SquidGuard and blank redirects?



  • I've got Squid & Squidguard packages installed, and SG does block pages (good), but the only thing I get is a blank page.  If I put '403', '404' or '410' in the 'Default Redirect' text box on the 'default' tab of the SG page, I still get a blank page.  If I put 'http://www.zombo.com' in the box, it redirects to www.zombo.com.  What am I missing? I've googled and searched these boards for a while but I'm still at a loss.  I can't seem to see anything in any of the PFSense logs either.

    CPD.



  • What squid mode (transparent?) and webGUI port do you have?



  • I have the same problem.  I am using squid in transparent mode.  By webGUI port, do you mean the port squid is answering on or the actual port the pfSense webGUI is running on?  If the former, squid is running on port 3128.  If the latter, I'm using port 80 to access my webGUI.

    Chris



  • Problem exists.  >:(
    About the fix - I will post here.
    PS: Sorry if the fix is delayed - I have New Year & Christmas.



  • Is there a workaround for this such as changing the webGUI port or not using transparent mode or both?



  • If you set a management port other than 80, you have to edit /usr/local/pkg/squidguard_configurator.inc…

    find:

    define('REDIRECT_BASE_URL', 'http://127.0.0.1/sgerror.php');

    and

    define('REDIRECT_TRANSPARENT_BASE_URL', '/sgerror.php');

    lines and change them with

    define('REDIRECT_BASE_URL', 'http://127.0.0.1:XXXX/sgerror.php');
    define('REDIRECT_TRANSPARENT_BASE_URL', ':XXXX/sgerror.php');

    XXXX means your management port...

    That will solve your problem.

    Note: you have to change those port settings whenever you change your management port...



  • I am currently using port 80 for my management port.  Are you saying simply changing the port and changing the config file for squidguard will stop the blank redirects?  That doesn't make sense to me.  Right now the ports match, and after the modification the ports will still match.  How does that change anything?  You might have to explain it to me like I'm stupid (or ignorant would be a better word).  :-)  I'm still unclear on why the port used to manage my firewall has anything to do with the port squidguard uses.  Doesn't squidguard speak to squid which is running on port 3128?  I don't seem to have even a basic understanding on how the management port comes into play.  The only thing that seems to match is squid is capturing packets destined to port 80 outside of the LAN.

    Chris



  • This blank-page bug exists - that's all I can say.
    Maybe the problem is with 127.0.0.1 & the transparent mode of squid.
    In transparent mode all connections to port 80 (but not to the LAN IP) are redirected to port 3128 of squid, 127.0.0.1:80 too.

    Now I see one way - use the LAN IP as the redirect address:
    http://LanIP/sgerror.php

    I can't test this now - up to 09/01 I have celebrations  :-
    Maybe somebody will test this for me?

    These sources (! save your old files !):
    http://diskatel.narod.ru/pfSense/packages/squidguard.inc
    http://diskatel.narod.ru/pfSense/packages/squidguard_configurator.inc
    In squidGuard.cfg the LAN IP must be used as the redirection path.



  • When I tried to manage my box over 80, I got some issues (in transparent mode)… Then I changed the management port and realised that squidguard_configurator.inc doesn't care about the box's management port... That makes the sgerror.php page unreachable. First of all you have to access this file to redirect to another page. That's what I'm saying.

    By the way, serg's new scripts are working and recognizing the management port without modification. It still shows a blank page. You can make a custom error page on your server and use it as the default redirection URL. sgerror.php can redirect to another page.



  • Test the error request pages generated by 'sgerror':
    http://youPfSense/sgerror.php?url=403
    http://youPfSense/sgerror.php?url=404
    http://youPfSense/sgerror.php?url=410
    It must show the standard browser error page in your language.



  • I already tried that. On my pfsense, sgerror doesn't generate error pages.



  • @xen:

    I already tried that. On my pfsense, sgerror doesn't generate error pages.

    1 - What if you disable squidGuard - only with squid?
    2 - Or test this: http://youpfsense/sgerror.php?url=http://www.google.com

    I have IE 6 for testing. Do you have FFox?



