  • I have read most of the posts here, but still can't find an exact answer to my question. First here's a little background info…

    I am using a transparent proxy. I have SquidGuard and I am using GroupACL's. One will be set to basically turn the internet on and off based on the time of day (i.e. business hours, or close to). The other group is the generic proxy to filter appropriate content. I have created my own 100% custom, very simple error pages (i.e. time violation, or inappropriate content).

    Here is the problem, I can leave it on internal error page, but this only gives me a single page to edit (i.e. the /usr/local/www/sgerror.php file). That's a problem in my case. The other option is to use the external option. What I am trying to do is put my two files into the /usr/local/www/ directory then as the external URL use http://pfsensebox/custompage

    Any suggestions on how to get this idea working or does anyone have another suggestion? Thanks

  • Ok so I have changed my way of thinking but have once again hit another road block. This is VERY frustrating! So I have completely abandoned the idea of multiple static error pages and I am now using what I believe to be pfSense's preferred method, ie using the sgerror.php and instead utilizing the variables within to generate the different error messages… Doh!

    Ok so new problem, but same basic topic. I am now trying to make these pages appear at their appropriate times using GroupACLs and the time options. Allow me to explain further. One error page (One ACL Group) is for when the user visits an inappropriate site. The content gets denied and the error message is produced. If however, the content is allowed, I need it to then check the next Group ACL down to determine whether the user is requesting the page within appropriate hours. If they are it gets allowed. The problem here is that the ACLs are applied on a first = true basis. No matter how many times I have done a flow chart and flipped around the logic, I can't get this to work which has brought me to the conclusion that maybe I'm trying to use the Group ACLs incorrectly. So this made me think.

    Can I use the common ACL to match appropriateness and the Group ACL to match appropriate time (ie business hours) and do this for the same subnet? So far the answer to this is no as each time I test it, as long as one of the Group ACLs match this nullifies the common ACL apparently. All I'm trying to do is get multiple F'n error messages... is that too much to ask?

    Error one: Inappropriate content
    Error two: Outside business hours

  • Do you read other posts in the forum?

  • Ah I didn't see that post. Looks like it's impossible, but at the same time I am only trying to do what klazoid in the post you pointed out does in the first two steps. Seems he got it working too. His first step would be a general block using the common ACL just as I need to do. Then his second block is the time based block. It works for him up to that point. What am I doing differently?

    First: My common ACL uses the standard blacklist. For testing purposes, everything is denied by default except search engines. Any other site gets blocked and throws the common ACL error. Then we move to the Group ACL to check the time based policy.

    Second: I only have one other ACL (A group ACL) that is linked to a time period. The time is from 00:00-08:00 and 20:00-23:59. The "on time" (ie left column) of the group ACL is set to deny everything by default. This should throw the Group ACLs error message stating you are outside business hours and the internet is effectively "turned off". If however you are in the "off time" (ie right column of Group ACL) it allows all by default.

    What am I doing wrong here? Again, apparently klazoid got at least this much working in his post. http://forum.pfsense.org/index.php/topic,41945.0.html

  • You can't use multiple ACLs for one Source.
    One source = one ACL
    The Common ACL is used for Sources not defined in other ACLs.

    For each ACL there exists one error page (for on-time and for out-time). (SquidGuard provides more possibilities, but the GUI has limitations.)
    Also - you can define error pages for self-defined TargetCategories.

  • First of all, thank you very much for helping me through this. I'm trying to understand your reply.

    First question: What does "For wach" mean? Are you trying to say only one error page for the "out time"?

    Second question: What is "SG"? I assume this is maybe the command line since you mentioned the GUI.

    How do you define the error pages for self-defined categories you mentioned. I assume you mean "targets" right?

    Sorry to be so complicated. I really am trying everything I can to get this working. I don't mean to appear like I'm trying to be spoon fed information.

  • Sorry. I edited my previous post.

  • I have a new thought of how to accomplish my goal. Tell me what you think.

    **1st - Common ACL to do the regular inappropriate content block using the black list.

    2nd - Do a target ACL with the time limits (ie no business hours) and make this target ACL a wildcard for any and every domain name. Something like ..***

    I believe this bypasses the "One source = one ACL" problem

    I just don't know if you can do this kind of wild card in the Target ACL. Any thoughts?

  • What is this, a target ACL?

  • Sorry, I meant "Target Category" and I figured out the wildcard

    I made a Time rule for the business hours and a target category with an expression like so: [abcdefghijklmnopqrstuvwxyz] Then I created a Group ACL using this target category. It did in fact work, in that it did block all websites, but I still ran into the same problem where I couldn't use multiple Group ACLs for a single subnet. I think that's what I'm NOT understanding. I can't do multiple filters for a single subnet which I think is what you may have been trying to tell me long ago.

    I finally gave up and just created one Group ACL that allows acceptable web content during "ontime" and denies everything on the off time. I will just have to deal with the single error message (ie users won't know if their request was denied because it was after hours, or because it was inappropriate)
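
The first-match behaviour discussed in this thread ("one source = one ACL"), as an added example that is not part of any post and is not pfSense or SquidGuard code. It is a simplified model: the subnet, host names, ACL names and function names are constructed, and it assumes a deny reason can be attached to each time branch of an ACL, which the thread does not confirm for the pfSense GUI.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample data; the time windows are the ones quoted in the thread.
LAN = ip_network("192.168.1.0/24")
OFF_HOURS = [(time(0, 0), time(8, 0)), (time(20, 0), time(23, 59))]
ALWAYS = [(time(0, 0), time(23, 59, 59))]
BLACKLIST = {"badsite.example"}

def deny_blacklisted(host):
    return "inappropriate content" if host in BLACKLIST else None

def deny_all(host):
    return "outside business hours"

def allow_all(host):
    return None

def evaluate(acls, client_ip, host, now):
    """Return (acl_name, deny_reason); deny_reason is None when the request passes.

    Only the first ACL whose source contains the client is consulted, which is
    the "one source = one ACL" behaviour described in the thread.
    """
    for name, source, windows, on_time_rule, off_time_rule in acls:
        if ip_address(client_ip) in source:
            on_time = any(start <= now <= end for start, end in windows)
            return name, (on_time_rule if on_time else off_time_rule)(host)
    return "default", None

# Two ACLs for the same subnet: the second one is never reached.
STACKED = [
    ("hours", LAN, OFF_HOURS, deny_all, allow_all),
    ("content", LAN, ALWAYS, deny_blacklisted, deny_blacklisted),
]

# One ACL for the subnet, with a different rule (and reason) per time branch.
COMBINED = [("lan", LAN, OFF_HOURS, deny_all, deny_blacklisted)]

if __name__ == "__main__":
    for label, acls in (("stacked", STACKED), ("combined", COMBINED)):
        for now in (time(12, 0), time(22, 0)):
            print(label, now, evaluate(acls, "192.168.1.50", "badsite.example", now))
```

In the stacked layout a blacklisted host requested at noon passes, because the time ACL matches the subnet first and its off-time branch allows everything.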


