[SOLVED] Web Proxy - change group user

NethServer Version: 7.9.2009
Module: Web Proxy & Filter 1.14.0

Hey guys.
I have a proxy configured in authenticated mode. I configured the rules by user group. Each group has its own rules. And the release and block rules work as they should.
The only issue that intrigues me is that if you change a user by putting them in another group, nethserver takes up to 10 minutes to update the rules and change the user’s permissions. Is there any way, or command I can run to make this change instant? If I put a user in another group, does the Proxy automatically apply the rules of the new group to the user?
Thanks in advance.

Hi and welcome to NethServer Community,

Did you try to reload/restart squid?

systemctl reload squid

Hi!
Yes, I already ran the mentioned command (systemctl reload squid) but it doesn’t update the users of the groups.
I have analyzed the log (/var/log/ufdbguard/ufdbguardd.log) and verified that this update occurs when the line below appears in the log:

2022-03-16 08:28:05 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members vestiarios"

When the above entry appears in the log, the groups are updated. This entry appears exactly every 10 minutes.

Any more ideas?

Thanks.

One more piece of information: I already restarted the ufdbGuard service, but it had no effect.

Did you use this command, systemctl reload ufdbGuard, to “restart” ufdbGuard?
(edit: correction of the command)

1 Like

When I run this command, I get an error:

[root@nethsrv ~]# systemctl reload ufdbguard
Failed to reload ufdbguard.service: Unit not found.

I restarted the service from the nethserver WEB console.

Please add

refreshuserlist 5

to /etc/ufdbguard/ufdbGuard.conf and restart the ufdbguard service.

Now it should be refreshed every 5 minutes, less isn’t possible, see ufdbguard documentation.

If this works we could fix it or create a custom template for it.

There’s a capital G:

systemctl restart ufdbGuard

1 Like

My bad, my transcription was wrong. Editing…

@mrmarkuz: could the edit you suggested be overwritten by the configuration refresh in Cockpit?

2 Likes

Good point. Yes, exactly. The ufdb config file is rewritten when saving ufdbguard settings in Cockpit. It’s just to see if it works.

1 Like

OK, the command ‘systemctl restart ufdbGuard’ did not solve it.

I added the refreshuserlist 5 to the /etc/ufdbguard/ufdbGuard.conf file and then restarted the service as indicated.

The state is now as follows: if I don’t change the user of the group, ufdbGuard updates the userlist every 5 minutes as configured. If I change a group user, it still takes 10 minutes to update the userlist.

See that when I took a user out of one group and put him in another, it took 10 minutes to update the userlist.

2022-03-16 11:19:41 [4745] execuserlist: finished retrieving userlist (1 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:19:41 [4745] execuserlist: finished retrieving userlist (1 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"

2022-03-16 11:29:10 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:29:10 [30123] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"

If I don’t change any users, the userlist update occurs every 5 minutes:

2022-03-16 11:29:15 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:29:15 [30123] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"

2022-03-16 11:34:42 [4745] execuserlist: finished retrieving userlist (2 lines in 1 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:34:42 [4745] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"

Question for @mrmarkuz: may the module create a refresh job on cron/crony?

2 Likes

As @pike mentioned, the ufdbguard config file is rewritten when a group is modified in cockpit so let’s use a custom template to make changes permanent:

Create custom template dir:

mkdir -p /etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/

Create template fragment file /etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/11userlist with the following content:

refreshuserlist 5

Apply changes:

signal-event nethserver-squidguard-update

Now the user refresh should occur every 5 minutes even when adding members to a group in cockpit.

I didn’t find a command to force ufdbguard to reread the group members, which would be needed for a cron job.

I found that there’s a (REST) API, maybe it could be used to refresh the users…

1 Like
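Until the userlist is refreshed, a user who was moved between groups keeps the old group's filter rules, so it is worth measuring the real refresh interval from the log instead of assuming it. The script below is an added example, not part of the original posts or of NethServer; it parses the execuserlist entries of /var/log/ufdbguard/ufdbguardd.log in the format quoted in this thread. The function names, the 60-second slack and the sample list (rebuilt from the timestamps and line counts posted above) are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "execuserlist: finished retrieving userlist" entries of ufdbguardd.log.
LINE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] execuserlist: finished retrieving '
    r'userlist \((\d+) lines in \d+ seconds\) generated by '
    r'"\S*/ufdbguard-list-group-members ([^"]+)"')

def parse(lines):
    """Return {group: [(timestamp, userlist_line_count), ...]} in log order."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # every other log entry is ignored
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events[m.group(3)].append((ts, int(m.group(2))))
    return events

def refresh_report(lines, limit=300, slack=60):
    """Per group: seconds between refreshes, gaps over limit+slack, count changes."""
    report = {}
    for group, ev in parse(lines).items():
        pairs = list(zip(ev, ev[1:]))
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in pairs]
        # A changed line count only hints at a membership change:
        # swapping one member for another leaves the count the same.
        changes = [(b[0].strftime("%H:%M:%S"), a[1], b[1])
                   for a, b in pairs if a[1] != b[1]]
        report[group] = {"gaps": gaps, "changes": changes,
                         "late": [g for g in gaps if g > limit + slack]}
    return report

# Sample input rebuilt from the entries posted in this thread (retrieval time set to 0).
FMT = ('2022-03-16 {} [{}] execuserlist: finished retrieving userlist '
       '({} lines in 0 seconds) generated by '
       '"/usr/libexec/nethserver/ufdbguard-list-group-members {}"')
SAMPLE = [FMT.format(*row) for row in [
    ("11:19:41", 4745, 1, "group_a"), ("11:19:41", 4745, 1, "group_b"),
    ("11:29:10", 30123, 2, "group_a"), ("11:29:10", 30123, 0, "group_b"),
    ("11:29:15", 30123, 2, "group_a"), ("11:29:15", 30123, 0, "group_b"),
    ("11:34:42", 4745, 2, "group_a"), ("11:34:42", 4745, 0, "group_b"),
]]

if __name__ == "__main__":
    for group, result in refresh_report(SAMPLE).items():
        print(group, result)
```

To check a live system, pass the open log file instead of SAMPLE, for example `refresh_report(open("/var/log/ufdbguard/ufdbguardd.log"))`; with refreshuserlist 5 in place, the "late" list should stay empty.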

Hi @mrmarkuz

I made the recommended changes below:

These changes are working! It now takes a maximum of 5 minutes to apply the new group rules to the user.

Thank you very much!

1 Like

You’re welcome.

Please mark the topic as solved. It helps others to find a solution quickly:

1 Like