SquidGuard bug ordering categories

  • 2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    squidGuard-squid3 1.4_4 pkg v.1.9.5

    I can't nest whitelist1 / deny1 / whitelist2 / deny2

    The result in /usr/local/etc/squid/squidGuard.conf is always whitelist1 / whitelist2 / deny1 / deny2

    I'm migrating an external proxy (FreeBSD based) to pfSense and nesting is necessary for me.

    Example (please see images)

    Order should be:

    yes_y yes_z !ads filtrats !in-addr !blk_blacklists_adult !blk_blacklists_agressif

    and it is

    yes_y yes_z filtrats !in-addr !ads !blk_blacklists_adult !blk_blacklists_agressif

    Denied categories go to the end, just before loaded blacklists.

    ![Captura de 2014-03-16 21:20:31.png](/public/imported_attachments/1/Captura de 2014-03-16 21:20:31.png)
    ![Captura de 2014-03-16 21:21:07.png](/public/imported_attachments/1/Captura de 2014-03-16 21:21:07.png)
    ![Captura de 2014-03-16 21:23:36.png](/public/imported_attachments/1/Captura de 2014-03-16 21:23:36.png)

  • The SquidGuard GUI orders categories by its group:
    1. Whitelists - URLs that must always be passed
    2. Blocks - blocked URLs
    3. Allows - allowed (not blocked) URLs

    There is no need to order the categories by item.

  • I will try to explain once more…

    The WebGUI permits ordering the lists, except imported blacklists (they are at the end; it's ok).

    The generated squidGuard.conf doesn't have the order I put in the WebGUI. This is confusing.

    I need this because in my old proxy (FreeBSD based) I have something like:

    my_allowed_domains my_denied_expressions my_filtered_domains imported_blacklists

    This permits bypassing some items in imported_blacklists.

    For example, I block some expressions for Youtube (with my_denied_expressions), I permit "filtered" Youtube (with my_filtered_domains) and Youtube is in imported_blacklists (in fact in one big blacklist not allowing audio&video sites).

    At the moment, the solution is to disable my_filtered_domains and also disable the audio&video imported_blacklist.

    Like this I have "filtered" Youtube (and some others).

    However, this obliges me to maintain my own blacklist for audio&video.

  • With the SquidGuard GUI you can implement the following filter circuits:

    A) "Block All and allow some":
            Default category = deny; Allow some categories;
    B) "Allow All and block some categories with exceptions from blocking"
            Default category = allow; Block (deny) some categories and use Whitelist for exclusions from blocking

    Your way (B):
    my_allowed_domains = whitelist
    my_filtered_domains = whitelist
    my_denied_expressions = deny
    imported_blacklists = deny
    Default category = allow

    Your ruleset will be {whitelist}{all_used_blocklists}{default_allow_all}

  • I surfed config.xml and squidGuard.conf and the order is changed. For me, it's a bug.


    <squidguarddefault><config><dest>^yes_0 !no_0 !ads ^filtered !blk_blacklists_video all</dest>

    acl {
        default {
            pass yes_0 filtered !in-addr !no_0 !ads !blk_blacklists_video all
            redirect http://www.mydomain.tld/denied.php?%u
            rewrite safesearch

    I surfed https://github.com/pfsense/pfsense-packages/blob/master/config/squidGuard/squidguard.inc but I'm not able to find the piece of code that changes the order.

  • All correct

    <dest>^yes_0 !no_0 !ads ^filtered !blk_blacklists_video all</dest>

    pass yes_0 filtered !in-addr !no_0 !ads !blk_blacklists_video all

    All elements in rule are grouped according to their action
    pass WhiteList DenyList <allowlist>DefaultRule</allowlist>

    Order in groups and in the config file is irrelevant. You do not have to worry about compliance of the elements in the configuration and rules.

  • The WebGUI is confusing about order and I need:

    pass yes_0 !in-addr !no_0 !ads filtered !blk_blacklists_video all

    As explained some days ago, I need it because !no_0 has regular expressions for blocking some words when searching at filtered domains (such as google, youtube…) and these domains are in big standard downloaded blacklists (!blk_blacklists_…...).

    Could you tell me the piece of code where the "not ordering" is done? I would like to make a system patch, if necessary.


  • Bellera, did you try to edit it by hand after config save to be sure order will change results?

    I'm not a squidguard specialist but AFAIK, squidguard allows two or three checks (allow acl, deny acl, default acl)

    I've tried to set group of acls just like I do on dansguardian but I got no success on it.

  • @marcelloc:

    Bellera, did you try to edit it by hand after config save to be sure order will change results?

    [Apply] button writes squidGuard.conf and restarts the service.

    I'm sure that it works… squidGuard executes the lists by the order that they are indicated at pass lines.

    I have been using it like this since the year 2000, with FreeBSD servers.

    So, my interest for google.com, youtube.com is in "pseudocode":

    !block_bad_words filter_some_domains !block_with_big_black_lists

    The problem is that squidGuard package is always doing, no matter the order at WebGUI:

    filter_some_domains !block_bad_words !block_with_big_black_lists

    and like this, block_bad_words is not usable.

  • [SOLVED]

    1. Commented lines:

       402	        #file_put_contents($conf_file, $conf);
       403	        #file_put_contents(SQUID_LOCALBASE . '/etc/squid' . SQUIDGUARD_CONFIGFILE, $conf); # << squidGuard want config '/usr/local/etc/squid' by default


    2. Modified pass line at:


    3. [Apply] button to reconfigure squidGuard without writing a new squidGuard.conf

    In general I only need to modify my lists. So, the trick will work without troubles for me.
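
Why the order of the pass line matters, shown with a simplified model of squidGuard's left-to-right, first-match evaluation (an added example, not code from the thread or from the squidGuard package). The two pass lines are the ones quoted in the thread; the list contents, the sample URLs and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pass lines quoted in the thread.
GENERATED = "yes_0 filtered !in-addr !no_0 !ads !blk_blacklists_video all"
WANTED = "yes_0 !in-addr !no_0 !ads filtered !blk_blacklists_video all"

# Constructed list contents; only the destination names come from the thread.
DOMAINS = {
    "yes_0": {"intranet.example"},
    "filtered": {"youtube.com", "google.com"},
    "ads": {"ads.example"},
    "blk_blacklists_video": {"youtube.com", "vimeo.com"},
}
EXPRESSIONS = {"no_0": re.compile(r"badword", re.IGNORECASE)}
IPV4_HOST = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def matches(dest, url):
    """True if url falls in destination class dest (simplified matching)."""
    host = (urlsplit(url).hostname or "").lower()
    if dest == "in-addr":  # built-in class: host given as an IP address
        return IPV4_HOST.fullmatch(host) is not None
    if any(host == d or host.endswith("." + d) for d in DOMAINS.get(dest, ())):
        return True
    expr = EXPRESSIONS.get(dest)
    return expr is not None and expr.search(url) is not None


def evaluate(pass_line, url):
    """Walk the pass line left to right; the first matching token decides."""
    for token in pass_line.split():
        if token == "all":
            return "pass", token
        if token == "none":
            return "block", token
        if matches(token.lstrip("!"), url):
            return ("block" if token.startswith("!") else "pass"), token
    return "block", None  # assumption; never reached here, both lines end in "all"


def differences(urls):
    """URLs whose verdict changes between the generated and the wanted order."""
    return [u for u in urls if evaluate(GENERATED, u)[0] != evaluate(WANTED, u)[0]]


SAMPLE_URLS = [  # constructed
    "http://www.youtube.com/watch?v=abc",
    "http://www.youtube.com/results?search_query=badword",
    "http://vimeo.com/1",
    "http://10.0.0.1/",
]
for url in SAMPLE_URLS:
    print(url, "generated:", evaluate(GENERATED, url), "wanted:", evaluate(WANTED, url))
```

With the generated order, `filtered` matches before `!no_0` is ever consulted, so the expression list only takes effect once it is placed ahead of `filtered`.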
