Web filter not working with profiles configured for a group

Hi.

I’ve been using authenticated proxy with profiles configured for each group. For example:

Profile name: partners
Who: partners@mydomain.com
What: partners_filter
When: Always

This has been working as it should, until I updated the server from 7.2 to 7.3 with “yum update”.

Since the update, when a user tries to connect to a web page the proxy won’t use the group profile, but instead it uses the “default” profile:

2017-01-19 09:12:22 [12791] BLOCK ljperez 192.168.1.67 default none self-repair.mozilla.org:443 CONNECT

And since my default profile blocks everything, all users are blocked from the internet.

After some tests I realized the filter works if I create a specific profile for the user. A dedicated profile for every user in the system.

This is very unproductive. I need to manage my filters on a group basis, so I just have to add or remove users from groups.

Is this a bug? Or maybe there is something wrong with my config?

Thank you.

2 Likes

It may be a bug.
In 7.2 we created web filter groups as “userlist”, exploding all group members. This had the drawback that lists had to be exploded from time to time.
In 7.3 we rely on the system group so that group modifications take effect immediately.
It seems that in your system group members can’t be discovered.
Please check /etc/ufdbguard/ufdbGuard.conf for the group definition.
Then check user membership. Using the above info you provided:
id ljperez
It should be a member of the right group.

In ufdbGuard.conf I can see the group:

src src_somegorupprofile {
    unix group "somegroup@mydomain.com"
}

That looks OK

[root@gate ~]# id ljperez
uid=1010(ljperez@mydomain.com) gid=1001 groups=1001,1004(somegroup@mydomain.com)

That also looks fine.

I tried recreating everything: profile, filter, group, user. With different names, and the problem is always with the profiles that have a group as “Who”.

I think I’ve reproduced the problem.
Please try to modify /etc/ufdbguard/ufdbGuard.conf, removing the domain part (after the @) from the unix group:

src src_somegorupprofile {
    unix group "somegroup"
}

Then restart ufdbGuard and check if everything works as expected:
systemctl restart ufdb

1 Like

That works as expected.

I only changed a test group for now. I don’t think it is a good idea to change all groups manually.

Is this going to be treated as a bug?

1 Like

Yes. I expect to have a fix tomorrow.

1 Like

Hey Carlos, thanks for catching this bug and helping @filippo_carletti verify the correct fix.
Thanks to you NethServer is getting better and better. 👍

1 Like

@Carlos_Estrada, I filed an issue and prepared a fix:

Would you mind testing my fix?

yum --enablerepo=nethserver-testing update nethserver-squidguard

Thank you.

1 Like

I applied the update and the problem seems to continue.

I created a new group, user and profile to do testing and the same problem occurs. I also tried with an existing account with the same result.

In my server, the updated package fixed the problem.
What do you see in /etc/ufdbguard/ufdbGuard.conf?

src src_somegorupprofile {
    unix group "somegroup"
}

And please check that you have the right package version:
nethserver-squidguard-1.6.1-1.2.g2e08f4a.ns7.noarch.rpm

To be sure to download the updated package you can use:
yum install http://packages.nethserver.org/nethserver/7.3.1611/testing/x86_64/Packages/nethserver-squidguard-1.6.1-1.2.g2e08f4a.ns7.noarch.rpm

My bad, I made some mistakes with the repo.

Try this:

rpm -e nethserver-squidguard
yum --enablerepo=nethserver-testing clean all
yum --enablerepo=nethserver-testing install nethserver-squidguard

Yes that was the problem. I had installed the wrong version.

Now it is working. And the file /etc/ufdbguard/ufdbGuard.conf looks OK.

Thank you. It is fixed.

2 Likes

Fix released.
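
The two checks suggested in the thread (the group definition in ufdbGuard.conf, then the user's membership from `id`) combined into one script, as an added example that is not part of the original posts or of NethServer. The function names, the sample config and the sample `id` line are constructed, and it assumes the `src` block layout shown above.

```shell
#!/bin/sh
# Added example, not NethServer or ufdbGuard code. Sample data is constructed.

# Print "<src name> <group>" for every unix group line inside a src block.
list_src_groups() {
    awk '
        /^[ \t]*src[ \t]+[^ \t{]+/ { src = $2; sub(/[{].*/, "", src); next }
        /^[ \t]*[}]/               { src = "" }
        src != "" && /^[ \t]*unix[ \t]+group[ \t]+"/ {
            split($0, q, "\"")      # q[2] is the quoted group name
            print src, q[2]
        }
    ' "$1"
}

# $1: config path, $2: one line of `id <user>` output.
# Prints "<src> <group> <form> member=<yes|no>" per entry.
audit_src_groups() {
    conf=$1
    id_line=$2
    # Names inside "(...)" after groups=, reduced to the part before "@".
    user_groups=$(printf '%s\n' "$id_line" | sed 's/.*groups=//' | tr ',' '\n' |
        sed -n 's/.*(\([^)]*\)).*/\1/p' | sed 's/@.*//')
    list_src_groups "$conf" | while read -r src group; do
        case $group in
            *@*) form=domain-suffixed ;;   # form the thread had to strip by hand
            *)   form=short ;;
        esac
        member=no
        for g in $user_groups; do
            if [ "$g" = "${group%%@*}" ]; then member=yes; fi
        done
        printf '%s %s %s member=%s\n' "$src" "$group" "$form" "$member"
    done
}

# Constructed sample: one entry in each form, and an id line shaped like the thread's.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
src src_partners {
    unix group "partners@mydomain.com"
}
src src_staff {
    unix group "staff"
}
EOF
audit_src_groups "$sample_conf" \
    'uid=1010(ljperez@mydomain.com) gid=1001 groups=1001,1004(partners@mydomain.com)'
rm -f "$sample_conf"
```

An entry reported as `domain-suffixed` with `member=yes` matches the situation in the thread: the system resolves the membership, but the config names the group with its domain part.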