Web Content Filter - Default Override

Vlad · August 30, 2018, 4:38pm

NethServer Version: 7.5
Module: webfilter

I wish to block all access except for selected windows directory groups. I created 3 profiles and 3 filters for 3 ad groups however what I select on the default filter overrides everything I do on the other filters.
If I block everything on the default filter and allow all on a filter ‘internet-f’, members of a group assigned to that filter are still completely blocked.

I check the user list /usr/libexec/nethserver/ufdbguard-list-group-members internet-f and the user is displayed in that group. and the squid log, says the user is authenticated.

What can I do?

robb · August 30, 2018, 7:13pm

Change the order of your filters. AFAIK filtering is first comes, first takes. So if you first block everything, that block will be active.

Vlad · August 31, 2018, 1:54am

Yes, I had to the change the ‘default’ name since the order is alphabetical, but that was it. Thank you.

On another note, since it’s related to the content filter, on this new server that I installed with version 7.5, I am getting the message:
neth-srv ufdb: malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before "(end of string)") at /usr/libexec/nethserver/ufdbguard-list-group-members line 31.

Maybe it’s related to the group members, but it’s funny that on another nethserver that was updated to 7.5 joined to the same ad, this error is not showing.

After further testing, Changing the first letter of the profile in order to lower its priority only works until server/service is restarted. after that the Default profile is brought back. any other ideas?

Vlad · February 25, 2019, 7:19pm

Sam problem here, it’s been almost a year, and this still bugs me. if the server is restarted the default filter will apply to all groups, even though they have higher priority first letter.

federico.ballarini · February 25, 2019, 9:38pm

Hi @Vlad
I think it’s enough that you rename profile with an a_ before the name. It will be applied before the “Default” profile.

pike · February 26, 2019, 9:21am

Did you verify what there’s on that line of the file?

Vlad · February 26, 2019, 1:24pm

I have already done this. the default profile is the last one in the list. the problem is when restart the server. for around 1 hour, every time an user accessed the proxy it would display “default filter” then after some time it would display the correct filters.

this is inside that file:
my $members = decode_json(/usr/libexec/nethserver/list-group-members -s $ARGV[0]);
foreach my $user (@$members) {
print “$user\n”;
}

The “Users and groups” in the gui always loads all the users and groups in the ad, but it’s very slow to load. as well in the “web content filter” it takes like 20 seconds or more to load with some 300 users in the ad.

federico.ballarini · February 26, 2019, 1:33pm

I think the problem is not due to filters name. Can you try to reboot server and then restart squid?
Do this after server has completed bootup (you can check this with systemd-analyze command).

Vlad · February 26, 2019, 2:31pm

Well right now it’s production time, and this happens every time the server is restarted, so i can’t risk 1 hour downtime on the server.

federico.ballarini · February 26, 2019, 2:48pm

Ok. Wait for your feedback in next hours.