Feature #3084
Permit zone and roles into Web Content Filter profiles
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squidguard | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
Currently you can only use hosts and host groups as the "who" field in Profiles; it might be useful to add zones and firewall roles.
Associated revisions
Web UI: support zones and roles. Refs #3084
squidGuard.conf: support zones and roles. Refs #3084
Web UI: always display roles. Refs #3084
createlinks: reload squid when needed. Refs #3084
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Subject changed from Permit subnet or IP range into Web Content Filter profiles to Permit zone and roles into Web Content Filter profiles
- Description updated (diff)
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squidguard-1.1.0-1.4.g05a08c7.ns6.noarch.rpm
- Configure a machine with the following roles (you can use VLANs):
  - 2 green
  - one red
  - one orange
  - one blue
- Create one web content filter profile for each role
- Only configured roles must be listed under the Zones label
- Check ACLs in /etc/squid/squidGuard.conf
- Create at least one zone from Firewall Objects page
- The new zone must be listed under the Zones label
- Create a profile with the new zone
- Check ACLs in /etc/squid/squidGuard.conf
#5 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
Mostly working, except a couple of issues:
1. at least one additional zone must be present for the roles to appear in the menu
2. adjusting a zone subnet in firewall objects doesn't expand squidGuard.conf
I understand that 2 is hard to do cleanly, but I expect a config to be active as soon as I saved it.
#6 Updated by Giacomo Sanchietti over 6 years ago
> 1. at least one additional zone must be present for the roles to appear in the menu

Fixed.

> 2. adjusting a zone subnet in firewall objects doesn't expand squidGuard.conf

We could add a template expansion and a squid restart inside firewall-adjust event, but then squid will slow down the firewall reconfiguration.
Also with this modification, squid will be restarted twice when settings are changed from the web interface.
Any suggestions on this?
I think we can release with this documented limitation.
#7 Updated by Filippo Carletti over 6 years ago
Using custom zones in web filter rules is not frequent and the usual workflow is to create the zone first and then the rule.
Maybe we could implement a kind of smart restart of squid that checks if a restart is really needed.
#8 Updated by Giacomo Sanchietti over 6 years ago
> Maybe we could implement a kind of smart restart of squid that checks if a restart is really needed.

Same thing should be added also for the interface-update event.
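The "smart restart" idea from comments #7 and #8, as an added example that is not part of the original thread or of NethServer's code: install a freshly expanded squidGuard.conf and reload only when it differs from the live file, rolling back if the reload fails. The function name, the file arguments and the reload command are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added illustration (not NethServer's action scripts): apply a freshly
# rendered filter config only when it differs from the live one, and run
# the reload command only in that case.

# apply_if_changed CANDIDATE LIVE RELOAD_CMD [ARGS...]
# Returns 0 if the live file was replaced and the reload succeeded,
#         1 if nothing changed (no reload was run),
#         2 on error (bad candidate, copy failure, or failed reload).
apply_if_changed() {
    candidate=$1; live=$2; shift 2

    # Refuse a missing or empty candidate: installing it would drop every
    # ACL and leave the filter without a policy.
    [ -s "$candidate" ] || { echo "candidate missing or empty" >&2; return 2; }

    # Byte-for-byte comparison; identical content means no restart needed.
    if [ -f "$live" ] && cmp -s "$candidate" "$live"; then
        return 1
    fi

    # Keep the previous file so a failed reload can be rolled back.
    backup=
    if [ -f "$live" ]; then
        backup="$live.prev"
        cp -p "$live" "$backup" || return 2
    fi

    # Copy next to the target, then rename, so a reader never sees a
    # half-written config.
    tmp="$live.new.$$"
    cp "$candidate" "$tmp" && mv -f "$tmp" "$live" || { rm -f "$tmp"; return 2; }

    # Reload; on failure restore the old ACLs instead of leaving a config
    # on disk that the running filter never loaded.
    if ! "$@"; then
        [ -n "$backup" ] && mv -f "$backup" "$live"
        return 2
    fi
    return 0
}
```

Calling this from every event that can change zone or interface addresses keeps the filter ACLs in step with the firewall objects without restarting squid when the expanded file is unchanged.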
#9 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#10 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
- firewall-objects-modify
- interface-update
#11 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squidguard-1.1.0-1.6.gc9e8f3d.ns6.noarch.rpm
- Create a profile associated to green interface
- Create a new green interface (vlan)
- Check the new network is added to squidGuard.conf
#12 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Changing a zone IP address changes squidGuard.conf.
Adding a new interface to an existing role is also reflected in squidGuard.conf.
squidGuard is restarted, and changes are activated immediately.
#13 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-squidguard-1.2.0-1.ns6.noarch.rpm