Custom SquidGuard Error Pages - How to???
-
This question is based on information gathered from this post:
http://forum.pfsense.org/index.php/topic,9519.0.htmlMy issue is that I am using Squid as a transparent proxy and therefore cannot use any of the "int" redirect methods. I am by no means a web guy. I am trying to figure out how I can have pfSense redirect a user to an external page (maybe even on the pfSense box itself) that will show them a message that the page they attempted to access is blocked but also be able to use the variables in the above post to tell them why:
"variables supported by squidGuard:
# %a=client_address
# %n=client_name
# %i=client_user
# %s=client_group
# %t=target_group
# %u=client_url"I would like to brand this page as well with our logo, just to make it bit more official. As I said before, I am not a web guy, so please assume I am a "beginner" and give me as much details as you have patience for!
If you were feeling extra generous, I would love to know how I can make some kind of "email me" ability so the users can just send the data directly to me with a request to unblock and I can take it from there…
Thanks!
-
Look /usr/local/www/sgerror.php. You can change this file how you want.
-
dsverg,
Thank you for pointing me to this file. However, as I said, I am basically a beginner and do not really know what to do with this file to make my error pages function. Is there any additional help you can provide or any of the forum visitors have any wisdom they would like to share?
Thanks!
-
Hi thekITchen,
u need to modify the part which generate the errorpage. As u can see I take and modify block message of Urlfilter, an Ipcop Extension. http://www.urlfilter.net/screenshots-ipcop14.html
Screenshot -> Attachment
sgerror.php```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IE displayed self-page, if them size > 1024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
global $err_code;
global $cl;
$str = Array();header("HTTP/1.1 " . $err_code[$er_code_id]);
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
if ($cl['n']) $str[] = "Client Name: {$cl['n']} | ";
if ($cl['a']) $str[] = "Client IP: {$cl['a']} | ";
if ($cl['i']) $str[] = "Client User: {$cl['i']} | ";
if ($cl['s']) $str[] = "Group: {$cl['s']} | ";
if ($cl['t']) $str[] = "Category: {$cl['t']} ";
$str[] = '';$str[] = 'Adresse gesperrt!'; $str[] = ''; if ($err_msg) $str[] = '
- '. $err_msg.' -
';
if ($cl['u']) $str[] = "URL: {$cl['u']}
";
$str[] = 'Aufgrund von Zugriffsbeschränkungen ist Ihre Anfrage nicht erlaubt.
Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, daß dies nicht korrekt ist.';
$str[] = '![geblockt](http://'. $_SERVER['HTTP_HOST'] .'/banner.png)
';
$str[] = 'Web Filtering by <a style="color:#FFFFFF;">PfSense</a> and <a style="color:#FFFFFF;">SquidGuard</a>';
$str[] = "";
$str[] = "";return implode("\n", $str);
}If u want to use image on errorpage u need to put it on a another Webserver or pfsense box itself. Dont forget to grant access to this resource on every ACL and default rule. Therefor u need to create new destination in proxy filter like this: sgerrorimages "Ip Adress proxy is bind to)"/banner.png This line is for image (from code above): src="http://'. $_SERVER['HTTP_HOST'] .'/banner.png Variable $_SERVER['HTTP_HOST'] contains PFSENSE IP Adress. Create an image and put it into /usr/local/www, in my case banner.png. Are there any other Ressources for Custom Error pages? Cya. ![blocked.png_thumb](/public/_imported_attachments_/1/blocked.png_thumb) ![blocked.png](/public/_imported_attachments_/1/blocked.png)
-
spiritbreaker,
Thank you for your detailed response. I only plan to have one page for the block message at this time. It seems like quite a bit to go through for something that seems so simple. Maybe a good feature to add to pfSense at some point is a custom error page generator. (Not really sure how much that entails…may be unrealistic.) Anyway, when I can get back to this issue I will see if I can make something work out of the information you have given me.
I will be in touch...!
-
I am unsure what portions I need to change to make this work. Can you give me an example of how to configure the code so that I can have the error page sit on my pfSense box and be displayed to the user from there? Format is not important, php, html, whatever…I would just like it to function.
Many thanks for all the help!
-
Hi thekITchen,
all u need for a custom block page on PfSense i posted before.
Ur redirect mode should be "int error page (enter error message)" to get custom error page to work.sry but i need more information about ur pfsense installation.
1. squid and squidguard and lightsquid, for reports, installed and working?
