Netgate m1n1wall

Author Topic: Custom SquidGuard Error Pages - How to???  (Read 33805 times)

0 Members and 2 Guests are viewing this topic.

Offline thekITchen

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Custom SquidGuard Error Pages - How to???
« on: June 16, 2010, 11:36:33 am »
This question is based on information gathered from this post:
http://forum.pfsense.org/index.php/topic,9519.0.html

My issue is that I am using Squid as a transparent proxy and therefore cannot use any of the "int" redirect methods.  I am by no means a web guy.  I am trying to figure out how I can have pfSense redirect a user to an external page (maybe even on the pfSense box itself) that will show them a message that the page they attempted to access is blocked but also be able to use the variables in the above post to tell them why:
"variables supported by squidGuard:
#        %a=client_address
#        %n=client_name
#        %i=client_user
#        %s=client_group
#        %t=target_group
#        %u=client_url"

I would like to brand this page as well with our logo, just to make it bit more official.  As I said before, I am not a web guy, so please assume I am a "beginner" and give me as much details as you have patience for!

If you were feeling extra generous, I would love to know how I can make some kind of "email me" ability so the users can just send the data directly to me with a request to unblock and I can take it from there...

Thanks!

Offline dvserg

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4783
  • Karma: +0/-0
    • View Profile
    • My Homepage
Re: Custom SquidGuard Error Pages - How to???
« Reply #1 on: June 18, 2010, 12:41:23 am »
Look /usr/local/www/sgerror.php. You can change this file how you want.

Offline thekITchen

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #2 on: June 18, 2010, 08:51:47 am »
dsverg,

Thank you for pointing me to this file.  However, as I said, I am basically a beginner and do not really know what to do with this file to make my error pages function.  Is there any additional help you can provide or any of the forum visitors have any wisdom they would like to share?

Thanks!

Offline spiritbreaker

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #3 on: June 18, 2010, 02:23:21 pm »
Hi thekITchen,

u need to modify the part which generate the errorpage. As u can see I take and modify block message of Urlfilter, an Ipcop Extension. http://www.urlfilter.net/screenshots-ipcop14.html

Screenshot -> Attachment

sgerror.php
Code: [Select]
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# IE displayed self-page, if them size > 1024
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
        global $err_code;
        global $cl;
        $str = Array();

        header("HTTP/1.1 " . $err_code[$er_code_id]);
$str[] = '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">';
        $str[] = '<html>';
$str[] = '<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title></head>';
        $str[] = '<body style="background-color:#FFFFFF; font-family:verdana, arial, sans serif;">';
$str[] = '<div style="width:70%; margin:20px auto;">';
$str[] = '<div style="padding:5px; background-color:#C0C0C0; text-align:right; font-weight:bold; font-family:verdana,arial,sans serif; color:#000000; font-size:60%;">';
                if ($cl['n'])        $str[] = "Client Name: {$cl['n']} | ";
                if ($cl['a'])        $str[] = "Client IP: {$cl['a']} | ";
                if ($cl['i'])        $str[] = "Client User: {$cl['i']} | ";
                if ($cl['s'])        $str[] = "Group: {$cl['s']} | ";
                if ($cl['t'])        $str[] = "Category: {$cl['t']} ";
$str[] = '</div><div style="background-color:#F4F4F4; text-align:center; padding:20px;">';

$str[] = '<div style="letter-spacing:0.5em; word-spacing:1em; padding:20px; background-color:#FF0000; text-align:center; color:#FFFFFF; font-size:200%; font-weight: bold;">Adresse gesperrt!</div>';
$str[] = '<div style="padding:20px; margin-top:20px; background-color:#E2E2E2; text-align:center; color:#000000; font-family:verdana, arial, sans serif; font-size:80%;">';
if ($err_msg) $str[] = '<p style="font-weight:bold; font-size:150%;">- '. $err_msg.' -</p>';
if ($cl['u'])        $str[] = "<p><b>URL: {$cl['u']}</b></p>";
$str[] = '<p>Aufgrund von Zugriffsbeschr&auml;nkungen ist Ihre Anfrage nicht erlaubt.<br>Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, da&szlig; dies nicht korrekt ist.</p>';
 $str[] = '<p><img style="padding-top:20px;display: block;margin: 0px auto" src="http://'. $_SERVER['HTTP_HOST'] .'/banner.png" alt="geblockt"></p></div></div>';
        $str[] = '<div style="padding:5px; background-color:#C0C0C0; text-align:right; color:#FFFFFF; font-size:60%; font-family:verdana,arial,sans serif;">Web Filtering by <a style="color:#FFFFFF;"><b>PfSense</b></a> and <a style="color:#FFFFFF;"><b>SquidGuard</b></a></div></div>';
        $str[] = "</body>";
        $str[] = "</html>";