  • Firefox did not parse the error code - it ignored all header information :(
    What is different with IE?

    "HTTP/1.0 404 not Found"
    ------------
    Doesn't Firefox have internal error pages (as IE does)? OK - I make this for F/F.
    Please check this:
    http://diskatel.narod.ru/pfSense/packages/sgerror.php

    PS: IE must continue showing 'friendly error-code IE pages'.



  • Any further news on this?  I got lost towards the end of the conversation and couldn't help any further.  Is there something I can do to help this get resolved?  I'm very interested in the filtering (in fact that is why I chose pfSense as a firewall), and need to get it working.  Thanks.

    Chris



  • Replace /usr/local/www/sgerror.php with this:
    http://diskatel.narod.ru/pfSense/packages/sgerror.php
    and check. I found and fixed this trouble on Firefox.



  • Let me rephrase my question.  Is there anything a person who doesn't know what you're talking about can do to help out?  Basically, I have no clue how to do what you are asking.  If you could guide me on how to replace that file I certainly will give it a try.

    Chris



  • Chris, if you have time - wait for the next update.
    Maybe this will be 14-15 Jan.
    Thanks.



  • Will do.  I thought if you hadn't already confirmed the problem was fixed I could help do that.  But if you're already planning on the update because it's fixed I'll certainly wait until then.  Thanks.

    Chris



  • dvserg,

    Just to let you know, your updated sgerror.php does not work for me on Firefox or IE.  In fact, there is now nothing that gets displayed.  The browser is just forever spinning its wheels and then eventually gives the following error message:

    ERROR
    The requested URL could not be retrieved
    
    --------------------------------------------------------------------------------
    
    While trying to retrieve the URL: http://192.168.1.1/sgerror.php 
    
    The following error was encountered: 
    
    Connection to 192.168.1.1 Failed 
    The system returned: 
    
        (60) Operation timed out
    The remote host or network may be down. Please try the request again. 
    
    Your cache administrator is xxx@xxx. 
    
    --------------------------------------------------------------------------------
    
    Generated Sat, 12 Jan 2008 16:51:54 GMT by localhost (squid/2.6.STABLE5) 
    

    And of course, I forgot to make a backup of the file before I overwrote it with your version.

    Based on the message above, I figured that since I modified my pfsense install to use port 8080 and HTTPS, SquidGuard cannot execute sgerror.php as it tries to do it over port 80.  I'd say that something has to change in the source code of SquidGuard that manages the re-direct when a banned site is hit.  The page displays if I use https://192.168.1.1:8080/sgerror.php.

    Where is the source for SquidGuard if I wanted to take a look?

    Thanks



  • The current 'stable' sgerror source is at:
    http://www.pfsense.com/packages/config/squidGuard/sgerror.php
    For now the sources on www.pfsense.com can't work with a non-80 pfSense port.
    This will be in the nearest update.
    Announcement of the nearest update:

    • controls from the 'Sources' page will be added to 'ACL', 'Sources' removed
    • changes for transparent-proxy and non-80 port support
    • more options in sgerror.php: blank page; blank image (for banners); fix + additional HTTP code page generation (3xx, 4xx, 5xx + own message);

    The sources are also in /usr/local/pkg/
    File squidguard_configurator.inc



  • Updated squidGuard sources
    !Attention!
    Before reinstallation - remember your Sources page content.
    This page's elements moved to ACL and you need to apply your Sources definitions to that page manually (I did not make a conversion).
    ---
    What's new:

    • added error page generation, now you can use an error code with a Reason message
      example:
      '[redirection field] 404 This page contains porn elements'
    • added non-80 GUI port support

    Please test it.
    Best regards
    Serg.



  • I uninstalled the old version and installed the new version.  Now squidguard behaves like it's not even there.  It shows as running, but none of the configuration I do to it is taking any effect on my web browsing.  While this is better than before (previously I couldn't browse at all if  squidguard was enabled), it's still not what I need.  Is there something else I need to do in my config besides just turn squidguard on?  Do I need to do something in squid?

