Custom SquidGuard Error Pages - How to???



  • This question is based on information gathered from this post:
    http://forum.pfsense.org/index.php/topic,9519.0.html

    My issue is that I am using Squid as a transparent proxy and therefore cannot use any of the “int” redirect methods.  I am by no means a web guy.  I am trying to figure out how I can have pfSense redirect a user to an external page (maybe even on the pfSense box itself) that will show them a message that the page they attempted to access is blocked but also be able to use the variables in the above post to tell them why:
    “variables supported by squidGuard:
    #        %a=client_address
    #        %n=client_name
    #        %i=client_user
    #        %s=client_group
    #        %t=target_group
    #        %u=client_url”

    I would like to brand this page as well with our logo, just to make it bit more official.  As I said before, I am not a web guy, so please assume I am a “beginner” and give me as much details as you have patience for!

    If you were feeling extra generous, I would love to know how I can make some kind of “email me” ability so the users can just send the data directly to me with a request to unblock and I can take it from there…

    Thanks!



  • Look /usr/local/www/sgerror.php. You can change this file how you want.



  • dsverg,

    Thank you for pointing me to this file.  However, as I said, I am basically a beginner and do not really know what to do with this file to make my error pages function.  Is there any additional help you can provide or any of the forum visitors have any wisdom they would like to share?

    Thanks!



  • Hi thekITchen,

    u need to modify the part which generate the errorpage. As u can see I take and modify block message of Urlfilter, an Ipcop Extension. http://www.urlfilter.net/screenshots-ipcop14.html

    Screenshot -> Attachment

    sgerror.php```

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    IE displayed self-page, if them size > 1024

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    function get_error_page($er_code_id, $err_msg=’’) {
           global $err_code;
           global $cl;
           $str = Array();

    header("HTTP/1.1 " . $err_code[$er_code_id]);
    $str[] = ‘’;
           $str[] = ‘’;
    $str[] = ‘’;
           $str[] = ‘’;
    $str[] = ‘’;
    $str[] = ‘’;
                   if ($cl[‘n’])        $str[] = "Client Name: {$cl[‘n’]} | ";
                   if ($cl[‘a’])        $str[] = "Client IP: {$cl[‘a’]} | ";
                   if ($cl[‘i’])        $str[] = "Client User: {$cl[‘i’]} | ";
                   if ($cl[‘s’])        $str[] = "Group: {$cl[‘s’]} | ";
                   if ($cl[‘t’])        $str[] = "Category: {$cl[‘t’]} ";
    $str[] = ‘’;

     $str[] = 'Adresse gesperrt!';
     $str[] = '';
     if ($err_msg) $str[] = '
    
    • ‘. $err_msg.’ -

    ';
    if ($cl[‘u’])        $str[] = "

    URL: {$cl[‘u’]}

    ";
    $str[] = ’

    Aufgrund von Zugriffsbeschränkungen ist Ihre Anfrage nicht erlaubt.
    Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, daß dies nicht korrekt ist.

    ';
     $str[] = ’

    ![geblockt](http://’. $_SERVER[‘HTTP_HOST’] .’/banner.png)

    ';
           $str[] = ‘Web Filtering by <a style=“color:#FFFFFF;”>PfSense</a> and <a style=“color:#FFFFFF;”>SquidGuard</a>’;
           $str[] = “”;
           $str[] = “”;

    return implode("\n", $str);
    }

    
    If u want to use image on errorpage u need to put it on a  another Webserver or pfsense box itself. Dont forget to grant access to this resource on every ACL and default rule. Therefor u need to create new destination in proxy filter like this:
    
    sgerrorimages         "Ip Adress proxy is bind to)"/banner.png
    
    This line is for image (from code above):
    
    src="http://'. $_SERVER['HTTP_HOST'] .'/banner.png
    
    Variable $_SERVER['HTTP_HOST'] contains PFSENSE IP Adress. Create an image and put it into /usr/local/www, in my case banner.png.
    
    Are there any other Ressources for Custom Error pages?
    
