SquidGuard



  squidGuard - The Redirect Rule


  1. Basics

    To work properly, squidGuard must be told which URL it shall deliver back to squid when the requested site is part of the blocked destinations.
    The redirect rule must be placed within the acl tags. It is possible to have multiple redirect rules, but not within the same policy (i.e. definition of source rules).
    Example for one redirect rule in a configuration:

    One redirect rule in the configuration:
    acl {
        default {
           pass !porn all
           redirect http://www.foo.bar/blocked.html
        }
    }
    


    This example assumes that the same policy applies for all proxy users.

    Example for multiple redirect rules in a configuration:

    Multiple redirect rules in the configuration:
    acl {
        group1 within workhours {
           pass !tracker !adv !spyware !hacking !porn all
           redirect http://www.foo.bar/allblocked.html
        }
    
        default {
           pass !porn all
           redirect http://www.foo.bar/defaultblocked.html
        }
    }
    


    In this example two policies are defined. The latter is the same as in the first example and applies to all proxy users that do not fall into the policy defined by "group1". If a user is recognized as part of "group1" (be it by authentication, by IP address or time definition), the page http://www.foo.bar/allblocked.html will be displayed if a requested page is found to be part of one of the blocked destinations (in our example tracker, adv, spyware, hacking and porn).

    Please note:
    • You always need a policy called "default"!
    • If you do not specify a redirect rule, blocking and logging of requests will not work.
    • There must only be one redirect rule within a policy declaration.


  2. Advanced

    Instead of displaying a static "You have been blocked" message, you can write a script that gives the user more information about the blocking. SquidGuard passes the following variables that can be interpreted by the script:

    %a Variable that holds the IP address of the client.
    %i Variable that holds the user ID (RFC931, LDAP or MySQL) or "unknown" if not available.
    %n Variable that holds the domain name of the client or "unknown" if not available.
    %p Variable that holds the REQUEST_URI, i.e. the path and the optional query string of %u; note that, for convenience, the leading "/" is omitted.
    %s Variable that holds the matched source group (client group) or "unknown" if no groups were matched.
    %t Variable that holds the matched destination group (target group) or "unknown" if no groups were matched.
    %u Variable that holds the requested URL.


    In order to use this additional information in your script your redirect rule should look like the following:

    Redirect rule with variables:
     redirect http://www.foo.bar/blocked.cgi?caddr=%a&cname=%n&user=%i&group=%s&target=%t&url=%u
    


    In your script you have to evaluate the variable $QUERY_STRING, which holds all given parameters. SquidGuard substitutes the variables (the ones with the "%") with their appropriate values before sending the URL to the script, so $QUERY_STRING holds all the information about user, IP address, group and requested URL.
    Please note that the example block script squidGuard.cgi distributed with squidGuard uses different names for the variables. If you want to use this script, make sure that your redirect statement looks like:

    Redirect rule with squidGuard.cgi variables:
     redirect http://www.foo.bar/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
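
    A block script for the first redirect rule above (parameters caddr, cname, user, group, target, url), as an added example that is not part of squidGuard or of the distributed squidGuard.cgi. It HTML-escapes every value before reflecting it, because the requested URL is chosen by the client. Assumptions: %u is inserted without percent-encoding, so url is read as the last parameter to the end of the string; the function names and the sample query are made up for this example.

```python
#!/usr/bin/env python3
"""Block page CGI for the rule with caddr, cname, user, group, target, url."""
import html
import os

FIELDS = ("caddr", "cname", "user", "group", "target")
# Constructed sample of a substituted query string (not real traffic).
SAMPLE_QUERY = (
    "caddr=10.0.0.5&cname=unknown&user=alice&group=group1&target=adv"
    "&url=http://ads.example.test/b?id=1&ref=<script>x</script>")


def parse_block_query(query_string):
    """Split QUERY_STRING into the parameters named in the redirect rule.

    Assumption: %u is substituted without percent-encoding, so the blocked
    URL may itself contain '&' and '='. Everything after the first '&url='
    is therefore kept whole instead of being split again.
    """
    head, sep, url = ("&" + query_string).partition("&url=")
    params = {name: "unknown" for name in FIELDS}
    for pair in head.split("&"):
        name, eq, value = pair.partition("=")
        if eq and name in params and value:
            params[name] = value
    params["url"] = url if sep and url else "unknown"
    return params


def render_block_page(query_string):
    """Return the HTML body with every reflected value HTML-escaped."""
    raw = parse_block_query(query_string)
    p = {key: html.escape(value, quote=True) for key, value in raw.items()}
    return (
        "<html><head><title>Access denied</title></head><body>\n"
        "<h1>Access denied</h1>\n"
        f"<p>Requested URL: {p['url']}</p>\n"
        f"<p>Blocked destination group: {p['target']}</p>\n"
        f"<p>Client: {p['caddr']} ({p['cname']}), user {p['user']}, "
        f"source group {p['group']}</p>\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    # The web server hands the substituted redirect parameters to the CGI
    # in the QUERY_STRING environment variable.
    print("Content-Type: text/html; charset=utf-8\n")
    print(render_block_page(os.environ.get("QUERY_STRING", "")))
```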
    









  © Powered by Shalla Secure Services KG 2007-2012