Feature #3320

Builtin filter rules for squidguard

Added by Davide Principi over 5 years ago. Updated over 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squidguard
Target version: v6.7
Resolution:
NEEDINFO: No

Description

Implement into nethserver-squidguard a set of filtering rules that can be enabled on a Filter object.

  • Builtin rules must be disabled by default, both on new and upgraded installations.
  • Additional rules could be bundled into a third-party RPM.

Associated revisions

Revision a60c8887
Added by Davide Principi over 5 years ago

Content Filter: definition of BlockBuiltinRules prop in contentfilter DB. Refs #3320

Revision f033f384
Added by Davide Principi over 5 years ago

Filter UI: added BlockBuiltin checkbox. Refs #3320

The checkbox value is mapped to the contentfilter DB, prop
BlockBuiltinRules.

Revision 15ef5153
Added by Davide Principi over 5 years ago

squidGuard.conf template: implementation of BlockBuiltinRules prop. Refs #3320

Revision 1d37cc1d
Added by Davide Principi over 5 years ago

Default builtin filter rules. Refs #3320

Revision 7ed70ce8
Added by Davide Principi over 5 years ago

set prop BlockBuiltinRules disabled, in default filter. Refs #3320

By contrast, the default value for newly created filters is "enabled".

Revision 1dd601bd
Added by Davide Principi over 5 years ago

Merge branch 'b3320'. Refs #3320

Revision bc1f6b67
Added by Davide Principi over 5 years ago

"Enable builtin rules" renamed to "Block porn sites by regular expressions on URL". Refs #3320

Revision f59b9788
Added by Davide Principi over 5 years ago

"Enable builtin rules" field was renamed. Fixed online help [italiano]. Refs #3320

Revision e7088d72
Added by Davide Principi over 5 years ago

Dev manual: merged BlockBuiltinRules prop description. Refs #3320

History

#1 Updated by Davide Principi over 5 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Davide Principi over 5 years ago

  • Description updated (diff)

#3 Updated by Davide Principi over 5 years ago

  • Description updated (diff)

Changed default builtin rules state to respect the upgrade policy. On the next NethServer release we could change the default to enabled.

#4 Updated by Davide Principi over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#5 Updated by Davide Principi over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case 1

  • Ensure no builtin substring is in /etc/squid/squidGuard.conf
  • After upgrading to the modified version builtin must be there:
    --- squidGuard.conf    2015-11-19 15:18:14.413418281 +0000
    +++ /etc/squid/squidGuard.conf    2015-11-19 15:29:40.810435086 +0000
    @@ -272,6 +272,12 @@
           urllist /var/squidGuard/blacklists/models/urls
           logfile urlfilter.log
     }
    +dest builtin {
    +      domainlist /var/squidGuard/blacklists/custom/builtin/domains
    +      urllist /var/squidGuard/blacklists/custom/builtin/urls
    +      expressionlist /var/squidGuard/blacklists/custom/builtin/expressions
    +      logfile urlfilter.log
    +}
     dest webphone {
           domainlist /var/squidGuard/blacklists/webphone/domains
           urllist /var/squidGuard/blacklists/webphone/urls
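
Review bot: the added dest builtin block points at three list files under /var/squidGuard/blacklists/custom/builtin/ (domains, urls, expressions), and the block is present even while the rule is disabled, so the upgrade test should also confirm that those three files exist after the update and not only that the string builtin appears in squidGuard.conf. The block logs to urlfilter.log like the neighbouring categories, which is worth stating in the documentation so that builtin hits are looked for in the same log.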
    
  • After enabling the builtin rules in the default filter:
    --- squidGuard.conf    2015-11-19 15:18:14.413418281 +0000
    +++ /etc/squid/squidGuard.conf    2015-11-19 15:34:09.782427882 +0000
    @@ -272,6 +272,12 @@
           urllist /var/squidGuard/blacklists/models/urls
           logfile urlfilter.log
     }
    [...]
    
     acl {
         default {
    -        pass whitelist  !blacklist  !in-addr  all
    +        pass whitelist  !blacklist  !in-addr  !builtin  all
             redirect     http://192.168.122.94/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
         }
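
Review bot: in the changed pass line, !builtin is placed after whitelist, and squidGuard reads a pass list left to right with the first match deciding, so whitelisted destinations are never checked against the builtin lists; if that precedence is intended it should be documented next to the BlockBuiltinRules prop, and Test case 2 could add a whitelisted URL that matches a builtin expression to pin the behaviour down. The excerpt also reuses the @@ -272,6 +272,12 @@ header of the previous diff while eliding the body with [...], so the position of the acl change cannot be checked from what is shown.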
    

Test case 2

Check that the builtin rules are actually enforced. I checked the manual proxy configuration with curl.

  • Rules disabled:
    curl -x http://<PROXYIP>:3128 http://www.google.com/p***y
    [404 response]
    
  • Rules enabled:
    $ curl -x http://<PROXYIP>:3128 http://www.google.com/p***y
    <!DOCTYPE html PUBLIC "-//W3C//DTD  HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
    <html><head>
    <title>403 Forbidden</title>
    [...]
    Category&nbsp;<b> builtin</b><br>
    URL&nbsp;<b>http://www.google.com/p***y</b><br>
    <br>
    Origin: <b>192.168.122.1</b><hr><div style="float:right;">Powered by <a href="http://www.squidguard.org">SquidGuard</a></div></body></html>
    

#6 Updated by Davide Principi over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing
nethserver-squidguard-1.3.4-1.5.g7ed70ce.ns6.noarch.rpm

updated developer's manual

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#8 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

System and Package Version installed
Package Installed: nethserver-squidguard-1.3.4-1.5.g7ed70ce.ns6.noarch
Other Package installed: nethserver-squid-1.3.10-1.ns6.noarch

Test Original Problem
Add new builtin filter

Install Updated Package

yum --enablerepo=nethserver-testing update nethserver-squidguard

Test Results after update
After the update, the builtin filter is not enabled by default: OK.

After enabling it, the page is blocked:

echo "https://www.google.it/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=tits - - GET" | squidGuard -c /etc/squid/squidGuard.conf -d 

...
2015-11-19 17:03:50 [14979] Request(default/builtin/-) https://www.google.it/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=tits -/- - GET REDIRECT
http://192.168.5.246/cgi-bin/nethserver-block.cgi?clientaddr=-&clientname=&clientident=&srcclass=default&targetgroup=builtin&url=https://www.google.it/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=tits -/- - GET

Verified Or Reopen
Verified

Note
Administrator manual and inline help are missing.
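
The configuration checks from Test case 1 and the "not enabled by default" check above can be scripted. The following is an added example, not part of the original issue or of nethserver-squidguard: the function names and the sample configs are constructed for illustration, and on a real system the file to pass is /etc/squid/squidGuard.conf.

```shell
#!/bin/sh
# Added example (function names are illustrative): state of the builtin rules.

# Print the "pass" line of one section inside the acl { } block.
acl_pass_line() {  # $1 = config file, $2 = acl section name
    awk -v name="$2" '
        /^[ \t]*#/                          { next }   # skip comments
        $1 == "acl" && $2 == "{"            { in_acl = 1; next }
        in_acl && $1 == name && $NF == "{"  { in_sec = 1; next }
        in_sec && $1 == "pass"              { print; exit }
        in_sec && $1 == "}"                 { exit }
    ' "$1"
}

builtin_state() {  # $1 = config file, $2 = acl section (default: "default")
    conf=$1; section=${2:-default}
    if ! grep -Eq '^[[:space:]]*dest[[:space:]]+builtin[[:space:]]*\{' "$conf"; then
        echo missing; return 0
    fi
    # A pass list is read left to right, so !builtin only has an effect
    # when it comes before the terminating all/any/none keyword.
    acl_pass_line "$conf" "$section" | awk '
        { for (i = 2; i <= NF; i++) {
              if ($i == "!builtin") { found = 1; break }
              if ($i == "all" || $i == "any" || $i == "none") break
          } }
        END { print (found ? "enabled" : "disabled") }'
}

# Constructed sample configs modelled on the fragments in Test case 1.
sample_conf() {  # $1 = pass line of the default acl, $2 = "with" adds dest builtin
    if [ "$2" = with ]; then
        printf 'dest builtin {\n'
        printf '      expressionlist /var/squidGuard/blacklists/custom/builtin/expressions\n'
        printf '      logfile urlfilter.log\n}\n'
    fi
    printf 'acl {\n    default {\n        %s\n    }\n}\n' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
old='pass whitelist  !blacklist  !in-addr  all'
new='pass whitelist  !blacklist  !in-addr  !builtin  all'
sample_conf "$old" without > "$tmp/before-upgrade.conf"
sample_conf "$old" with    > "$tmp/upgraded.conf"
sample_conf "$new" with    > "$tmp/enabled.conf"
for f in before-upgrade upgraded enabled; do
    printf '%-15s %s\n' "$f" "$(builtin_state "$tmp/$f.conf")"
done
```

A second argument selects another acl section, which helps when several Filter objects exist and only some of them should enforce the builtin rules.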

#9 Updated by Davide Principi over 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:

nethserver-squidguard-1.4.0-1.ns6.noarch.rpm
nethserver-squidguard-1.4.1-1.ns6.noarch.rpm