    I tried fooling around in squid and squidguard and I kept applying the settings each time I made a change.  At one point squid and squidguard would no longer start and I could no longer access the internet.  I had to uninstall both packages to get back online.  It seems the configs are not deleted when uninstalling a package because if I install it again I'm stuck with all my settings I had previously and can no longer get on the internet.  At this point I can't even install either package without cutting myself off from the world.  HELP!

    Chris



  • You can always disable squidGuard (disable + Save and Apply) - this deletes the redirector options from the squid config and stops squidGuard. Use this way to check how squid works without SG.
    Also check the Log box on the General page - read its messages for errors while the SG config was updated (Apply).
    By default SG blocks all connections if it finds an error in its own config data.
    You can delete all options in the squidGuard GUI and make the configuration once more, step by step.

    PS: There may be bugs in the sources too - I prepared all the code tonight :) But today I did a lot of testing of all SG modes. Now my SG system works stably.

    Thanks for help.



  • Great work dvserg!  I appreciate all the hard work you have been putting into the packages recently!! :)



  • Well, I seem to have a basic config up and running, except for the following.  When a page is blocked it doesn't use the default URL Redirect.  Instead I get the following:

    ERROR
    The requested URL could not be retrieved

    --------------------------------------------------------------------------------

    While trying to retrieve the URL: https://192.168.1.1/sgerror.php?

    The following error was encountered:

    Connection to 192.168.1.1 Failed
    The system returned:

    (92) Protocol error

    The remote host or network may be down. Please try the request again.

    Any ideas?  The config is doing its job, but I'd much rather see the default redirect URL come up instead of the error.

    Chris



  • Same result here.  I uninstalled and then installed and I am getting the same error page as ciarocci right away.

    As well, the log tab of SG no longer seems to be able to retrieve any logs or configuration files.

    Thanks



  • Reinstall SG now - I replaced the Log page implementation. Disabled 'Blocked log' and 'squidGuard log' - because they take a long time to build for big log files.
    ---
    This is the sgerror.php behaviour if called as 'sgerror.php?url=code%20test%20page':
    FFox - must show a generated sgerror page like:

    Request denied by pfSense proxy: code code-text
    Reason: test page
    --------------------------------------------------------------------------------
    --------------------------------------------------------------------------------

    IE - must use its own friendly error pages in your Windows system language with the selected error code. But on some codes (for example on my IE: sgerror.php?url=401%20test) IE gives the generated sgerror page as FFox does.
    This is a peculiarity of IE - it replaces error messages with size 512(or 1024?)Kb by its own page.
    I have decided to leave this IE behaviour (but if needed - it may be excluded)
    ---

    You may test sgerror.php:
    http://youip/sgerror.php - about message
    http://youip/sgerror.php?blank - blank page
    http://youip/sgerror.php?blank_img - blank 1x1 GIF image
    http://youip/sgerror.php?CODE Message - error page (see the IE/FFox behaviour above)

    If you have a problem - please tell me what browser you have.



  • I am using IE6.  I continue to get the error explained above.  If I put in the following:

    https://192.168.1.1/sgerror.php?url=http://www.google.com

    I get the google home page.  That is what I expected to happen.

    However, if I put in http://www.google.com in the default redirector of the SG config, I get the error page.  Somehow the redirector is being ignored in the config and it is just calling https://192.168.1.1/sgerror.php without the redirector on the end.  I don't even get the about page as I did by simply putting https://192.168.1.1/sgerror.php in the browser.

    Chris



  • Hi Chris
    Can you send me your squidGuard.conf by PM?
    Also, can you test with the WebGUI on the http protocol?



  • I posted my conf as requested.  However, I am unable to try this on HTTP not because of any security policy, and not because I do not want to, but simply because when I make the change from HTTPS to HTTP in the SYSTEM->GENERAL page, nothing happens.  I can still get to the webGUI through HTTPS and only HTTPS even though the bullet is clearly on HTTP.  I originally thought my firewall crashed because I couldn't get to the HTTP webGUI, but I tried the old HTTPS just for the hell of it, and wham, there it was.  Now things are getting spooky.  Why would it not allow me to change the webGUI even though it is clearly changed in the config?  Does Squid or SG have a hold on it somehow?  I definitely changed that setting fine before installing squid and SG and did not have any trouble.