    Cya.
    
    ![blocked.png_thumb](/public/_imported_attachments_/1/blocked.png_thumb)
    ![blocked.png](/public/_imported_attachments_/1/blocked.png)


  • spiritbreaker,

    Thank you for your detailed response.  I only plan to have one page for the block message at this time.  It seems like quite a bit to go through for something that seems so simple.  Maybe a good feature to add to pfSense at some point is a custom error page generator.  (Not really sure how much that entails…may be unrealistic.)  Anyway, when I can get back to this issue I will see if I can make something work out of the information you have given me.

    I will be in touch…!



  • I am unsure what portions I need to change to make this work.  Can you give me an example of how to configure the code so that I can have the error page sit on my pfSense box and be displayed to the user from there?  Format is not important, php, html, whatever…I would just like it to function.

    Many thanks for all the help!



  • Hi thekITchen,

    all u need for a custom block page on PfSense i posted before.
    Ur redirect mode should be “int error page (enter error message)” to get custom error page to work.

    sry but i need more information about ur pfsense installation.

    1. squid and squidguard and lightsquid, for reports, installed and working?
    2. squidguard blacklist updated and working with standard int errorpage?

    My issue is that I am using Squid as a transparent proxy and therefore cannot use any of the “int” redirect methods

    why not? the transparent proxy trys to get the “client URL” and is redirected to squidguard. filtering should work.

    can u see some proxy activity in proxy report? (lightsquid)

    Cya



  • spiritbreaker,

    Thanks again for your help with this.  Although your suggestion to use the “int error page (enter error message)” option got me farther than I had been, I now have two issues:

    1 - The custom page stops working once I reactivate https on a non-standard port.

    2 - The error page is generic and is formatted nothing like what your example image looked like (see my attached sgerror.jgp).

    My internal redirect text resembles the following:
    https://firewall-ip:port#/sgerror.php?url=https://firewall-ip:port#/firewallblock.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    Am I correct on the formatting of this or do I need to change something?

    As I said before, when the GUI is set to HTTP on port 80 (and the above link is changed to use HTTP) the page displays as shown in the 1st attachment.  When I change the GUI back to HTTPS on a non-standard port, the page goes back to the “https_sgerror.jpg” attachment.

    I had read several posts on the issue of internal redirects not working on HTTPS which is why I included that in one of my previous posts.  I apologize I should have explained myself better on that…

    Also, I have Squid, SquidGuard, and LightSquid functioning.

    So, I am still left with a couple of issues as you can see.  Any advice on where to go from here?

    Thanks again!






  • hi,

    ok that looks good ur filter seems to work. Please try to get it work with http first. i remenber some problems with https. Maybe it doesnt work on https.
    My Gui workin on no standard http port.

    U edit sgerror.php and still get standard block page? hmm post ur sgerror.php.

    Plz try to access https://firewall-ip:port#/firewallblock.php from a client. Can u post ur firewall.php?

    I will try to configure a test system tommorow with ur config.  U are using Pfsense 1.2.3 with standard LAN WAN setup right?

    Cya

    EDIT:

    Steps to get custom Page to work with transparent proxy with GUI on a http standard and nonstandard port
    1. Install squid, Squidguard, Lightsquid Pakage
    2. upload blacklist
    3. configure squidguard default rule for blocking categories.
    4. test filtering from a client, if standard block page appears u can go further otherwise u have to check config
    5. modify /usr/local/www/sgerror.php

    delete:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    IE displayed self-page, if them size > 1024

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    function get_error_page($er_code_id, $err_msg=’’) {
           global $err_code;
           global $cl;
           $str = Array();

    header("HTTP/1.1 " . $err_code[$er_code_id]);

    $str[] = ‘’;
           $str[] = ‘’;
           $str[] = ’

    Request denied by pfSense proxy: ’ . $err_code[$er_code_id] . ’

    ';
           if ($err_msg) $str[] = " Reason: $err_msg";
           $str[] = ’


