Squidguard on 2.0 final
-
i used squidguard in 1.2x to 2.0rc whiteout any issue. My config use whitelist, and times.
After upgrade to 2.0 (if squidguard upgrade too or only reinstall i don't know for sure) i have strange issue.
Times don't work anymore, and i can't understand why.
I check my config but nothing strange is come out.Bug in squidguard binary? bug in config generations? I can't figure out.
If i click apply on off time (es from 12 to 13) all affected computer ignore whitelist (correct), but after 13 whitelist remain ignored (wrong).
If i click apply on on time (es after 13) all affected computer use whitelist (correct), but again, in offtime whitelist remains (wrong).prior 2.0 final i have no issue at all
please help me to figure out this problem :(
-
Check you pfsense system time.
-
-
Show you squidGuard settings.
-
Any solution on this… I am having the same issues...
here is my post: http://forum.pfsense.org/index.php/topic,41777.0.html
-
After a great deal of digging, I've found a solution to this.
Everything is working as it should per the setup in pfSense. That said, the defaults in the php code the create the configuration file are probably incorrect these days. Historically this probably wouldn't have made a significant difference. It also probably wouldn't be noticed in transparent proxies, depending on how they show the error.
SquidGuard sends a 301 (permanent) redirect instead of a 302 (temporary) redirect. Modern browsers cache 301's because they can per the standards.
Depending on your time setup, if a site is being blocked and you are in a time config where it should be allowed, deleting the browser cache/history/etc and reloading will show the page works. That is until it goes into a 'deny' time again where the browser re-caches the 301.
This can be fixed by editing:
ee /usr/local/pkg/squidguard_configurator.inc
In the "# –- ACL ---" section you'll need to modify the two occurrences (a bit under "# ontime" & "# overtime") of
$sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
to be
$sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
There are two identical edits that should probably be made under "# –- Default ---".
All this does is make the resulting SG configuration file tell SG to use 302 redirects instead of 301. I've sent an email off to the SG maintainer listed in the package xml with a link to this post. He may or may not integrate the above suggestion.
-
Nice debug. Congratulations! :)
You can also Pull this request via github.
-
Hi i tried what you said but it didn't helped me, but if clear the cache it does works.
thanks. I have highlighted the change that i made i hope i did right.
please suggestontime
$sg_acltag->items[] = "pass {$acl[F_DESTINATIONNAME]}";
if ($acl[F_RMOD] != RMOD_NONE)
# $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
$sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);# overtime
if ($acl[F_TIMENAME]) {
$sg_acltag->items[] = "} else {";
$sg_acltag->items[] = "pass {$acl[F_OVERDESTINATIONNAME]}";
if ($acl[F_REDIRECMODE] !== RMOD_NONE)
# $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD]);
$sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD])–- Default ---
$sg_tag_def = new TSgTag;
$sg_tag_def->set("default", "", "", "");
$def = $squidguard_config[F_DEFAULT];
sg_addlog("sg_create_config", "Add Default", SQUIDGUARD_INFO);
if ($def) {
$temp_str = '';# delete blacklist entries from 'pass' if blacklist disabled
if ($squidguard_config[F_BLACKLISTENABLED] !== 'on')
acl_remove_blacklist_items(&$def[F_DESTINATIONNAME]);# not allowing IP in URL
if ($def[F_NOTALLOWINGIP])
$def[F_DESTINATIONNAME] = "!in-addr " . $def[F_DESTINATIONNAME];# re-order acl pass (<allow><deny<all|none>)
$def[F_DESTINATIONNAME] = sg_aclpass_reorder($def[F_DESTINATIONNAME]);# ! 'Default' must use without times !
$sg_tag_def->items[] = "pass {$def[F_DESTINATIONNAME]}";
if ($def[F_RMOD] !== RMOD_NONE)
$sg_tag_def->items[] = "redirect " . "302:" . sg_redirector_base_url($def[F_REDIRECT], $def[F_RMOD]);
if ($def[F_REWRITENAME])
$sg_tag_def->items[] = "rewrite {$def[F_REWRITENAME]}";
if ($squidguard_config[F_ENABLELOG] == 'on' ) {
if ($def[F_LOG])
$sg_tag_def->items[] = "log " . SQUIDGUARD_LOGFILE;
}
} # <- if def
else {
$msg = "ACL 'default' is empty, will use default 'block all'";
$sg_tag_def->items[] = "# $msg";
$sg_tag_def->items[] = "pass none";
$sg_tag_def->items[] = "redirect " . "302:" . sg_redirector_base_url('', RMOD_INT_ERRORPAGE);
sg_addlog("sg_create_config", "$msg.", SQUIDGUARD_ERROR);
}</deny<all|none></allow>thanks
kalu -
Hello everyone!
