Hello, We have configured pfSense with Squid3 and SquidGuard in order to do content filtering. We have blocked several categories and also have a set of manually blocked URLs. If I attempt to go to a manually blocked URL, I am correctly redirected to the sgerror page:
https://10.10.10.1/sgerror.php?url=403%20&a=10.0.0.100&n=&i=&s=default&t=Manual_Blacklist&u=http://eztv.it/ However when I go to a page blocked by a category, it doesn't give the correct redirect link (resulting in a 404 error): https://10.10.10.1/sgerror.php&a=10.0.0.100&n=&i=&s=default&t=blk_blacklists_adult&u=http://sex.com/ It is stripping the "?url=403%20" which breaks the link. Looking at the filter config, it seems odd that the redirect URLs are "http" on port 443. The resulting page is https without the port indicated. Here is my Filter config: # ============================================================ # SquidGuard configuration file # This file generated automaticly with SquidGuard configurator # (C)2006 Serg Dvoriancev # email: [email protected] # ============================================================ logdir /var/squidGuard/log dbhome /var/db/squidGuard # Sites to block (not handled by blacklist service) dest Manual_Blacklist { domainlist Manual_Blacklist/domains expressionlist Manual_Blacklist/expressions redirect http://10.10.10.1:443/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u log block.log } # Sites to allow (not handled by blacklist service) dest ManualWhitelist { domainlist ManualWhitelist/domains redirect http://10.10.10.1:443/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u log block.log } # rew safesearch { s@(google..*/search?.*q=.*)@ &safe=active@i s@(google..*/images.*q=.*)@ &safe=active@i s@(google..*/groups.*q=.*)@ &safe=active@i s@(google..*/news.*q=.*)@ &safe=active@i s@(yandex..*/yandsearch?.*text=.*)@ &fyandex=1@i s@(search.yahoo..*/search.*p=.*)@ &vm=r&v=1@i s@(search.live..*/.*q=.*)@ &adlt=strict@i s@(search.msn..*/.*q=.*)@ &adlt=strict@i s@(.bing..*/.*q=.*)@ &adlt=strict@i log block.log } # acl { # default { pass ManualWhitelist !Manual_Blacklist !blk_blacklists_abortion !blk_blacklists_ads !blk_blacklists_adult !blk_blacklists_antispyware !blk_blacklists_artnudes !blk_blacklists_filesharing !blk_blacklists_gambling !blk_blacklists_hacking !blk_blacklists_lingerie !blk_blacklists_malware !blk_blacklists_mixed_adult !blk_blacklists_naturism !blk_blacklists_phishing !blk_blacklists_porn !blk_blacklists_proxy !blk_blacklists_sexuality !blk_blacklists_sexualityeducation !blk_blacklists_spyware !blk_blacklists_tobacco !blk_blacklists_violence !blk_blacklists_virusinfected !blk_blacklists_warez !blk_blacklists_weapons blk_blacklists_audio-video blk_blacklists_news all redirect http://10.10.10.1:443/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u rewrite safesearch log block.log } } And here is my Proxy Config: # This file is automatically generated by pfSense # Do not edit manually ! http_port 10.0.0.1:3128 http_port 127.0.0.1:3128 intercept icp_port 7 dns_v4_first off pid_filename /var/run/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language en icon_directory /usr/pbi/squid-amd64/etc/squid/icons visible_hostname localhost cache_mgr [email protected] access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none sslcrtd_children 0 logfile_rotate 7 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 10.0.0.0/16 uri_whitespace strip acl dynamic urlpath_regex cgi-bin ? cache deny dynamic cache_mem 8 MB maximum_object_size_in_memory 256 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA cache_dir ufs /var/squid/cache 1024 16 256 minimum_object_size 0 KB maximum_object_size 4 KB offline_mode offcache_swap_low 90 cache_swap_high 95 # No redirector configured #Remote proxies # Setup some default acls acl allsrc src all acl localhost src 127.0.0.1/32 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 443 3128 1025-65535 1935 acl sslports port 443 563 443 1935 acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings # Package Integration redirect_program /usr/pbi/squidguard-squid3-amd64/bin/squidGuard -c /usr/pbi/squidguard-squid3-amd64/etc/squidGuard/squidGuard.conf redirector_bypass off url_rewrite_children 5 # Custom options # Setup allowed acls # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrc I've tried uninstalling and reinstalling the squidGuard package, but I don't think that reset any options to fix anything. Can someone recommend where to start troubleshooting this? Thanks, Dean
_______________________________________________ List mailing list [email protected] https://lists.pfsense.org/mailman/listinfo/list