    ';
           if ($cl[‘a’])        $str[] = " Client address: {$cl[‘a’]}
    ";
           if ($cl[‘n’])        $str[] = " Client name: {$cl[‘n’]}
    ";
           if ($cl[‘i’])        $str[] = " Client user: {$cl[‘i’]}
    ";
           if ($cl[‘s’])        $str[] = " Client group: {$cl[‘s’]}
    ";
           if ($cl[‘t’])        $str[] = " Target group: {$cl[‘t’]}
    ";
           if ($cl[‘u’])        $str[] = " URL: {$cl[‘u’]}
    ";
           $str[] = ’


    ';
           $str[] = “”;
           $str[] = “”;

    return implode("\n", $str);
    }

    paste: (its simple html)

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    IE displayed self-page, if them size > 1024

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    function get_error_page($er_code_id, $err_msg=’’) {
           global $err_code;
           global $cl;
           $str = Array();

    header("HTTP/1.1 " . $err_code[$er_code_id]);
    $str[] = ‘’;
           $str[] = ‘’;
    $str[] = ‘’;
           $str[] = ‘’;
    $str[] = ‘’;
    $str[] = ‘’;
                   if ($cl[‘n’])        $str[] = "Client Name: {$cl[‘n’]} | ";
                   if ($cl[‘a’])        $str[] = "Client IP: {$cl[‘a’]} | ";
                   if ($cl[‘i’])        $str[] = "Client User: {$cl[‘i’]} | ";
                   if ($cl[‘s’])        $str[] = "Group: {$cl[‘s’]} | ";
                   if ($cl[‘t’])        $str[] = "Category: {$cl[‘t’]} ";
    $str[] = ‘’;

    $str[] = ‘Adresse gesperrt!’;
    $str[] = ‘’;
    if ($err_msg) $str[] = ’

    • ‘. $err_msg.’ -

    ';
    if ($cl[‘u’])        $str[] = "

    URL: {$cl[‘u’]}

    ";
    $str[] = ’

    Aufgrund von Zugriffsbeschränkungen ist Ihre Anfrage nicht erlaubt.
    Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, daß dies nicht korrekt ist.

    ';
     $str[] = ’

    ![geblockt](http://’. $_SERVER[‘HTTP_HOST’] .’/banner.png)

    ';
           $str[] = ‘Web Filtering by <a style=“color:#FFFFFF;”>PfSense</a> and <a style=“color:#FFFFFF;”>SquidGuard</a>’;
           $str[] = “”;
           $str[] = “”;

    return implode("\n", $str);
    }

    keep in mind to change picture path if u want to use images in block page

    6. restart proxy and squidguard

    Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port

    redirection to the pfsense box itself fails.

    1. u need to put errorpage on an external http server z.b debian with php installed.
    2. create php script and use infos u get from squidguard variables

    %a=client_address

    %n=client_name

    %i=client_user

    %s=client_group

    %t=target_group

    %u=client_url"

    3. change default rule to redirect to ext url

    example:
    http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

    hope that helps.

    Cya



  • Is there a possibility to have an error page with a reply form integrated? When the client thinks it is an error, he can fill out a little textbox and send his reply. The reply is sent then to an admin with url, category and the client’s answer.

    I have the problem that most people who contact me by remail forget to add the url so I don’t know what they are talking about. 🙂

    Greetings,

    Nic



  • spiritbreaker

    thanks for the code, I have one issue, some times the image doesn’t load, I can manually go to the location were the file is i.e 192.168.10.20/banner.png and it displays. After I do that the error page displays the image. it seems to need to be preloaded, true? any ideas?



  • How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).

    this is the code for the picture, but it don’t show

    **$str[] = ’

    ';**



  • spiritbreaker

    I know it has been a while since this topic was created, however I am once again able to take a look at this.  I modified the sgerror.php per your instructions and uploaded it to my pfSense box.  Since I am using HTTPS on a non-standard port I have enabled the “ext url error page (enter URL)” option and specified a page on our external web server:

    http://www.mydomainname.com/errorpage.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

    The data is being sent but I am not really sure how this external page should be coded.  Below is what you said to do, but I guess I need another nudge in the right direction…
    Thanks again for you help!

    Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port
    
    redirection to the pfsense box itself fails.
    
    1\. u need to put errorpage on an external http server z.b debian with php installed.
    _2\. create php script and use infos u get from squidguard variables
    
    #        %a=client_address
    #        %n=client_name
    #        %i=client_user
    #        %s=client_group
    #        %t=target_group
    #        %u=client_url"_
    
    3\. change default rule to redirect to ext url
    
    example:
    http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u


  • I recently had to do this as well and this thread helped me get going in the correct direction.  So I’ll contribute back with what I put together.

    I’m using the vhost package to host the block redirect site on the pfsense box.  Then I used jQuery to only display the block page if the blocked element was over a certain size.  This way I can let Squidguard block ads without cluttering a website with the block page.  In addition to the files below you’ll need jQuery 1.5 and the parsequery plugin.  Feel free to customize them as you need.

    index.html

    <title>Website has been blocked.</title>

    filter.css

    @CHARSET “UTF-8”;

    body {
       background-color: #ffffff;
       font-family: verdana, arial, sans serif;
    }

    div.outer {
       width: 70%;
       margin: 20px auto;
    }

    div.header {
       padding: 10px;
       background-color: #c0c0c0;
       text-align: right;
       font-size: 60%;
    }

    div.footer {
       padding: 5px;
       background-color: #c0c0c0;
       text-align: right;
       font-size: 60%;
    }

    div.inner {
       text-align: center;
       background-color: #f4f4f4;
       text-align: center;
       padding: 20px;
    }

    div.msg {
       padding: 20px;
       margin-top: 20px;
       background-color: #e2e2e2;
       color: black;
       font-size: 80%;
    }

    div.error {
       letter-spacing: 0.5em;
       word-spacing: 1em;
       padding: 20px;
       background-color: #ff0000;
       color: white;
       font-size: 200%;
       font-weight: bold;
    }

    lg_block.php

    if ($_GET[‘n’])        $details[] = “Client Name: {$_GET[‘n’]}”;
    if ($_GET[‘a’])        $details[] = “Client IP: {$_GET[‘a’]}”;
    if ($_GET[‘i’])        $details[] = “Client User: {$_GET[‘i’]}”;
    if ($_GET[‘s’])        $details[] = “Group: {$_GET[‘s’]}”;
    if ($_GET[‘t’])   $details[] = “Category: {$_GET[‘t’]}”;
    $details = implode(" | ", $details);
    ?>

    Access Denied!

    The following website has been blocked.

    URL: %s", $_GET[‘u’], $_GET[‘u’]);?>

    If you believe this page was blocked in error please contact the IT
    department.

    Web Filtering by pfSense
    and SquidGuard



  • Hi,

    How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).

    this is the code for the picture, but it don’t show

    $str[] = ’

    ';

    u cant use localhost because the client dont have the image 😄

    1. line should be like this:

    $str[] = ’

    ![geblockt](http://’. $_SERVER[‘HTTP_HOST’] .’/A.png)

    2. dont forget to create a destination rule to grant access to the picture from clients.

    @3dinfluence

    can u post a screenshot of ur page? 😄

    cya



  • Ok attached is a screen shot of the block page.  It looks very similar to what was posted earlier.




  • Thank you 3dinfluence for posting your code. It really makes the page look official.

    I did have to change my squidguard redirect mode from “ext url redirect” to “ext url move”. I found both move and found worked, but redirect and err page would not input the variables into the url.

    thanks.



  • I don’t recall the redirect mode I was using but I believe I was using “ext url move”.  I stopped using Squid and Squid Guard for the time being due to some issues with dual wan configurations.  But I just tried the different modes until one worked :).



  • Dear all…

    i’v some request here, how can i put pop-up when user entering the error page?

    this my page that has been customized.



  • The code not working in 2.0 RC1 version….how can i edit that?



  • Anyone having issues of it SquidGuard not redirecting properly?

