[squid-users] Squid + SquidGuard : static block page not working
Amos Jeffries
squid3 at treenet.co.nz
Wed Mar 14 14:06:05 UTC 2018
On 15/03/18 02:13, Nicolas Kovacs wrote:
> On 14/03/2018 at 14:06, Amos Jeffries wrote:
>> Then the first thing you and your readers need to be clear on is that
>> SquidGuard was end-of-life'd many years ago. It is long overdue for
>> removal or replacement. This has impact such as the one you saw on HTTPS
>> traffic support which was only added to Squid-3 after SG stopped being
>> maintained.
>>
>> The best thing to be doing these days is upgrading simple configs like
>> the one you presented earlier to using modern Squid features directly in
>> squid.conf - as I recommended earlier.
>>
>> For very complex configurations (or emergency upgrades) the ufdbguard
>> tool can be used as a drop-in replacement for squidGuard while the
>> config migration is evaluated. It handles the HTTPS situation better
>> than SG does, but for simple configs any helper is still very much
>> overkill and a performance drag.
>
> This is the configuration which is currently in use at our local school.
> The server is running Squid + SquidGuard on Slackware 14.1. We're
> planning to move to CentOS 7 in June 2018, so I'd like to use this
> working configuration without having to jump through burning loops or
> having to reinvent the wheel.

This one is much more complex than your earlier configs. It seems
reasonable to use ufdbguard as a drop-in replacement for squidguard here.

A few things like the direction and couvrefeu ACLs can be moved easily
for better efficiency in squid.conf like so:

  acl direction src 192.168.10.2-192.168.10.49
  acl direction src 192.168.10.246-192.168.10.249

  # these are okay. Don't bother asking the helper
  url_rewrite_access deny direction

  # Squid's time ACL takes uppercase day codes (S M T W H F A)
  acl couvrefeu time MTWHF 00:00-07:00
  acl couvrefeu time SMTWH 22:30-24:00

  acl scholae src 192.168.10.50-192.168.10.210

  deny_info 302:http://squidguard.serveur-hp.ecole-scholae.lan/avertissement.html couvrefeu
  http_access deny scholae couvrefeu

Note the helper will never even be asked when these are redirected by
http_access, so you do not need a url_rewrite_access rule for it - scholae
things will only ever be passed to the helper during non-couvrefeu times.

Also, if you want to present a fixed web page instead of redirecting, you
can configure/load a custom HTML error page in deny_info instead of
using the 302:url pattern.

HTH
Amos
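
The fixed-page variant mentioned at the end of the message, as an added example that is not part of the original post or of the Squid project's documentation. The template name ERR_COUVREFEU, the directory /etc/squid/errors-custom and the template text are assumptions; the couvrefeu and scholae ACLs are the ones defined in the message.

```conf
# Added example. ERR_COUVREFEU and /etc/squid/errors-custom are hypothetical names.

# Directory holding the error page templates. Copy Squid's stock templates
# here first so the built-in ERR_* pages still resolve, then add your own file.
# Setting error_directory turns off per-language error page negotiation.
error_directory /etc/squid/errors-custom

# Contents of /etc/squid/errors-custom/ERR_COUVREFEU (constructed sample).
# It is plain HTML; Squid expands %-codes, e.g. %U = requested URL, %i = client IP.
#
#   <html><body>
#     <h1>Internet access is closed at this time</h1>
#     <p>Requested URL: %U</p>
#     <p>Client: %i</p>
#   </body></html>

# Redirect form used in the message, kept for comparison:
#deny_info 302:http://squidguard.serveur-hp.ecole-scholae.lan/avertissement.html couvrefeu

# Fixed-page form: serve the template from error_directory.
# The reply status defaults to 403; a different 4xx/5xx can be set with a
# "status:" prefix, for example 403:ERR_COUVREFEU.
deny_info ERR_COUVREFEU couvrefeu

# deny_info is chosen by the last ACL evaluated on the http_access line that
# denied the request, so couvrefeu has to stay last on this line.
http_access deny scholae couvrefeu
```

After editing, `squid -k parse` checks the configuration syntax before a reload.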