Feature #3084

Permit zone and roles into Web Content Filter profiles

Added by Alessio Fattorini over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squidguard
Target version: v6.6
Resolution:
NEEDINFO: No

Description

Currently you can only use hosts and host groups as the "who" field in Profiles; it might be useful to add zones and firewall roles.

Associated revisions

Revision c9aa0413
Added by Giacomo Sanchietti over 6 years ago

Web UI: support zones and roles. Refs #3084

Revision 05a08c7d
Added by Giacomo Sanchietti over 6 years ago

squidGuard.conf: support zones and roles. Refs #3084

Revision b646dd7c
Added by Giacomo Sanchietti over 6 years ago

Web UI: always display roles. Refs #3084

Revision c9e8f3d7
Added by Giacomo Sanchietti over 6 years ago

createlinks: reload squid when needed. Refs #3084

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Subject changed from Permit subnet or IP range into Web Content Filter profiles to Permit zone and roles into Web Content Filter profiles
  • Description updated (diff)
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-squidguard-1.1.0-1.4.g05a08c7.ns6.noarch.rpm
Test case 1
  • Configure a machine with the following roles (you can use VLANs):
    • 2 green
    • one red
    • one orange
    • one blue
  • Create one web content filter profile for each role
  • Only configured roles must be listed under the Zones label
  • Check ACLs in /etc/squid/squidGuard.conf
Test case 2
  • Create at least one zone from Firewall Objects page
  • The new zone must be listed under the Zones label
  • Create a profile with the new zone
  • Check ACLs in /etc/squid/squidGuard.conf

#5 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

Mostly working, except a couple of issues:
1. at least one additional zone must be present for the roles to appear in the menu
2. adjusting a zone subnet in firewall objects doesn't expand squidGuard.conf

I understand that 2 is hard to do cleanly, but I expect a config to be active as soon as I saved it.

#6 Updated by Giacomo Sanchietti over 6 years ago

1. at least one additional zone must be present for the roles to appear in the menu

Fixed.

2. adjusting a zone subnet in firewall objects doesn't expand squidGuard.conf

We could add a template expansion and a squid restart inside the firewall-adjust event, but then squid will slow down the firewall reconfiguration.
Also, with this modification, squid will be restarted twice when settings are changed from the web interface.

Any suggestions on this?

I think we can release with this documented limitation.

#7 Updated by Filippo Carletti over 6 years ago

Using custom zones in web filter rules is not frequent and the usual workflow is to create the zone first and then the rule.
Maybe we could implement a kind of smart restart of squid that checks if a restart is really needed.

#8 Updated by Giacomo Sanchietti over 6 years ago

Maybe we could implement a kind of smart restart of squid that checks if a restart is really needed.

Same thing should be added also for the interface-update event.
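
The "smart restart" idea from comments #7 and #8, sketched as an added example (not part of the issue thread and not NethServer code): the expanded config replaces the live one and Squid is reloaded only when the effective ACL content changed. The function names and the candidate-file convention are assumptions; the reload command is passed in by the caller.

```shell
#!/bin/sh
# Added example, not NethServer code.

# effective_config FILE: print FILE without full-line comments and blank
# lines, so a regenerated header or spacing change does not count as a change.
effective_config() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# smart_reload CANDIDATE LIVE RELOAD_CMD [ARG...]
# CANDIDATE is the freshly expanded config, written next to LIVE so that mv
# stays on one filesystem. Prints "unchanged" or "reloaded" and returns 0;
# returns 1 if RELOAD_CMD fails, after putting the previous file back.
smart_reload() {
    candidate=$1; live=$2; shift 2
    if [ -f "$live" ] &&
       [ "$(effective_config "$candidate")" = "$(effective_config "$live")" ]; then
        rm -f "$candidate"
        echo unchanged
        return 0
    fi
    # Keep the last known-good ACLs so a failed reload can be rolled back.
    [ -f "$live" ] && cp -p "$live" "$live.prev"
    mv -f "$candidate" "$live"
    if "$@"; then
        echo reloaded
        return 0
    fi
    [ -f "$live.prev" ] && mv -f "$live.prev" "$live"
    echo "reload failed, previous config restored" >&2
    return 1
}
```

Called from both the firewall-objects and interface events, a helper like this avoids the double restart mentioned in comment #6, because the second call sees an unchanged file.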

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#10 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60
Simply added a Squid reload inside the following events:
  • firewall-objects-modify
  • interface-update

#11 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-squidguard-1.1.0-1.6.gc9e8f3d.ns6.noarch.rpm
Please re-test the failed case, and also test this new one:
  • Create a profile associated with the green interface
  • Create a new green interface (vlan)
  • Check the new network is added to squidGuard.conf
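
The "check squidGuard.conf" step from the test cases can be scripted. The following is an added example (not part of the issue or of NethServer): it tests whether a host address is covered by the `ip` entries of a given squidGuard `src` block, which is what decides whether a host in a new VLAN or resized zone still falls under its filter profile. The block names `role_green` and `zone_guests` and the sample config are constructed; the names NethServer actually generates are not shown on this page.

```shell
#!/bin/sh
# Added example, not NethServer code. Block names below are made up.

# src_covers CONF NAME ADDR
# Exit 0 if ADDR falls inside an `ip` entry of the `src NAME { ... }` block.
# Understands single addresses and CIDR entries; netmask (a.b.c.d/m.m.m.m)
# and range (a-b) entries are reported on stderr and not evaluated.
src_covers() {
    awk -v want="$2" -v addr="$3" '
        function ip2n(s,   o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { a = ip2n(addr) }
        /^[[:space:]]*#/ { next }
        ($1 == "src" || $1 == "source") && $2 == want { inblk = 1; next }
        inblk && /}/ { inblk = 0 }
        inblk && $1 == "ip" {
            for (i = 2; i <= NF; i++) {
                n = split($i, p, "/")
                if ($i ~ /-/ || p[2] ~ /\./) {
                    print "not evaluated: " $i > "/dev/stderr"
                    continue
                }
                bits = (n == 2) ? p[2] : 32
                size = 2 ^ (32 - bits)
                base = int(ip2n(p[1]) / size) * size
                if (a >= base && a < base + size) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample standing in for /etc/squid/squidGuard.conf.
sample_conf() {
    cat <<'EOF'
# profile bound to the green role (two green networks)
src role_green {
    ip 192.168.1.0/24 192.168.20.0/24
}
# profile bound to a custom zone
src zone_guests {
    ip 10.10.0.0/22
}
EOF
}
```

Run against the real file after adding an interface or changing a zone subnet, a non-zero exit for a host in the new network means the ACL was not regenerated and that host is outside the profile.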

#12 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Changing a zone IP address changes squidGuard.conf.
Adding a new interface to an existing role is also reflected in squidGuard.conf.
squidGuard is restarted; changes are activated immediately.

#13 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-squidguard-1.2.0-1.ns6.noarch.rpm
