05-30-2014, 06:26 AM
|
#1
|
LQ Newbie
Registered: Apr 2013
Posts: 10
Rep: 
|
Proxy Server
Hi,
Lately I was configuring Squid + SquidGuard and I noticed that there is a particular limitation. Unfortunately, having multiple groups with multiple filters does not work as it should. The reason is that if a certain condition is met (web filtering), the other rules are ignored. For example:
Filter 1 - allow social; Filter 2 - allow downloads; Filter 3 - allow music.
If I have Group 1 and I assign them Filter 1 + 2, SquidGuard will only take care of the first condition, i.e., Filter 1. Filter 2 is completely ignored and therefore Group 1 will not be able to access download sites. Having just three filters is not a big deal, but imagine having multiple and multiple combinations.
I have tried using DansGuardian but it seems that it does not allow this function either. Is there a specific Web Filter for use with Linux that allows such a function, please? Thanks
|
|
|
06-01-2014, 04:53 PM
|
#2
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Quote:
Filter 1 - allow social; Filter 2 - allow downloads; Filter 3 - allow music.
|
Did you try:
Groups:
social_allow
social_deny
download_allow
download_deny
music_allow
music_deny
and do your filtering by groups?
It would make your filters look more like this:
Quote:
Filter 1 - allow social: social_allow
Filter 2 - deny social: social_deny
... etc., etc.
|
Last edited by dijetlo; 06-01-2014 at 04:59 PM.
|
|
|
06-02-2014, 01:21 AM
|
#3
|
LQ Newbie
Registered: Apr 2013
Posts: 10
Original Poster
Rep: 
|
Hi,
Thanks for your response. I have tried the following scenario:
Users - User1, User2, User3, User4
Groups - G_Social, G_Downloads, G_Music
Filters - F_Social, F_Downloads, F_Music
User1 is a member of G_Social having F_Social filter and therefore social networking websites are allowed
User2 is a member of G_Downloads and having F_Downloads filter and therefore download websites are allowed
So far so good...
User3 is a member of G_Social + G_Downloads having F_Social and F_Downloads filters respectively. However, if the F_Social filter is the FIRST filter whose conditions are met, User3 will not be able to access download websites. In order for User3 to access download websites, F_Social and F_Downloads need to be combined into one filter such as F_Social_Downloads. In that way, there is only one filter whose conditions need to be met.
The problem here is that you end up with multiple filter combinations. Because if User4 needs to access Social + Downloads + Music these need to be combined too. Imagine having User5 that only wants Music + Social or having User6 that only wants Downloads + Music. The way I see it is that these filters need to be combined into one. Don't know if I have explained better? Thanks
|
|
|
06-02-2014, 04:27 AM
|
#4
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Code:
logdir /usr/local/squidGuard/log
dbhome /usr/local/squidGuard/db
src nomusic{ user0 user1 user2 user3 user4}
src nosocial{ user4 user5 user6 user7 user8}
src noftp{ user8 user9 user10 user11 user12}
dest music {
domainlist music/domains
urllist music/urls
}
dest ftp {
domainlist ftp/domains
urllist ftp/urls
}
dest social{
domainlist social/domains
urllist social/urls
}
acl {
{
pass !nomusic music
#redirector
redirect http://localhost/cgi/blocked_music?
pass !noftp ftp
#redirector
redirect http://localhost/cgi/blocked_ftp?
pass !nosocial music
#redirector
redirect http://localhost/cgi/blocked+social?
}
}
Make sure you're putting the redirectors in, or SquidGuard locks on the first "!" in the ACL.
Last edited by dijetlo; 06-02-2014 at 04:32 AM.
|
|
|
06-03-2014, 01:56 AM
|
#5
|
LQ Newbie
Registered: Apr 2013
Posts: 10
Original Poster
Rep: 
|
Hi,
I have the following basic configuration:
Code:
dbhome /var/lib/squidguard/db
logdir /var/log/squid
src nosocialnet {
user0
}
src nodownloads {
user0
}
dest downloads {
domainlist downloads/domains
urllist downloads/urls
logfile downloads.log
}
dest socialnet {
domainlist socialnet/domains
urllist socialnet/urls
logfile socialnet.log
}
acl {
default {
pass !nosocialnet socialnet
#redirector
redirect http://www.google.com
pass !nodownloads downloads
#redirector
redirect http://www.google.com
}
}
I had to put in the word default since it gives me an error in that line. I think the reason is that without having a word before "{" this cannot be done. Secondly, when I put the word default, I was given an error that "ACL destination nosocialnet is not defined in configfile....." since in this case squidGuard looks for the ACLs. The "nosocialnet" is actually a group, not an ACL, and therefore it gives such an error. Am I doing something wrong, please? Thanks
Last edited by mat1_8; 06-03-2014 at 02:39 AM.
|
|
|
06-03-2014, 07:57 AM
|
#6
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Quote:
ACL destination nosocialnet is not defined in configfile
|
Looking at the example I pulled from your manual and tweaked, it's pointing to pages on the localhost (actually cgi scripts, but I'd think it would work with pages as well). The ACLs aren't going to wait for a DNS lookup; if you want to redirect your users to google instead of a page you've written and placed in your web server, redirect them in the cgi directory of the web server, not in the ACL.
|
|
|
06-03-2014, 08:18 AM
|
#7
|
LQ Newbie
Registered: Apr 2013
Posts: 10
Original Poster
Rep: 
|
Hi,
I have tried using the local web server but still same problems.
Code:
acl {
{
pass !nomusic music
#redirector
redirect http://localhost/cgi/blocked_music?
pass !noftp ftp
#redirector
redirect http://localhost/cgi/blocked_ftp?
pass !nosocial music
#redirector
redirect http://localhost/cgi/blocked+social?
}
}
The code which you gave me I think has bad syntax because there is no name after the ACL such as:
Code:
acl {
userlist {
pass !nomusic music
#redirector
redirect http://localhost/cgi/blocked_music?
pass !noftp ftp
#redirector
redirect http://localhost/cgi/blocked_ftp?
pass !nosocial music
#redirector
redirect http://localhost/cgi/blocked+social?
}
}
After reading squidGuard manual it appears that at the end you need to have a DEFAULT ACL set too.
|
|
|
06-03-2014, 11:17 AM
|
#8
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
Quote:
After reading squidGuard manual it appears that at the end you need to have a DEFAULT ACL set too.
|
Did it work when you did that?
Heads up, you got a + here instead of a _.
Are these real cgi scripts you're pointing to? I thought you'd probably just make a simple page to test.
Last edited by dijetlo; 06-03-2014 at 11:19 AM.
|
|
|
06-05-2014, 12:02 AM
|
#9
|
LQ Newbie
Registered: Apr 2013
Posts: 10
Original Poster
Rep: 
|
Hi,
Yes, I have set the DEFAULT option but that did not work either. Also I have pointed the redirect rule to http://localhost and it just displays a "hello world" text message, but it did not make any difference.
Kindly may I ask you if you have tried the code yourself please (the one which you gave me)? Thanks
|
|
|
06-05-2014, 12:12 AM
|
#10
|
Senior Member
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Rep: 
|
No, I pulled those from your manual. I've never used squid or squid-guard; however, I've admin'd a lot of usergroup based software. Go back to post #2 and you'll see why I first responded.
|
|
|
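Added example, not code from any poster in this thread: one way to avoid hand-writing every filter combination from post #3 is to generate the configuration, emitting one `src` per distinct permission set so that each user matches exactly one source and first-match evaluation never cuts off part of their access. It assumes users are identified by proxy-auth name, that the listed categories are blocked unless granted while the rest of the web is allowed, and that the `g_*` source names, the user-to-category table and the block page URL are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: categories each user may reach (names follow the thread).
USER_CATEGORIES = {
    "user1": {"socialnet"},
    "user2": {"downloads"},
    "user3": {"socialnet", "downloads"},
    "user4": {"socialnet", "downloads", "music"},
    "user5": {"music", "socialnet"},
}
BLOCK_PAGE = "http://localhost/blocked.html"  # hypothetical block page


def group_by_permission_set(user_categories):
    """Return {frozenset(allowed categories): [users]}; one src per distinct set."""
    groups = defaultdict(list)
    for user in sorted(user_categories):
        groups[frozenset(user_categories[user])].append(user)
    return dict(groups)


def src_name(cats):
    return "g_" + "_".join(sorted(cats))


def pass_rule(allowed, all_cats):
    """Deny every restricted category the set was not granted, allow the rest."""
    return "pass " + " ".join([f"!{c}" for c in all_cats if c not in allowed] + ["all"])


def render_config(user_categories, dbhome="/var/lib/squidguard/db",
                  logdir="/var/log/squid"):
    groups = group_by_permission_set(user_categories)
    all_cats = sorted(set().union(*user_categories.values()))
    out = [f"dbhome {dbhome}", f"logdir {logdir}", ""]
    # Every user lands in exactly one src, so first-match evaluation
    # can never stop at a rule that covers only part of their access.
    for cats in sorted(groups, key=src_name):
        out += [f"src {src_name(cats)} {{", f"    user {' '.join(groups[cats])}", "}", ""]
    for cat in all_cats:
        out += [f"dest {cat} {{", f"    domainlist {cat}/domains",
                f"    urllist {cat}/urls", "}", ""]
    out.append("acl {")
    for cats in sorted(groups, key=src_name):
        out += [f"    {src_name(cats)} {{", f"        {pass_rule(cats, all_cats)}",
                f"        redirect {BLOCK_PAGE}", "    }"]
    out += ["    default {", f"        {pass_rule(set(), all_cats)}",
            f"        redirect {BLOCK_PAGE}", "    }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_config(USER_CATEGORIES))
```

Only combinations that are actually in use produce a `src`, and a restricted category that no user is granted has to be added to the table by hand before it shows up in the `default` rule.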
All times are GMT -5. The time now is 10:48 PM.