Build web filter modules for ARM

Hello,

I want to set up a router with a Raspi 3 for my kids. Is it possible that some of the specialists here can check if the web filter modules can be built for ARM?

I’ve got ns running on my raspi 3. Now I want to install hostapd for the wifi and next step would be the web filter…

with warm regards from cold Leipzig

Denis

1 Like

Hello,

In the meantime I’ve got hostapd working and I’m able to connect to the Raspi, which is now the access point for wifi.

To get hostapd running from source I followed this small howto:

http://jasonmaur.com/hostapd-centos-6/

I need to check the hostapd.service file, at the moment I’m starting the service with an old init script.

When starting via systemd I get an error message from systemd: Failed to execute operation: Bad message

Now I will check if I can configure a webfilter manually…

Denis

1 Like

Okay, I built it myself.

Now I have an NS7 access point on the Raspi 3 :slight_smile:

1 Like

Hello,

so I’m running into problems with squid:
The error is: The ssl_crtd helpers are crashing too rapidly, need help!

How can I fix that? I didn’t find any solution for that problem.

Look for errors in /var/log/squid/cache.log.
As a workaround, select Transparent in the Proxy configuration page.

1 Like

Hello Filipo,

thanks for your hint. When I select Transparent, squid is working but there is no content filter…

I found the following error in cache.log:
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

and I checked that the directory /var/lib/ssl_db does not exist…

But I’m not so deep in that stuff; it seems that the problem has something to do with SSL certificates for squid.

Okay, I managed it:

/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

chown -R squid:squid /var/lib/ssl_db

but the filter isn’t working…

Hello,

a short /etc/init.d/ufdb testconfig

shows the reason for the problem:

FATAL ERROR: line 293: "aggressive" is a keyword and must be surrounded by quotes in configuration file /etc/ufdbguard/ufdbGuard.conf  *****

I’m using the blacklist from shalla…

A workaround is to disable the filter category aggressive, or to hack the template file for ufdbGuard.conf so that all categories in the ACL are in double quotes.

acl {


    default {
        pass !security !in-addr !files !builtin !"aggressive" !alcohol !banking !costtraps !dating !drugs !gamble !insurance !lingerie !porn !redirector !socialnet !spyware !violence !warez !weapons all
        redirect http://192.168.179.1/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
    }

}

After changing !aggressive to !"aggressive" all is working fine. Maybe it helps NethServer development.

regards from Leipzig

Denis

1 Like
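The quoting workaround from the post above, as an added example that is not part of the original post or of the NethServer templates: one function reports unquoted category names on `pass` lines, the other rewrites those lines with every category quoted. The function names are made up here, and treating `all`, `any` and `none` as keywords that stay unquoted is an assumption.

```shell
# Added example (not NethServer code). Both functions read a ufdbGuard.conf on stdin.

# Report "LINE:NAME" for every category on a pass line that is not quoted.
list_unquoted_categories() {
    awk '
    $1 == "pass" {
        for (i = 2; i <= NF; i++) {
            tok = $i
            sub(/^!/, "", tok)
            # Assumption: all, any and none are keywords, not category names.
            if (tok !~ /^".*"$/ && tok != "all" && tok != "any" && tok != "none")
                print NR ":" tok
        }
    }'
}

# Rewrite pass lines so that every category is quoted; other lines pass through.
quote_pass_categories() {
    awk '
    $1 == "pass" {
        match($0, /^[ \t]*/)                      # keep the original indentation
        line = substr($0, 1, RLENGTH) "pass"
        for (i = 2; i <= NF; i++) {
            tok = $i; neg = ""
            if (substr(tok, 1, 1) == "!") { neg = "!"; tok = substr(tok, 2) }
            gsub(/"/, "", tok)                    # drop existing quotes first
            if (tok != "all" && tok != "any" && tok != "none")
                tok = "\"" tok "\""
            line = line " " neg tok
        }
        print line
        next
    }
    { print }'
}

# Usage:
#   list_unquoted_categories < /etc/ufdbguard/ufdbGuard.conf
#   quote_pass_categories < /etc/ufdbguard/ufdbGuard.conf > /tmp/ufdbGuard.conf.quoted
```

On NethServer the file is generated from a template, so a rewritten copy is only useful for testing; the lasting fix belongs in the template.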

It’s such a pity: after putting the Raspi in the new housing I cracked the SD card.

This morning I was surprised that the Raspi wouldn’t start. I checked all parts and the reason was clear :frowning:

Now I can start again from the beginning because yesterday I didn’t make a backup…

This command is automatically run when you save the configuration, see /etc/e-smith/events/actions/nethserver-squid-conf.
The problem is that the ARM squid package has a different path:

  1. x86 = /usr/lib64/squid/ssl_crtd
  2. arm = /usr/lib/squid/ssl_crtd

Luckily, nethserver-squid-conf is the only place where ssl_crtd is called, so we may have a fix by trying both paths.
I’ll create a pull request, it may be accepted.

My mistake, I fixed the double quotes issue only partially.
PR: Fix quotes in profiles categories names. NethServer/dev#5171 by filippocarletti · Pull Request #9 · NethServer/nethserver-squidguard · GitHub

Thank you very much for your findings, really helpful.

1 Like
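The fallback across both helper paths, combined with the one-time database initialisation from earlier in the thread, as an added example that is not part of the original posts and not the code of nethserver-squid-conf. The function names and the optional owner argument are made up for illustration.

```shell
# Added example (not NethServer code).
# Helper locations named in the thread: x86 first, then ARM.
SSL_CRTD_CANDIDATES="/usr/lib64/squid/ssl_crtd /usr/lib/squid/ssl_crtd"

# Print the first executable helper among the given paths; return 1 if none exists.
find_ssl_crtd() {
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Create the certificate database unless the directory is already there.
# $1 = helper path, $2 = database directory, $3 = owner (optional, e.g. squid:squid)
init_ssl_db() {
    helper=$1 db=$2 owner=${3:-}
    if [ -d "$db" ]; then
        return 0                      # leave an existing database untouched
    fi
    "$helper" -c -s "$db" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$db"
    fi
}

# Usage as root on the router:
#   helper=$(find_ssl_crtd $SSL_CRTD_CANDIDATES) || echo "ssl_crtd not found" >&2
#   init_ssl_db "$helper" /var/lib/ssl_db squid:squid
```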

@denis.robel, may I ask you a favor when you have your RPI online again?
Instead of running /usr/lib/squid/ssl_crtd to create the cert dir, modify /etc/squid/squid.conf where it says:
https_port 3130 intercept ssl-bump generate-host-certificates=on ...
with
https_port 3130 intercept ssl-bump generate-host-certificates=off ...

I’ve tested it on Intel x86 and it seems to work, even if squid manual says the opposite (but someone has filed a documentation bug).

1 Like

Okay I’ve got a new SD-Card :slight_smile: and I’ll try it again.

Before I compile hostapd from source: is there an RPM for CentOS 7 with a systemd startup script available? The same is necessary for ufdbguard.
It would be more consistent to start hostapd and ufdbguard via systemd instead of old init scripts.

Can somebody provide me with the systemd unit scripts or assist me in creating the scripts?
The main problem is to define the start dependencies for the services…

Because I know that my project will work, I’m writing documentation in parallel with my installation so that the doc team can use it for a howto.

with warm regards

Denis

2 Likes

hostapd comes from epel repo, so you should simply type:
yum install hostapd
unless epel for arm still doesn’t contain the rpm. We may signal hostapd maintainer.
I’ll try to rebuild my RPI after we release NethServer 7 final.

Regarding ufdbguard, we could ask the author (Marcus), but I’m not sure he wants to maintain one more package.
You should be able to build from the srpm, I can help.

There is a src rpm available for Centos7

wget -c https://www.urlfilterdb.com/files/downloads/ufdbGuard-1.32.4.src.rpm

but it uses an old init script, not a systemd service. I was able to compile the src rpm, that’s no problem.

But as far as I know, in CentOS 7 systemd is the new standard…

For hostapd I will check if I can compile from the src rpm…

Don’t worry about systemd, it can handle old sysv initscripts.
I agree with you that a systemd unit file would be better, we could probably build one as a future improvement.

I know that systemd can handle sysv init scripts …
But I’m a German and all things should be in a clear structure :wink:

2 Likes

Well, I edited /etc/e-smith/templates/etc/squid/squid.conf/40ports as you suggested and now it’s working well.

Okay, here I am again with my documentation to set up a NethServer 7 based router with a Raspi 3:

  1. Install CentOS 7 on the Raspi following the NethServer howto:

http://wiki.nethserver.org/doku.php?id=ns_raspi2

ON FIRST BOOT CHANGE ROOT PASSWORD!!!

  2. Install MC --> I’m not a fan of vi/vim

yum install mc

  3. Change CPU frequency to 1000 MHz - for faster compiling

mcedit /boot/config.txt

systemctl reboot

  4. Install NethServer

yum -y update
yum clean all

new nsswitch.conf is created as nsswitch.conf.rpmnew

cp /etc/nsswitch.conf.rpmnew /etc/nsswitch.conf
yum localinstall http://mirror.framassa.org/nethserver-arm/nethserver-release-7arm.rpm
nethserver-install

  5. Install Development Tools

yum groupinstall "Development Tools"
yum install nethserver-devtools

  6. Enable wifi as described in /root/README

curl --location https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm80211/brcm/brcmfmac43430-sdio.bin > /usr/lib/firmware/brcm/brcmfmac43430-sdio.bin
curl --location https://github.com/RPi-Distro/firmware-nonfree/raw/master/brcm80211/brcm/brcmfmac43430-sdio.txt > /usr/lib/firmware/brcm/brcmfmac43430-sdio.txt

systemctl reboot

  7. Install hostapd:

yum install libnl3-devel
yum install openssl-devel

download the hostapd source RPM from EPEL

wget -c http://dl.fedoraproject.org/pub/epel/7/SRPMS/h/hostapd-2.4-3.el7.src.rpm
rpmbuild --rebuild hostapd-2.4-3.el7.src.rpm

yum install /root/rpmbuild/RPMS/armv7hl/hostapd-2.4-3.el7.centos.armv7hl.rpm

edit /etc/hostapd/hostapd.conf

########################################################################################################### begin hostapd.conf 
#
# This will give you a minimal, insecure wireless network.
# 
# DO NOT BE SATISFIED WITH THAT!!!
#
# A complete, well commented example configuration file is
# available here:
#
#       /usr/share/doc/hostapd/hostapd.conf
#
# For more information, look here:
#
#       http://wireless.kernel.org/en/users/Documentation/hostapd
#

ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

# Some usable default settings...
# macaddr_acl will be managed from dhcp ...
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

# Uncomment these for base WPA & WPA2 support with a pre-shared key
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

# DO NOT FORGET TO SET A WPA PASSPHRASE!!
wpa_passphrase=YOURSECRETPASSWORD

# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211

# Customize these for your local configuration...
interface=wlan0
hw_mode=g
channel=1
ssid=YOURSSID
########################################################################################################## end hostapd.conf 

enable hostapd.service:

systemctl enable hostapd.service

systemctl start hostapd

Now you should see your wifi, but you won’t get an IP address because DHCP is not ready yet.

  8. Build NethServer web content filter stuff

download src rpms:

wget -c http://mirrorlist.nethserver.org/nethserver/7.3.1611/base/Source/SPackages/nethserver-squid-1.5.0-1.ns7.src.rpm
wget -c http://mirrorlist.nethserver.org/nethserver/7.3.1611/base/Source/SPackages/nethserver-squidguard-1.6.0-1.ns7.src.rpm
wget -c https://www.urlfilterdb.com/files/downloads/ufdbGuard-1.32.4.src.rpm

nethserver-squid:
rpmbuild --rebuild nethserver-squid-1.5.0-1.ns7.src.rpm
yum install /root/rpmbuild/RPMS/noarch/nethserver-squid-1.5.0-1.el7.centos.noarch.rpm

ufdbguard:
yum install bzip2-devel
create user ufdb - without this user the RPM will not be packed - why???
useradd -r ufdb -d /var/ufdbguard -M -s /sbin/nologin
rpmbuild --rebuild ufdbGuard-1.32.4.src.rpm
yum install /root/rpmbuild/RPMS/armv7hl/ufdbGuard-1.32.4-CentOS7.armv7hl.rpm

nethserver-squidguard:
rpmbuild --rebuild nethserver-squidguard-1.6.0-1.ns7.src.rpm
yum install /root/rpmbuild/RPMS/noarch/nethserver-squidguard-1.6.0-1.el7.centos.noarch.rpm

  9. Log in to the NethServer web interface

set wlan0 to green network
set eth0 to red network

configure dhcp for wlan0

configure web-proxy
configure web-contentfilter

3 Likes
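The hostapd.conf in the howto above describes itself as minimal and insecure. As an added example, not part of the original post, this check reads a hostapd.conf and reports the WPA settings that make it so; the function name and the 12-character passphrase threshold are choices made for this example.

```shell
# Added example (not from the howto). Prints one finding per line for weak
# WPA settings in a hostapd.conf and returns 1 if anything was found.
# $1 = path to hostapd.conf
audit_hostapd_conf() {
    awk -F= '
    /^[ \t]*#/ || index($0, "=") == 0 { next }   # skip comments and blank lines
    {
        key = $1
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[key] = val
    }
    END {
        bad = 0
        if (!("wpa" in seen) || seen["wpa"] + 0 == 0) {
            print "wpa: network is open (no WPA)"; bad = 1
        } else if (seen["wpa"] + 0 != 2) {
            print "wpa=" seen["wpa"] ": WPA1 is enabled, use wpa=2"; bad = 1
        }
        if (seen["wpa_pairwise"] ~ /TKIP/ || seen["rsn_pairwise"] ~ /TKIP/) {
            print "pairwise: TKIP is allowed, use CCMP only"; bad = 1
        }
        if ("wpa_passphrase" in seen) {
            p = seen["wpa_passphrase"]
            # Assumption: 12 characters as a local minimum; WPA itself accepts 8 to 63.
            if (length(p) < 12 || p == "YOURSECRETPASSWORD") {
                print "wpa_passphrase: placeholder or shorter than 12 characters"; bad = 1
            }
        }
        exit bad
    }' "$1"
}

# Usage:
#   audit_hostapd_conf /etc/hostapd/hostapd.conf || echo "fix the findings above"
```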

Okay, I tested the filter a little bit:

ufdbguard is not working correctly. I’m using shalla as the blacklist and no listed domain gets blocked.

There must be a problem deeper inside. I’ll investigate it later…

Wow, I love your work and I’d like to also involve the @arm_team in this discussion!