OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: jocg on May 01, 2022, 08:45:20 am

Title: [SOLVED] squidGuard
Post by: jocg on May 01, 2022, 08:45:20 am
Hello.
I would like to migrate from pfsense to opnsense and I already ported most of my configs to opnsense.
I really like opnsense, but I only have one problem:
Squidguard

Is there some way to add squidguard to opnsense or is there any other plugin that does the same job?
I know that opnsense already has squid built-in (Web Proxy), but I need something more powerful, because squid is only host/domain (and IP) based blocking and I need to process the complete URL string (with regex), that's why I need something like squidguard.

Thank you.
Title: Re: Squidguard
Post by: mimugmail on May 01, 2022, 11:04:10 am
I offer the pkg in my repo, but no GUI to configure it

https://www.routerperformance.net/opnsense-repo/
Title: Re: Squidguard
Post by: jocg on May 01, 2022, 01:01:34 pm
I offer the pkg in my repo, but no GUI to configure it

https://www.routerperformance.net/opnsense-repo/

Hi, thank you very much for answering.
What is the name of the package? (I already installed the repo and updated the packages)
I must be blind (or dumb), because I don't find anything related to squidguard in my "Plugins" tab.
About the lack of GUI, I don't mind as long as the functionality is the same (and I'm familiar with cli interfaces, so it's not a problem).
Again, thank you very much.

PS:
By the way, I would like to take the opportunity to thank you for providing so many awesome packages in your repo (Adguard is a really good replacement for pfBlockerNG).
Title: Re: Squidguard
Post by: zerwes on May 01, 2022, 01:13:48 pm
pkg means a Package and not a Plugin
Title: Re: Squidguard
Post by: jocg on May 01, 2022, 01:45:08 pm
pkg means a Package and not a Plugin

Thank you for the tip.
You are absolutely right, this must be installed through cli.
If anyone ends up in this topic searching for the same thing (squidguard):
1-ssh into the device
2-press 8 to enter the shell
3-install mimugmail's repo, if you haven't yet
4-pkg install squidguard

Thank you very much to mimugmail and zerwes, for pointing me into the right direction :)
Title: Re: Squidguard
Post by: zerwes on May 01, 2022, 01:49:25 pm
CLI is IMHO the best way, but it should show up under /ui/core/firmware#packages aka. System: Firmware > Packages tab too ...
Title: Re: Squidguard
Post by: jocg on May 01, 2022, 02:09:56 pm
CLI is IMHO the best way, but it should show up under /ui/core/firmware#packages aka. System: Firmware > Packages tab too ...

Do all mimugmail's packages (installed and to install) show up in "System>Firmware>Packages" for you?
For me, squidguard only showed up there, after installing it through cli.
I'm sorry if I'm making stupid questions, but I'm pretty new to opnsense (despite having a bit of experience with pfsense, but with that most things are GUI based).
Anyway, I'm really happy and grateful that this option exists, despite the lack of GUI.
Title: Re: Squidguard
Post by: zerwes on May 01, 2022, 06:56:39 pm
Oh, sorry, my mistake. You are right, you need to install packages not belonging via shell using the pkg command. I use to install packages via ansible, so the one I installed this way, show up in the GUI, so my assumption was wrong. So the CLI is the right way....
Title: Re: Squidguard
Post by: jocg on May 06, 2022, 09:56:41 pm
Oh, sorry, my mistake. You are right, you need to install packages not belonging via shell using the pkg command. I use to install packages via ansible, so the one I installed this way, show up in the GUI, so my assumption was wrong. So the CLI is the right way....

No worries  ;)
In the mean time, I was able to get squidguard working and it's working great (I will test it more deeply in the coming days).
Thank you very much mimugmail for providing squidguard and all the other packages/plugins  :)

I would like to make a QOL suggestion to OPNSense devs/staff:
Can you make a check box in "Web Proxy" to automatically add support for squidguard inside squid.conf file?
(It would automatically add "url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf" at the end of squid.conf, every time a change is made in the "Web Proxy" GUI).
I'm asking this because every time I make a change in "Web Proxy" GUI and apply that change, the squid.conf file is changed, erasing the "url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf" line, which is a bit annoying.
Is it possible?

Again, thank you very much to everyone involved, directly and indirectly, in the development of this amazing open source project.
I'm thrilled with the switch and I'm really rooting for OPNSense's success  :)
Title: Re: Squidguard
Post by: mimugmail on May 06, 2022, 10:47:57 pm
There are config include folder for squid where you can add your conf files and don't get overwritten :)
Title: Re: Squidguard
Post by: jocg on May 07, 2022, 12:37:24 pm
There are config include folder for squid where you can add your conf files and don't get overwritten :)

Hello again :)

I dug a little bit today and it seems that the right way of doing this is creating an extra squid.conf.local file (in the same directory of the original) and add there the extra config (and this way I can change Web Proxy settings without affecting squidguard).

Is this the correct way?
I'm sorry if this is a stupid question, but I'm really ignorant about BSD systems.

Again, thank you very much for helping me :)
Title: Re: Squidguard
Post by: mimugmail on May 07, 2022, 01:03:13 pm
If conf.local gets loaded correctly this will be fine :)
Title: Re: Squidguard
Post by: jocg on May 07, 2022, 01:36:38 pm
If conf.local gets loaded correctly this will be fine :)

In the mean time, I created and configured the file and it's working great :)
I made some changes in the Web Proxy GUI to test and everything worked.

Again, thank you very much for everything.
You are truly outstanding and I'm glad OPNSense's community has people like you willing to help clueless people, like myself ;D
Title: Re: [SOLVED] Squidguard
Post by: mimugmail on May 07, 2022, 02:33:32 pm
Would you mind sharing your squidguard conf so others get an idea what would be possible to solve? :)
Title: Re: [SOLVED] Squidguard
Post by: jocg on May 07, 2022, 05:20:33 pm
Would you mind sharing your squidguard conf so others get an idea what would be possible to solve? :)

Sure thing  :)

First, you must ssh into your device and, after this, you must have squidguard installed (I already posted previously how to do it) and you should install a text editor (like nano: pkg install nano)

My "squidGuard.conf" is something like (located inside "/usr/local/etc/squid/")(it was basically what I had on pfSense):

Code:
logdir /var/log/squid
dbhome /usr/local/etc/squid/db

dest block {
        expressionlist expressions
}

acl {
        default {
                pass !block any
                redirect http://localhost/sgerror.php
        }
}

After modifying "squidGuard.conf" to your liking, you have to add your lists (in my case, I had 1 list: "expressions", inside "/usr/local/etc/squid/db" / my rules are regex based, that's why I used "expressionlist").

Now you have to generate squidguard's database, using:

Code:
squidGuard -C all

Next, you must change your database(s) ownership, using:

Code:
chown -R squid:squid /usr/local/etc/squid/db

After all the previous steps, you have to add squidguard support inside squid. For this, I created a "squid.conf.local" (located inside "/usr/local/etc/squid/"), to avoid losing squidguard support, every time I make a change in "Web Proxy" GUI. Inside the file add:

Code:
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf

Finally, you have to reconfigure/restart squid, to activate the configuration:

Code:
/usr/local/sbin/squid -k reconfigure

Code:
/usr/local/etc/rc.d/squid restart  # I'm not sure if this is required, but I do it anyways

And that's it, I think I didn't forget anything and I hope it helps.
If someone has a suggestion or sees something wrong, please, don't be shy and step forward. I would really appreciate it :)

PS:
I would like to apologize for any vocabulary/grammatical mistakes. I'm not an English native speaker.
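
Added example, not part of jocg's post or of the squidGuard package: a preflight check to run before `squid -k reconfigure`, since squidGuard's fallback on a configuration error is an emergency mode that lets requests through. It confirms that every list named in squidGuard.conf exists under dbhome and that each expressionlist line compiles; the function names and the two sample expressions are made up for illustration, and `grep -Ei` is assumed to approximate squidGuard's own (case-insensitive) regex matching.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for a squidGuard.conf.
# Assumption: grep -Ei approximates squidGuard's regex matching closely enough.

valid_ere() {   # 0 if $1 compiles as an extended regex (grep exits 2 if not)
    ere_rc=0
    printf 'x\n' | grep -Eq -e "$1" 2>/dev/null || ere_rc=$?
    [ "$ere_rc" -ne 2 ]
}

sg_lint() {     # $1 = squidGuard.conf; 0 only if every list file is usable
    lint_rc=0
    db=$(awk '$1 == "dbhome" { print $2; exit }' "$1")
    [ -n "$db" ] || { echo "no dbhome in $1" >&2; return 1; }
    lists=$(awk '$1 ~ /^(domainlist|urllist|expressionlist)$/ { print $1, $NF }' "$1")
    while read -r kind file; do
        [ -n "$kind" ] || continue
        case $file in /*) path=$file ;; *) path=$db/$file ;; esac
        [ -r "$path" ] || { echo "missing list: $path" >&2; lint_rc=1; continue; }
        [ "$kind" = expressionlist ] || continue
        while IFS= read -r re; do
            [ -z "$re" ] || valid_ere "$re" ||
                { echo "bad regex in $path: $re" >&2; lint_rc=1; }
        done < "$path"
    done <<EOF
$lists
EOF
    return "$lint_rc"
}

sg_would_block() {  # $1 = expression file, $2 = URL; 0 if any line matches
    while IFS= read -r re; do
        [ -n "$re" ] || continue
        if printf '%s\n' "$2" | grep -Eiq -e "$re" 2>/dev/null; then return 0; fi
    done < "$1"
    return 1
}

sg_demo() {     # constructed sample data: temp conf plus two made-up expressions
    d=$(mktemp -d) && mkdir "$d/db" || return 1
    printf 'dbhome %s/db\ndest block {\n\texpressionlist expressions\n}\n' "$d" > "$d/sg.conf"
    printf '%s\n' '[?&]debug=1' '\.(exe|scr)(\?.*)?$' > "$d/db/expressions"
    sg_lint "$d/sg.conf" && echo "lint: ok"
    for u in 'http://files.example/setup.EXE?v=2' 'http://files.example/readme.txt'; do
        if sg_would_block "$d/db/expressions" "$u"; then echo "block $u"; else echo "pass  $u"; fi
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then sg_demo; fi
```

Run it with the argument `demo` to see the constructed sample, or call `sg_lint /usr/local/etc/squid/squidGuard.conf` on the firewall itself.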