2. squidguard blacklist updated and working with standard int errorpage?My issue is that I am using Squid as a transparent proxy and therefore cannot use any of the "int" redirect methods
why not? the transparent proxy trys to get the "client URL" and is redirected to squidguard. filtering should work.
can u see some proxy activity in proxy report? (lightsquid)
Cya
-
spiritbreaker,
Thanks again for your help with this. Although your suggestion to use the "int error page (enter error message)" option got me farther than I had been, I now have two issues:
1 - The custom page stops working once I reactivate https on a non-standard port.
2 - The error page is generic and is formatted nothing like what your example image looked like (see my attached sgerror.jgp).
My internal redirect text resembles the following:
https://firewall-ip:port#/sgerror.php?url=https://firewall-ip:port#/firewallblock.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
Am I correct on the formatting of this or do I need to change something?As I said before, when the GUI is set to HTTP on port 80 (and the above link is changed to use HTTP) the page displays as shown in the 1st attachment. When I change the GUI back to HTTPS on a non-standard port, the page goes back to the "https_sgerror.jpg" attachment.
I had read several posts on the issue of internal redirects not working on HTTPS which is why I included that in one of my previous posts. I apologize I should have explained myself better on that…
Also, I have Squid, SquidGuard, and LightSquid functioning.
So, I am still left with a couple of issues as you can see. Any advice on where to go from here?
Thanks again!
-
hi,
ok that looks good ur filter seems to work. Please try to get it work with http first. i remenber some problems with https. Maybe it doesnt work on https.
My Gui workin on no standard http port.U edit sgerror.php and still get standard block page? hmm post ur sgerror.php.
Plz try to access https://firewall-ip:port#/firewallblock.php from a client. Can u post ur firewall.php?
I will try to configure a test system tommorow with ur config. U are using Pfsense 1.2.3 with standard LAN WAN setup right?
Cya
EDIT:
Steps to get custom Page to work with transparent proxy with GUI on a http standard and nonstandard port
1. Install squid, Squidguard, Lightsquid Pakage
2. upload blacklist
3. configure squidguard default rule for blocking categories.
4. test filtering from a client, if standard block page appears u can go further otherwise u have to check config
5. modify /usr/local/www/sgerror.phpdelete:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IE displayed self-page, if them size > 1024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
global $err_code;
global $cl;
$str = Array();header("HTTP/1.1 " . $err_code[$er_code_id]);
$str[] = '';
$str[] = '';
$str[] = 'Request denied by pfSense proxy: ' . $err_code[$er_code_id] . '
';
if ($err_msg) $str[] = " Reason: $err_msg";
$str[] = '
';
if ($cl['a']) $str[] = " Client address: {$cl['a']}
";
if ($cl['n']) $str[] = " Client name: {$cl['n']}
";
if ($cl['i']) $str[] = " Client user: {$cl['i']}
";
if ($cl['s']) $str[] = " Client group: {$cl['s']}
";
if ($cl['t']) $str[] = " Target group: {$cl['t']}
";
if ($cl['u']) $str[] = " URL: {$cl['u']}
";
$str[] = '
';
$str[] = "";
$str[] = "";return implode("\n", $str);
}paste: (its simple html)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IE displayed self-page, if them size > 1024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
global $err_code;
global $cl;
$str = Array();header("HTTP/1.1 " . $err_code[$er_code_id]);
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
$str[] = '';
if ($cl['n']) $str[] = "Client Name: {$cl['n']} | ";
if ($cl['a']) $str[] = "Client IP: {$cl['a']} | ";
if ($cl['i']) $str[] = "Client User: {$cl['i']} | ";
if ($cl['s']) $str[] = "Group: {$cl['s']} | ";
if ($cl['t']) $str[] = "Category: {$cl['t']} ";
$str[] = '';$str[] = 'Adresse gesperrt!';
$str[] = '';
if ($err_msg) $str[] = '- '. $err_msg.' -
';
if ($cl['u']) $str[] = "URL: {$cl['u']}
";
$str[] = 'Aufgrund von Zugriffsbeschränkungen ist Ihre Anfrage nicht erlaubt.
Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, daß dies nicht korrekt ist.';
$str[] = '![geblockt](http://'. $_SERVER['HTTP_HOST'] .'/banner.png)
';
$str[] = 'Web Filtering by <a style="color:#FFFFFF;">PfSense</a> and <a style="color:#FFFFFF;">SquidGuard</a>';
$str[] = "";
$str[] = "";return implode("\n", $str);
}keep in mind to change picture path if u want to use images in block page
6. restart proxy and squidguard
Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port
redirection to the pfsense box itself fails.
1. u need to put errorpage on an external http server z.b debian with php installed.
2. create php script and use infos u get from squidguard variables%a=client_address
%n=client_name
%i=client_user
%s=client_group
%t=target_group
%u=client_url"
3. change default rule to redirect to ext url
example:
http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%uhope that helps.
Cya
-
Is there a possibility to have an error page with a reply form integrated? When the client thinks it is an error, he can fill out a little textbox and send his reply. The reply is sent then to an admin with url, category and the client's answer.
I have the problem that most people who contact me by remail forget to add the url so I don't know what they are talking about. :)
Greetings,
Nic
-
spiritbreaker
thanks for the code, I have one issue, some times the image doesn't load, I can manually go to the location were the file is i.e 192.168.10.20/banner.png and it displays. After I do that the error page displays the image. it seems to need to be preloaded, true? any ideas?
-
How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).
this is the code for the picture, but it don't show
**$str[] = '
';**
-
spiritbreaker
I know it has been a while since this topic was created, however I am once again able to take a look at this. I modified the sgerror.php per your instructions and uploaded it to my pfSense box. Since I am using HTTPS on a non-standard port I have enabled the "ext url error page (enter URL)" option and specified a page on our external web server:
http://www.mydomainname.com/errorpage.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
The data is being sent but I am not really sure how this external page should be coded. Below is what you said to do, but I guess I need another nudge in the right direction…
Thanks again for you help!Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port redirection to the pfsense box itself fails. 1\. u need to put errorpage on an external http server z.b debian with php installed. _2\. create php script and use infos u get from squidguard variables # %a=client_address # %n=client_name # %i=client_user # %s=client_group # %t=target_group # %u=client_url"_ 3\. change default rule to redirect to ext url example: http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
-
I recently had to do this as well and this thread helped me get going in the correct direction. So I'll contribute back with what I put together.
I'm using the vhost package to host the block redirect site on the pfsense box. Then I used jQuery to only display the block page if the blocked element was over a certain size. This way I can let Squidguard block ads without cluttering a website with the block page. In addition to the files below you'll need jQuery 1.5 and the parsequery plugin. Feel free to customize them as you need.
index.html
<title>Website has been blocked.</title>
filter.css
@CHARSET "UTF-8";
body {
background-color: #ffffff;
font-family: verdana, arial, sans serif;
}div.outer {
width: 70%;
margin: 20px auto;
}div.header {
padding: 10px;
background-color: #c0c0c0;
text-align: right;
font-size: 60%;
}div.footer {
padding: 5px;
background-color: #c0c0c0;
text-align: right;
font-size: 60%;
}div.inner {
text-align: center;
background-color: #f4f4f4;
text-align: center;
padding: 20px;
}div.msg {
padding: 20px;
margin-top: 20px;
background-color: #e2e2e2;
color: black;
font-size: 80%;
}div.error {
letter-spacing: 0.5em;
word-spacing: 1em;
padding: 20px;
background-color: #ff0000;
color: white;
font-size: 200%;
font-weight: bold;
}lg_block.php
if ($_GET['n']) $details[] = "Client Name: {$_GET['n']}";
if ($_GET['a']) $details[] = "Client IP: {$_GET['a']}";
if ($_GET['i']) $details[] = "Client User: {$_GET['i']}";
if ($_GET['s']) $details[] = "Group: {$_GET['s']}";
if ($_GET['t']) $details[] = "Category: {$_GET['t']}";
$details = implode(" | ", $details);
?>Access Denied!
The following website has been blocked.
URL: %s", $_GET['u'], $_GET['u']);?>
If you believe this page was blocked in error please contact the IT
department.Web Filtering by pfSense
and SquidGuard -
Hi,
How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).
this is the code for the picture, but it don't show
$str[] = '
';
u cant use localhost because the client dont have the image :D
1. line should be like this:
$str[] = '
![geblockt](http://'. $_SERVER['HTTP_HOST'] .'/A.png)
'
2. dont forget to create a destination rule to grant access to the picture from clients.
can u post a screenshot of ur page? :D
cya
-
Ok attached is a screen shot of the block page. It looks very similar to what was posted earlier.
-
Thank you 3dinfluence for posting your code. It really makes the page look official.
I did have to change my squidguard redirect mode from "ext url redirect" to "ext url move". I found both move and found worked, but redirect and err page would not input the variables into the url.
thanks.
-
I don't recall the redirect mode I was using but I believe I was using "ext url move". I stopped using Squid and Squid Guard for the time being due to some issues with dual wan configurations. But I just tried the different modes until one worked :).
-
Dear all…
i'v some request here, how can i put pop-up when user entering the error page?
this my page that has been customized.
-
The code not working in 2.0 RC1 version….how can i edit that?