Squid error page pfsense

This question is based on information gathered from this post: http://forum.pfsense.org/index.php/topic,9519.0.html My issue is that I am using Squid as a transparent proxy and therefore cannot use any of the "int" redirect methods.  I am by no means a we...

hi,

OK, that looks good; your filter seems to work. Please try to get it working with HTTP first. I remember some problems with HTTPS. Maybe it doesn't work on HTTPS.
My GUI is working on a non-standard HTTP port.

You edited sgerror.php and still get the standard block page? Hmm, post your sgerror.php.

Please try to access https://firewall-ip:port#/firewallblock.php from a client. Can you post your firewall.php?

I will try to configure a test system tomorrow with your config. You are using pfSense 1.2.3 with the standard LAN/WAN setup, right?

Cya

EDIT:

Steps to get a custom page to work with a transparent proxy, with the GUI on an HTTP standard or non-standard port
1. Install the Squid, SquidGuard and Lightsquid packages
2. Upload a blacklist
3. Configure the squidGuard default rule for blocking categories.
4. Test filtering from a client; if the standard block page appears you can go further, otherwise you have to check the config
5. Modify /usr/local/www/sgerror.php

delete:

# IE shows its own "friendly" error page unless the body is larger than about 1024 bytes
function get_error_page($er_code_id, $err_msg='') {
        global $err_code;
        global $cl;
        $str = Array();

        header("HTTP/1.1 " . $err_code[$er_code_id]);

        // (the HTML tags that sat in these string literals were lost in this copy of the post;
        //  note that the $cl values are written into the page without any escaping)
        $str[] = '';
        $str[] = '';
        $str[] = 'Request denied by pfSense proxy: ' . $err_code[$er_code_id];
        if ($err_msg) $str[] = " Reason: $err_msg";
        $str[] = '';
        if ($cl['a'])        $str[] = " Client address: {$cl['a']}";
        if ($cl['n'])        $str[] = " Client name: {$cl['n']}";
        if ($cl['i'])        $str[] = " Client user: {$cl['i']}";
        if ($cl['s'])        $str[] = " Client group: {$cl['s']}";
        if ($cl['t'])        $str[] = " Target group: {$cl['t']}";
        if ($cl['u'])        $str[] = " URL: {$cl['u']}";
        $str[] = '';
        $str[] = '';
        $str[] = '';

        return implode("\n", $str);
}

paste: (it's simple HTML)

# IE shows its own "friendly" error page unless the body is larger than about 1024 bytes
function get_error_page($er_code_id, $err_msg='') {
        global $err_code;
        global $cl;
        $str = Array();

        header("HTTP/1.1 " . $err_code[$er_code_id]);

        // (the HTML tags that sat in these string literals were lost in this copy of the post)
        $str[] = '';
        $str[] = '';
        $str[] = '';
        $str[] = '';
        $str[] = '';
        $str[] = '';
        // $cl holds values taken from the blocked request itself (client name, URL, ...);
        // escape them before writing them into the page so that a crafted URL cannot
        // inject markup or script into the block page shown to the client
        if ($cl['n'])        $str[] = "Client Name: " . htmlspecialchars($cl['n']) . " | ";
        if ($cl['a'])        $str[] = "Client IP: " . htmlspecialchars($cl['a']) . " | ";
        if ($cl['i'])        $str[] = "Client User: " . htmlspecialchars($cl['i']) . " | ";
        if ($cl['s'])        $str[] = "Group: " . htmlspecialchars($cl['s']) . " | ";
        if ($cl['t'])        $str[] = "Category: " . htmlspecialchars($cl['t']) . " ";
        $str[] = '';

        $str[] = 'Address blocked!';
        $str[] = '';
        // $err_msg is the message the administrator entered in the Redirect info field
        if ($err_msg) $str[] = '• ' . $err_msg . ' —';
        if ($cl['u'])        $str[] = "URL: " . htmlspecialchars($cl['u']);
        $str[] = 'Because of access restrictions your request is not allowed.';
        $str[] = 'Please contact the IT department if you think this is not correct.';
        // the Host header is client-supplied too, hence the escaping in the attribute
        $str[] = '<img src="http://' . htmlspecialchars($_SERVER['HTTP_HOST']) . '/banner.png" alt="blocked">';
        $str[] = 'Web Filtering by <a style="color:#FFFFFF;">PfSense</a> and <a style="color:#FFFFFF;">SquidGuard</a>';
        $str[] = '';
        $str[] = '';

        return implode("\n", $str);
}

Keep in mind to change the picture path if you want to use images in the block page.

6. Restart the proxy and squidGuard

Steps to get a custom page to work with a transparent proxy, with the GUI on an HTTPS standard or non-standard port

Redirection to the pfSense box itself fails.

1. You need to put the error page on an external HTTP server, e.g. Debian with PHP installed.
2. Create a PHP script and use the info you get from the squidGuard variables:

%a = client_address
%n = client_name
%i = client_user
%s = client_group
%t = target_group
%u = client_url

3. Change the default rule to redirect to the external URL

example:
http://extsource:port/block.php?a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

Hope that helps.

Cya


Configuring the SquidGuard Package

squidGuard is a URL redirector used to integrate blacklists with the Squid proxy software. It has two big advantages: it is fast and it is free. squidGuard is published under the GNU General Public License.

squidGuard can be used to:

Limit the web access for some users to a list of accepted/well known web servers and/or URLs only.

Block access to some listed or blacklisted web servers and/or URLs for some users.

Block access to URLs matching a list of regular expressions or words for some users.

Enforce the use of domain names/prohibit the use of IP addresses in URLs.

Redirect blocked URLs to an info page.

Redirect banners to an empty GIF.

Have different access rules based on time of day, day of the week, date etc.

Installing Squid and squidGuard

From the pfSense® webGUI, navigate to System > Packages, Available Packages tab

Install the Squid package if it is not already installed.

Install the squidGuard package

Configure Squid package.

Configure squidGuard package.

Configure the squidGuard Package

Basic configuration

This section describes how to enable and configure squidGuard and common user access.

Open General settings tab.

Check the Enable box to activate the package.

Set Blacklist options to use blacklist categories (see the Blacklist section below; optional).

Click Save button.

Open Common ACL page.

Click Target Rules List to show defined blacklists and target categories

Define default user access: select Default access [all] as allow or deny.

Define other category actions:

Select —, to ignore a category.

Select allow, to allow this category for clients.

Select deny, to deny this category for clients.

Select white, to allow this category without any restrictions. This option is used for exceptions to prohibited categories.

To prohibit clients from using IP addresses in URLs, check Do Not Allow IP Addresses in URL.

Select Redirect mode:

Int error page: Use the built-in error page. A custom message may be entered in the Redirect info box below.

Int blank page: Redirect to a blank page

The other options are various redirects to external error pages, and a URL must be entered in the Redirect info box if they are chosen.

Use safe search engine: Protect customers from unwanted search results. It is supported by Google, Yandex, Yahoo, MSN, Live Search. Make sure that these search engines are available. If this protection should be strictly enforced, disable access to all other search engines.

After settings are complete, return to the General Settings tab and press Apply.

Blacklist

Blacklists are optional, but often useful for restricting access to certain types of sites.

squidGuard ships with a small blacklist that is basically for testing purposes and should not be used in production. A better way is to start with one of the blacklist collections recommended by squidGuard.

Open General Settings tab in squidGuard package GUI, found at Services > Proxy Filter.

Check Blacklist to enable the use of blacklists.

Enter blacklist URL in the field Blacklist URL.

If the firewall is itself behind a proxy, enter the proxy information in Blacklist proxy (this step is not necessary for most people).

Click Save.

Navigate to the Blacklist tab inside of squidGuard.

Click the Download button.

Wait while the blacklist is downloaded and prepared for use (10 to 35 minutes). Progress is displayed on that page as the list is downloaded and processed.

How-Tos

Exclude domain/URL from blacklist

In the squidGuard GUI (Services > Proxy Filter):

Open the Target categories page

Click to add a new item

Enter a name for the category — myWhitelist for example.

Add domains and/or URLs to the lists as needed. Entries should be separated by a space. The examples on the page show how entries should be formatted.

As with the Common ACL discussed previously, redirect and logging options specific to this category may be set.

Click Save.

Open Common ACL or Groups ACL page (whichever should have an exclusion).

Click Target Rule List to expand the list of categories. The newly created category should show alphabetically in the list, above any blacklist categories. Find the MyWhiteList entry in the list and select whitelist.

Click Save.

Return to the General Settings tab and press Apply.

Block download by Extension

In the squidGuard GUI (Services > Proxy Filter):

Open the Target categories page.

Click to add a new item.

Enter a name for the category — myBlockExt for example.

Add Expressions (for example for asf, zip, exe and similar files):

Click Save.

Open Common ACL or Groups ACL page (whichever should have an exclusion).

Click Target Rule List to expand the list of categories. The newly created category should show alphabetically in the list, above any blacklist categories. Find the myBlockExt entry in the list and select deny.

Click Save.

Return to the General Settings tab and press Apply.

Troubleshooting

Netflix

If Netflix will not load while squidGuard is active, it is likely because Netflix requires accessing URLs by IP address. Ensure that ACLs matching clients allowed to reach Netflix also have Do not allow IP-Addresses in URL unchecked.

Service Does Not Start

If the squidGuard service will not start, there are a few possible explanations:

On all versions of Squid, if only blacklists have been configured, then at startup some important files/directories may not be set properly.

Add at least one Custom Target Category with a site to pass or block and use it along with the blacklist entries to work around the problem.

On squid 3.x, the squidGuard service will only start when traffic requires it to run, so it can appear to be stopped even when working properly.

Only worry about the service if it appears not to work; don't rely on the service status alone.

Known issues

The pfSense software issue tracker contains a list of known issues with this package.

Package Support

This package is currently supported by Netgate TAC to those with an active support subscription.


7 Replies

  • Sean Harrigan

  • Rhys Hudson

    Can the actual page be external (hosted on a dedicated web server)?

  • Sean Harrigan

    I don't think so; it's a file in /etc/squid/error, and it's just standard HTML with hooks into squid. You could host images and stuff on another server and link out to them, I'm sure.

    Edit: You can probably direct to an external site somewhere in the configuration, maybe, and the hooks probably wouldn't work. Not sure why you'd need to do that, though. It's just an HTML file, and you can just host any resources externally.

  • Rhys Hudson

    OK. At the moment I have http://adn-networks.co.uk/smartcache/blocked as my block page. Is there any way to get the URL they are requesting on that? It's just HTML.

  • Sean Harrigan

    RHudson wrote:

    OK. At the moment I have http://adn-networks.co.uk/smartcache/blocked as my block page. Is there any way to get the URL they are requesting on that? It's just HTML.

    You could probably copy the code and correct any internal references so that they point to the network path that page is hosted on, then edit in the proper codes for embedding URL information, and paste it into the appropriate file in /etc/squid/error/.

  • Rhys Hudson

    Thanks very much!!!! Problem solved.

    The reason the page is external is so it is easier to edit. The URL issue was solved by adding:

    HTML

    <script type="text/javascript">
    // write the URL as text, not as markup, so nothing in it is interpreted as HTML
    document.write('<span id="blocked-url"></span>');
    document.getElementById('blocked-url').textContent = location.href;
    </script>

    That displays the desired URL.

    Thanks again!

  • Jack Pinnick

    Hello

    We've got squidGuard running on pfSense at some remote sites for free WiFi with the block page hosted on a remote web server.

    Under the ACL we've set the redirect mode to 'ext url err page' and put the address of the external block page in 'redirect info' (e.g. http://example.com/blocked).

    You can also get some information to display on this page, such as the address of the page that was blocked, etc. (More info on that here: http://forum.pfsense.org/index.php?topic=26057.0)

    Attachment: squidguard.png (35.8 KB)
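An external block page that consumes the squidGuard variables listed in the first post of this page (%a, %n, %i, %s, %t, %u) through the 'ext url err page' redirect described in the reply above, as an added example that is neither the forum posters' code nor pfSense's sgerror.php. It assumes PHP 7.1 or later and a Common ACL redirect of http://extsource:port/block.php?a=%a&n=%n&i=%i&s=%s&t=%t&u=%u (host and port are placeholders). Every value it prints comes from the client's own request, so it escapes them before writing them into the page; the sample request at the bottom is constructed.

```php
<?php
// block.php: external block page for squidGuard's "ext url err page" redirect.
// Added example; not code from the forum posts or from pfSense's sgerror.php.
// Assumes the Common ACL redirect is (host and port are placeholders):
//   http://extsource:port/block.php?a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
// Squid answers the blocked request with a 302 to that URL, so the browser
// calls this script with squidGuard's values in the query string.

// squidGuard's one-letter variables and the label shown for each.
const SG_FIELDS = [
    'a' => 'Client address',
    'n' => 'Client name',
    'i' => 'Client user',
    's' => 'Client group',
    't' => 'Target group',
    'u' => 'URL',
];

// Recover the blocked URL from the raw query string. If the installed squidGuard
// substitutes %u verbatim (verify with a blocked URL that contains '&'), a URL such
// as http://x/?p=1&q=2 would be split into extra parameters by $_GET; taking
// everything after the first "&u=" keeps it whole. Requires u to be the last
// parameter of the redirect URL.
function blocked_url_from_query(string $query): ?string
{
    $pos = strpos($query, '&u=');
    if ($pos === false) {
        return null;
    }
    return rawurldecode(substr($query, $pos + 3));
}

// Build the page. $params is normally $_GET with the recovered URL; it is passed
// in so the function can be run against constructed input.
function render_block_page(array $params): string
{
    $rows = '';
    foreach (SG_FIELDS as $key => $label) {
        if (!isset($params[$key]) || $params[$key] === '' || $params[$key] === '-') {
            continue;   // squidGuard writes '-' for values it does not know
        }
        // Every value originates from the client's own request: escape it so a
        // crafted URL cannot inject markup or script into the block page.
        $rows .= '<tr><th>' . $label . '</th><td>'
               . htmlspecialchars((string) $params[$key], ENT_QUOTES, 'UTF-8')
               . "</td></tr>\n";
    }

    $html = "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
          . "<title>Request blocked</title></head><body>\n"
          . "<h1>Request blocked</h1>\n"
          . "<p>Your request is not allowed by the web filtering policy. "
          . "Contact the IT department if you think this is a mistake.</p>\n"
          . "<table>\n" . $rows . "</table>\n"
          . "<p>Web filtering by pfSense and squidGuard</p>\n"
          . "</body></html>\n";

    // Old Internet Explorer replaces error responses shorter than about 1 KB
    // with its own "friendly" page; pad so this one is always shown.
    while (strlen($html) < 1024) {
        $html .= "<!-- padding -->\n";
    }
    return $html;
}

if (PHP_SAPI !== 'cli') {
    $params = $_GET;
    $url = blocked_url_from_query($_SERVER['QUERY_STRING'] ?? '');
    if ($url !== null) {
        $params['u'] = $url;
    }
    http_response_code(403);                       // a block, not a cacheable page
    header('Cache-Control: no-store');
    header('Content-Type: text/html; charset=utf-8');
    echo render_block_page($params);
} else {
    // Constructed sample: a blocked request whose URL carries an injection attempt.
    $query = 'a=192.168.1.23&n=pc23.example.lan&i=-&s=default&t=blk_BL_adv'
           . '&u=http://ads.example.com/?p=1&q=<script>alert(1)</script>';
    parse_str($query, $params);
    $params['u'] = blocked_url_from_query($query);
    $html = render_block_page($params);
    echo $html;
    // The injected tag must appear only in escaped form.
    assert(strpos($html, '<script>') === false);
    assert(strpos($html, '&amp;q=&lt;script&gt;alert(1)&lt;/script&gt;') !== false);
}
```

Run it with `php block.php` to see the constructed sample rendered with the injected tag neutralised, then put it on the external web server and point the ACL's Redirect info at it. Keep u as the last parameter: the script reads the blocked URL back from QUERY_STRING rather than from $_GET precisely so that a blocked URL's own query string does not get split into extra parameters.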

Install and Setup Squid Proxy on pfSense

In this tutorial we are going to learn how to install and set up Squid proxy on pfSense. pfSense is a free and open source firewall and router that also offers unified threat management, load balancing, multi-WAN and many more features, comprehensively described on the pfSense features page.

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

You can learn how to install pfsense on a KVM Hypervisor by following the link below;

Install pfSense Firewall on KVM

Assuming you already have a running pfSense, proceed to install and configure Squid proxy.

Install Squid Package on pfSense

Squid package can be installed on pfSense by navigating to System > Package Manager menu on the web interface.

[screenshot: Package Manager]

Once the Package Manager opens up, click Available Packages and enter squid as the search term on the search bar.

Click the Search button to search for the squid package. You should see the squid-related packages.

[screenshot: squid packages]

From the search output above, we are only interested in installing Squid. Hence, begin the installation of Squid proxy package by clicking the install button on the far right and confirm the installation.

You should see a screen like this once the installation is done.

[screenshot: squid installed]

You should now be able to see both packages under Installed Packages tab.

[screenshot: Installed Packages]

Configuring Squid Proxy Server on pfSense

Once the installation is done, you can proceed to configure Squid proxy server on pfSense.

Navigate to Services > Squid Proxy Server.

Configure Squid Proxy Server Local Cache

Click on the Local Cache tab to define Squid Proxy cache management settings.

In our setup we only changed the disk cache size to 3 GB (3000 MB) and left the other settings at their defaults, including the cache directory /var/squid/cache.

Be sure to clear the cache by clicking the Clear Disk Cache Now button.

[screenshot: Local Cache tab]

Once you are done with the settings, click Save button at the bottom of the page.

Configure Squid Proxy Server General Settings

Click on the General tab to enable Squid Proxy server and to define other general settings.

Under Squid General Settings section;

  • Check the box adjacent to Enable Squid Proxy to enable Squid.
  • Choose the interface(s) the proxy server will bind to, we chose LAN interface in this demo.
  • Set the proxy port, we use the default 3128 in this demo
  • Check the box adjacent to Allow users on interface so that users on the subnets of the selected proxy interface (LAN here) get access automatically, without creating an allow Access Control List for them.

[screenshot: General settings]

We will skip the use of Transparent Proxy and SSL filtering settings in this demo.

Configure Squid Proxy Logging Settings

  • Enable logging
  • Set the logs storage directory, /var/squid/logs, by default
  • Set how long the log files should be kept.

[screenshot: Logging settings]

Configure Other Squid Proxy customizations

  • Configure other customizations including the visible squid hostname, the admin email and the error message language. These details are displayed on error pages.
  • Enable your Squid proxy to append your client’s IP address in the HTTP requests it forwards.
  • Disable Squid Via header in requests and replies
  • Enable suppression of squid version string info in HTTP headers and HTML error pages.

[screenshot: customizations]

You can click Show Advanced Options for further configuration options.

Click Save once you are done with configurations.

Configure Squid Proxy Server Access Control Lists

You can now proceed to configure the Squid proxy access control lists, which define which clients and destinations the proxy allows or denies.

As noted in the general settings above, we enabled Allow Users on Interface. This means that users connected to the proxy LAN interface subnet are automatically allowed to connect via the proxy, without an ACL for that specific subnet.

In our setup, we have three interfaces as highlighted below;

[screenshot: interfaces]

As such, we set our Proxy Interface to LAN, which means, any users that will be connected to that subnet, will not need any ACL to use the proxy.

We also have a third interface, OPT1, as in the screenshot above. Our clients will connect to the proxy through this subnet. Let us create an ACL for it:

Click ACLs tab and under allowed subnets, enter your subnet to be allowed to connect through Proxy.

[screenshot: allowed subnets]

You can further set ACLs for unrestricted IPs, blacklist, whitelist, banned hosts, blocked user agents, etc.

Define your Safe ports if any to add to the already predefined ports.

If you have any other custom settings you want to define, click Show Advanced Options to configure them.

Click Save after configurations.

Allow Hosts in OPT1 interface to use Proxy on the Firewall

Next, you need a firewall rule on OPT1 that lets hosts on that subnet reach the proxy's IP address and port; without it the proxy listening on LAN is unreachable from OPT1.

Navigate to Firewall > Rules > choose your Interface, in this case, OPT1.

  • Click either of the Add buttons to add a firewall rule.
  • Allow traffic through by setting the action to Pass.
  • Select the interface the traffic arrives on, the address family and the protocol.

[screenshot: rule action]

Define the source and destination as shown in the screenshot below. Note that we set the destination to the LAN interface we configured Proxy to bind to.

[screenshot: source and destination]

Once done configuring the rule, click Save and then Apply Changes to reload the firewall configurations.

Your rule should now look like this:

[screenshot: OPT1 rule]

Testing Squid Proxy

Your proxy server is now ready. I will test from an Ubuntu 20.04 desktop with the following IP details:

ip add show enp0s3
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:99:9a:af brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 brd 192.168.10.255 scope global noprefixroute enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::1b2a:9fab:fa5b:a375/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
ip route show default
default via 192.168.10.1 dev enp0s3 proto static metric 20100

Testing the reachability to the Proxy IP;

ping 192.168.57.100 -c 4
PING 192.168.57.100 (192.168.57.100) 56(84) bytes of data.
64 bytes from 192.168.57.100: icmp_seq=1 ttl=64 time=1.22 ms
64 bytes from 192.168.57.100: icmp_seq=2 ttl=64 time=1.23 ms
64 bytes from 192.168.57.100: icmp_seq=3 ttl=64 time=1.09 ms
64 bytes from 192.168.57.100: icmp_seq=4 ttl=64 time=0.964 ms

--- 192.168.57.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 0.964/1.126/1.226/0.107 ms

Check the connectivity to the Proxy port;

telnet 192.168.57.100 3128
Trying 192.168.57.100...
Connected to 192.168.57.100.
Escape character is '^]'.

Configure Proxy settings on Firefox browser.

In Firefox, configure it to reach external networks via your Squid server: Preferences > General > Network Settings > Manual Proxy Configuration, enter the proxy IP and port 3128, and check Use this proxy server for all protocols.

[screenshot: Firefox proxy settings]

You should now be able to access the internet via the Squid proxy.

What if you are using Google Chrome, how do you set the proxy server settings? Learn how to configure system wide proxy settings by following the link below

How to configure System Wide Proxy settings on Ubuntu systems

Checking Squid Logs

You can tail the squid logs to verify connections.

tail -f /var/squid/logs/access.log

For example, these are the sample logs trying to access YouTube;

...
1593755589.111   1184 192.168.10.10 TCP_TUNNEL/200 9507 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/216.58.223.65 -
1593755589.131   1180 192.168.10.10 TCP_TUNNEL/200 7861 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/216.58.223.65 -
1593755589.133   1197 192.168.10.10 TCP_TUNNEL/200 9363 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/216.58.223.65 -
1593755589.177    257 192.168.10.10 TCP_TUNNEL/200 7716 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/216.58.223.65 -
1593755589.185    272 192.168.10.10 TCP_TUNNEL/200 9518 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/216.58.223.65 
...

Your Squid Proxy server is now running on a pfSense gateway. That marks the end of our tutorial on how to install and setup Squid proxy on pfSense.
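A parser for the native access.log format shown above, as an added example that is not part of the tutorial: it summarises requests per client and flags the two things worth looking at first, denied requests and CONNECT tunnels to ports other than 443 (a tunnel to port 22 or 8443 that succeeds means the proxy's SSL/safe port list admits that port). It assumes PHP 7.1 or later; the four embedded log lines are constructed in the same shape as the YouTube lines above, and the hosts and addresses in them are placeholders.

```php
<?php
// Summarise a Squid access.log in native format and flag what an analyst would
// look at first. Added example, not part of the tutorial; the log text below is
// constructed in the same shape as the YouTube lines in the tutorial.
// Usage: php squid_log_summary.php /var/squid/logs/access.log   (no argument: built-in sample)

// Native log format:
// time elapsed client result/status bytes method url user hierarchy/peer [type]
function parse_squid_line(string $line): ?array
{
    $f = preg_split('/\s+/', trim($line));
    if (count($f) < 9 || !is_numeric($f[0])) {
        return null;                      // blank, truncated or not a native-format line
    }
    $rs = explode('/', $f[3], 2);
    $hp = explode('/', $f[8], 2);
    return [
        'time'    => (float) $f[0],
        'elapsed' => (int) $f[1],
        'client'  => $f[2],
        'result'  => $rs[0],
        'status'  => (int) ($rs[1] ?? 0),
        'bytes'   => (int) $f[4],
        'method'  => $f[5],
        'url'     => $f[6],
        'user'    => $f[7],
        'peer'    => $hp[1] ?? '-',
    ];
}

// Destination host and port. CONNECT logs only "host:port"; other methods log a full URL.
function destination(array $e): array
{
    if ($e['method'] === 'CONNECT') {
        $p = explode(':', $e['url'], 2);
        return [$p[0], (int) ($p[1] ?? 443)];
    }
    $u = parse_url($e['url']);
    $scheme = $u['scheme'] ?? 'http';
    return [$u['host'] ?? $e['url'], $u['port'] ?? ($scheme === 'https' ? 443 : 80)];
}

function summarize(string $log): array
{
    $clients = [];
    $alerts  = [];
    foreach (preg_split('/\r?\n/', $log) as $line) {
        $e = parse_squid_line($line);
        if ($e === null) {
            continue;
        }
        [$host, $port] = destination($e);
        $c = &$clients[$e['client']];
        $c['requests'] = ($c['requests'] ?? 0) + 1;
        $c['bytes']    = ($c['bytes'] ?? 0) + $e['bytes'];
        $c['hosts'][$host] = true;
        unset($c);

        if ($e['result'] === 'TCP_DENIED') {
            $alerts[] = sprintf('%s denied %s %s', $e['client'], $e['method'], $e['url']);
        } elseif ($e['method'] === 'CONNECT' && $port !== 443) {
            // A tunnel to anything but 443 (SSH, RDP, VPN) went through because the
            // port is in the proxy's SSL/safe port list; check whether it should be.
            $alerts[] = sprintf('%s tunnelled to %s:%d', $e['client'], $host, $port);
        }
    }
    foreach ($clients as &$c) {
        $c['hosts'] = array_keys($c['hosts']);
    }
    unset($c);
    return ['clients' => $clients, 'alerts' => $alerts];
}

// Constructed sample lines (placeholder hosts and addresses) used when no file is given.
$log = isset($argv[1]) ? file_get_contents($argv[1]) : <<<'LOG'
1593755589.111   1184 192.168.10.10 TCP_TUNNEL/200 9507 CONNECT yt3.ggpht.com:443 - HIER_DIRECT/216.58.223.65 -
1593755590.250     12 192.168.10.10 TCP_MISS/200 4120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1593755601.003      0 192.168.10.55 TCP_DENIED/403 3950 CONNECT 203.0.113.9:22 - HIER_NONE/- text/html
1593755602.777   3005 192.168.10.55 TCP_TUNNEL/200 23488 CONNECT vpn.example.net:8443 - HIER_DIRECT/203.0.113.9 -
LOG;

$r = summarize($log);
foreach ($r['clients'] as $ip => $c) {
    printf("%-15s %3d requests %8d bytes  hosts: %s\n",
        $ip, $c['requests'], $c['bytes'], implode(', ', $c['hosts']));
}
foreach ($r['alerts'] as $a) {
    echo "ALERT: $a\n";
}
```

On the sample, the first client shows two hosts and no alerts, while the second produces one denied CONNECT to port 22 (the stock `deny CONNECT !SSL_ports` rule at work) and one successful tunnel to port 8443, the kind of entry worth matching against the Safe ports configured in the ACLs tab.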


27 April 2016, kna

By popular demand I also upgraded my pfSense to version 2.3 in order to do battle with Squid Proxy Reports. I will write down the whole sequence so that nothing is missed. Here is what came of it:

Well, as it turned out, IPCAD did not go anywhere after the upgrade and stayed in place. Why it disappeared from the repositories I don't know, but that doesn't matter to us.

  1. Opened /var/squid/logs in WinSCP and cleared the contents of access.log.
  2. Discovered that Squid was not writing anything there at all.
  3. Went to System -> Package Manager -> Installed Packages and reinstalled Lightsquid; it didn't help.
  4. Noticed that in Services -> Proxy server the box Check to enable the Squid proxy was unchecked; ticked it, but saving failed, it says Local Cache has to be configured.
  5. Went to the Local Cache tab and, without changing anything, clicked Save. Then back to the General tab, ticked Check to enable the Squid proxy, saved; everything was fine.
  6. Rebooted. After that, entries started appearing in access.log.
  7. A couple of minutes later access.log mysteriously stopped updating, the internet went down, and in Status -> Services Squid was stopped. Trying to start it led nowhere, and /var/squid/logs/cache.log filled with entries such as an error writing to access.log and a pile of other stuff.
  8. Deleted the /var/squid/logs directory in WinSCP and rebooted. After the reboot the logs directory was recreated and no further errors occurred.

All that remained was to get it to log ports other than 80.

  1. Check that IPCAD works. When running /usr/local/bin/ipcad -rds I was puzzled by the lines
    Can't initialize pid file /var/ipcad/ipcad.pid: Operation not permitted
    Make sure you have . under /var/ipcad used as new root. man 2 chroot.
    So I simply deleted the files ipcad.dump and ipcad.pid from /var/ipcad and ran /usr/local/bin/ipcad -rds again. This time the answer was
    Can't open dump file ipcad.dump
    Daemonized.
  2. Then I ran /usr/local/sbin/tolog.sh; the answer was:
    /usr/local/sbin/tolog.sh: /usr/bin/rsh: not found
    /usr/local/sbin/tolog.sh: /usr/bin/rsh: not found
    /usr/local/sbin/tolog.sh: /usr/bin/rsh: not found
    Where /usr/bin/rsh went after the upgrade is unclear, so I put it back there as described in item 6 of "Setting up IPCAD in pfSense".
  3. Ran /usr/local/sbin/tolog.sh again; now some activity is visible, which is good.
  4. Now I open /var/squid/logs/access.log and see the dump from IPCAD.

It seems to work, but what remains unclear to me is the absence of port 443 connections in the log, while there are plenty on port 53. Who knows why, but Squid Proxy Reports on pfSense 2.3 seems to be beaten! :)


How to set up a filter in pfSense to block sites or some kind of content?

For this we need to install the SquidGuard package, which is installed from the System - Packages - Available Packages menu.

After installing the package, go to Services - Proxy filter and you will see the following package settings.

Tick Enable; the rest can be ticked as well, except for the Blacklist options, which this article does not need.

Now briefly about the example I want to post here.

The task was as follows: during working hours, i.e. from 8 to 18, and on Friday from 8 to 17, prohibit access to watching video and listening to radio (including on VKontakte). In the end the task was solved by trial and error; perhaps it can be done differently, but here I describe exactly how it worked out.

So, first of all I set up the time interval.

Everything here is intuitive: in the Name field enter the name of the time interval (mine is WorkTime), in Description a description (optional), and then the intervals themselves by day of the week. Then click Save; this item is done.

Next, go to the Target categories tab and add a new category; I called it FileAccessDeny.

Then we are interested in the rather handy Expressions option, which lets you compose regular expressions to filter for the words we need, or whatever else we require. In my example I filter several file extensions (mp3|wav|avi|mp4|mpeg4|ac3|flv) and the words (player and radio). This way (somewhat crude in my opinion) I get a mechanism that searches the URL for the extension names, as well as the words radio and player, which are usually found in flash players for loading content.

The filter is set up; now we need to create a group and add it there.

Go to the Groups ACL tab and create a group there; mine is WorkTime.

What is interesting here: as always Name, then Client (source), where you specify which IP addresses it applies to, either a whole subnet or individual addresses. After that, Time: specify our WorkTime interval. Then the long big red bar labelled Target Rules List (click here): click it and in the list of rules that opens select the following: for the FileAccessDeny group set deny, and for the default group (Default access [all]) allow, otherwise we will block everything. Then choose the Redirect mode; you can play with this, but I preferred to show an error page with a message, so I chose int error page (enter error message). And a bit lower, in the Redirect field, I wrote a stern message :). Click Save.

Now we need to finish the process and set the final permissions; go to the Common ACL tab.

Again we are interested in the big red line Target Rules List (click here); in it, just as on the previous tab, set FileAccessDeny to deny and Default access [all] to allow, and click Save.

And finally, the General Settings tab: check that Enable is ticked, then click Apply (in future always click it to apply settings) and Save. All done; you can test.
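The decision logic of the WorkTime rule above, carried through in PHP as an added example (not code from the article or from squidGuard); it also exercises the kind of expression list that the "Block download by Extension" how-to earlier on this page describes. squidGuard compiles expression lists as POSIX extended regexes matched against the whole URL; the patterns used here are accepted identically by PHP's PCRE, and the case-insensitive match should be verified on your build, since a case-sensitive match there would let .MP3 through. The test URLs, the dates and the tightened patterns are constructed for the example; it assumes PHP 7.1 or later.

```php
<?php
// Emulate the article's rule set: during WorkTime, URLs matching the FileAccessDeny
// expressions are denied; everything else, and everything outside WorkTime, is allowed.
// Added example, not code from the article or from squidGuard. Roughly the same rule
// set written by hand in squidGuard.conf would be:
//   time WorkTime { weekly mtwh 08:00-18:00  weekly f 08:00-17:00 }
//   dest FileAccessDeny { expressionlist FileAccessDeny/expressions }
//   acl { office within WorkTime { pass !FileAccessDeny all } else { pass all }
//         default { pass all } }

// The article's expressions, exactly as posted
const ARTICLE_EXPRESSIONS = ['(mp3|wav|avi|mp4|mpeg4|ac3|flv)', '(player|radio)'];

// Tightened versions (constructed for this example): an extension only at the end of
// the path, optionally followed by a query string, and the words only when not glued to
// other letters or digits. Written without \b or [[:<:]] so that the C library's
// POSIX regex (squidGuard) and PCRE (PHP) read them the same way.
const STRICT_EXPRESSIONS = [
    '\.(mp3|wav|avi|mp4|mpeg4|ac3|flv)(\?.*)?$',
    '(^|[^a-z0-9])(player|radio)([^a-z0-9]|$)',
];

// WorkTime as in the article: Mon-Thu 08:00-18:00, Fri 08:00-17:00
function in_work_time(DateTimeInterface $t): bool
{
    $dow  = (int) $t->format('N');          // 1 = Monday ... 7 = Sunday
    $hhmm = (int) $t->format('Hi');
    if ($dow >= 1 && $dow <= 4) {
        return $hhmm >= 800 && $hhmm < 1800;
    }
    if ($dow === 5) {
        return $hhmm >= 800 && $hhmm < 1700;
    }
    return false;
}

// Each expression is tried against the whole URL; one hit is enough
function matches_expression_list(string $url, array $expressions): bool
{
    foreach ($expressions as $re) {
        if (preg_match('~' . $re . '~i', $url)) {
            return true;
        }
    }
    return false;
}

// Group ACL "WorkTime": deny FileAccessDeny inside the window, allow everything else
function decide(string $url, DateTimeInterface $t, array $expressions): string
{
    if (in_work_time($t) && matches_expression_list($url, $expressions)) {
        return 'deny';
    }
    return 'allow';
}

// Constructed test URLs: two real targets and three innocent pages that merely
// contain the letters mp3, radio or wav somewhere in the path
$urls = [
    'http://cdn.example.com/songs/track01.mp3',
    'http://vk.com/audio?act=player&id=42',
    'http://intranet.example.com/tmp3/report.html',
    'http://www.example.com/staff/radiology.html',
    'http://www.example.com/wavelength-article.html',
];
$monday = new DateTimeImmutable('2016-04-25 10:00');  // a Monday, inside WorkTime
$friday = new DateTimeImmutable('2016-04-29 17:30');  // Friday after 17:00, outside

printf("%-50s %-8s %-8s %s\n", 'URL', 'article', 'strict', 'fri 17:30');
foreach ($urls as $u) {
    printf("%-50s %-8s %-8s %s\n", $u,
        decide($u, $monday, ARTICLE_EXPRESSIONS),
        decide($u, $monday, STRICT_EXPRESSIONS),
        decide($u, $friday, ARTICLE_EXPRESSIONS));
}
```

The article's unanchored expressions deny all five URLs during working hours, including the three intranet pages that only happen to contain mp3, radio or wav inside a longer word; the anchored versions deny only the two media URLs, and after 17:00 on Friday everything is allowed regardless. That over-matching is the usual cost of word-fragment expressions, and the table is the quickest way to check a new expression list before applying it.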
