Custom SquidGuard Error Pages - How to???
-
spiritbreaker,
Thanks again for your help with this. Although your suggestion to use the "int error page (enter error message)" option got me farther than I had been, I now have two issues:
1 - The custom page stops working once I reactivate https on a non-standard port.
2 - The error page is generic and is formatted nothing like what your example image looked like (see my attached sgerror.jgp).
My internal redirect text resembles the following:
https://firewall-ip:port#/sgerror.php?url=https://firewall-ip:port#/firewallblock.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
Am I correct on the formatting of this or do I need to change something? As I said before, when the GUI is set to HTTP on port 80 (and the above link is changed to use HTTP) the page displays as shown in the 1st attachment. When I change the GUI back to HTTPS on a non-standard port, the page goes back to the "https_sgerror.jpg" attachment.
I had read several posts on the issue of internal redirects not working on HTTPS which is why I included that in one of my previous posts. I apologize I should have explained myself better on that…
Also, I have Squid, SquidGuard, and LightSquid functioning.
So, I am still left with a couple of issues as you can see. Any advice on where to go from here?
Thanks again!
-
hi,
ok that looks good ur filter seems to work. Please try to get it to work with http first. i remember some problems with https. Maybe it doesnt work on https.
My Gui is working on a non standard http port. U edit sgerror.php and still get standard block page? hmm post ur sgerror.php.
Plz try to access https://firewall-ip:port#/firewallblock.php from a client. Can u post ur firewall.php?
I will try to configure a test system tomorrow with ur config. U are using Pfsense 1.2.3 with standard LAN WAN setup right?
Cya
EDIT:
Steps to get custom Page to work with transparent proxy with GUI on a http standard and nonstandard port
1. Install squid, Squidguard, Lightsquid Package
2. upload blacklist
3. configure squidguard default rule for blocking categories.
4. test filtering from a client, if standard block page appears u can go further otherwise u have to check config
5. modify /usr/local/www/sgerror.php
delete:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IE displayed self-page, if them size > 1024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
global $err_code;
global $cl;
$str = Array();
header("HTTP/1.1 " . $err_code[$er_code_id]);
$str[] = '';
$str[] = '';
$str[] = 'Request denied by pfSense proxy: ' . $err_code[$er_code_id] . '
';
if ($err_msg) $str[] = " Reason: $err_msg";
$str[] = '
';
if ($cl['a']) $str[] = " Client address: {$cl['a']}
";
if ($cl['n']) $str[] = " Client name: {$cl['n']}
";
if ($cl['i']) $str[] = " Client user: {$cl['i']}
";
if ($cl['s']) $str[] = " Client group: {$cl['s']}
";
if ($cl['t']) $str[] = " Target group: {$cl['t']}
";
if ($cl['u']) $str[] = " URL: {$cl['u']}
";
$str[] = '
';
$str[] = "";
$str[] = "";
return implode("\n", $str);
}
paste: (its simple html)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IE displayed self-page, if them size > 1024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
global $err_code;
global $cl;
$str = Array();
header("HTTP/1.1 " . $err_code[$er_code_id]);
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
if ($cl['n']) $str[] = "Client Name: {$cl['n']} | ";
if ($cl['a']) $str[] = "Client IP: {$cl['a']} | ";
if ($cl['i']) $str[] = "Client User: {$cl['i']} | ";
if ($cl['s']) $str[] = "Group: {$cl['s']} | ";
if ($cl['t']) $str[] = "Category: {$cl['t']} ";
$str[] = '';
$str[] = 'Adresse gesperrt!';
$str[] = '';
if ($err_msg) $str[] = '- '. $err_msg.' -
';
if ($cl['u']) $str[] = "URL: {$cl['u']}
";
$str[] = 'Aufgrund von Zugriffsbeschränkungen ist Ihre Anfrage nicht erlaubt.
Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, daß dies nicht korrekt ist.';
$str[] = '![geblockt](http://'. $_SERVER['HTTP_HOST'] .'/banner.png)
';
$str[] = 'Web Filtering by <a style="color:#FFFFFF;">PfSense</a> and <a style="color:#FFFFFF;">SquidGuard</a>';
$str[] = "";
$str[] = "";
return implode("\n", $str);
}
keep in mind to change picture path if u want to use images in block page
6. restart proxy and squidguard
Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port
redirection to the pfsense box itself fails.
1. u need to put errorpage on an external http server e.g. debian with php installed.
2. create php script and use infos u get from squidguard variables
%a=client_address
%n=client_name
%i=client_user
%s=client_group
%t=target_group
%u=client_url"
3. change default rule to redirect to ext url
example:
http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
hope that helps.
Cya
-
Is there a possibility to have an error page with a reply form integrated? When the client thinks it is an error, he can fill out a little textbox and send his reply. The reply is sent then to an admin with url, category and the client's answer.
I have the problem that most people who contact me by remail forget to add the url so I don't know what they are talking about. :)
Greetings,
Nic
-
spiritbreaker
thanks for the code, I have one issue, sometimes the image doesn't load, I can manually go to the location where the file is i.e 192.168.10.20/banner.png and it displays. After I do that the error page displays the image. it seems to need to be preloaded, true? any ideas?
-
How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).
this is the code for the picture, but it don't show
**$str[] = '
';**
-
spiritbreaker
I know it has been a while since this topic was created, however I am once again able to take a look at this. I modified the sgerror.php per your instructions and uploaded it to my pfSense box. Since I am using HTTPS on a non-standard port I have enabled the "ext url error page (enter URL)" option and specified a page on our external web server:
http://www.mydomainname.com/errorpage.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
The data is being sent but I am not really sure how this external page should be coded. Below is what you said to do, but I guess I need another nudge in the right direction…
Thanks again for your help!

Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port
redirection to the pfsense box itself fails.
1. u need to put errorpage on an external http server e.g. debian with php installed.
2. create php script and use infos u get from squidguard variables
%a=client_address
%n=client_name
%i=client_user
%s=client_group
%t=target_group
%u=client_url"
3. change default rule to redirect to ext url
example:
http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
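
One way to code the external page from step 2, as an added example that is not from any poster in this thread: it reads the SquidGuard variables from the query string, HTML-escapes each one before output (the blocked URL and the client fields are request-controlled) and answers with a 403. The file name block.php, the helper names and the sample values are assumptions, and it assumes the redirect URL has a `?` before the first parameter (block.php?a=%a&...), because PHP only fills $_GET from the query string.

```php
<?php
// block.php: added example, not code from this thread (names are assumptions).
// Expects a redirect such as .../block.php?a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

// Every SquidGuard variable arrives in the query string and is influenced by
// the client or the blocked site: cap its length and HTML-escape it.
function sg_field(array $query, string $key, int $max = 2048): string
{
    $value = $query[$key] ?? '';
    if (!is_string($value)) {          // e.g. ?a[]=x arrives as an array
        return '';
    }
    return htmlspecialchars(substr($value, 0, $max),
        ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_block_page(array $query): string
{
    $labels = ['n' => 'Client Name', 'a' => 'Client IP', 'i' => 'Client User',
               's' => 'Group', 't' => 'Category'];
    $details = [];
    foreach ($labels as $key => $label) {
        $value = sg_field($query, $key, 255);
        if ($value !== '') {
            $details[] = "$label: $value";
        }
    }
    $url = sg_field($query, 'u');      // shown as text only, never as a link

    return "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
        . "<title>Website has been blocked.</title></head><body>\n"
        . '<p>' . implode(' | ', $details) . "</p>\n"
        . "<h1>Access Denied!</h1>\n"
        . "<p>The following website has been blocked.<br>URL: $url</p>\n"
        . "<p>If you believe this page was blocked in error please contact"
        . " the IT department.</p>\n</body></html>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input for an offline check: php block.php
    echo render_block_page(['a' => '192.0.2.10', 't' => 'blk_BL_adv',
        'u' => 'http://example.test/?q="><script>alert(1)</script>']);
} else {
    http_response_code(403);
    header('Content-Type: text/html; charset=utf-8');
    header("Content-Security-Policy: default-src 'none'");
    echo render_block_page($_GET);
}
```

Running it from the command line prints the page for the constructed input, with the markup in the sample URL rendered as inert text.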
-
I recently had to do this as well and this thread helped me get going in the correct direction. So I'll contribute back with what I put together.
I'm using the vhost package to host the block redirect site on the pfsense box. Then I used jQuery to only display the block page if the blocked element was over a certain size. This way I can let Squidguard block ads without cluttering a website with the block page. In addition to the files below you'll need jQuery 1.5 and the parsequery plugin. Feel free to customize them as you need.
index.html
<title>Website has been blocked.</title>
filter.css
@CHARSET "UTF-8";
body {
    background-color: #ffffff;
    font-family: verdana, arial, sans-serif;
}

div.outer {
    width: 70%;
    margin: 20px auto;
}

div.header {
    padding: 10px;
    background-color: #c0c0c0;
    text-align: right;
    font-size: 60%;
}

div.footer {
    padding: 5px;
    background-color: #c0c0c0;
    text-align: right;
    font-size: 60%;
}

div.inner {
    text-align: center;
    background-color: #f4f4f4;
    padding: 20px;
}

div.msg {
    padding: 20px;
    margin-top: 20px;
    background-color: #e2e2e2;
    color: black;
    font-size: 80%;
}

div.error {
    letter-spacing: 0.5em;
    word-spacing: 1em;
    padding: 20px;
    background-color: #ff0000;
    color: white;
    font-size: 200%;
    font-weight: bold;
}

lg_block.php
if ($_GET['n']) $details[] = "Client Name: {$_GET['n']}";
if ($_GET['a']) $details[] = "Client IP: {$_GET['a']}";
if ($_GET['i']) $details[] = "Client User: {$_GET['i']}";
if ($_GET['s']) $details[] = "Group: {$_GET['s']}";
if ($_GET['t']) $details[] = "Category: {$_GET['t']}";
$details = implode(" | ", $details);
?>
Access Denied!
The following website has been blocked.
URL: %s", $_GET['u'], $_GET['u']);?>
If you believe this page was blocked in error please contact the IT department.
Web Filtering by pfSense and SquidGuard
-
Hi,
How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).
this is the code for the picture, but it don't show
$str[] = '
';
u cant use localhost because the client dont have the image :D
1. line should be like this:
$str[] = '
![geblockt](http://'. $_SERVER['HTTP_HOST'] .'/A.png)
';
2. dont forget to create a destination rule to grant access to the picture from clients.
can u post a screenshot of ur page? :D
cya
-
Ok attached is a screen shot of the block page. It looks very similar to what was posted earlier.
-
Thank you 3dinfluence for posting your code. It really makes the page look official.
I did have to change my squidguard redirect mode from "ext url redirect" to "ext url move". I found both move and found worked, but redirect and err page would not input the variables into the url.
thanks.
-
I don't recall the redirect mode I was using but I believe I was using "ext url move". I stopped using Squid and Squid Guard for the time being due to some issues with dual wan configurations. But I just tried the different modes until one worked :).
-
Dear all…
i've some request here, how can i put pop-up when user entering the error page?
this my page that has been customized.
-
The code not working in 2.0 RC1 version….how can i edit that?
-
Anyone having issues of it SquidGuard not redirecting properly?
For example I have Squid + SquidGuard + LightSquid installed and I cant get the error removed when blocking ads
I've added 'sgerror.php?url=blank_img' into the redirect info but im still getting the black text in ad spots that say 'ERROR - The requested URL could not be retrieved' along with the url of the ad and saying access denied.
Anyways, just wondering if there is a way to show a blank img for these ad block errors.
Thanks.
-
Thanks everyone for this how to. I read this thread and I managed to customize the squidguard error page. nutt318, I also modified the squidguard.conf file to put a blank image instead of ads. Here is part of my squidguard.conf file

dest blk_BL_adv {
    domainlist blk_BL_adv/domains
    urllist blk_BL_adv/urls
    redirect http://[PFSENSE_IP]/sgerror.php?url=blank_img
}

This modification works great for me ;D
-
Hey Saxonbeta,
Where did you find the squidguard.conf file at? I've been looking and haven't found it anywhere.
Thanks
-
It should be in /usr/local/etc/squidGuard/squidGuard.conf. If you are going to directly modify this file, first make all modifications you need to the proxy filter configurations, press SAVE and APPLY and then modify the squidGuard.conf.
To restart the proxy filter service and load your new configuration go to STATUS>Services, and restart Squid.
Cheers…
-
Ok, I've added your code to the squidGuard.conf file and restarted squidGuard service. However I'm guessing there is something else I need to do within the configuration page for Squid. Is that correct?
-
Well now for some reason my squidGuard.conf file looks like this.
Not sure what happened.

# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================

logdir /var/squidGuard/log
dbhome /var/db/squidGuard

#
rew safesearch {
    s@(google\..*/search?.*q=.*)@\1\&safe=active@i
    s@(google\..*/images.*q=.*)@\1\&safe=active@i
    s@(google\..*/groups.*q=.*)@\1\&safe=active@i
    s@(google\..*/news.*q=.*)@\1\&safe=active@i
    s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
    s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
    s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
    s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
    s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
}

#
acl {
    #
    default {
        pass !in-addr all
        redirect http://MYLOCALIP:80/sgerror.php?url=403%20If%20you%20feel%20that%20you%20need%20access%20to%20this%20page%20please%20contact%20Admin%40domain.com&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}
-
Well, if you mess up your configuration, you can just press the Save and Apply buttons in the squidguard configuration page. It seems that you enabled the safesearch option (rew safesearch in your config file). On the other hand, have you ever updated your blacklist? Because there aren't any dest options in your file, here is my squidguard.conf file:

# ============================================================
# SquidGuard configuration file
# This file generated automaticly with SquidGuard configurator
# (C)2006 Serg Dvoriancev
# email: dv_serg@mail.ru
# ============================================================

logdir /var/squidGuard/log
dbhome /var/db/squidGuard

#
dest blk_BL_adv {
    domainlist blk_BL_adv/domains
    urllist blk_BL_adv/urls
    redirect http://[pfsense_ip]:81/sgerror.php?url=blank_img
}

#
dest blk_BL_aggressive {
    domainlist blk_BL_aggressive/domains
    urllist blk_BL_aggressive/urls
}

#
dest blk_BL_alcohol {
    domainlist blk_BL_alcohol/domains
    urllist blk_BL_alcohol/urls
}

#Several "dest" options....

#
rew safesearch {
    s@(google\..*/search?.*q=.*)@\1\&safe=active@i
    s@(google\..*/images.*q=.*)@\1\&safe=active@i
    s@(google\..*/groups.*q=.*)@\1\&safe=active@i
    s@(google\..*/news.*q=.*)@\1\&safe=active@i
    s@(yandex\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
    s@(search\.yahoo\..*/search.*p=.*)@\1\&vm=r&v=1@i
    s@(search\.live\..*/.*q=.*)@\1\&adlt=strict@i
    s@(search\.msn\..*/.*q=.*)@\1\&adlt=strict@i
    s@(\.bing\..*/.*q=.*)@\1\&adlt=strict@i
}

#
acl {
    #
    default {
        pass !blk_BL_adv all
        redirect http://[pfsense_ip]:81/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    }
}

I use the shallalist.de blacklist.
-