dimer
(Lazie Dimer)
March 15, 2022, 8:12pm
1
NethServer Version: 7.9.2009
Module: Web Proxy & Filter 1.14.0
Hey guys.
I have a proxy configured in authenticated mode. I configured the rules by user group. Each group has its own rules. And the release and block rules work as they should.
The only issue that intrigues me is that if you change a user by putting them in another group, nethserver takes up to 10 minutes to update the rules and change the user’s permissions. Is there any way, or command I can run to make this change instant? If I put a user in another group, does the Proxy automatically apply the rules of the new group to the user?
Thanks in advance.
mrmarkuz
(Markus Neuberger)
March 15, 2022, 9:27pm
2
Hi and welcome to NethServer Community,
Did you try to reload/restart squid?
systemctl reload squid
dimer
(Lazie Dimer)
March 16, 2022, 11:41am
3
Hi!
Yes, I already ran the mentioned command (systemctl reload squid) but it doesn’t update the users of the groups.
I have analyzed the log (/var/log/ufdbguard/ufdbguardd.log) and verified that this update occurs when the line below appears in the log:
2022-03-16 08:28:05 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members vestiarios"
When the above entry appears in the log, the groups are updated. This entry appears exactly every 10 minutes.
Any more ideas?
Thanks.
dimer
(Lazie Dimer)
March 16, 2022, 11:49am
4
One more piece of information: I already restarted the ufdbGuard service, but it had no effect.
pike
(Michael Kicks)
March 16, 2022, 12:11pm
5
Did you use this command systemctl reload ufdbGuard
to “restart” ufdbGuard?
(edit: correction of the command)
1 Like
dimer
(Lazie Dimer)
March 16, 2022, 1:20pm
6
When I run this command, I get an error:
[root@nethsrv ~]# systemctl reload ufdbguard
Failed to reload ufdbguard.service: Unit not found.
I restarted the service from the nethserver WEB console.
mrmarkuz
(Markus Neuberger)
March 16, 2022, 1:24pm
7
Please add
refreshuserlist 5
to /etc/ufdbguard/ufdbGuard.conf
and restart the ufdbguard service.
Now it should be refreshed every 5 minutes, less isn’t possible, see ufdbguard documentation.
If this works we could fix it or create a custom template for it.
There’s a capital G:
systemctl restart ufdbGuard
1 Like
pike
(Michael Kicks)
March 16, 2022, 1:33pm
8
mrmarkuz:
There’s a capital G:
My bad, my transcription was wrong. Editing…
@mrmarkuz: could the edit you suggested be overwritten by the configuration refresh in Cockpit?
2 Likes
mrmarkuz
(Markus Neuberger)
March 16, 2022, 1:37pm
9
Good point. Yes, exactly. The ufdb config file is rewritten when saving ufdbguard settings in Cockpit. It’s just to see if it works.
1 Like
dimer
(Lazie Dimer)
March 16, 2022, 2:29pm
10
mrmarkuz:
Please add
refreshuserlist 5
to /etc/ufdbguard/ufdbGuard.conf
and restart the ufdbguard service.
Now it should be refreshed every 5 minutes, less isn’t possible, see ufdbguard documentation.
If this works we could fix it or create a custom template for it.
There’s a capital G:
systemctl restart ufdbGuard
OK, the command ‘systemctl restart ufdbGuard’ did not solve it.
I added the refreshuserlist 5
to the /etc/ufdbguard/ufdbGuard.conf
file and then restarted the service as indicated.
The state is now as follows: if I don’t change the user of the group, ufdbGuard updates the userlist every 5 minutes as configured. If I change a group user, it still takes 10 minutes to update the userlist.
dimer
(Lazie Dimer)
March 16, 2022, 2:36pm
11
See that when I took a user out of one group and put him in another, it took 10 minutes to update the userlist.
2022-03-16 11:19:41 [4745] execuserlist: finished retrieving userlist (1 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:19:41 [4745] execuserlist: finished retrieving userlist (1 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
2022-03-16 11:29:10 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:29:10 [30123] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
If I don’t change any users, the userlist update occurs every 5 minutes:
2022-03-16 11:29:15 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:29:15 [30123] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
2022-03-16 11:34:42 [4745] execuserlist: finished retrieving userlist (2 lines in 1 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:34:42 [4745] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
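One way to measure the refresh lag from the log excerpts in the post above (an added example, not part of the thread and not NethServer or ufdbGuard code): it parses the execuserlist entries and reports, per group, the longest gap between refreshes and the gap that preceded each change in member count. The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Sample lines copied from the ufdbguardd.log excerpts in the post above.
SAMPLE_LOG = """\
2022-03-16 11:19:41 [4745] execuserlist: finished retrieving userlist (1 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:19:41 [4745] execuserlist: finished retrieving userlist (1 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
2022-03-16 11:29:10 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:29:10 [30123] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
2022-03-16 11:29:15 [30123] execuserlist: finished retrieving userlist (2 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:29:15 [30123] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
2022-03-16 11:34:42 [4745] execuserlist: finished retrieving userlist (2 lines in 1 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_a"
2022-03-16 11:34:42 [4745] execuserlist: finished retrieving userlist (0 lines in 0 seconds) generated by "/usr/libexec/nethserver/ufdbguard-list-group-members group_b"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\d+\] execuserlist: '
    r'finished retrieving userlist \((?P<n>\d+) lines in \d+ seconds\) '
    r'generated by "\S+ufdbguard-list-group-members (?P<group>[^"]+)"'
)

def parse_refreshes(text):
    """Return {group: [(timestamp, member_count), ...]} in log order."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # other ufdbguardd.log entries are ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.setdefault(m["group"], []).append((ts, int(m["n"])))
    return out

def membership_changes(refreshes):
    """(group, old_count, new_count, gap_seconds) for each refresh where the
    count changed. A swap that keeps the count equal is not visible here."""
    changes = []
    for group, events in refreshes.items():
        for (t0, n0), (t1, n1) in zip(events, events[1:]):
            if n0 != n1:
                changes.append((group, n0, n1, int((t1 - t0).total_seconds())))
    return changes

def max_gap_seconds(refreshes):
    """Longest interval between consecutive refreshes per group: the
    worst-case time a moved user keeps the old group's filter rules."""
    return {g: max((int((b[0] - a[0]).total_seconds())
                    for a, b in zip(ev, ev[1:])), default=0)
            for g, ev in refreshes.items()}
```

On the lines from the post, both group changes show up after a 569-second gap, which matches the roughly 10-minute delay described.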
pike
(Michael Kicks)
March 16, 2022, 3:54pm
13
Question for @mrmarkuz: may the module create a refresh job on cron/crony?
2 Likes
mrmarkuz
(Markus Neuberger)
March 16, 2022, 5:54pm
14
As @pike mentioned, the ufdbguard config file is rewritten when a group is modified in cockpit so let’s use a custom template to make changes permanent:
Create custom template dir:
mkdir -p /etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/
Create template fragment file /etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/11userlist
with following content:
refreshuserlist 5
Apply changes:
signal-event nethserver-squidguard-update
Now the user refresh should occur every 5 minutes even when adding members to a group in cockpit.
I didn’t find a command to force ufdbguard rereading the group members that would be needed for a cronjob.
I found that there’s a (REST) API, maybe it could be used to refresh the users…
1 Like
dimer
(Lazie Dimer)
March 16, 2022, 6:37pm
15
Hi @mrmarkuz
I made the recommended changes below:
mrmarkuz:
As @pike mentioned, the ufdbguard config file is rewritten when a group is modified in cockpit so let’s use a custom template to make changes permanent:
Create custom template dir:
mkdir -p /etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/
Create template fragment file /etc/e-smith/templates-custom/etc/ufdbguard/ufdbGuard.conf/11userlist
with following content:
refreshuserlist 5
Apply changes:
signal-event nethserver-squidguard-update
Now the user refresh should occur every 5 minutes even when adding members to a group in cockpit.
These changes are working! It now takes a maximum of 5 minutes to apply the new group rules to the user.
Thank you very much!
1 Like
mrmarkuz
(Markus Neuberger)
March 16, 2022, 6:45pm
16
You’re welcome.
Please mark the topic as solved. It helps others to find a solution quickly:
Now we have an amazing feature on our community platform which helps to mark a topic as SOLVED
As the OP (topic creator) you will have a button that allows you to accept an answer
[image]
Accepted answers are highlighted in the topic list:
[image]
Accepted answers are highlighted on the initial topic:
[image]
This kind of action is enabled only for topics in the Support category
Happy support!
1 Like