I'm from Brazil, so if my english is a little bad, forgive me.
I've tested those suggested modifications on the file "squid_configurator.inc" and even modifying others arguments and attributes nothing went right.
On my situation the only problem is with the browser cache.
I needed to solve this right away so I said to users on the network to push F5 when a Website appears to be blocked. So far it's working but if you have any other things to try, just say.
-
there is no bug about that! the problem is how to redirect, don't need to change the file "squid_cofigurator.inc"
as someone else said the "code" cache is 301 for permanent and 302 for temporary!you can see in the "squid_cofigurator.inc" file on line 1200
"case RMOD_EXT_FOUND: $ rdr_path =" 302: $ rdr_info "break;"
to use it you need to set, "Redirect mode: "ext url = found (enter URL)"
using that it will included as "302:redirect" in your configuration and work normally!
-
Caching problem not have nothing to do with this "bug"
H2wk tried a new clean install of 2.0 and all work so i fixed removing and reinstalling squid and squidguard packages.
Config not even touched during this "work", on reinstall is automatically restored and now all work as expectedfor the brazilian guy: i use dmeneze Redirect mode: "ext url" on my config, like dmenezes suggest, and not have big trouble with cache. only 1/2 times some crap browser/computer have some cache issue, but i'm not sure my oldoldold config use "ext url" when appen time ago.
-
I'll see if this redirection mode is activated on my server and post here later.
About the "crap" computer, I desagree, the issue here is with Browsers… Firefox and Internet Explorer do this... Google Chrome does not... another fact I've found.
-
Hi Again!
It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".
The problem with the Browser cache was solved.
Thanks for the help!
-
Hi Again!
It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".
The problem with the Browser cache was solved.
Thanks for the help!
How to change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)". In which files and section? I can't find this line.
-
It's a gui option, not a file hack.
-
i have again the same issue
nothing is changed on squidguard but now i can't use webpages on offtime.
same apply (or restart squidguard) behaviour -
Hi!
Like Marcelloc said… this option is in the GUI.
Common ACL and Group ACL in both this option is avaliable.
-
Hi mila76
I've 7 servers in production environments right now with this configuration even with Squid authenticating on Active Directory(Windows Server 208).
Let's do a step to step:
1 - Install a clean PFSense 2.0 RELEASE
2 - Install both Squid and SquidGuard
3 - Before everything: Download and update the SquidGuard BlackList, I suggest URL BlackList or Shalla List… your choice.
4 - I'll assume that you know how to implement and manage the options on cache and acces tabs of Squid Configurations and the concept of Proxy.
5 - Bring Squid Online with the configuration you want.
6 - Bring SquidGuard online
7 - Set the common ACL as you desire and in the bottom of the page set the Redirect Mode as "Ext URL Found", put some URL... could be a Webpage or a HTML file hosted on a webserver in your Intranet.
8 - Go to General tab on Squidguard configuration then click on save and after click on apply.I've a much more complex configuration on my Servers so it will be hard to explain.
Above are the basics and I hope that will help you. -
Follow your instruction of ext url found but still page is not blocking Pls Help
-
i used squidguard in 1.2x to 2.0rc whiteout any issue. My config use whitelist, and times.
After upgrade to 2.0 (if squidguard upgrade too or only reinstall i don't know for sure) i have strange issue.
Times don't work anymore, and i can't understand why.
I check my config but nothing strange is come out.Bug in squidguard binary? bug in config generations? I can't figure out.
If i click apply on off time (es from 12 to 13) all affected computer ignore whitelist (correct), but after 13 whitelist remain ignored (wrong).
If i click apply on on time (es after 13) all affected computer use whitelist (correct), but again, in offtime whitelist remains (wrong).prior 2.0 final i have no issue at all
please help me to figure out this problem :(
same problem, my boss wants me fired because I can not automatically block facebook! nobody has any idea to solve?
???