Look for errors in /var/log/squid/cache.log.
As a workaround, select Transparent in the Proxy configuration page.
Hello Filippo,
thanks for your hint. When I select Transparent, squid is working but there is no content filter…
I found the following error in cache.log:
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run “ssl_crtd -c -s /var/lib/ssl_db”.
and I checked that the directory /var/lib/ssl_db does not exist…
But I’m not so deep into that stuff; it seems the problem has something to do with SSL certificates for squid.
Okay, I managed it:
/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
chown -R squid.squid /var/lib/ssl_db
but the filter isn’t working…
Hello,
a short /etc/init.d/ufdb testconfig
shows the reason of the problem:
FATAL ERROR: line 293: "aggressive" is a keyword and must be surrounded by quotes in configuration file /etc/ufdbguard/ufdbGuard.conf *****
I’m using the blacklist from shalla…
The workaround is to disable the filter category aggressive, or to hack the template file for ufdbGuard.conf so that all categories in the ACL are in double quotes.
acl {
default {
pass !security !in-addr !files !builtin !"aggressive" !alcohol !banking !costtraps !dating !drugs !gamble !insurance !lingerie !porn !redirector !socialnet !spyware !violence !warez !weapons all
redirect http://192.168.179.1/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
}
After changing !aggressive to !"aggressive" everything is working fine. Maybe it helps NethServer development.
Regards from Leipzig
Denis
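The workaround from the post above (every category name on the pass line in double quotes), as an added shell example that is not part of the original post or of the NethServer template. The function names and the sample config are constructed, and treating "all", "any" and "none" as bare keywords is an assumption.

```shell
# "all", "any" and "none" are treated as pass-rule keywords and left bare
# (assumption); every other token is taken to be a category name.

# List category names that appear unquoted on "pass" lines (stdin: config text).
unquoted_pass_categories() {
    awk '
    $1 == "pass" {
        for (i = 2; i <= NF; i++) {
            tok = $i
            sub(/^!/, "", tok)
            if (tok ~ /^".*"$/) continue
            if (tok == "all" || tok == "any" || tok == "none") continue
            print tok
        }
    }'
}

# Rewrite "pass" lines so every category name is double-quoted; other lines pass through.
quote_pass_categories() {
    awk '
    $1 == "pass" {
        match($0, /^[ \t]*/)                    # keep the original indentation
        out = substr($0, 1, RLENGTH) "pass"
        for (i = 2; i <= NF; i++) {
            tok = $i; neg = ""
            if (substr(tok, 1, 1) == "!") { neg = "!"; tok = substr(tok, 2) }
            gsub(/"/, "", tok)                  # normalise names already quoted
            if (tok != "all" && tok != "any" && tok != "none") tok = "\"" tok "\""
            out = out " " neg tok
        }
        print out
        next
    }
    { print }'
}

# Constructed sample, shortened from the ACL quoted in the post.
sample_conf() {
    cat <<'EOF'
acl {
   default {
      pass !security !aggressive !alcohol !"porn" all
      redirect http://192.0.2.1/cgi-bin/block.cgi?url=%u
   }
}
EOF
}
sample_conf | quote_pass_categories
```

Running the listing function over the generated file before restarting the filter shows which names would still reach the parser unquoted.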
It’s such a pity: after putting the raspi in the new housing I cracked the SD card.
This morning I was surprised that the raspi wouldn’t start. I checked all parts and the reason was clear.
Now I can start again from the beginning because yesterday I didn’t make a backup…
This command is automatically run when you save the configuration, see /etc/e-smith/events/actions/nethserver-squid-conf.
The problem is that the ARM squid package has a different path:
- x86 = /usr/lib64/squid/ssl_crtd
- arm = /usr/lib/squid/ssl_crtd
Luckily, nethserver-squid-conf is the only place where ssl_crtd is called; we may have a fix trying both paths.
I’ll create a pull request, it may be accepted.
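One way to try both helper paths and initialise the certificate database only when it is missing, as an added shell example; it is not the code of nethserver-squid-conf or of the pull request. The function names are hypothetical, and the squid:squid owner follows the chown shown earlier in the thread.

```shell
# Candidate helper locations named in the thread: x86 first, then ARM.
SSL_CRTD_CANDIDATES="/usr/lib64/squid/ssl_crtd /usr/lib/squid/ssl_crtd"

# Print the first candidate that exists and is executable; return 1 if none does.
find_ssl_crtd() {
    for p in ${1:-$SSL_CRTD_CANDIDATES}; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Create the certificate database if the directory is missing, then give it
# to the account squid runs as. An existing directory is left untouched
# (assumption: it was initialised by an earlier run).
init_ssl_db() {
    db=$1
    owner=${2:-squid:squid}
    candidates=${3:-$SSL_CRTD_CANDIDATES}
    [ -d "$db" ] && return 0
    helper=$(find_ssl_crtd "$candidates") || {
        echo "ssl_crtd not found in: $candidates" >&2
        return 1
    }
    "$helper" -c -s "$db" || return 1
    chown -R "$owner" "$db"
}

# Typical call on the router, as root:
#   init_ssl_db /var/lib/ssl_db
```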
My mistake, I fixed the double quotes issue only partially.
PR: Fix quotes in profiles categories names. NethServer/dev#5171 by filippocarletti · Pull Request #9 · NethServer/nethserver-squidguard · GitHub
Thank you very much for your findings, really helpful.
@denis.robel, may I ask you a favor when you have your RPI online again?
Instead of running /usr/lib/squid/ssl_crtd to create the cert dir, modify /etc/squid/squid.conf where it says:
https_port 3130 intercept ssl-bump generate-host-certificates=on ...
with
https_port 3130 intercept ssl-bump generate-host-certificates=off ...
I’ve tested it on Intel x86 and it seems to work, even if the squid manual says the opposite (but someone has filed a documentation bug).
Okay, I’ve got a new SD card and I’ll try it again.
Before I compile hostapd from source: is there an RPM for CentOS 7 with a systemd startup script available? The same is necessary for ufdbguard.
It would be more consistent to start hostapd and ufdbguard via systemd instead of old init scripts.
Can somebody provide me the systemd unit scripts or assist me in creating the scripts?
The main problem is to define the start dependencies for the services…
Because I know that my project will work, I’m writing documentation in parallel with my installation so that the doc team can use it for a Howto.
With warm regards
Denis
hostapd comes from the epel repo, so you should simply type:
yum install hostapd
unless epel for arm still doesn’t contain the rpm. We may signal the hostapd maintainer.
I’ll try to rebuild my RPI after we release NethServer 7 final.
Regarding ufdbguard, we could ask the author (Marcus), but I’m not sure he wants to maintain one more package.
You should be able to build from the srpm, I can help.
There is a src rpm available for CentOS 7
wget -c https://www.urlfilterdb.com/files/downloads/ufdbGuard-1.32.4.src.rpm
but an old init script is used, not a systemd service. I was able to compile the src rpm, that’s no problem.
But as far as I know, in CentOS 7 systemd is the new standard…
For hostapd I will check if I can compile from the src rpm…
Don’t worry about systemd, it can handle old sysv initscripts.
I agree with you that a systemd unit file would be better, we could probably build one as a future improvement.
I know that systemd can handle sysv init scripts…
But I’m a German and all things should be in a clear structure.
Well, I edited /etc/e-smith/templates/etc/squid/squid.conf/40ports as you suggested and now it’s working well.
Okay, here I am again with my documentation to set up a NethServer 7 based router with a raspi3:
- Install CentOS 7 on the Raspi following the NethServer Howto:
http://wiki.nethserver.org/doku.php?id=ns_raspi2
ON FIRST BOOT CHANGE ROOT PASSWORD!!!
- Install MC --> I’m not a fan of vi vim
yum install mc
- Change CPU frequency to 1000 MHz - for faster compiling
mcedit /boot/config.txt
systemctl reboot
- Install Nethserver
yum -y update
yum clean all
new nsswitch.conf is created as nsswitch.conf.rpmnew
cp /etc/nsswitch.conf.rpmnew /etc/nsswitch.conf
yum localinstall http://mirror.framassa.org/nethserver-arm/nethserver-release-7arm.rpm
nethserver-install
- Install Development Tools
yum groupinstall "Development Tools"
yum install nethserver-devtools
- Enable wifi as described in /root/README
curl --location https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm80211/brcm/brcmfmac43430-sdio.bin > /usr/lib/firmware/brcm/brcmfmac43430-sdio.bin
curl --location https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm80211/brcm/brcmfmac43430-sdio.txt > /usr/lib/firmware/brcm/brcmfmac43430-sdio.txt
systemctl reboot
- Install Hostapd:
yum install libnl3-devel
yum install openssl-devel
download hostapd-src from epel
wget -c http://dl.fedoraproject.org/pub/epel/7/SRPMS/h/hostapd-2.4-3.el7.src.rpm
rpmbuild --rebuild hostapd-2.4-3.el7.src.rpm
yum install /root/rpmbuild/RPMS/armv7hl/hostapd-2.4-3.el7.centos.armv7hl.rpm
edit /etc/hostapd/hostapd.conf
########################################################################################################### begin hostapd.conf
#
# This will give you a minimal, insecure wireless network.
#
# DO NOT BE SATISFIED WITH THAT!!!
#
# A complete, well commented example configuration file is
# available here:
#
# /usr/share/doc/hostapd/hostapd.conf
#
# For more information, look here:
#
# http://wireless.kernel.org/en/users/Documentation/hostapd
#
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
# Some usable default settings...
macaddr_acl=0 # macaddr_acl will be managed from dhcp ...
auth_algs=1
ignore_broadcast_ssid=0
# Uncomment these for base WPA & WPA2 support with a pre-shared key
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
# DO NOT FORGET TO SET A WPA PASSPHRASE!!
wpa_passphrase=YOURSECRETPASSWORD
# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211
# Customize these for your local configuration...
interface=wlan0
hw_mode=g
channel=1
ssid=YOURSSID
########################################################################################################## end hostapd.conf
enable hostapd.service:
systemctl enable hostapd.service
systemctl start hostapd
Now you should see your wifi, but you won’t get an IP address because dhcp is not ready yet.
- Build Nethserver-WebContentfilter stuff
download src rpms:
wget -c http://mirrorlist.nethserver.org/nethserver/7.3.1611/base/Source/SPackages/nethserver-squid-1.5.0-1.ns7.src.rpm
wget -c http://mirrorlist.nethserver.org/nethserver/7.3.1611/base/Source/SPackages/nethserver-squidguard-1.6.0-1.ns7.src.rpm
wget -c https://www.urlfilterdb.com/files/downloads/ufdbGuard-1.32.4.src.rpm
nethserver-squid:
rpmbuild --rebuild nethserver-squid-1.5.0-1.ns7.src.rpm
yum install /root/rpmbuild/RPMS/noarch/nethserver-squid-1.5.0-1.el7.centos.noarch.rpm
ufdbguard:
yum install bzip2-devel
create user ufdb - without this user the RPM will not be packed - why???
useradd -r ufdb -d /var/ufdbguard -M -s /sbin/nologin
rpmbuild --rebuild ufdbGuard-1.32.4.src.rpm
yum install /root/rpmbuild/RPMS/armv7hl/ufdbGuard-1.32.4-CentOS7.armv7hl.rpm
nethserver-squidguard:
rpmbuild --rebuild nethserver-squidguard-1.6.0-1.ns7.src.rpm
yum install /root/rpmbuild/RPMS/noarch/nethserver-squidguard-1.6.0-1.el7.centos.noarch.rpm
- Log in to the NethServer web interface
set wlan0 to green network
set eth0 to red network
configure dhcp for wlan0
configure web-proxy
configure web-contentfilter
Okay, I tested the filter a little bit:
ufdbguard is not working correctly. I’m using shalla as blacklist and no listed domain is blocked.
There must be a problem deeper inside. I’ll investigate it later…
Okay, I checked the ufdbguard reference manual but it’s not so easy to find a starting point for debugging. Some hints would be helpful…
At the moment I’m using squid manually with debug level 5, and debugging for ufdbguard is not clear. So I’m not able to check if there is data in the blacklist database etc…
Hi @denis.robel, great work!
Unfortunately there is no official epel for arm; here are unsigned packages built by the CentOS arm-interest group.
http://armv7.dev.centos.org/repodir/epel-pass-1/hostapd/
That is odd, I will try to build it in mock at Christmas.
I don’t know much about ufdbguard, so I can’t help you right now…
I don’t know if it helps, but I see more configuration files pointing to /usr/lib64/…
Okay, the path problem seems to be a general problem for arm…
But maybe the config template for ufdbguard is for a wrong version?
I’m using ufdbguard 1.32.4 and the nethserver-squidguard is working with which version of ufdbguard???