    For example I have Squid + SquidGuard + LightSquid installed and I cant get the error removed when blocking ads

    I’ve added ‘sgerror.php?url=blank_img’ into the redirect info but im still getting the black text in ad spots that say ‘ERROR - The requested URL could not be retrieved’ along with the url of the ad and saying access denied.

    Anyways, just wondering if there is a way to show a blank img for these ad block errors.

    Thanks.



  • Thanks every one for this how to. I read this thread and I manage to customized the squidguard error page.  nutt318, I also modified the sqidguard.conf file to put a blank image instead of ads. Here is part of my squidguard.conf file

    dest blk_BL_adv {
    	domainlist blk_BL_adv/domains
    	urllist blk_BL_adv/urls
    	redirect http://[PFSENSE_IP]/sgerror.php?url=blank_img
    }
    

    This modification works great for me ;D



  • Hey Saxonbeta,

    Where did you find the squidguard.conf file at? I’ve been looking at haven’t found it anywhere.

    Thanks



  • It should be in /usr/local/etc/squidGuard/squidGuard.conf. If your are going to directly modified this file, first make all modifications you need to the proxy filter configurations, press SAVE and APPLY and then modify the squidGuard.conf.

    To restart the proxy filter service and load your new configuration go to STATUS>Services, and restart Squid.

    Cheers…



  • Ok, I’ve added your code to the squidGuard.conf file and restarted squidGard service. However I’m guessing there is something else I need to do within the configuration page for Squid. Is that correct?



  • Well now for some reason my squidGuard.conf file looks like this.

    Not sure what happend.

    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    
    #
    rew safesearch {
        s@(google\..*/search?.*q=.*)@\1\&safe=active@i
        s@(google\..*/images.*q=.*)@\1\&safe=active@i
        s@(google\..*/groups.*q=.*)@\1\&safe=active@i
        s@(google\..*/news.*q=.*)@\1\&safe=active@i
        s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
        s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
        s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
        s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
        s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
    }
    
    #
    acl  {
        #
        default  {
            pass !in-addr all
            redirect http://MYLOCALIP:80/sgerror.php?url=403%20If%20you%20feel%20that%20you%20need%20access%20to%20this%20page%20please%20contact%20Admin%40domain.com&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
        }
    }
    


  • Well, if you mess your configuration, you can just press the Save and Apply buttons in the squidguard configuration page. It seems that you enabled the safesearch option (rew safesearch in your config file). In other hand, have you ever updated your blacklist? Because there aren’t dest option in your file, here is my squidguard.conf file:

    
    # ============================================================
    # SquidGuard configuration file
    # This file generated automaticly with SquidGuard configurator
    # (C)2006 Serg Dvoriancev
    # email: dv_serg@mail.ru
    # ============================================================
    
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    
    # 
    dest blk_BL_adv {
    	domainlist blk_BL_adv/domains
    	urllist blk_BL_adv/urls
            redirect http://[pfsense_ip]:81/sgerror.php?url=blank_img
    }
    
    # 
    dest blk_BL_aggressive {
    	domainlist blk_BL_aggressive/domains
    	urllist blk_BL_aggressive/urls
    }
    
    # 
    dest blk_BL_alcohol {
    	domainlist blk_BL_alcohol/domains
    	urllist blk_BL_alcohol/urls
    }
    
    #Several "dest" options....  
    
    # 
    rew safesearch {
    	s@(google\..*/search?.*q=.*)@\1\&safe=active@i
    	s@(google\..*/images.*q=.*)@\1\&safe=active@i
    	s@(google\..*/groups.*q=.*)@\1\&safe=active@i
    	s@(google\..*/news.*q=.*)@\1\&safe=active@i
    	s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
    	s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
    	s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
    	s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
    	s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
    }
    
    # 
    acl  {
    	# 
    	default  {
    		pass !blk_BL_adv all
    		redirect http://[pfsense_ip]:81/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    	}
    }
    
    

    I use the shallalist.de blacklist.


Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy