Remote Access Control Lists in squid not working anymore

Started by Benst, November 18, 2016, 05:52:32 PM

Hmm, verify=False is required for self-signed HTTPS servers. This needs to be added. I tested HTTP downloads, with Shalla and it worked for both with and without the patch provided by Ad.

Can confirm that it takes longer than it should, but eventually the categories show up in the entry. We'll get to the bottom of this.

In the meantime, things that could go wrong on the side are non-working resolution from the firewall itself or requiring a proxy to connect.


Cheers,
Franco

Quote from: franco on November 24, 2016, 07:34:39 AM
Hmm, verify=False is required for self-signed HTTPS servers. This needs to be added. I tested HTTP downloads, with Shalla and it worked for both with and without the patch provided by Ad.

Can confirm that it takes longer than it should, but eventually the categories show up in the entry. We'll get to the bottom of this.

In the meantime, things that could go wrong on the side are non-working resolution from the firewall itself or requiring a proxy to connect.


Cheers,
Franco

Ok thanks franco, I'll check this one

@franco just to be sure, my patch only adds ftp support back. Parsing large lists can take (quite) some time because of the structure needed by squid (sorting, etc.), this has been the case for quite some time.

Hi Ad,

Ok, so this should be back in working order, I agree.

The HTTPS verify=False is something to add eventually, maybe as an advanced option per remote list (seems the easiest to pass down without cross-referencing config.xml for it).


Cheers,
Franco

Hi Franco,

Agreed, we should add verify=False as an option, we should be able to implement this in a similar way as the basic auth feature (should be easy :) ).

Best regards,

Ad

Hi Ad,

Quote from: AdSchellevis on November 23, 2016, 05:33:32 PM
You can easily trigger the download from the command line to see if something strange happens, but I guess your download/process just takes more than 120 seconds (which is the timeout from the gui to wait for a response).

/usr/local/opnsense/scripts/proxy/fetchACLs.py


Indeed, it looks like processing the list is taking an awful long time:

# time curl -C - -O 'ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8373k  100 8373k    0     0  1284k      0  0:00:06  0:00:06 --:--:-- 1619k
0.107u 0.071s 0:06.57 2.5% 148+120k 0+65io 0pf+0w

# time /usr/local/opnsense/scripts/proxy/fetchACLs.py
168.865u 12.138s 3:09.56 95.4% 7+167k 0+748io 12pf+0w


This is on an OPNsense A10 Quad Core SSD rack system.

Kind regards,
Ben

I'm having a problem with the web proxy. I already disabled the exe on "Block specific MIME type reply", blocklist and ACL, but I still can't download exe files.

- I restarted the squid server several times; it was working fine before updating the patch for ACLs and

Config on ACL

Config on Remote Control List

Problem: even though I already edited the categories on the blocklist, the config is still not applied. For example, I disabled manga, shopping, warez and etc. but some sites are still blocked.

Regards,
pr3p

Hi Ben,

I've taken another look at the processing code, but I don't see an easy big performance gain there. The unpacked blacklist file is approx 34MB, containing around a million lines if I saw it correctly.
Squid is very picky on the data in the lists, any duplication can lead to the proxy not starting at all, which makes sorting/de-duplication quite complex.

We could increase the timeout or detach the actual download process, but in the last case we should add some option to only download the indexes too.

Best regards,

Ad



Hi Ad,

I understand the problem. This also explains some odd behaviour I have seen in the past when clicking on 'Apply' and the list not sticking correctly. Perhaps the same problem as pr3p described in his latest message? For now the workaround could be to Download the list, and watch the cpu meter until all is quiet. And then hit Apply.

Increasing the timeout would help in the short run, but it is also highly dependent on the hardware of course. And what if some list suddenly takes even longer? Making it async would be best, but is probably a lot more work?

While we're on this subject: I also noticed that OPNsense currently blacklists every address in that list. But some categories are explicitly whitelisted, see for example liste_blanche. I currently have to delete that index in the GUI.

Kind regards,
Ben
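Ad's point about Squid being picky about the list contents (duplicates, sorting) and Ben's point about whitelist categories such as liste_blanche both come down to how the category files are turned into one dstdomain list. The following is an added example, not OPNsense's fetchACLs.py, written in Python 3. It assumes the squidGuard layout the thread discusses (one "domains" file per category, one hostname per line, no leading dot) and emits entries with a leading dot, which Squid's dstdomain type treats as "this domain and all subdomains". The sample category contents are constructed, and the example goes a little beyond the thread by also dropping subdomains that a parent entry already covers.

```python
"""Build a Squid-safe dstdomain list from squidGuard-style category files.

Added example (not OPNsense's fetchACLs.py). Assumes the squidGuard layout the
thread discusses: one "domains" file per category, one hostname per line,
no leading dot. Output entries get a leading dot, which in Squid's dstdomain
ACL type matches the domain itself and every subdomain.
"""

# Constructed sample input: category name -> contents of its "domains" file.
# It deliberately contains the things that trip Squid up: case variants,
# trailing dots and whitespace, a host listed in two categories, and
# subdomains whose parent is also listed.
SAMPLE_CATEGORIES = {
    "adv": "ads.example.com\nADS.example.com\ntracker.example.net\nads.example.com.\n",
    "hacking": "evil.example.org\nsub.evil.example.org\n  deep.sub.evil.example.org \n",
    "warez": "warez.example.com\n\n# comment line\nevil.example.org\n",
    # A whitelist category such as liste_blanche: these must not end up blocked.
    "liste_blanche": "tracker.example.net\n",
}


def normalise(line):
    """Lower-case, strip whitespace and surrounding dots; None for blank/comment lines."""
    host = line.strip().lower().strip(".")
    if not host or host.startswith("#"):
        return None
    return host


def parse_domains(text):
    """Set of normalised hostnames from one category file (duplicates collapse here)."""
    hosts = set()
    for line in text.splitlines():
        host = normalise(line)
        if host:
            hosts.add(host)
    return hosts


def collapse_subdomains(hosts):
    """Drop every host that a shorter entry in the same set already covers.

    Squid's dstdomain matches '.evil.example.org' against sub.evil.example.org
    too, so keeping both only produces overlap warnings and a larger list.
    Processing parents first (fewest labels) makes a single pass sufficient.
    """
    kept = set()
    for host in sorted(hosts, key=lambda h: (h.count("."), h)):
        labels = host.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            kept.add(host)
    return sorted(kept)


def build_dstdomain_list(categories, blocked, whitelist=()):
    """Sorted, de-duplicated dstdomain entries for the blocked categories.

    Exact hosts found in any whitelist category are removed from the result.
    """
    block = set()
    for cat in blocked:
        block |= parse_domains(categories.get(cat, ""))
    allow = set()
    for cat in whitelist:
        allow |= parse_domains(categories.get(cat, ""))
    return ["." + h for h in collapse_subdomains(block - allow)]


if __name__ == "__main__":
    entries = build_dstdomain_list(SAMPLE_CATEGORIES,
                                   blocked=["adv", "hacking", "warez"],
                                   whitelist=["liste_blanche"])
    # Sanity check: the output must shrink when a category is removed from
    # the block set; if it does not, the filter is not being applied.
    fewer = build_dstdomain_list(SAMPLE_CATEGORIES,
                                 blocked=["adv", "hacking"],
                                 whitelist=["liste_blanche"])
    print("\n".join(entries))
    print("entries: %d, without warez: %d" % (len(entries), len(fewer)))
```

Removing exact whitelist hosts from the deny list is the simplest reading of Ben's request; a more robust setup keeps the whitelist as its own dstdomain ACL with an allow rule ordered before the deny rule in squid.conf, so a whitelisted parent domain also overrides blocked subdomains.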

November 28, 2016, 04:17:02 AM #24 Last Edit: November 28, 2016, 04:35:50 AM by mow4cash
I can't get this to work at all. Maybe it's me, I've tried everything here. It's not even creating a directory.

EDIT: It finally worked. I tried it a bunch of times but I think it had something to do with enabling before downloading.

mow4cash, I've seen this too. I will default the new dialog to enabled.

November 28, 2016, 07:11:19 PM #26 Last Edit: November 28, 2016, 07:23:54 PM by tillsense
hi all,

use ad's workaround for download with no error:
/usr/local/opnsense/scripts/proxy/fetchACLs.py

over the web interface I only selected 5 categories but all are active!

the generated index looks good to me...
root@mea:/usr/local/etc/squid # cat acl/shall0.index
{"finance/moneylending": "finance/moneylending", "automobile/boats": "automobile/boats", "porn": "porn", "ringtones": "ringtones", "drugs": "drugs", "socialnet": "socialnet", "dynamic": "dynamic", "anonvpn": "anonvpn", "library": "library", "science/astronomy": "science/astronomy", "costtraps": "costtraps", "finance/insurance": "finance/insurance", "chat": "chat", "politics": "politics", "searchengines": "searchengines", "shopping": "shopping", "aggressive": "aggressive", "hospitals": "hospitals", "urlshortener": "urlshortener", "adv": "adv", "weapons": "weapons", "updatesites": "updatesites", "recreation/restaurants": "recreation/restaurants", "radiotv": "radiotv", "alcohol": "alcohol", "isp": "isp", "finance/trading": "finance/trading", "webmail": "webmail", "sex/lingerie": "sex/lingerie", "religion": "religion", "tracker": "tracker", "music": "music", "automobile/planes": "automobile/planes", "hobby/gardening": "hobby/gardening", "recreation/humor": "recreation/humor", "hobby/games-misc": "hobby/games-misc", "redirector": "redirector", "gamble": "gamble", "fortunetelling": "fortunetelling", "jobsearch": "jobsearch", "finance/banking": "finance/banking", "hobby/cooking": "hobby/cooking", "webtv": "webtv", "government": "government", "models": "models", "automobile/bikes": "automobile/bikes", "downloads": "downloads", "hobby/pets": "hobby/pets", "warez": "warez", "homestyle": "homestyle", "recreation/martialarts": "recreation/martialarts", "spyware": "spyware", "recreation/wellness": "recreation/wellness", "news": "news", "hobby/games-online": "hobby/games-online", "recreation/travel": "recreation/travel", "webphone": "webphone", "sex/education": "sex/education", "finance/other": "finance/other", "automobile/cars": "automobile/cars", "dating": "dating", "remotecontrol": "remotecontrol", "forum": "forum", "violence": "violence", "imagehosting": "imagehosting", "podcasts": "podcasts", "movies": "movies", "webradio": "webradio", "military": "military", "hacking": "hacking", "finance/realestate": "finance/realestate", "science/chemistry": "science/chemistry", "education/schools": "education/schools", "recreation/sports": "recreation/sports"}
root@mea:/usr/local/etc/squid # cat externalACLs.conf
#
# Automatic generated configuration for fetching remote ACLs.
# Do not edit this file manually.
[shall0]
url:http://www.shallalist.de/Downloads/shallalist.tar.gz
enabled:1
filter:adv,hacking,spyware,tracker,warez
sslNoVerify=0
root@mea:/usr/local/etc/squid #


cheers till
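Franco and Ad discuss adding the HTTPS verify=False behaviour as a per-list option, and Till's externalACLs.conf printout shows the per-list layout such an option lives in (note that the file uses `key:value` for url/enabled/filter but `sslNoVerify=0`). The following is an added example, not the OPNsense proxy scripts, in Python 3: it parses that layout, accepts either separator, and derives a per-list TLS policy with the standard library's ssl module rather than a verify=False keyword, so verification is only relaxed for the one list that asks for it and only when that list is actually served over HTTPS. The `[selfsigned0]` section and its URL are hypothetical, added to show the non-default path; the `transport_risks` check is the review an administrator wants afterwards, because a list fetched over plain HTTP/FTP or over unverified TLS can be swapped by anyone on the path.

```python
"""Parse the externalACLs.conf layout printed in this thread and derive a
per-list TLS policy from it.

Added example, not the OPNsense proxy scripts. Uses the standard library's
ssl module to express "verify the server" or "do not verify" per list instead
of a verify=False keyword. The [selfsigned0] section and its URL are
hypothetical. Key/value lines are accepted with either ':' or '=' as the
separator, because the file shown uses both (url:... but sslNoVerify=0).
"""
import re
import ssl
from urllib.parse import urlparse

# Constructed sample: the [shall0] section as printed in the thread plus a
# hypothetical second list served over HTTPS with a self-signed certificate.
SAMPLE_CONF = """\
#
# Automatic generated configuration for fetching remote ACLs.
# Do not edit this file manually.
[shall0]
url:http://www.shallalist.de/Downloads/shallalist.tar.gz
enabled:1
filter:adv,hacking,spyware,tracker,warez
sslNoVerify=0
[selfsigned0]
url:https://lists.internal.example/blacklist.tar.gz
enabled:1
filter:adv
sslNoVerify=1
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([A-Za-z_]+)\s*[:=]\s*(.*)$")


def parse_external_acls(text):
    """dict of section name -> {key: value}; blank and comment lines are skipped."""
    lists, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = lists.setdefault(m.group(1), {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return lists


def filter_categories(section):
    """Categories selected for blocking, from the comma-separated filter value."""
    return [c for c in section.get("filter", "").split(",") if c]


def ssl_context_for(section):
    """Default (verifying) context, relaxed only when this list asks for it."""
    ctx = ssl.create_default_context()
    scheme = urlparse(section.get("url", "")).scheme.lower()
    if scheme == "https" and section.get("sslNoVerify") == "1":
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(section):
    """True when a download for this list would authenticate the server."""
    return ssl_context_for(section).verify_mode != ssl.CERT_NONE


def transport_risks(lists):
    """Per enabled list: 'ok', 'plaintext' (http/ftp) or 'tls-unverified'.

    Either non-ok state means someone on the path could hand the proxy a
    different block list, so these are the lists worth reviewing.
    """
    risks = {}
    for name, section in lists.items():
        if section.get("enabled") != "1":
            continue
        scheme = urlparse(section.get("url", "")).scheme.lower()
        if scheme != "https":
            risks[name] = "plaintext"
        elif not verifies_peer(section):
            risks[name] = "tls-unverified"
        else:
            risks[name] = "ok"
    return risks


if __name__ == "__main__":
    lists = parse_external_acls(SAMPLE_CONF)
    risks = transport_risks(lists)
    for name, section in lists.items():
        print(name, filter_categories(section), risks.get(name, "disabled"))
```

Keeping the relaxed context tied to one section, rather than a global switch, is what makes a per-list option safer than a blanket verify=False: every other list keeps certificate and hostname checks.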

I've moved all discussed changes to 16.7.10 and will ask Ad to look at the category hiccup Till reported just then.

EDIT: Ad said that the generated output should be checked to see if it decreases when removing categories to block. If so, everything is ok?

hi franco,

generated output? (a reboot does not help)

cheers till

hi all,

back to 16.7.10 it's the same (all categories active) plus an error in the log:

Quote
configd.py: unable to sendback response [OK ] for [proxy][downloadacls][None] {b62421f1-b3be-4e2c-b502-366d1a140aa0}, message was Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run self.connection.sendall('%s\n' % result) File "/usr/local/lib/python2.7/socket.py", line 228, in meth return getattr(self._sock,name)(*args) error: [Errno 32] Broken pipe

cheers till