squidGuard - The Redirect Rule
- Basics
To work properly, squidGuard must be told which URL to hand back to
squid when the requested site is part of the blocked destinations.
The redirect rule is placed inside the acl block. A configuration may
contain multiple redirect rules, but only one within each policy
(i.e. definition of source rules).
Example with one redirect rule in the configuration:

    acl {
        default {
            pass !porn all
            redirect http://www.foo.bar/blocked.html
        }
    }

This example assumes that the same policy applies for all proxy users.
Example with multiple redirect rules in the configuration:

    acl {
        group1 within workhours {
            pass !tracker !adv !spyware !hacking !porn all
            redirect http://www.foo.bar/allblocked.html
        }
        default {
            pass !porn all
            redirect http://www.foo.bar/defaultblocked.html
        }
    }

In this example two policies are defined. The latter is the same as in the
first example and applies to all proxy users that do not fall into the
policy defined by "group1". If a user is recognized as part of "group1"
(be it by authentication, by IP address or by time definition), the page
http://www.foo.bar/allblocked.html will be displayed whenever a requested
page is found to be part of one of the blocked destinations (in our example
tracker, adv, spyware, hacking and porn).
Please note:
- You always need a policy called "default"!
- If you do not specify a redirect rule, blocking and logging of requests
will not work.
- There must only be one redirect rule within a policy declaration.
- Advanced
Instead of displaying a static "You have been blocked" message, you can
program a script to do so and tell the user some more information about
the blocking. SquidGuard passes the following variables that can be
interpreted by the script:
%a  The IP address of the client.
%i  The user ID (RFC931, LDAP or MySQL), or "unknown" if not available.
%n  The domain name of the client, or "unknown" if not available.
%p  The REQUEST_URI, i.e. the path and the optional query string of %u,
    but note for convenience without the leading "/".
%s  The matched source group (client group), or "unknown" if no groups
    were matched.
%t  The matched destination group (target group), or "unknown" if no
    groups were matched.
%u  The requested URL.

In order to use this additional information in your script, your redirect
rule should look like the following:

    redirect http://www.foo.bar/blocked.cgi?caddr=%a&cname=%n&user=%i&group=%s&target=%t&url=%u

In your script you have to evaluate the variable $QUERY_STRING, which
holds all the parameters passed. squidGuard substitutes the placeholders
(the ones starting with "%") with their appropriate values before
sending the URL to the script, so $QUERY_STRING holds all the
information about user, IP, group and requested URL.
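
A minimal block script for the redirect rule with variables shown above, written in Python as an added example (it is not squidGuard's own squidGuard.cgi). It HTML-escapes every value before output, because %u comes straight from the client's request. It assumes the requested URL may arrive unencoded, which is why url=%u has to stay the last parameter; SAMPLE_QUERY is constructed.

```python
#!/usr/bin/env python3
import html
import os
from urllib.parse import unquote

# Parameter names used in the redirect rule above (url=%u comes last).
FIELDS = ("caddr", "cname", "user", "group", "target")

# Constructed sample of what squidGuard might hand to the script.
SAMPLE_QUERY = ("caddr=192.0.2.10&cname=unknown&user=alice&group=group1"
                "&target=adv&url=http://ads.example/t?id=1&ref=<b>x</b>")


def parse_block_query(query_string):
    """Split QUERY_STRING into the fields of the redirect rule.

    Assumption: the requested URL may be substituted unencoded and can
    contain "&" and "=" itself, so everything after the first "&url="
    is kept verbatim as the URL instead of being split further.
    """
    head, sep, url = query_string.partition("&url=")
    values = {name: "unknown" for name in FIELDS}
    for pair in head.split("&"):
        name, _, value = pair.partition("=")
        if name in values and value:
            values[name] = unquote(value)
    values["url"] = url if sep and url else "unknown"
    return values


def render_block_page(values):
    """Build the CGI response; every value is escaped before output."""
    rows = "".join(
        "<tr><th>{}</th><td>{}</td></tr>".format(html.escape(k), html.escape(v))
        for k, v in values.items()
    )
    return ("Content-Type: text/html; charset=utf-8\r\n\r\n"
            "<!DOCTYPE html><html><head><title>Access blocked</title></head>"
            "<body><h1>Access blocked</h1><table>" + rows +
            "</table></body></html>\n")


if __name__ == "__main__":
    # Under CGI the web server sets QUERY_STRING; fall back to the sample.
    query = os.environ.get("QUERY_STRING") or SAMPLE_QUERY
    print(render_block_page(parse_block_query(query)), end="")
```
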
Please note that the example block script squidGuard.cgi
distributed with squidGuard uses different names for the variables.
If you want to use
this script, make sure that your redirect statement looks like:

    redirect http://www.foo.bar/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u