Can't access Web Content Filter

webfilter
v7

(Vlad) #1

NethServer Version: 7.3
Module: Web Content Filter

Unable to access this module configuration. I tried removing and reinstalling the package, nothing. Tried restoring to a configuration from when it was working great, and still cannot access it. There is nothing in the documentation about how to delete/clean/reset/reload the content filter settings. Any ideas, friends?

Best Regards,
Vlad


(Markus Neuberger) #2

Hi @Vlad,

Do you see any errors in /var/log/messages?
You may update your system to 7.4.

A config change rewrites the config files based upon the following db entries:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/content_filter.html
http://docs.nethserver.org/projects/nethserver-devel/en/v7/databases.html

Here is my config for comparison:

[root@server ~]# db contentfilter show
default=filter
    BlackList=enabled
    BlockAll=disabled
    BlockBuiltinRules=disabled
    BlockFileTypes=disabled
    BlockIpAccess=disabled
    Categories=anonvpn,costtraps,gamble,spyware
    Description=Default filter
    Removable=no
    WhiteList=enabled
default_profile=profile
    Description=Default profile
    Filter=filter;default
    Removable=no
[root@server ~]# config show squidguard
squidguard=configuration
    BlockedFileTypes=
    CustomListURL=
    DomainBlacklist=
    DomainWhitelist=
    Expressions=enabled
    IdleChildren=5
    Lists=shalla
    MaxChildren=20
    RedirectUrl=
    RedirectUrlHTTPS=blocked.nethserver.org:443
    StartupChildren=5
    UrlBlacklist=
    UrlWhitelist=

(Vlad) #3

I decided to start from scratch with Nethserver 7.4 and just configured:
AD
Firewall Rules
Firewall Objects
OpenVpn Roadwarrior
Static Routes
Network Interfaces
and even without configuring Content Filter it takes a long time to load. There’s no squid log yet.


(Markus Neuberger) #4

The original problem was no access to content filter module and now it’s slow access? Or does it take a long time to load a website from a client? Do you have enough RAM?
What if you open the Content Filter Module immediately after installing? Maybe one of the other settings “slows down” the Content Filter…


(Vlad) #5

The original problem was a timeout trying to access https://x.x.x.x:980/en-US/ContentFilter. Since the reinstall, it takes a long time to finally access it, and longer (or it times out) when trying to configure profiles. I have 0.9/8GB of free RAM. I’d like to find out which setting/module is slowing down the content filter.


(Markus Neuberger) #6

Me too. If there are timeouts or something like that, maybe you will find some errors in /var/log/messages.

Please post some details about your configuration. It may help to find the error. Maybe some firewall rules block some blacklist download…

You could try to revert your settings already done step by step and check if Content Filter access is working again.


(Vlad) #7

Sorry, I will get you those conf details in the morning. Do you think it’s normal that I have 0.8 GB of RAM free after these modules are active? I think it will get messy once some 50 something users start connecting to the proxy.


(Markus Neuberger) #8

I have more services running with only 6 GB, so you may try to identify the RAM eaters:

ps aux --sort=%mem

gives you a sorted list of processes using RAM so the processes at the bottom of the list use the most RAM.


(Vlad) #9

After I disabled the clamav I got this on the bottom:

root 1390 0.0 0.1 368812 15336 ? Ss 21:48 0:00 /usr/sbin/httpd -DFOREGROUND
srvmgr 3124 0.0 0.1 487536 15576 ? S 21:51 0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12
srvmgr 3126 0.0 0.2 488048 16064 ? S 21:51 0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12
srvmgr 2507 0.0 0.2 489688 17696 ? S 21:48 0:00 /usr/sbin/httpd -f /etc/httpd/admin-conf/httpd.conf -c MaxConnectionsPerChild 12
root 1374 0.0 0.2 562276 18660 ? Ssl 21:48 0:00 /usr/bin/python -Es /usr/sbin/tuned -l -P
srvmgr 1048 0.0 0.2 181804 19144 ? Ss 21:48 0:00 /usr/bin/perl /usr/libexec/nethserver/smwingsd
gdm 2940 0.0 0.2 1156080 20272 ? Sl 21:48 0:00 /usr/libexec/gnome-settings-daemon
squid 2684 0.0 0.2 115420 21968 ? S 21:48 0:00 (squid-1) -f /etc/squid/squid.conf
root 2845 0.0 0.3 246160 24044 tty1 Ssl+ 21:48 0:00 /usr/bin/X :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/auth-for
root 3675 0.1 0.3 97028 27888 ? S 22:22 0:00 /usr/bin/perl /usr/libexec/nethserver/list-group-members -s internet-limited
root 3691 0.6 0.3 200656 28040 ? S 22:23 0:00 /usr/bin/perl /usr/libexec/nethserver/list-users
root 1180 0.0 0.3 264724 28756 ? S 21:48 0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
gdm 2884 0.1 1.2 1749460 94728 ? Sl 21:48 0:02 /usr/bin/gnome-shell
ufdb 1414 0.0 1.2 1425780 100444 ? Ssl 21:48 0:00 /usr/sbin/ufdbguardd -U ufdb -c /etc/ufdbguard/ufdbGuard.conf

Now with 5.8/8 GB free it still takes 3-5 minutes to edit just one content filter.


(Markus Neuberger) #10

OK, it’s not the RAM. In the web UI you have a log viewer. Please check your logs for errors. You may try to undo your settings, or start the install from scratch and set up Content Filter first to see if it works without the other settings.


(Vlad) #11

OK, I get a lot of these errors:

Dec 3 03:33:18 Nethserver kernel: pcieport 0000:00:1c.0: AER: Corrected error received: id=00e0
Dec 3 03:33:18 Nethserver kernel: pcieport 0000:00:1c.0: PCIe Bus Error: severity=Corrected, type=Data Link Layer, id=00e0(Receiver ID)
Dec 3 03:33:18 Nethserver kernel: pcieport 0000:00:1c.0: device [8086:a115] error status/mask=00000040/00002000
Dec 3 03:33:18 Nethserver kernel: pcieport 0000:00:1c.0: [ 6] Bad TLP
Dec 3 03:33:19 Nethserver kernel: pcieport 0000:00:1c.0: AER: Corrected error received: id=00e0
Dec 3 03:33:19 Nethserver kernel: pcieport 0000:00:1c.0: PCIe Bus Error: severity=Corrected, type=Data Link Layer, id=00e0(Receiver ID)
Dec 3 03:33:19 Nethserver kernel: pcieport 0000:00:1c.0: device [8086:a115] error status/mask=00000040/00002000
Dec 3 03:33:19 Nethserver kernel: pcieport 0000:00:1c.0: [ 6] Bad TLP
Dec 3 03:33:21 Nethserver kernel: pcieport 0000:00:1c.0: AER: Corrected error received: id=00e0
Dec 3 03:33:21 Nethserver kernel: pcieport 0000:00:1c.0: PCIe Bus Error: severity=Corrected, type=Data Link Layer, id=00e0(Receiver ID)
Dec 3 03:33:21 Nethserver kernel: pcieport 0000:00:1c.0: device [8086:a115] error status/mask=00000040/00002000
Dec 3 03:33:21 Nethserver kernel: pcieport 0000:00:1c.0: [ 6] Bad TLP
Dec 3 03:33:30 Nethserver kernel: pcieport 0000:00:1c.0: AER: Corrected error received: id=00e0
Dec 3 03:33:30 Nethserver kernel: pcieport 0000:00:1c.0: PCIe Bus Error: severity=Corrected, type=Data Link Layer, id=00e0(Receiver ID)
Dec 3 03:33:30 Nethserver kernel: pcieport 0000:00:1c.0: device [8086:a115] error status/mask=00000040/00002000

The issue is absolutely related to the Active Directory connection. In the “Users and Groups” module it would display the Groups tab empty, and as soon as I removed the AD in the “Account Provider” tab, the Content Filter responded well.
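
Added example, not part of the original thread: a small shell function that condenses AER reports like the ones posted above into one line per PCIe port and error name, so a steady stream of corrected errors from a single port stands out. The sample log is constructed in the posted format (the hostname `host` is a placeholder), and the patterns assume that kernel message format.

```shell
#!/bin/sh
# Added example: summarise PCIe AER reports read from a syslog stream on stdin.
# Output, tab-separated, one line per device and error name:
#   device  reports  severity  layer  error  count  first-seen  last-seen
aer_summary() {
  awk '
    !/ kernel: pcieport / { next }
    {
      for (i = 1; i <= NF; i++)
        if ($i == "pcieport") { dev = $(i + 1); sub(/:$/, "", dev); break }
      ts = $1 " " $2 " " $3
      if (!(dev in first)) first[dev] = ts
      last[dev] = ts
    }
    /AER: [A-Za-z]+ error received/ { reports[dev]++ }
    /PCIe Bus Error: severity=/ {
      s = $0; sub(/.*severity=/, "", s); sub(/,.*/, "", s); sev[dev] = s
      t = $0; sub(/.*type=/, "", t); sub(/,.*/, "", t); layer[dev] = t
    }
    /: \[ *[0-9]+\] / {            # status-bit line such as "[ 6] Bad TLP"
      n = $0; sub(/.*\] */, "", n); names[dev SUBSEP n]++; named[dev] = 1
    }
    function row(d, e, c) {
      printf "%s\t%d\t%s\t%s\t%s\t%d\t%s\t%s\n",
             d, reports[d], sev[d], layer[d], e, c, first[d], last[d]
    }
    END {
      for (k in names) { split(k, p, SUBSEP); row(p[1], p[2], names[k]) }
      for (d in reports) if (!(d in named)) row(d, "-", 0)
    }
  ' | sort
}

# Constructed sample in the format of the lines posted above.
SAMPLE_LOG='Dec 3 03:33:18 host kernel: pcieport 0000:00:1c.0: AER: Corrected error received: id=00e0
Dec 3 03:33:18 host kernel: pcieport 0000:00:1c.0: PCIe Bus Error: severity=Corrected, type=Data Link Layer, id=00e0(Receiver ID)
Dec 3 03:33:18 host kernel: pcieport 0000:00:1c.0: device [8086:a115] error status/mask=00000040/00002000
Dec 3 03:33:18 host kernel: pcieport 0000:00:1c.0: [ 6] Bad TLP
Dec 3 03:33:19 host squid[2684]: unrelated line
Dec 3 03:33:21 host kernel: pcieport 0000:00:1c.0: AER: Corrected error received: id=00e0
Dec 3 03:33:21 host kernel: pcieport 0000:00:1c.0: PCIe Bus Error: severity=Corrected, type=Data Link Layer, id=00e0(Receiver ID)
Dec 3 03:33:21 host kernel: pcieport 0000:00:1c.0: [ 6] Bad TLP'
printf '%s\n' "$SAMPLE_LOG" | aer_summary
```

On the server itself the same function can be fed the live log with `aer_summary < /var/log/messages`.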


(Markus Neuberger) #12

Do you use local AD DC or do you join to a remote AD?


(Vlad) #13

I manage a remote AD.


(Markus Neuberger) #14

To which AD server do you join? Windows Server? Another NethServer?


(Vlad) #15

Windows 2016 Server


(Markus Neuberger) #16

I’ll try your scenario when I find time.

If you join to AD, what is the result of the command “account-provider-test”?

Did you follow these steps:

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain


(Markus Neuberger) #17

I tried it now: I installed a Windows Server 2016 in a VM, updated, set up static IP + AD + DNS, created AD winuser and joined from a NethServer via GUI. I did unbind and rejoin without problems.

Join:

Domain Accounts:

NetBIOS domain name: TEST
LDAP server: 192.168.1.121
LDAP server name: winserver16.test.local
Realm: TEST.LOCAL
Bind Path: dc=TEST,dc=LOCAL
LDAP port: 389
Server time: Sun, 03 Dec 2017 23:00:30 CET
KDC server: 192.168.1.121
Server time offset: 0
Last machine account password change: Sun, 03 Dec 2017 22:59:56 CET

Join is OK
whenCreated: 20171203213808.0Z
whenChanged: 20171203215956.0Z
name: TESTSERVER
lastLogon: 131568120308639667
pwdLastSet: 131568119964261922
objectSid: S-1-5-21-1273278945-113475351-913748943-1104
accountExpires: 9223372036854775807
sAMAccountName: TESTSERVER$
dNSHostName: testserver.test.local
servicePrincipalName: HOST/testserver.test.local
servicePrincipalName: HOST/TESTSERVER

Account provider:

Windows AD User winuser is there:

Account provider test dump:

[root@testserver ~]# account-provider-test dump
{
   "BindDN" : "TEST\\TESTSERVER$",
   "LdapURI" : "ldap://winserver16.test.local",
   "StartTls" : "",
   "port" : 389,
   "host" : "winserver16.test.local",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=test,DC=local",
   "GroupDN" : "DC=test,DC=local",
   "BindPassword" : "***",
   "BaseDN" : "DC=test,DC=local",
   "LdapUriDn" : "ldap:///dc%3Dtest%2Cdc%3Dlocal"
}

Maybe you could try the manual steps on command line:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-sssd.html#leave-and-re-join-active-directory

Could be a hardware problem…


(Vlad) #18

With the account-provider CLI I am getting:

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 710, v3839

I will try the CLI steps tomorrow morning and let you know right away.


(Vlad) #19

Fixed! After I changed the PCIe network card to the x16 bus I no longer receive the errors.
And the domain issue was because NethServer was using its local dnsmasq server to resolve the DC, since in this new setup I hadn’t set up the Network DNS yet. The Diagnostic nslookup is correct now, the Group list populated correctly, and the Content Filter has no issues now. Thanks for all the help, Markus.