    Chris



  • In the past I have had to reboot to make this change, can't say for extremely recent versions.



  • Thanks. I found and fixed one problem: 'http%3A%2F%2Fwww.'

    redirect https://192.168.1.1/sgerror.php?url=http%3A%2F%2Fwww.kmaconnect.com&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    

    Reinstall the new one, please (ohm, difficult new year  ::) ).



  • Chris,

    I was able to change my webGUI to HTTP.  When I did, pfsense was smart enough to redirect to the HTTP on port 80.

    dvserg,

    It doesn't look like your coding of sgerror.php is complete.  From the looks of it, you are adding different ways that sgerror.php can be called.  I don't fully understand when or how that file would be called using the different parameters.  All I know is that the only thing that I was getting displayed was the following:

    url=&a=192.168.1.250&n=dlink.digitallachance.com&i=&s=default&t=porn&u=http://www.bikini.com/

    Because the url parameter is blank, most of your logic was skipped.  Given that the default redirect on the default tab of SG is always blank, that means that sgerror.php will never work.

    I have modified sgerror.php to better suit my needs.  Feel free to use/abuse  ;D

    http://lachance.gotomysite.com/sgerror.php

    Unfortunately, this works only if you have your webGUI set to the standard port 80.  As soon as I change back to HTTPS, it fails to open sgerror.php.  Ultimately, I am trying to make sure that my webGUI is secure by using HTTPS on a non-standard port.  If I have to stay with HTTP on port 80 in order to have the error page functionality in SquidGuard, then I will have to do without a nice error page.

    Right now I get the following error when I turn HTTPS on:

    ERROR
    The requested URL could not be retrieved

    While trying to retrieve the URL: https://192.168.1.1/sgerror.php?

    The following error was encountered:

    * Connection to 192.168.1.1 Failed

    The system returned:

    (92) Protocol error

    The remote host or network may be down. Please try the request again.

    Your cache administrator is xxx@xxx.
    Generated Wed, 16 Jan 2008 05:46:43 GMT by localhost (squid/2.6.STABLE5)

    Going directly to https://192.168.1.1/sgerror.php? displays the expected content.

    Thanks for your hard work on this package dvserg!



  • Hello flachance.
    I have a little comment about 'sgerror.php':
    This file was written for squidGuard's needs. If the redirect options in the config are invalid or not accessible, then content passes through SG regardless of the SG rules. And sgerror.php is always accessible to squidGuard and handles all its redirections.
    Format of sgerror.php:
    The main and important part is 'sgerror.php?url=_my_url'; all the others are included to retrieve client info from squidGuard (the 'a n i s t u' values). ANISTU is used for error-page information (nothing more).
    _my_url has 3 forms:

    • http://myself.errorpage or https://myself.errorpage - this only redirects to '//myself.errorpage'
      example: 'sgerror.php?url=http://example.com&…'
    • errcode<space>text ('404 You cant access') - this displays a generated error page (or one replaced by the IE error page)
      example: 'sgerror.php?url=404%20You%20cant%20access&a=...' // << url encoding exists
    • tags 'blank' and 'blank_img' - blank page and blank img for replacing banners (I use this)
      example: 'sgerror.php?url=blank&a=...' - displays a blank page


  • DVSerg,

    The line you gave me looks exactly like the line already in my file unless my eyes are deceiving me.  How is the line different than what I already have?

    flachance,

    Did you have to reboot to make the change from https to http and what version of PFSense are you running?

    Chris





  • Oh, I understand.  You want me to install the newest version of SG.  I'll do that.  Thanks.

    Chris



  • @ciarocci:

    Oh, I understand.  You want me to install the newest version of SG.  I'll do that.  Thanks.

    Chris

    Language barrier in action  :D



  • ;D Yep  ;D



  • No reboot required Chris.

