Feature #3320
Builtin filter rules for squidguard
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squidguard | | |
| Target version: | v6.7 | | |
| Resolution: | | NEEDINFO: | No |
Description
Implement into nethserver-squidguard a set of filtering rules that can be enabled on a Filter object.
- Builtin rules must be disabled by default, both on new and upgraded installations.
- Additional rules could be bundled into a third-party RPM.
Associated revisions
Content Filter: definition of BlockBuiltinRules prop in contentfilter DB. Refs #3320
Filter UI: added BlockBuiltin checkbox. Refs #3320
The checkbox value is mapped to the contentfilter DB, prop BlockBuiltinRules.
squidGuard.conf template: implementation of BlockBuiltinRules prop. Refs #3320
Default builtin filter rules. Refs #3320
set prop BlockBuiltinRules disabled, in default filter. Refs #3320
On the contrary, the default value for newly created filters is "enabled".
Merge branch 'b3320'. Refs #3320
"Enable builtin rules" renamed to "Block porn sites by regular expressions on URL". Refs #3320
"Enable builtin rules" field was renamed. Fixed online help [italiano]. Refs #3320
Dev manual: merged BlockBuiltinRules prop description. Refs #3320
History
#1 Updated by Davide Principi over 5 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#2 Updated by Davide Principi over 5 years ago
- Description updated (diff)
#3 Updated by Davide Principi over 5 years ago
- Description updated (diff)
Changed default builtin rules state to respect the upgrade policy. On the next NethServer release we could change the default to enabled.
#4 Updated by Davide Principi over 5 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#5 Updated by Davide Principi over 5 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case 1
- Ensure no builtin substring is in /etc/squid/squidGuard.conf
- After upgrading to the modified version builtin
must be there:--- squidGuard.conf 2015-11-19 15:18:14.413418281 +0000 +++ /etc/squid/squidGuard.conf 2015-11-19 15:29:40.810435086 +0000 @@ -272,6 +272,12 @@ urllist /var/squidGuard/blacklists/models/urls logfile urlfilter.log } +dest builtin { + domainlist /var/squidGuard/blacklists/custom/builtin/domains + urllist /var/squidGuard/blacklists/custom/builtin/urls + expressionlist /var/squidGuard/blacklists/custom/builtin/expressions + logfile urlfilter.log +} dest webphone { domainlist /var/squidGuard/blacklists/webphone/domains urllist /var/squidGuard/blacklists/webphone/urls
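Review bot: the three list files named in the added dest builtin block (domains, urls and expressions under /var/squidGuard/blacklists/custom/builtin/) are not checked by this test step, although the block is present in the configuration even while the rules are disabled. Add a check that the files exist and are readable after the upgrade, because squidGuard falls back to emergency mode and passes every request when a list referenced by a dest block cannot be loaded.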
- After enabling the builtin rules in the default filter:
--- squidGuard.conf 2015-11-19 15:18:14.413418281 +0000 +++ /etc/squid/squidGuard.conf 2015-11-19 15:34:09.782427882 +0000 @@ -272,6 +272,12 @@ urllist /var/squidGuard/blacklists/models/urls logfile urlfilter.log } [...] acl { default { - pass whitelist !blacklist !in-addr all + pass whitelist !blacklist !in-addr !builtin all redirect http://192.168.122.94/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u }
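Review bot: in the changed pass line, !builtin is placed after whitelist, so a whitelisted destination is passed before the builtin expressions are evaluated (squidGuard takes the first matching term, left to right). If that precedence is intended, state it in the field help; a test case with a whitelisted site whose URL matches a builtin expression would pin the behaviour down.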
Test case 2
Check the builtin rules are actually enforced. I checked the manual proxy configuration with curl.
- Rules disabled:
curl -x http://<PROXYIP>:3128 http://www.google.com/p***y [404 response]
- Rules enabled:
$ curl -x http://<PROXYIP>:3128 http://www.google.com/p***y
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><head>
<title>403 Forbidden</title>
[...]
Category <b> builtin</b><br>
URL <b>http://www.google.com/p***y</b><br>
<br>
Origin: <b>192.168.122.1</b><hr><div style="float:right;">Powered by <a href="http://www.squidguard.org">SquidGuard</a></div></body></html>
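The configuration check from Test case 1, as an added script that is not part of the original issue or of nethserver-squidguard: it reports whether dest builtin is defined and, for each acl source, whether the pass line negates builtin, going one step further than the test case by flagging a !builtin that sits after a catch-all term. It assumes the one-statement-per-line layout of the generated file; the sources strict and late and the 192.0.2.1 redirect address are constructed sample values.

```sh
#!/bin/sh
# Added example: audit a squidGuard.conf for the builtin destination.
# Assumes one statement per line, as in the generated file shown above.
audit_builtin() {
  awk '
    /^[ \t]*dest[ \t]+builtin[ \t]*[{]/ { have_dest = 1 }
    /^[ \t]*acl[ \t]*[{]/ { in_acl = 1; next }
    in_acl && /^[ \t]*[A-Za-z0-9_-]+[ \t]*[{]/ { src = $1; next }
    in_acl && src != "" && $1 == "pass" {
      state = "disabled"; seen_all = 0
      for (i = 2; i <= NF; i++) {
        # pass terms are tried left to right; nothing after all/any/none is reached
        if ($i == "all" || $i == "any" || $i == "none") seen_all = 1
        if ($i == "!builtin") {
          state = seen_all ? "ineffective (after catch-all)" : "enabled"
          break
        }
      }
      print src ": builtin rules " state
      next
    }
    in_acl && /^[ \t]*[}]/ { if (src != "") src = ""; else in_acl = 0 }
    END { print "dest builtin: " (have_dest ? "defined" : "missing") }
  ' "$1"
}

# Constructed sample; the sources "strict" and "late" are hypothetical.
sample_conf() {
  cat <<'EOF'
dest builtin {
    expressionlist /var/squidGuard/blacklists/custom/builtin/expressions
    logfile urlfilter.log
}
acl {
    strict {
        pass whitelist !blacklist !in-addr !builtin all
    }
    late {
        pass whitelist all !builtin
    }
    default {
        pass whitelist !blacklist !in-addr all
        redirect http://192.0.2.1/cgi-bin/nethserver-block.cgi?url=%u
    }
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_builtin "$tmp"
rm -f "$tmp"
```

On a server, run `audit_builtin /etc/squid/squidGuard.conf` before and after toggling the option on a filter.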
#6 Updated by Davide Principi over 5 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing
nethserver-squidguard-1.3.4-1.5.g7ed70ce.ns6.noarch.rpm
updated developer's manual
#7 Updated by Giacomo Sanchietti over 5 years ago
- Assignee set to Giacomo Sanchietti
#8 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
System and Package Version installed
Package Installed: nethserver-squidguard-1.3.4-1.5.g7ed70ce.ns6.noarch
Other Package installed: nethserver-squid-1.3.10-1.ns6.noarch
Test Original Problem
Add new builtin filter
Install Updated Package
yum --enablerepo=nethserver-testing update nethserver-squidguard
Test Results after update
After the update, the builtin filter is not enabled by default: OK.
After enabling it, the page is blocked:
echo "https://www.google.it/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=tits - - GET" | squidGuard -c /etc/squid/squidGuard.conf -d
...
2015-11-19 17:03:50 [14979] Request(default/builtin/-) https://www.google.it/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=tits -/- - GET REDIRECT
http://192.168.5.246/cgi-bin/nethserver-block.cgi?clientaddr=-&clientname=&clientident=&srcclass=default&targetgroup=builtin&url=https://www.google.it/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=tits -/- - GET
Verified Or Reopen
Verified
Note
Administrator manual and inline help are missing.
#9 Updated by Davide Principi over 5 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-squidguard-1.4.0-1.ns6.noarch.rpm
nethserver-squidguard-1.4.1-1.ns6.noarch.rpm