Author Topic: [SOLVED] HTTP Proxy implementation and a possible bug  (Read 2716 times)

yatsura2k

  • Zen Apprentice
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
[SOLVED] HTTP Proxy implementation and a possible bug
« on: November 29, 2012, 09:34:51 am »
Hi,

 I recently upgraded my HTTP Proxy module from 3.0 to 3.0.2 and it seems that the way that domain-category filtering is implemented has been changed.
 Previously, the domain category lists were linked to via the Dansguardian configuration list files, so that when the user attempted to browse to a domain in
 a blocked category they were shown a friendly Dansguardian 'blocked' page explaining why they were being blocked (local admin policy) and in which
 domain category the blocked site was included.

 Now the blocked domains are added to Squid's acl configuration, so when the user attempts to browse to a domain in a blocked category they receive
 an abrupt '403 Forbidden' message from their browser, which means they cannot tell whether the site is blocked due to local policy, or whether the site itself
 is broken.

 While this change may be more efficient in operation, it is definitely a backwards step in system usability and if possible I would like to vote for a return to
  the previous implementation.

  Now for the bug report:

  I have at the top of my access-policy list, a policy for the network object 'Banned' which applies the 'Deny All' action.
  Most of the time, the 'Banned' object has no members and when this is the case http access is blocked for all sites for all users.
  The above configuration worked fine with Http Proxy module version 3.0.
  Adding a dummy member to the 'Banned' object seems to make everything work as expected.

  Regards,
  Yatsura.

« Last Edit: November 30, 2012, 04:13:14 pm by yatsura2k »

christian

  • Guest
Re: HTTP Proxy implementation and a possible bug
« Reply #1 on: November 29, 2012, 09:49:44 am »
Yatsura,

I'm a bit confused with this "2 folds" post and would like to ensure my understanding is correct  :-[
You have 2 points:
1 - due to changes in the access control implementation, access to a blocked domain does not report any customized page but "err 403" => I suppose your request, rather than "vote for technical implementation choice", should be "please customize the error page as it was done with Dansguardian". Am I correct?
2 - error with access control based on group membership => I don't understand what you mean. Or I rather understand something unclear to me. You have policy based on network object that is applied for all network members if this network object is empty. Is it correct? And this is fixed if you add one (even dummy) object.

yatsura2k

Re: HTTP Proxy implementation and a possible bug
« Reply #2 on: November 29, 2012, 10:15:48 am »
Hi Christian,

  My apologies for the '2 folds' post. Both parts were raised by the upgrade of the HTTP Proxy module.

  1. Yes, I was requesting a change to provide the user-feedback that the old version provided and which is missing in the new version.
      The actual implementation method is unimportant to me, but it was the implementation change that caused the loss of feedback.

  2. Yes, I "have policy based on network object that is applied for all network members if this network object is empty."

  >Is it correct? And this is fixed if you add one (even dummy) object.
  Yes and yes.

  Yatsura.

christian

  • Guest
Re: HTTP Proxy implementation and a possible bug
« Reply #3 on: November 29, 2012, 10:25:00 am »
Regarding Squid error page: waiting for, perhaps, some changes in Zentyal, you can still use (however not using Zentyal GUI) Squid capability to customize error pages (in /usr/share/squid/errors/)

BTW, are you using transparent proxy ?
I'm asking because as far as I understand, error should not be 403 but rather Squid related error... I've some doubt...  ???

yatsura2k

Re: HTTP Proxy implementation and a possible bug
« Reply #4 on: November 29, 2012, 10:41:14 am »
>Regarding Squid error page: waiting for, perhaps, some changes in Zentyal, you can still use (however not using Zentyal GUI) Squid capability to customize error pages (in /usr/share/squid/errors/)

>BTW, are you using transparent proxy ?
>I'm asking because as far as I understand, error should not be 403 but rather Squid related error... I've some doubt...  ???

Yes, I am using transparent proxy.
I don't know why I get 403 rather than the proper squid error - If I can resolve this, then I will be happy with the user feedback from
the squid error pages (and no need for Dansguardian error page).

I will investigate further when I have time.

Thanks,
Yatsura.


christian

  • Guest
Re: HTTP Proxy implementation and a possible bug
« Reply #5 on: November 29, 2012, 10:57:50 am »
With the use of transparent proxy, as your browser is trying to reach its destination page rather than proxy, it makes more sense that you don't get the "right" error page... My 3.0 test platform is currently not installed anymore so I can't test and check.
Feedback from Zentyal would help here.
I'll try in IRC.

Sam Graf

  • Guest
Re: HTTP Proxy implementation and a possible bug
« Reply #6 on: November 29, 2012, 02:44:05 pm »
My 3.0 test machine is currently returning Zentyal's "Access Denied" page for denied domain categories under a transparent proxy. If the HTTP proxy service hasn't been manually restarted (via a server restart or the dashboard) since the update, I would try that.

yatsura2k

Re: HTTP Proxy implementation and a possible bug
« Reply #7 on: November 30, 2012, 08:58:57 am »
I had manually restarted the HTTP Proxy, both via the Dashboard and using the command line, with no change in behavior.
So anyway, last night I rebooted the server - and now it works (I get the Zentyal "Access Denied" page).
Go figure.

Thanks,
Yatsura.

christian

  • Guest
Re: HTTP Proxy implementation and a possible bug
« Reply #8 on: November 30, 2012, 09:13:42 am »
Cool. Then could you please edit first post title and stamp it as [SOLVED] ?

yatsura2k

Re: HTTP Proxy implementation and a possible bug
« Reply #9 on: November 30, 2012, 03:11:07 pm »
There is still the 'network policy with empty network object is applied to all' issue  :(
Any info on that ?

Yatsura

christian

  • Guest
Re: HTTP Proxy implementation and a possible bug
« Reply #10 on: November 30, 2012, 03:39:06 pm »
Well, that's the drawback when one topic covers multiple points  :-[

If, having tested it, you think this is a bug, then feel free to create a ticket.
At least you have a workaround while waiting for Zentyal to solve it  :)

yatsura2k

Re: HTTP Proxy implementation and a possible bug
« Reply #11 on: November 30, 2012, 04:12:52 pm »
>Well, that's the drawback when one topic covers multiple points
Indeed. Mea Culpa.

I'll mark this topic 'solved' and open a ticket after confirming whether the bug truly exists.

Thanks,
Yatsura