        return implode("\n", $str);
}


If u want to use image on errorpage u need to put it on a  another Webserver or pfsense box itself. Dont forget to grant access to this resource on every ACL and default rule. Therefor u need to create new destination in proxy filter like this:

sgerrorimages         "Ip Adress proxy is bind to)"/banner.png


This line is for image (from code above):

 src="http://'. $_SERVER['HTTP_HOST'] .'/banner.png

Variable $_SERVER['HTTP_HOST'] contains PFSENSE IP Adress. Create an image and put it into /usr/local/www, in my case banner.png.



Are there any other Ressources for Custom Error pages?


Cya.
« Last Edit: June 18, 2010, 02:31:18 pm by spiritbreaker »
Pfsense running at 9 Locations
-IPSEC to vendors like cisco, checkpoint
-working mobile OPENVPN and IPSEC remote access
-multiwan failover
-filtering proxy(squidguard) in bridgemode with ntop monitoring

Offline thekITchen

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #4 on: June 18, 2010, 03:29:16 pm »
spiritbreaker,

Thank you for your detailed response.  I only plan to have one page for the block message at this time.  It seems like quite a bit to go through for something that seems so simple.  Maybe a good feature to add to pfSense at some point is a custom error page generator.  (Not really sure how much that entails...may be unrealistic.)  Anyway, when I can get back to this issue I will see if I can make something work out of the information you have given me.

I will be in touch...!

Offline thekITchen

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #5 on: June 18, 2010, 04:14:32 pm »
I am unsure what portions I need to change to make this work.  Can you give me an example of how to configure the code so that I can have the error page sit on my pfSense box and be displayed to the user from there?  Format is not important, php, html, whatever...I would just like it to function.

Many thanks for all the help!


Offline spiritbreaker

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #6 on: June 19, 2010, 07:16:13 am »
Hi thekITchen,

all u need for a custom block page on PfSense i posted before.
Ur redirect mode should be "int error page (enter error message)" to get custom error page to work.

sry but i need more information about ur pfsense installation.

1. squid and squidguard and lightsquid, for reports, installed and working?
2. squidguard blacklist updated and working with standard int errorpage?

Quote
My issue is that I am using Squid as a transparent proxy and therefore cannot use any of the "int" redirect methods

why not? the transparent proxy trys to get the "client URL" and is redirected to squidguard. filtering should work.

can u see some proxy activity in proxy report? (lightsquid)
 
Cya

« Last Edit: June 19, 2010, 07:19:35 am by spiritbreaker »
Pfsense running at 9 Locations
-IPSEC to vendors like cisco, checkpoint
-working mobile OPENVPN and IPSEC remote access
-multiwan failover
-filtering proxy(squidguard) in bridgemode with ntop monitoring

Offline thekITchen

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #7 on: June 21, 2010, 08:53:20 am »
spiritbreaker,

Thanks again for your help with this.  Although your suggestion to use the "int error page (enter error message)" option got me farther than I had been, I now have two issues:

1 - The custom page stops working once I reactivate https on a non-standard port.

2 - The error page is generic and is formatted nothing like what your example image looked like (see my attached sgerror.jgp).

My internal redirect text resembles the following:
https://firewall-ip:port#/sgerror.php?url=https://firewall-ip:port#/firewallblock.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
Am I correct on the formatting of this or do I need to change something?

As I said before, when the GUI is set to HTTP on port 80 (and the above link is changed to use HTTP) the page displays as shown in the 1st attachment.  When I change the GUI back to HTTPS on a non-standard port, the page goes back to the "https_sgerror.jpg" attachment.  

I had read several posts on the issue of internal redirects not working on HTTPS which is why I included that in one of my previous posts.  I apologize I should have explained myself better on that...

Also, I have Squid, SquidGuard, and LightSquid functioning.

