pfSense Gold Subscription

Author Topic: squidguard on 2.0 final  (Read 9054 times)

0 Members and 1 Guest are viewing this topic.

Offline mila76

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
squidguard on 2.0 final
« on: October 05, 2011, 01:32:57 am »
i used squidguard in 1.2x to 2.0rc whiteout any issue. My config use whitelist, and times.

After upgrade to 2.0 (if squidguard upgrade too or only reinstall i don't know for sure) i have strange issue.
Times don't work anymore, and i can't understand why.
I check my config but nothing strange is come out.

Bug in squidguard binary? bug in config generations? I can't figure out.

If i click apply on off time (es from 12 to 13) all affected computer ignore whitelist (correct), but after 13 whitelist remain ignored (wrong).
If i click apply on on time (es after 13) all affected computer use whitelist (correct), but again, in offtime whitelist remains (wrong).

prior 2.0 final i have no issue at all

please help me to figure out this problem :(
« Last Edit: October 05, 2011, 01:36:39 am by mila76 »

Offline dvserg

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4785
  • Karma: +0/-0
    • View Profile
    • My Homepage
Re: squidguard on 2.0 final
« Reply #1 on: October 05, 2011, 03:14:48 am »
Check you pfsense system time.

Offline mila76

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #2 on: October 05, 2011, 04:14:04 pm »
Check you pfsense system time.

off course i already checked

Offline dvserg

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4785
  • Karma: +0/-0
    • View Profile
    • My Homepage
Re: squidguard on 2.0 final
« Reply #3 on: October 06, 2011, 12:11:14 am »
Show you squidGuard settings.

Offline H2wk

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #4 on: October 06, 2011, 05:53:22 am »
Any solution on this... I am having the same issues...

here is my post: http://forum.pfsense.org/index.php/topic,41777.0.html

Offline nlemberger

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #5 on: November 11, 2011, 09:59:40 pm »
After a great deal of digging, I've found a solution to this.

Everything is working as it should per the setup in pfSense.  That said, the defaults in the php code the create the configuration file are probably incorrect these days.  Historically this probably wouldn't have made a significant difference.  It also probably wouldn't be noticed in transparent proxies, depending on how they show the error.

SquidGuard sends a 301 (permanent) redirect instead of a 302 (temporary) redirect.  Modern browsers cache 301's because they can per the standards.

Depending on your time setup, if a site is being blocked and you are in a time config where it should be allowed, deleting the browser cache/history/etc and reloading will show the page works.  That is *until* it goes into a 'deny' time again where the browser re-caches the 301.

This can be fixed by editing:
Code: [Select]
ee /usr/local/pkg/squidguard_configurator.inc
In the "# --- ACL ---" section you'll need to modify the two occurrences (a bit under "# ontime" & "# overtime") of
Code: [Select]
$sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);to be
Code: [Select]
$sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
There are two identical edits that should probably be made under "# --- Default ---".

All this does is make the resulting SG configuration file tell SG to use 302 redirects instead of 301.  I've sent an email off to the SG maintainer listed in the package xml with a link to this post.  He may or may not integrate the above suggestion.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9996
  • Karma: +4/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #6 on: November 12, 2011, 05:17:16 am »
Nice debug. Congratulations! :)

You can also Pull this request via github.


Offline kalu

  • Full Member
  • ***
  • Posts: 132
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #7 on: November 24, 2011, 09:01:58 am »
Hi i tried what you said but it didn't helped me, but if clear the cache it does works.
thanks. I have highlighted the change that i made i hope i did right.
please suggest
Quote
# ontime
                $sg_acltag->items[] = "pass {$acl[F_DESTINATIONNAME]}";
                if ($acl[F_RMOD] != RMOD_NONE)
                # $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);
                 $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]);   



       # overtime
                if ($acl[F_TIMENAME]) {
                    $sg_acltag->items[] = "} else {";
                    $sg_acltag->items[] = "pass {$acl[F_OVERDESTINATIONNAME]}";
                    if ($acl[F_REDIRECMODE] !== RMOD_NONE)
                        # $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD]);
                      $sg_acltag->items[] = "redirect " . "302:" . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD])



# --- Default ---
    $sg_tag_def = new TSgTag;
    $sg_tag_def->set("default", "", "", "");
    $def = $squidguard_config[F_DEFAULT];
    sg_addlog("sg_create_config", "Add Default", SQUIDGUARD_INFO);
    if ($def) {
        $temp_str = '';

        # delete blacklist entries from 'pass' if blacklist disabled
        if ($squidguard_config[F_BLACKLISTENABLED] !== 'on')
            acl_remove_blacklist_items(&$def[F_DESTINATIONNAME]);

