squidguard not redirecting


Carlos Defoe
Hello,

I have enabled squidGuard within a huge network. Problem is that most
of the matches to my acls are logged (a block.log file), but the site
is still accessible. When I press F5 to reload, multiple times, one
time it got "blocked" (redirected to my local block page, published
with apache httpd in the same server as squid + squidGuard).

Ex:
at block.log (from squidguard)
2013-05-16 10:04:43 [3807] Request(mydest/myblock/-)
http://www.your-freedom.net/media/flags/flag_fr.gif 10.150.150.22/-
[hidden email] GET REDIRECT

at httpd.log
10.10.10.254 - - [16/May/2013:10:04:43 -0300] "GET /index.php
HTTP/1.1" 200 295 "http://www.your-freedom.net/" "Mozilla/5.0 (Windows
NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"

Then squid opens http://www.your-freedom.net/ normally.

I don't know if the problem is squidGuard accessing content on apache
httpd, or if squid is not receiving the correct return from
squidGuard. I think that, even if squidGuard is not getting the right
content from apache, squid should not display the page, as squidGuard
should have rewritten the URL.

Has anyone experienced this?


thanks!

Re: squidguard not redirecting

Amos Jeffries-2
On 18/05/2013 1:14 a.m., Carlos Defoe wrote:

> Hello,
>
> I have enabled squidGuard within a huge network. Problem is that most
> of the matches to my acls are logged (a block.log file), but the site
> is still accessible. When I press F5 to reload, multiple times, one
> time it got "blocked" (redirected to my local block page, published
> with apache httpd in the same server as squid + squidGuard).
>
> Ex:
> at block.log (from squidguard)
> 2013-05-16 10:04:43 [3807] Request(mydest/myblock/-)
> http://www.your-freedom.net/media/flags/flag_fr.gif 10.150.150.22/-
> [hidden email] GET REDIRECT
>
> at httpd.log
> 10.10.10.254 - - [16/May/2013:10:04:43 -0300] "GET /index.php
> HTTP/1.1" 200 295 "http://www.your-freedom.net/" "Mozilla/5.0 (Windows
> NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"
>
> Then squid opens http://www.your-freedom.net/ normally.
>
> I don't know if the problem is squidGuard accessing content on apache
> httpd, or if squid is not receiving the correct return from
> squidGuard. I think that, even if squidGuard is not getting the right
> content from apache, squid should not display the page, as squidGuard
> should have rewritten the URL.
>
> Has anyone experienced this?

If SG is not producing a correct response Squid will simply ignore it
... and open the original page.

What are you using squidGuard for anyway?

Amos
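
Amos's point above (a reply Squid cannot use is ignored and the original page is fetched) can be checked outside Squid by feeding the rewriter one request line and inspecting what comes back. This is an added example, not part of the thread or of Squid/squidGuard; it assumes the older line-based `url_rewrite_program` protocol, and the block-page URL, sample replies and function names are constructed for illustration.

```python
import re
import shlex
import subprocess

# Assumed legacy url_rewrite_program line protocol:
#   request: URL SP client_ip/fqdn SP ident SP method NL
#   reply:   blank line = keep URL; "URL ..." = rewrite; "30x:URL" = redirect
# With helper concurrency enabled, both lines start with a numeric channel ID
# that the helper must echo back.
REPLY_RE = re.compile(r'^(?:(30[1237]):)?(\w[\w+.-]*://\S+)')


def build_request(url, client_ip, ident="-", method="GET", channel=None):
    """Build the request line Squid would write to the helper's stdin."""
    line = f"{url} {client_ip}/- {ident} {method}"
    return line if channel is None else f"{channel} {line}"


def classify_reply(reply, channel=None):
    """Return (verdict, detail) for one helper reply line."""
    text = reply.rstrip("\r\n")
    if channel is not None:
        head, _, text = text.partition(" ")
        if head != str(channel):
            return ("invalid", "channel ID not echoed")
    if text.strip() == "":
        return ("unchanged", "")
    m = REPLY_RE.match(text)
    if not m:
        # Treated here as the kind of reply that gets ignored.
        return ("invalid", text)
    status, url = m.groups()
    return ("redirect", f"{status} {url}") if status else ("rewrite", url)


def ask_helper(command, url, client_ip, timeout=5):
    """Send one request to a real helper command line and classify its answer."""
    proc = subprocess.run(shlex.split(command),
                          input=build_request(url, client_ip) + "\n",
                          capture_output=True, text=True, timeout=timeout)
    if not proc.stdout:
        return ("invalid", "no reply (helper exited or printed nothing)")
    return classify_reply(proc.stdout.splitlines()[0])


# Constructed replies; blockpage.example stands in for the local block page.
SAMPLES = [
    ("", None),
    ("http://blockpage.example/index.php 10.150.150.22/- - GET", None),
    ("302:http://blockpage.example/index.php", None),
    ("blockpage.example/index.php", None),            # no scheme
    ("0 http://blockpage.example/index.php", None),   # unexpected channel ID
    ("http://blockpage.example/index.php", 0),        # channel ID missing
]

if __name__ == "__main__":
    print(build_request("http://www.your-freedom.net/media/flags/flag_fr.gif",
                        "10.150.150.22"))
    for reply, channel in SAMPLES:
        print(repr(reply), channel, "->", classify_reply(reply, channel))
```

`ask_helper` takes the same command line Squid is configured to start, so the verdict reflects the configuration file and blacklist databases actually in use.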


Re: squidguard not redirecting

Carlos Defoe
Hi Amos,

One big blacklist. Secondarily, it matches ads on each page to change
it to our logo, so it reduces bandwidth usage, stops annoying ads and
makes our marketing thing.

Do you think squidGuard is not working properly, then?

Redirector Statistics:
program: /usr/local/squidGuard/bin/squidGuard
number active: 31 of 80 (0 shutting down)
requests sent: 2899413
replies received: 2899412
queue length: 0
avg service time: 0 msec

Above we can see that all requests are being replied. I have the latest
version of both squid and sg.



On Fri, May 17, 2013 at 11:15 AM, Amos Jeffries <[hidden email]> wrote:

> On 18/05/2013 1:14 a.m., Carlos Defoe wrote:
>>
>> Hello,
>>
>> I have enabled squidGuard within a huge network. Problem is that most
>> of the matches to my acls are logged (a block.log file), but the site
>> is still accessible. When I press F5 to reload, multiple times, one
>> time it got "blocked" (redirected to my local block page, published
>> with apache httpd in the same server as squid + squidGuard).
>>
>> Ex:
>> at block.log (from squidguard)
>> 2013-05-16 10:04:43 [3807] Request(mydest/myblock/-)
>> http://www.your-freedom.net/media/flags/flag_fr.gif 10.150.150.22/-
>> [hidden email] GET REDIRECT
>>
>> at httpd.log
>> 10.10.10.254 - - [16/May/2013:10:04:43 -0300] "GET /index.php
>> HTTP/1.1" 200 295 "http://www.your-freedom.net/" "Mozilla/5.0 (Windows
>> NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"
>>
>> Then squid opens http://www.your-freedom.net/ normally.
>>
>> I don't know if the problem is squidGuard accessing content on apache
>> httpd, or if squid is not receiving the correct return from
>> squidGuard. I think that, even if squidGuard is not getting the right
>> content from apache, squid should not display the page, as squidGuard
>> should have rewritten the URL.
>>
>> Has anyone experienced this?
>
>
> If SG is not producing a correct response Squid will simply ignore it ...
> and open the original page.
>
> What are you using squidGuard for anyway?
>
> Amos
>

Re: squidguard not redirecting

csn233
In reply to this post by Carlos Defoe
> Has anyone experienced this?

SG has numerous problems which caused it not to do what it's supposed
to, including that "emergency" mode thing. Here are some things to
consider:

1) a BIG blacklist is overhyped - when I had a good look at our
requirements, there was only a small percentage of those websites we
actually wanted to block, the rest were either squatting websites or
non-existent, or not relevant. Squid could blacklist (eg ACL DENY)
those websites natively with a minimum of fuss.
2) SG has not been updated for 4 or 5 years, if that's your latest
version, you are still out of date. More to the point, you will not
find much help now. or anyone to fix it even if you could prove it's a
bug.
3) It has some quirks in how it handles hosts/domains in the
blacklist, which may not be how you think it is.

I didn't bother spending any more time on it.

Re: squidguard not redirecting

Marcus Kool-2
On Sat, May 18, 2013 at 12:28:20AM +0800, csn233 wrote:

> > Has anyone experienced this?
>
> SG has numerous problems which caused it not to do what it's supposed
> to, including that "emergency" mode thing. Here are some things to
> consider:
>
> 1) a BIG blacklist is overhyped - when I had a good look at our
> requirements, there was only a small percentage of those websites we
> actually wanted to block, the rest were either squatting websites or
> non-existent, or not relevant. Squid could blacklist (eg ACL DENY)
> those websites natively with a minimum of fuss.
> 2) SG has not been updated for 4 or 5 years, if that's your latest
> version, you are still out of date. More to the point, you will not
> find much help now. or anyone to fix it even if you could prove it's a
> bug.
> 3) It has some quirks in how it handles hosts/domains in the
> blacklist, which may not be how you think it is.
>
> I didn't bother spending any more time on it.

ufdbGuard is a more powerful substitute of squidGuard.
Has regular updates and even free support.

Marcus

Re: squidguard not redirecting

csn233
In reply to this post by Carlos Defoe
On Sat, May 18, 2013 at 1:09 AM, csn233 <[hidden email]> wrote:
>>> I didn't bother spending any more time on it.
>>
>> ufdbGuard is a more powerful substitute of squidGuard.
>> Has regular updates and even free support.
>>
>> Marcus

Sure. You forgot to mention though, squidGuard is free whereas
ufdbGuard is a licensed product.

Small point I know, but relevant.

Re: squidguard not redirecting

Helmut Hullen
In reply to this post by csn233
Hello, csn233,

You wrote on 18.05.13:

> SG has numerous problems which caused it not to do what it's supposed
> to, including that "emergency" mode thing. Here are some things to
> consider:

> 1) a BIG blacklist is overhyped - when I had a good look at our
> requirements, there was only a small percentage of those websites we
> actually wanted to block, the rest were either squatting websites or
> non-existent, or not relevant. Squid could blacklist (eg ACL DENY)
> those websites natively with a minimum of fuss.

May be - it does a good job even with these unnecessary entries.

> 2) SG has not been updated for 4 or 5 years, if that's your latest
> version, you are still out of date.

I can't see a big need for updating. Software really doesn't need  
changes ("updates") every month or so.

> More to the point, you will not find much help now. or anyone to fix
> it even if you could prove it's a bug.

"That depends!" - I know many colleagues who use "squidguard" since  
years; the program doesn't need much help.

Best regards!
Helmut

Re: squidguard not redirecting

Squidblacklist
In reply to this post by csn233
On Sat, 18 May 2013 01:27:36 +0800
csn233 <[hidden email]> wrote:

> On Sat, May 18, 2013 at 1:09 AM, csn233 <[hidden email]> wrote:
> >>> I didn't bother spending any more time on it.
> >>
> >> ufdbGuard is a more powerful substitute of squidGuard.
> >> Has regular updates and even free support.
> >>
> >> Marcus
>
> Sure. You forgot to mention though, squidGuard is free whereas
> ufdbGuard is a licensed product.
>
> Small point I know, but relevant.
>

   ^ You guys crack me up.


-
Signed,

Fix Nichols

http://www.squidblacklist.org

Re: squidguard not redirecting

Helmut Hullen
In reply to this post by Carlos Defoe
Hello, csn233,

You wrote on 18.05.13:

>> I can't see a big need for updating. Software really doesn't need
>> changes ("updates") every month or so.

> No, it doesn't - until you have a problem.

>> "That depends!" - I know many colleagues who use "squidguard" since
>> years; the program doesn't need much help.

> Great! Why are you posting here then?

Because I can.

Best regards!
Helmut

Re: squidguard not redirecting

csn233
> Because I can.

Sorry, more relevant question would be - do you have an answer for the
original poster?

Re: squidguard not redirecting

Marcus Kool-2
In reply to this post by csn233
On Sat, May 18, 2013 at 01:27:36AM +0800, csn233 wrote:

> On Sat, May 18, 2013 at 1:09 AM, csn233 <[hidden email]> wrote:
> >>> I didn't bother spending any more time on it.
> >>
> >> ufdbGuard is a more powerful substitute of squidGuard.
> >> Has regular updates and even free support.
> >>
> >> Marcus
>
> Sure. You forgot to mention though, squidGuard is free whereas
> ufdbGuard is a licensed product.
>
> Small point I know, but relevant.

ufdbGuard is a *free* product with a GPL2 license and
squidguard also has a GPL2 license.
Important to know is what the GPL2 license is used for:
the GPL2 license is only there to protect free software.

You can use ufdbGuard free.
ufdbGuard works with any text based URL database (free!)
and also with a commercial URL database.

Marcus

Re: squidguard not redirecting

Helmut Hullen
In reply to this post by csn233
Hello, csn233,

You wrote on 18.05.13:

>> Because I can.

> Sorry, more relevant question would be - do you have an answer for
> the original poster?

No. I don't run a huge network with the problem he has described.

I only run networks with about 50 ... 200 clients, and there I never had  
this problem.

Best regards!
Helmut

Re: squidguard not redirecting

Carlos Defoe
I'll run some more tests before getting rid of squidguard. I think the
idea of the rewriter sounds good. Also the use of berkeleydb to read
blacklists.

I've used squidguard in the past, in small networks, without any problems.

If it were running properly now, then I would have a great opportunity
to compare the performances with or without using the rewriter.

On Fri, May 17, 2013 at 5:10 PM, Helmut Hullen <[hidden email]> wrote:

> Hello, csn233,
>
> You wrote on 18.05.13:
>
>>> Because I can.
>
>> Sorry, more relevant question would be - do you have an answer for
>> the original poster?
>
> No. I don't run a huge network with the problem he has described.
>
> I only run networks with about 50 ... 200 clients, and there I never had
> this problem.
>
> Best regards!
> Helmut

Re: squidguard not redirecting

csn233
In reply to this post by Marcus Kool-2
> You can use ufdbGuard free.

So it's the filter DB component that's not free. Thanks for clarifying.

Re: squidguard not redirecting

Amos Jeffries-2
In reply to this post by Helmut Hullen
On 18/05/2013 5:53 a.m., Helmut Hullen wrote:

> Hello, csn233,
>
> You wrote on 18.05.13:
>
>> SG has numerous problems which caused it not to do what it's supposed
>> to, including that "emergency" mode thing. Here are some things to
>> consider:
>> 1) a BIG blacklist is overhyped - when I had a good look at our
>> requirements, there was only a small percentage of those websites we
>> actually wanted to block, the rest were either squatting websites or
>> non-existent, or not relevant. Squid could blacklist (eg ACL DENY)
>> those websites natively with a minimum of fuss.
> May be - it does a good job even with these unnecessary entries.

If the list is that badly out of date it will also be *missing* a great
deal of entries.


>
>> 2) SG has not been updated for 4 or 5 years, if that's your latest
>> version, you are still out of date.
> I can't see a big need for updating. Software really doesn't need
> changes ("updates") every month or so.

For regular software yes. But security software which has set itself out
as enumerating badness/goodness for a control method needs constant updates.

>
>> More to the point, you will not find much help now. or anyone to fix
>> it even if you could prove it's a bug.
> "That depends!" - I know many colleagues who use "squidguard" since
> years; the program doesn't need much help.

During which time a lot of things have progressed. Squid has gained a lot
of ACL types, better regex handling, better memory management, and an
external ACL helpers interface (which most installations of SG should
really be using).


Which brings me back to my question of what SG was being used for. If it
is something which the current Squid are capable of doing without SG
then you maybe can gain better traffic performance simply by removing SG
from the software chain. Like csn233 found it may be worth it.

Amos

Re: squidguard not redirecting

Squidblacklist
On Sat, 18 May 2013 14:58:42 +1200
Amos Jeffries <[hidden email]> wrote:

>  a BIG blacklist is overhyped

Nonsense, porn blacklists are big by nature have you tried
squid-porn.acl lately?

Squidblacklist.org is the new kid on the blacklist block, and our porn
blacklist is fantastic.

-
Signed,

Fix Nichols

http://www.squidblacklist.org

Re: squidguard not redirecting

Squidblacklist
In reply to this post by Amos Jeffries-2
On Sat, 18 May 2013 14:58:42 +1200
Amos Jeffries <[hidden email]> wrote:

> On 18/05/2013 5:53 a.m., Helmut Hullen wrote:
> > Hello, csn233,
> >
> > You wrote on 18.05.13:
> >
> >> SG has numerous problems which caused it not to do what it's
> >> supposed to, including that "emergency" mode thing. Here are some
> >> things to consider:
> >> 1) a BIG blacklist is overhyped - when I had a good look at our
> >> requirements, there was only a small percentage of those websites
> >> we actually wanted to block, the rest were either squatting
> >> websites or non-existent, or not relevant. Squid could blacklist
> >> (eg ACL DENY) those websites natively with a minimum of fuss.
> > May be - it does a good job even with these unnecessary entries.
>
> If the list is that badly out of date it will also be *missing* a
> great deal of entries.
>
>
> >
> >> 2) SG has not been updated for 4 or 5 years, if that's your latest
> >> version, you are still out of date.
> > I can't see a big need for updating. Software really doesn't need
> > changes ("updates") every month or so.
>
> For regular software yes. But security software which has set itself
> out as enumerating badness/goodness for a control method needs
> constant updates.
>
> >
> >> More to the point, you will not find much help now. or anyone to
> >> fix it even if you could prove it's a bug.
> > "That depends!" - I know many colleagues who use "squidguard" since
> > years; the program doesn't need much help.
>
> During which time a lot of things have progressed. Squid has gained a
> lot of ACL types, better regex handling, better memory management, and
> an external ACL helpers interface (which most installations of SG
> should really be using).
>
>
> Which brings me back to my question of what SG was being used for. If
> it is something which the current Squid are capable of doing without
> SG then you maybe can gain better traffic performance simply by
> removing SG from the software chain. Like csn233 found it may be
> worth it.
>
> Amos
>

I agree with Mr. Jeffries , and allow me to also add
that squidblacklist.org offers acl blacklists that work fine with
squid, without the use of third party add ons, if you want less
complications due to excessive setups with third party add ons, come
check it out. (shameless self promotion) http://squidblacklist.org
 
 So long as you are using squid3.x and not some ancient version of
 squid, you should have no issues with large blacklists in squid. And
 the reasoning is that a more recently released versions of squid is not
 bound by the issues with large acl lists that affected earlier
 versions, these issues are as I understand the primary reason people
 were using third party add ons for large blacklists, so correct me if
 I am wrong, but, you might not need bother with any of them, depending
 on your needs.

-
Signed,

Fix Nichols

http://www.squidblacklist.org

Re: squidguard not redirecting

Amos Jeffries-2
In reply to this post by Squidblacklist
On 18/05/2013 4:52 p.m., Squidblacklist wrote:
> On Sat, 18 May 2013 14:58:42 +1200
> Amos Jeffries wrote:
>
>>   a BIG blacklist is overhyped
For the record that is a mis-attribution. I did not say that.

Amos

Re: squidguard not redirecting

Helmut Hullen
In reply to this post by Amos Jeffries-2
Hello, Amos,

You wrote on 18.05.13:

>>> SG has numerous problems which caused it not to do what it's
>>> supposed to, including that "emergency" mode thing. Here are some
>>> things to consider:

>>> 1) a BIG blacklist is overhyped - when I had a good look at our
>>> requirements, there was only a small percentage of those websites
>>> we actually wanted to block, the rest were either squatting
>>> websites or non-existent, or not relevant. Squid could blacklist
>>> (eg ACL DENY) those websites natively with a minimum of fuss.

>> May be - it does a good job even with these unnecessary entries.

> If the list is that badly out of date it will also be *missing* a
> great deal of entries.


Yes - may be. But updating the list is a really simple job.

>>
>>> 2) SG has not been updated for 4 or 5 years, if that's your latest
>>> version, you are still out of date.
>> I can't see a big need for updating. Software really doesn't need
>> changes ("updates") every month or so.

> For regular software yes. But security software which has set itself
> out as enumerating badness/goodness for a control method needs
> constant updates.

May be - but "squidguard" does a really simple job: it looks into a list  
of not allowed domains and URLs and then decides whether to allow or to  
deny. That job doesn't need "constant updates".

>>> More to the point, you will not find much help now. or anyone to
>>> fix it even if you could prove it's a bug.

>> "That depends!" - I know many colleagues who use "squidguard" since
>> years; the program doesn't need much help.

> During which time a lot of things have progressed. Squid has gained a
> lot of ACL types, better regex handling, better memory management, and
> an external ACL helpers interface (which most installations of SG
> should really be using).


> Which brings me back to my question of what SG was being used for. If
> it is something which the current Squid are capable of doing without
> SG then you maybe can gain better traffic performance simply by
> removing SG from the software chain. Like csn233 found it may be
> worth it.

The squidguard job is working with a really big blacklist. And working  
with some specialized ACLs.

I know "squid" can do this job too - and I maintain a schoolserver which  
uses many of these possibilities of "squid". But then some other people  
has to maintain the blacklist. That's no job for the administrator in  
the school.

"better traffic performance" may be a criteria, but (p.e.) blocking porn  
URLs is (in schools) a criteria too.
Teachers have to look at "legal protection for children and young  
persons" too.

Please excuse my gerlish.

> Amos


Best regards!
Helmut

Re: squidguard not redirecting

Squidblacklist
In reply to this post by Amos Jeffries-2
On Sat, 18 May 2013 17:32:02 +1200
Amos Jeffries <[hidden email]> wrote:

> > On Sat, 18 May 2013 14:58:42 +1200
> > Amos Jeffries wrote:
> >
> >>   a BIG blacklist is overhyped
> For the record that is a mis-attribution. I did not say that.
>
> Amos
>

Pardon my bad email etiquette, I'm using a weird email client.

-
Signed,

Fix Nichols

http://www.squidblacklist.org