So, I am still left with a couple of issues as you can see.  Any advice on where to go from here?

Thanks again!

Offline spiritbreaker

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #8 on: June 21, 2010, 03:24:13 pm »
hi,

ok that looks good ur filter seems to work. Please try to get it work with http first. i remenber some problems with https. Maybe it doesnt work on https.
My Gui workin on no standard http port.

U edit sgerror.php and still get standard block page? hmm post ur sgerror.php.

Plz try to access https://firewall-ip:port#/firewallblock.php from a client. Can u post ur firewall.php?

I will try to configure a test system tommorow with ur config.  U are using Pfsense 1.2.3 with standard LAN WAN setup right?

Cya


EDIT:

Steps to get custom Page to work with transparent proxy with GUI on a http standard and nonstandard port

1. Install squid, Squidguard, Lightsquid Pakage
2. upload blacklist
3. configure squidguard default rule for blocking categories.
4. test filtering from a client, if standard block page appears u can go further otherwise u have to check config
5. modify /usr/local/www/sgerror.php


delete:
Quote
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# IE displayed self-page, if them size > 1024
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
        global $err_code;
        global $cl;
        $str = Array();

        header("HTTP/1.1 " . $err_code[$er_code_id]);

        $str[] = '<html>';
        $str[] = '<body>';
        $str[] = '<h3>Request denied by pfSense proxy: ' . $err_code[$er_code_id] . '</h3>';
        if ($err_msg) $str[] = " Reason: $err_msg";
        $str[] = '<hr size="1" noshade>';
        if ($cl['a'])        $str[] = " Client address: {$cl['a']}
";
        if ($cl['n'])        $str[] = " Client name:     {$cl['n']}
";
        if ($cl['i'])        $str[] = " Client user:     {$cl['i']}
";
        if ($cl['s'])        $str[] = " Client group:   {$cl['s']}
";
        if ($cl['t'])        $str[] = " Target group:   {$cl['t']}
";
        if ($cl['u'])        $str[] = " URL:             {$cl['u']}
";
        $str[] = '<hr size="1" noshade>';
        $str[] = "</body>";
        $str[] = "</html>";

        return implode("\n", $str);
}

paste: (its simple html)
Quote
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# IE displayed self-page, if them size > 1024
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function get_error_page($er_code_id, $err_msg='') {
        global $err_code;
        global $cl;
        $str = Array();

        header("HTTP/1.1 " . $err_code[$er_code_id]);
   $str[] = '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">';
        $str[] = '<html>';
      $str[] = '<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title></head>';
        $str[] = '<body style="background-color:#FFFFFF; font-family:verdana, arial, sans serif;">';
      $str[] = '<div style="width:70%; margin:20px auto;">';
      $str[] = '<div style="padding:5px; background-color:#C0C0C0; text-align:right; font-weight:bold; font-family:verdana,arial,sans serif; color:#000000; font-size:60%;">';
                if ($cl['n'])        $str[] = "Client Name: {$cl['n']} | ";
                if ($cl['a'])        $str[] = "Client IP: {$cl['a']} | ";
                if ($cl['i'])        $str[] = "Client User: {$cl['i']} | ";
                if ($cl['s'])        $str[] = "Group: {$cl['s']} | ";
                if ($cl['t'])        $str[] = "Category: {$cl['t']} ";
      $str[] = '</div><div style="background-color:#F4F4F4; text-align:center; padding:20px;">';

    $str[] = '<div style="letter-spacing:0.5em; word-spacing:1em; padding:20px; background-color:#FF0000; text-align:center; color:#FFFFFF; font-size:200%; font-weight: bold;">Adresse gesperrt!</div>';
    $str[] = '<div style="padding:20px; margin-top:20px; background-color:#E2E2E2; text-align:center; color:#000000; font-family:verdana, arial, sans serif; font-size:80%;">';
    if ($err_msg) $str[] = '<p style="font-weight:bold; font-size:150%;">- '. $err_msg.' -</p>';
    if ($cl['u'])        $str[] = "<p>URL: {$cl['u']}</p>";
    $str[] = '<p>Aufgrund von Zugriffsbeschr&auml;nkungen ist Ihre Anfrage nicht erlaubt.
Bitte kontaktieren Sie die IT-Abteilung, wenn Sie der Meinung sind, da&szlig; dies nicht korrekt ist.</p>';
     $str[] = '<p><img style="padding-top:20px;display: block;margin: 0px auto" src="http://'. $_SERVER['HTTP_HOST'] .'/banner.png" alt="geblockt"></p></div></div>';
        $str[] = '<div style="padding:5px; background-color:#C0C0C0; text-align:right; color:#FFFFFF; font-size:60%; font-family:verdana,arial,sans serif;">Web Filtering by <a style="color:#FFFFFF;">PfSense[/url] and <a style="color:#FFFFFF;">SquidGuard[/url]</div></div>';
        $str[] = "</body>";
        $str[] = "</html>";

