, but PHP can be used of course.
When creating these files : beware of the encoding !!
When I look at my files (using WinSCP SFTP and Notepad++) I see :
Something else :
It's nice to see a "pfBlocker custom block page" when you try to visit a web site that has been DNSBL blocked.
For example, you want to visit google.com, and that host name has been blocked.
What actually happens is : you entered a blocked host name, "google.com".
DNS will do its work :
The browser asks the system's (PC, phone, etc) DNS.
The system (PC, phone, etc) will ask pfSense.
In pfSense, unbound gets to work, and the request gets intercepted by pfBlocker.
pfBlocker will find "google.com" on one of its lists, and returns ... not the 'real' IP of google.com, but the internal web server IP : (default) 10.10.10.1. This answer will be sent back to your system, your browser.
Now, the browser can actually do something : it connects to the IP 10.10.10.1.
Your browser shows the result :
Nice !
Really ??
No, not really.
This page "This website has been blocked by the Network Administrator!" would be a real solution if all web sites were using http and https wasn't a thing / doesn't exist.
Or, it's the other way around : http sites do not exist anymore. They are all https.
And you want them to be https, not http, for reasons I'll not develop here.
Just answer this question :
Do you want to visit your bank's web site over http or https ?
Do you want to visit amazon.com over http or https ?
Do you want to visit actually any site over http or https ?
What does your browser do when it connects to the IP of the site known as "google.com" ?
It will ask the web server for the page and some more stuff.
As it will be a https connection (Google doesn't work over http anyway) the web browser also asks the server : "gimme your certificate".
The web server, as it uses https, says : "ok, here it is".
Look at the details that came with that https://pfsense.home.arpa/pfblockerng/www/dnsbl_active.php.
Does it say : "I am google.com" ? Nope.
You cannot have, nor create, that certificate. Well, you can create one, but nobody, among those that are trusted by your browser, will sign this certificate ***
The final result will be :
A big browser specific error page signalling a https failure (and not the nice pfBlockerng page shown above).
And not the image I've shown above.
Because
https://pfsense.home.arpa/pfblockerng/www/dnsbl_active.php
is not
https://www.google.com
and that is what https is all about.
So, my point of view : this "This website has been blocked by the Network Administrator!" page is useless. It is great for sites that are http only, and these do not exist anymore.
I won't be surprised if the "pfBlockerng Blocked DNS page" functionality will be removed in the future.
*** You could import the CA that you used to create the certificate used by the DNSBL web server, into your browser's "trusted CA". The browser will now trust the certificate.
Still, the browser wants to visit google.com and it obtained an answer from "arpa.home" (or whatever you've setup in pfSense) : it will still flag an error.
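The two certificate checks described in the post above (is the issuer trusted, and does the certificate name the host the browser asked for), as an added example that is not part of the original post or of pfBlockerNG. The certificate dict is constructed sample data, and the wildcard rule is a simplified model of what browsers enforce.

```python
# Added illustration: models the two independent checks a browser makes on
# a server certificate. The certificate dict is CONSTRUCTED sample data in
# the shape returned by ssl.SSLSocket.getpeercert().

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125-style match: exact, or '*' as the left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and needs at least two more
        # labels after it (so "*.com" never matches anything).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName in the cert matches the hostname."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def browser_verdict(cert: dict, requested_host: str, ca_trusted: bool) -> str:
    """Both checks must pass; trusting the CA does not fix a name mismatch."""
    if not ca_trusted:
        return "error: untrusted issuer"
    if not cert_covers(cert, requested_host):
        return "error: name mismatch"
    return "ok"


# Constructed: certificate presented by the DNSBL web server on 10.10.10.1.
DNSBL_CERT = {"subjectAltName": (("DNS", "pfsense.home.arpa"),)}

if __name__ == "__main__":
    for host, trusted in [
        ("www.google.com", False),    # default: issuer unknown to the browser
        ("www.google.com", True),     # CA imported into the browser
        ("pfsense.home.arpa", True),  # visiting the firewall by its own name
    ]:
        print(f"{host:20} ca_trusted={trusted}: "
              f"{browser_verdict(DNSBL_CERT, host, trusted)}")
```
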
-
Thanks for the detailed information. I agree it is nicer to see the pfBlocker block page but in this case there is a specific reason I want to redirect instead of loading a blocked page.
I have saved the custom file dnsbl_redirect.php to /usr/local/www/pfblockerng/www/ using WinSCP. The issue is when I select that file from the pfBlockerng GUI and save the config, I get the DNSBL Web Server page is invalid! error. For troubleshooting purposes I manually copied the redirect code from dnsbl_redirect.php to dnsbl_active.php and it works. If I browse a blocked site, my browser redirects. I'm just not sure why I can't select dnsbl_redirect.php in the pfBlocker GUI without getting an error when I know the code itself does work when manually added to the dnsbl_active.php file.
I also checked the dnsbl_redirect.php file encoding and verified UTF-8. Also tried transferring the file with Filezilla vs WinSCP but same result.
Thanks again
-
@kasey said in pfBlocker custom block page to redirect browser:
I want to redirect instead of loading a blocked page.
So why doesn't your redirect work?
I just created a page
It showed up on the list, I selected it and it replaced the active page with no issue.
The redirect itself works as I would expect.
What does your redirect look like ?
Disclaimer: I redirected to another internal web server that has no external access - so my first redirect is just an http: (proof of concept if you like)
This works with no certificate issue.
<!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Refresh" content="0; url='http://myintserver/display_this.html'" /> </head> </html>
then I changed to point the same page with https
<!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Refresh" content="0; url='https://myintserver/display_this.html'" /> </head> </html>
still no issue
both cases the redirect worked
neither case causes any certificate challenges or issues.
final test I redirected using
<!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Refresh" content="0; url='https://www.google.com'" /> </head> </html>
and when I hit a normally blocked page, google appeared.
changed the selection back to the default --- all good.
-
Perfect! Using your example worked for me as well. I was trying to use a php redirect and when I'd select the file from pfBlocker webGUI it said the file was invalid. I used your html code, substituted my url, selected the file from the GUI and it worked perfectly!
I really appreciate the help with this!
-
if you want to throw a copy of what your php file looked like, I'll take a look and see if I can recreate the original issue.
No worries if it is not available.
If it works don't fix it. ;-)
-
@jrey I don't even have the file anymore, I'm using what you provided and substituted my URL and it's been working perfectly.
Thanks again for your help, really appreciate it!