next »

[mila76]

i used squidguard in 1.2x to 2.0rc whiteout any issue. My config use whitelist, and times.

After upgrade to 2.0 (if squidguard upgrade too or only reinstall i don't know for sure) i have strange issue.
Times don't work anymore, and i can't understand why.
I check my config but nothing strange is come out.

Bug in squidguard binary? bug in config generations? I can't figure out.

If i click apply on off time (es from 12 to 13) all affected computer ignore whitelist (correct), but after 13 whitelist remain ignored (wrong).
If i click apply on on time (es after 13) all affected computer use whitelist (correct), but again, in offtime whitelist remains (wrong).

prior 2.0 final i have no issue at all

please help me to figure out this problem

[dvserg]

Check you pfsense system time.

[mila76]

Check you pfsense system time.

off course i already checked

[dvserg]

Show you squidGuard settings.

[H2wk]

Any solution on this... I am having the same issues...

here is my post: http://forum.pfsense.org/index.php/topic,41777.0.html

[nlemberger]

After a great deal of digging, I've found a solution to this.

Everything is working as it should per the setup in pfSense.  That said, the defaults in the php code the create the configuration file are probably incorrect these days.  Historically this probably wouldn't have made a significant difference.  It also probably wouldn't be noticed in transparent proxies, depending on how they show the error.

SquidGuard sends a 301 (permanent) redirect instead of a 302 (temporary) redirect.  Modern browsers cache 301's because they can per the standards.

Depending on your time setup, if a site is being blocked and you are in a time config where it should be allowed, deleting the browser cache/history/etc and reloading will show the page works.  That is *until* it goes into a 'deny' time again where the browser re-caches the 301.

This can be fixed by editing:

Code:

ee /usr/local/pkg/squidguard_configurator.inc

In the "# --- ACL ---" section you'll need to modify the two occurrences (a bit under "# ontime" & "# overtime") of

Code:

$sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);

to be

Code:

$sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);

There are two identical edits that should probably be made under "# --- Default ---".

All this does is make the resulting SG configuration file tell SG to use 302 redirects instead of 301.  I've sent an email off to the SG maintainer listed in the package xml with a link to this post.  He may or may not integrate the above suggestion.

[marcelloc]

Nice debug. Congratulations!

You can also Pull this request via github.

[kalu]

Hi i tried what you said but it didn't helped me, but if clear the cache it does works.
thanks. I have highlighted the change that i made i hope i did right.
please suggest

# ontime
                $sg_acltag->items[] = "pass {$acl[F_DESTINATIONNAME]}";
                if ($acl[F_RMOD] != RMOD_NONE)
                # $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
                 $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);   



       # overtime
                if ($acl[F_TIMENAME]) {
                    $sg_acltag->items[] = "} else {";
                    $sg_acltag->items[] = "pass {$acl[F_OVERDESTINATIONNAME]}";
                    if ($acl[F_REDIRECMODE] !== RMOD_NONE)
                        # $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD]);
                      $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD])



# --- Default ---
    $sg_tag_def = new TSgTag;
    $sg_tag_def->set("default", "", "", "");
    $def = $squidguard_config[F_DEFAULT];
    sg_addlog("sg_create_config", "Add Default", SQUIDGUARD_INFO);
    if ($def) {
        $temp_str = '';

        # delete blacklist entries from 'pass' if blacklist disabled
        if ($squidguard_config[F_BLACKLISTENABLED] !== 'on')
            acl_remove_blacklist_items(&$def[F_DESTINATIONNAME]);

        # not allowing IP in URL
        if ($def[F_NOTALLOWINGIP])
            $def[F_DESTINATIONNAME] = "!in-addr " . $def[F_DESTINATIONNAME];

        # re-order acl pass (<allow><deny<all|none>)
        $def[F_DESTINATIONNAME] = sg_aclpass_reorder($def[F_DESTINATIONNAME]);

        # ! 'Default' must use without times !
        $sg_tag_def->items[] = "pass {$def[F_DESTINATIONNAME]}";
        if ($def[F_RMOD] !== RMOD_NONE)
            $sg_tag_def->items[] = "redirect " . "302:" .  sg_redirector_base_url($def[F_REDIRECT], $def[F_RMOD]);
        if ($def[F_REWRITENAME])
            $sg_tag_def->items[] = "rewrite {$def[F_REWRITENAME]}";
        if ($squidguard_config[F_ENABLELOG] == 'on' ) {
            if ($def[F_LOG])
                $sg_tag_def->items[] = "log " . SQUIDGUARD_LOGFILE;
        }
    } # <- if def
    else {
        $msg =  "ACL 'default' is empty, will use default 'block all'";
        $sg_tag_def->items[] = "# $msg";
        $sg_tag_def->items[] = "pass none";
        $sg_tag_def->items[] = "redirect " . "302:" . sg_redirector_base_url('', RMOD_INT_ERRORPAGE);
        sg_addlog("sg_create_config", "$msg.", SQUIDGUARD_ERROR);
    }

thanks
kalu

[LFCavalcanti]

Hello everyone!

I'm from Brazil, so if my english is a little bad, forgive me.

I've tested those suggested modifications on the file "squid_configurator.inc" and even modifying others arguments and attributes nothing went right.

On my situation the only problem is with the browser cache.

I needed to solve this right away so I said to users on the network to push F5 when a Website appears to be blocked. So far it's working but if you have any other things to try, just say.

[dmenezes]

there is no bug about that! the problem is how to redirect, don't need to change the file "squid_cofigurator.inc"
as someone else said the "code" cache is 301 for permanent and 302 for temporary!

you can see in the "squid_cofigurator.inc" file on line 1200

"case RMOD_EXT_FOUND: $ rdr_path =" 302: $ rdr_info "break;"

to use it you need to set, "Redirect mode: "ext url = found (enter URL)"

using that it will included as "302:redirect" in your configuration and work normally!

[mila76]

Caching problem not have nothing to do with this "bug"

H2wk tried a new clean install of 2.0 and all work so i fixed removing and reinstalling squid and squidguard packages.
Config not even touched during this "work", on reinstall is automatically restored and now all work as expected

for the brazilian guy: i use dmeneze Redirect mode: "ext url" on my config, like dmenezes suggest, and not have big trouble with cache. only 1/2 times some crap browser/computer have some cache issue, but i'm not sure my oldoldold config use "ext url" when appen time ago.

[LFCavalcanti]

I'll see if this redirection mode is activated on my server and post here later.

About the "crap" computer, I desagree, the issue here is with Browsers... Firefox and Internet Explorer do this... Google Chrome does not... another fact I've found.

[LFCavalcanti]

Hi Again!

It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".

The problem with the Browser cache was solved.

Thanks for the help!

[mcchin]

Hi Again!

It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".

The problem with the Browser cache was solved.

Thanks for the help!

How to change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)". In which files and section? I can't find this line.

[marcelloc]

It's a gui option, not a file hack.