        return implode("\n", $str);
}

keep in mind to change picture path if u want to use images in block page

6. restart proxy and squidguard

Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port

redirection to the pfsense box itself fails.

1. u need to put errorpage on an external http server z.b debian with php installed.
2. create php script and use infos u get from squidguard variables

#        %a=client_address
#        %n=client_name
#        %i=client_user
#        %s=client_group
#        %t=target_group
#        %u=client_url"

3. change default rule to redirect to ext url

example:
http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

hope that helps.

Cya


« Last Edit: June 22, 2010, 02:12:35 pm by spiritbreaker »
Pfsense running at 9 Locations
-IPSEC to vendors like cisco, checkpoint
-working mobile OPENVPN and IPSEC remote access
-multiwan failover
-filtering proxy(squidguard) in bridgemode with ntop monitoring

Offline Cyber

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #9 on: September 11, 2010, 10:36:50 am »
Is there a possibility to have an error page with a reply form integrated? When the client thinks it is an error, he can fill out a little textbox and send his reply. The reply is sent then to an admin with url, category and the client's answer.

I have the problem that most people who contact me by remail forget to add the url so I don't know what they are talking about. :)

Greetings,

Nic

Offline malindsay

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #10 on: January 01, 2011, 08:41:54 pm »
spiritbreaker

thanks for the code, I have one issue, some times the image doesn't load, I can manually go to the location were the file is i.e 192.168.10.20/banner.png and it displays. After I do that the error page displays the image. it seems to need to be preloaded, true? any ideas?   

Offline syedadi

  • Full Member
  • ***
  • Posts: 127
  • Karma: +0/-0
    • View Profile
    • Follow me =)
Re: Custom SquidGuard Error Pages - How to???
« Reply #11 on: January 05, 2011, 03:36:28 am »
How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).

this is the code for the picture, but it don't show


$str[] = '<p><img style="padding-top:20px;display: block;margin: 0px auto" src="localhost/A.png" alt="geblockt"></p></div></div>';

Offline thekITchen

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #12 on: February 15, 2011, 11:06:06 am »
spiritbreaker

I know it has been a while since this topic was created, however I am once again able to take a look at this.  I modified the sgerror.php per your instructions and uploaded it to my pfSense box.  Since I am using HTTPS on a non-standard port I have enabled the "ext url error page (enter URL)" option and specified a page on our external web server:

http://www.mydomainname.com/errorpage.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

The data is being sent but I am not really sure how this external page should be coded.  Below is what you said to do, but I guess I need another nudge in the right direction...
Thanks again for you help!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Steps to get custom Page to work with transparent proxy with GUI on a https standard and nonstandard port

redirection to the pfsense box itself fails.

1. u need to put errorpage on an external http server z.b debian with php installed.
2. create php script and use infos u get from squidguard variables

#        %a=client_address
#        %n=client_name
#        %i=client_user
#        %s=client_group
#        %t=target_group
#        %u=client_url"


3. change default rule to redirect to ext url

example:
http://extsource:port/block.php&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

Offline 3dinfluence

  • Jr. Member
  • **
  • Posts: 31
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #13 on: February 18, 2011, 02:18:28 pm »
I recently had to do this as well and this thread helped me get going in the correct direction.  So I'll contribute back with what I put together.