        # not allowing IP in URL
        if ($def[F_NOTALLOWINGIP])
            $def[F_DESTINATIONNAME] = "!in-addr " . $def[F_DESTINATIONNAME];

        # re-order acl pass (<allow><deny<all|none>)
        $def[F_DESTINATIONNAME] = sg_aclpass_reorder($def[F_DESTINATIONNAME]);

        # ! 'Default' must use without times !
        $sg_tag_def->items[] = "pass {$def[F_DESTINATIONNAME]}";
        if ($def[F_RMOD] !== RMOD_NONE)
            $sg_tag_def->items[] = "redirect " . "302:" .  sg_redirector_base_url($def[F_REDIRECT], $def[F_RMOD]);
        if ($def[F_REWRITENAME])
            $sg_tag_def->items[] = "rewrite {$def[F_REWRITENAME]}";
        if ($squidguard_config[F_ENABLELOG] == 'on' ) {
            if ($def[F_LOG])
                $sg_tag_def->items[] = "log " . SQUIDGUARD_LOGFILE;
        }
    } # <- if def
    else {
        $msg =  "ACL 'default' is empty, will use default 'block all'";
        $sg_tag_def->items[] = "# $msg";
        $sg_tag_def->items[] = "pass none";
        $sg_tag_def->items[] = "redirect " . "302:" . sg_redirector_base_url('', RMOD_INT_ERRORPAGE);
        sg_addlog("sg_create_config", "$msg.", SQUIDGUARD_ERROR);
    }
thanks
kalu
i love pfsense because i love open source.

Offline LFCavalcanti

  • Hero Member
  • *****
  • Posts: 723
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #8 on: November 29, 2011, 10:39:32 am »
Hello everyone!

I'm from Brazil, so if my english is a little bad, forgive me.

I've tested those suggested modifications on the file "squid_configurator.inc" and even modifying others arguments and attributes nothing went right.

On my situation the only problem is with the browser cache.

I needed to solve this right away so I said to users on the network to push F5 when a Website appears to be blocked. So far it's working but if you have any other things to try, just say.
--

Luiz Fernando Cavalcanti
IT Manager
Arriviera Technology Group

Offline dmenezes

  • Jr. Member
  • **
  • Posts: 42
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #9 on: December 02, 2011, 06:54:05 am »
there is no bug about that! the problem is how to redirect, don't need to change the file "squid_cofigurator.inc"
as someone else said the "code" cache is 301 for permanent and 302 for temporary!

you can see in the "squid_cofigurator.inc" file on line 1200

"case RMOD_EXT_FOUND: $ rdr_path =" 302: $ rdr_info "break;"

to use it you need to set, "Redirect mode: "ext url = found (enter URL)"

using that it will included as "302:redirect" in your configuration and work normally!
« Last Edit: December 02, 2011, 06:58:06 am by dmenezes »

Offline mila76

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #10 on: December 04, 2011, 02:54:02 am »
Caching problem not have nothing to do with this "bug"

H2wk tried a new clean install of 2.0 and all work so i fixed removing and reinstalling squid and squidguard packages.
Config not even touched during this "work", on reinstall is automatically restored and now all work as expected

for the brazilian guy: i use dmeneze Redirect mode: "ext url" on my config, like dmenezes suggest, and not have big trouble with cache. only 1/2 times some crap browser/computer have some cache issue, but i'm not sure my oldoldold config use "ext url" when appen time ago.
« Last Edit: December 04, 2011, 03:02:03 am by mila76 »

Offline LFCavalcanti

  • Hero Member
  • *****
  • Posts: 723
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #11 on: December 04, 2011, 03:45:25 pm »
I'll see if this redirection mode is activated on my server and post here later.

About the "crap" computer, I desagree, the issue here is with Browsers... Firefox and Internet Explorer do this... Google Chrome does not... another fact I've found.
--

Luiz Fernando Cavalcanti
IT Manager
Arriviera Technology Group

Offline LFCavalcanti

  • Hero Member
  • *****
  • Posts: 723
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #12 on: December 08, 2011, 02:50:10 pm »
Hi Again!

It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".

The problem with the Browser cache was solved.

Thanks for the help!
--

Luiz Fernando Cavalcanti
IT Manager
Arriviera Technology Group

Offline mcchin

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #13 on: December 12, 2011, 01:36:48 am »
Hi Again!

It worked! Change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)".

The problem with the Browser cache was solved.

Thanks for the help!

How to change the Redirect mode on the SquidGuard ACLs to "ext url found (enter URL)". In which files and section? I can't find this line.

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 9996
  • Karma: +4/-0
    • View Profile
Re: squidguard on 2.0 final
« Reply #14 on: December 12, 2011, 05:08:34 am »
It's a gui option, not a file hack.