I'm using the vhost package to host the block redirect site on the pfsense box.  Then I used jQuery to only display the block page if the blocked element was over a certain size.  This way I can let Squidguard block ads without cluttering a website with the block page.  In addition to the files below you'll need jQuery 1.5 and the parsequery plugin.  Feel free to customize them as you need.

index.html
Quote
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
        <title>Website has been blocked.</title>
        <link rel="stylesheet" type="text/css" href=filter.css>      
        <script type="text/javascript" src="lib/jquery/jquery-1.5.min.js">
        </script>
        <script type="text/javascript" src="lib/jquery/parsequery.js">
        </script>
    </head>
    <body>
        <div id="message">
        </div>
        <script type="text/javascript">
            var minWidth = 500; //adjust this value to change cutoff
            var minHeight = 200; //adjust this value to change cutoff
            var q = $.parseQuery();
            
            var myWidth = $(document).width();
            var myHeight = $(document).height();
            
            if ((myWidth > minWidth) && (myHeight > minHeight)) {
                $("#message").load("lg_block.php?a=" + q.a + "&n=" + q.n + "&i=" + q.i + "&s=" + q.s + "&t=" + q.t + "&u=" + q.u);
            }
        </script>
    </body>
</html>

filter.css
Quote
@CHARSET "UTF-8";

body {
    background-color: #ffffff;
    font-family: verdana, arial, sans serif;
}

div.outer {
    width: 70%;
    margin: 20px auto;
}

div.header {
    padding: 10px;
    background-color: #c0c0c0;
    text-align: right;
    font-size: 60%;
}

div.footer {
    padding: 5px;
    background-color: #c0c0c0;
    text-align: right;
    font-size: 60%;
}

div.inner {
    text-align: center;
    background-color: #f4f4f4;
    text-align: center;
    padding: 20px;
}

div.msg {
    padding: 20px;
    margin-top: 20px;
    background-color: #e2e2e2;
    color: black;
    font-size: 80%;
}

div.error {
    letter-spacing: 0.5em;
    word-spacing: 1em;
    padding: 20px;
    background-color: #ff0000;
    color: white;
    font-size: 200%;
    font-weight: bold;
}

lg_block.php
Quote
<?php
if ($_GET['n'])        $details[] = "Client Name: {$_GET['n']}";
if ($_GET['a'])        $details[] = "Client IP: {$_GET['a']}";
if ($_GET['i'])        $details[] = "Client User: {$_GET['i']}";
if ($_GET['s'])        $details[] = "Group: {$_GET['s']}";
if ($_GET['t'])       $details[] = "Category: {$_GET['t']}";
$details = implode(" | ", $details);
?>

<div class="outer">
   <div class="header">    
   </div>
   <div class="inner">
      <div class="error">
         <p>
         Access Denied!
         </p>
      </div>
      <div class="msg">
         <p>
            The following website has been blocked.
         </p>
         <p>
            <strong>URL: <?php printf("<a href=\"%s\">%s[/url]", $_GET['u'], $_GET['u']);?></strong>
         </p>
         <p>
            If you believe this page was blocked in error please contact the IT
            department.
         </p>
         <p><?php print $details; ?></p>
      </div>
   </div>
   <div class="footer">
      Web Filtering by pfSense
      and SquidGuard
   </div>    
</div>
« Last Edit: February 18, 2011, 02:20:35 pm by 3dinfluence »

Offline spiritbreaker

  • Jr. Member
  • **
  • Posts: 97
  • Karma: +0/-0
    • View Profile
Re: Custom SquidGuard Error Pages - How to???
« Reply #14 on: March 03, 2011, 12:12:49 pm »
Hi,

Quote
How do i change picture for the error page that are in the server, i put the picture A.png in the same directory (/usr/local/www/sgerror.php).

this is the code for the picture, but it don't show


$str[] = '<p><img style="padding-top:20px;display: block;margin: 0px auto" src="localhost/A.png" alt="geblockt"></p></div></div>';


u cant use localhost because the client dont have the image :D

1. line should be like this:

$str[] = '<p><img style="padding-top:20px;display: block;margin: 0px auto" src="http://'. $_SERVER['HTTP_HOST'] .'/A.png" alt="geblockt"></p></div></div>'

2. dont forget to create a destination rule to grant access to the picture from clients.


@3dinfluence

can u post a screenshot of ur page? :D


cya

Pfsense running at 9 Locations
-IPSEC to vendors like cisco, checkpoint
-working mobile OPENVPN and IPSEC remote access
-multiwan failover
-filtering proxy(squidguard) in bridgemode with ntop monitoring