Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: mat1_8 on April 23, 2013, 11:49:55 am

Title: [SOLVED] How to edit access denied page?
Post by: mat1_8 on April 23, 2013, 11:49:55 am
Hi,

I am using dansguardian and would like to change the way the access denied page looks. Kindly can someone tell me the path to the html file please? Thank you
Title: Re: How to edit access denied page?
Post by: Sam Graf on April 23, 2013, 01:58:50 pm
http://forum.zentyal.org/index.php/topic,3749.0.html
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 23, 2013, 02:01:22 pm
Thanks :)
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 24, 2013, 02:54:38 pm
Hi,

Somehow I am managing to edit the access denied page. Just to be clear, the access denied page is regarding categories that are being blocked. In this case I have downloaded dansguardian blacklist and choosing which categories will be blacklisted.

The default access denied page does not show which category is being blocked. For example if I blacklist facebook.com, the access denied page does not show in which category facebook.com is (social networking). Is there a way to make an access denied page but showing which category is being blocked please? I think this may require some programming? Thanks
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 24, 2013, 04:01:21 pm
Hi,

I have found out that from Dansguardian website, its own HTML template file can display the category of the website. The problem is that if a website is blocked, the HTML error page being displayed is of Squid and not of Dansguardian (which I would like to display).

The other thing which I am thinking of is to copy the Dansguardian HTML file and use it instead of Squid HTML file. The only problem is that Squid has many languages and I am only interested in the English language. When I tried to edit the ERR_ACCESS_DENIED file, no changes were made so I think I was not editing the proper file. Kindly can someone please tell me the exact path that Squid uses by default? Thanks
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 24, 2013, 04:33:10 pm
Ok a little update. I managed to edit the actual template file being in use. The actual path is /usr/share/squid3/errors/English. I copied the dansguardian HTML file instead of the squid html file and the webpage is coming up BUT the categories are blank. Guys I really need your help in this please...has someone ever configured such thing before? Thanks
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 25, 2013, 08:24:27 am
Is there a way to pass traffic through dansguardian (for website filtering) instead of squid please? In a sense that traffic is passing through dansguardian BUT for some reason or another the access denied page displayed is of squid and NOT of dansguardian.
Title: Re: How to edit access denied page?
Post by: christian on April 25, 2013, 08:30:16 am
Quote
has someone ever configured such thing before?

Not me... because 2.2 page does report category so I'm happy with this  ;)
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 25, 2013, 08:30:58 am
Lucky you :P lol
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 25, 2013, 08:32:36 am
The strange thing is that when the website blocks a virus such as EICAR, the category is displayed automatically by dansguardian but when another website is blocked such as facebook.com, the error page displayed is of squid without a category :S.
Title: Re: How to edit access denied page?
Post by: christian on April 25, 2013, 08:33:16 am
Quote
In a sense that traffic is passing through dansguardian BUT for some reason or another the access denied page displayed is of squid and NOT of dansguardian.

This is not "for some reason" but on purpose  ::)
What you access with your browser is Squid (HTTP proxy)
filtering in squid has been delegated (that's Zentyal design choice) to Dansguardian and result is sent back to squid which is communicating with your browser.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 25, 2013, 08:39:19 am
Oh I see hmm now in my case I wish that it would stop at dansguardian instead of going back to squid :S.

Christian just to double check with you. I do not know how much familiar you are with Zentyal 3.0. What I have done is that I have downloaded dansguardian blacklist, went to HTTP proxy -> categorized lists -> browsed for the zipped version of the blacklist which I have downloaded and imported the file successfully.

Then I created different filter profiles and chose which categories are blacklisted. Have I followed good procedures please? Thanks
Title: Re: How to edit access denied page?
Post by: christian on April 25, 2013, 08:46:19 am
I'm not familiar with 3.0 and can't help further.
HTTP proxy in 3.0 offer more capability and flexibility in term of filtering, indeed, but there is no technical documentation thus I'm almost blind with what happens under the hood as I don't want to do any reverse engineering with this version.

What you did looks ok. What you could check looking at Dansguardian and squid is whether filtering is done relying on same process for all filtering features. Is content filtering always done by Dansguardian (first point) and is it confirmed that when you import or create such list, it impacts "content filtering" or is it rather URL filtering which might be done by Squid itself, therefore no category or different "error" page.

Or wait for someone having investigated this deeper ;)
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 25, 2013, 08:50:29 am
Hmm it makes sense well I think have to wait for someone to respond then. Right now I am still experimenting so if I manage will post and update thanks :)
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 25, 2013, 11:44:45 am
Anyone?
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 07:59:33 am
Bump
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 01:44:54 pm
Christian don't know if you're reading this but apparently the configuration done from Zentyal affects squid rather than Dansguardian. In other words the blacklists categories are listed in the squid configuration file instead of Dansguardian. This means I think I need to edit the way Zentyal works?
Title: Re: How to edit access denied page?
Post by: christian on April 26, 2013, 02:05:32 pm
yes I'm indeed reading  ;D

So this is what I guess few posts before  8)
This means that you have to customize both Squid and Dansguardian
- Dansguardian for content filtering
- Squid for blacklists (but you may not get any category here if this concept is not handled by Squid)
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 02:08:51 pm
Exactly which means that I want Dansguardian to do both content filtering and blacklists. For example if I go to facebook.com which is blacklisted by the category social networking, first it will be checked by Dansguardian and if it is OK, it will be passed on to Squid. If it is not, it is stopped by Dansguardian telling the user access denied + which category that website is.

Also not to forget in my configuration I have groups, users and time restrictions :S. In the GUI of Zentyal it is very easy to do but to do them manually in Dansguardian it's going to take some time :S.

Title: Re: How to edit access denied page?
Post by: christian on April 26, 2013, 02:20:02 pm
Not being Zentyal 3.0 expert, I'm afraid I can't really help further (I'm not running it)
If this is designed so that list of denied pages is managed by Squid, you can't do that in Dansguardian.

Strange however.
Let me have a look and I'll come back to you here.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 02:21:27 pm
Thanks a lot Christian you always help me out I appreciate that :)
Title: Re: How to edit access denied page?
Post by: christian on April 26, 2013, 02:37:10 pm
indeed, adding rule in "domain category" adds ACL in squid.conf

So you have 2 choices, as far as I understand:
- either you try to hack deeply Zentyal so that domain and URL control is delegated to Dansguardian (I would not do this without closer investigation)
- or, easier, you lightly hack squid.conf to display custom error page when acl controlling social networking is involved (using the deny_info ERR_PAGE_NAME acl_name syntax: http://www.squid-cache.org/Doc/config/deny_info/)

However if you have a lot of different categories and do want to stick on this approach, this can be painful or at least heavy.
Title: Re: How to edit access denied page?
Post by: christian on April 26, 2013, 02:41:32 pm
One additional comment so that there is no confusion:
I was not aiming that having Dansguardian using Shallalist would be complex nor heavy. What I meant to say is that Zentyal GUI is, for what I understand, not built to achieve this thus if you want to do this still using GUI, this might be heavy.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 02:51:26 pm
Hmm right so that's why this topic was moved to addons then. Well hopefully an update would be done to have this "problem" solved. Christian in a later post you told me that in Zentyal 2.0, when a website is blocked, you are given the category right? Is there a way that I could download it please? I don't think the update will be done immediately since it could take time for developers and at least I could work with Zentyal 2.0. Thanks
Title: Re: How to edit access denied page?
Post by: christian on April 26, 2013, 02:57:17 pm
Quote
Hmm right so that's why this topic was moved to addons then.

I suppose  ;)
I would have suggested to assess whether my proposal is fully valid or not... but you're welcome to tell us once done isn't it  ;D

Quote
Christian in a later post you told me that in Zentyal 2.0, when a website is blocked, you are given the category right? Is there a way that I could download it please?

When I wrote this, I didn't realize that "filtering" feature was split in 3.0 and misunderstood your expectation.
In 2.x, this "categorized domain" concept doesn't even exist. So better for you to stay with 3.0 if you need this feature.

Title: Re: How to edit access denied page?
Post by: Sam Graf on April 26, 2013, 03:05:13 pm
Quote
Well hopefully an update would be done to have this "problem" solved.

If this is a "problem" the more appropriate places to take it up would be either the idea tracker (http://ideas.zentyal.org/) or the bug tracker (http://trac.zentyal.org/newticket). If this is a preference issue and you want to work out a solution and share it with others, this forum is the place to start.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 03:15:51 pm
Hmm I do not know if I will be able to do this since it is quite heavy as Christian explained :(. It would be a really great feature in Zentyal especially since editing the code manually is very difficult since you need to be careful.

At least by this way I know that the thing is coming from Zentyal rather than from my configuration. Unfortunately I do not have so much knowledge of programming because in that case I would try to amend the code myself and post an update on this forum. If I can be of any help do not hesitate to contact me thanks :)
Title: Re: How to edit access denied page?
Post by: Sam Graf on April 26, 2013, 03:20:57 pm
Quote
It would be a really great feature in Zentyal...

Then the best option is to suggest it in the idea tracker. That way you can still contribute to the project (by making a formal proposal for a new feature) without writing a single line of code.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 03:24:30 pm
Will be posting that now Sam :)
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 04:42:45 pm
Hi Christian, I have installed zentyal 2.2 just to test and at least it is showing a text box category but it shows as N/A. I am attaching a screenshot :). Thanks
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 26, 2013, 04:43:53 pm
Just to add, I have done the same as zentyal 3.0, ie, downloaded the blacklist from dansguardian website and chose which categories are denied and which are allowed. Then assigned the filter profile to the group.
Title: Re: How to edit access denied page?
Post by: christian on April 26, 2013, 04:55:02 pm
OK, so I need to look back at 2.2  ;)
On my side, I confirm that if you hack squid.conf adding deny_info, Zentyal does display custom error page of your choice.

For the time being, I did some dirty but quick hack directly in /usr/share/zentyal/stubs/squid

Code:
deny_info ERR_LIST shalllist~dc~socialnet~dom
deny_info ERR_LIST shalllist~dc~socialnet~urls

then I added custom page (ERR_LIST) in /usr/share/squid3/errors/templates/

restarted Squid and when I try to access facebook, my customized error page is displayed.

So if you do it manually, this is really painful but as squid.conf is built when HTTP proxy start, with some development skill (that I don't have even spending hours at this :-[) you can generate squid conf that will, like building ACL, add the deny_info directive.

Next step is to point to the right custom page pragmatically but this should not be an issue.
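
The generation step described in the post above, as an added example (not part of the original post and not Zentyal code): it reads the category ACLs out of a squid.conf and emits one deny_info line per ACL plus a per-category error page. The ERR_CAT_<category> page names, the @CATEGORY@ placeholder and the sample ACL types and paths are assumptions made for illustration; only the ACL naming pattern comes from the post.

```shell
#!/bin/sh
# Added example: derive deny_info directives from the category ACLs in squid.conf.
# Assumption: category ACL names look like <list>~dc~<category>~<dom|urls>,
# as in the two names quoted in the post above.

# Print "<category> <acl_name>" once for every category ACL defined in file $1.
# Category names outside [A-Za-z0-9_-] are skipped, because the name is later
# used in a file name and in a sed expression.
category_acls() {
    awk '$1 == "acl" && $2 ~ /~dc~/ && !seen[$2]++ {
             n = split($2, part, "~")
             if (n == 4 && (part[4] == "dom" || part[4] == "urls") &&
                 part[3] ~ /^[A-Za-z0-9_-]+$/)
                 print part[3], $2
         }' "$1"
}

# Print the unique category names, sorted.
list_categories() {
    category_acls "$1" | cut -d' ' -f1 | sort -u
}

# Print one deny_info line per category ACL, each pointing at an error page
# named ERR_CAT_<category> (hypothetical naming).
gen_deny_info() {
    category_acls "$1" | while read -r cat acl; do
        printf 'deny_info ERR_CAT_%s %s\n' "$cat" "$acl"
    done
}

# Create ERR_CAT_<category> in directory $3 from base template $2, replacing
# the placeholder @CATEGORY@ (hypothetical) with the category name.
write_templates() {
    conf=$1 base=$2 outdir=$3
    list_categories "$conf" | while IFS= read -r cat; do
        sed "s/@CATEGORY@/$cat/g" "$base" > "$outdir/ERR_CAT_$cat"
    done
}

# Demo on a constructed squid.conf fragment (ACL types and paths are made up).
tmp=$(mktemp -d)
cat > "$tmp/squid.conf" <<'EOF'
acl shalllist~dc~socialnet~dom dstdomain "/constructed/socialnet/domains"
acl shalllist~dc~socialnet~urls url_regex "/constructed/socialnet/urls"
acl shalllist~dc~ecommerce~dom dstdomain "/constructed/ecommerce/domains"
acl localnet src 192.168.1.0/24
EOF
# %U is Squid's error-page tag for the requested URL.
printf '<h1>Access denied</h1><p>Category: @CATEGORY@</p><p>URL: %%U</p>\n' > "$tmp/base.html"
gen_deny_info "$tmp/squid.conf"
write_templates "$tmp/squid.conf" "$tmp/base.html" "$tmp"
```

The printed lines are the kind christian added to the stub at /usr/share/zentyal/stubs/squid, and the ERR_CAT_* files go where he put ERR_LIST.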
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 27, 2013, 08:11:23 am
Hi Christian,

Thanks for your response :). OK so by that way at least we know that it is possible to display the category of the website being blocked. The only disadvantage as you said is that it takes a long time to do.

Today I am going to install Zentyal 2.2 at home and try to figure out how to display the category. I do not mind using a previous version as long as it works correctly :). At least in version 2.2, the category is present but it is set to N/A and I am assuming it could be easier with this version rather than v3. What do you think? Thanks and happy weekend :)
Title: Re: How to edit access denied page?
Post by: christian on April 27, 2013, 08:24:53 am
I think that the category concept here is somewhat external to any control engine (would it be DansGuardian or Squid) as this is "only" a way of classifying URLs and domains.
What it does at the end, at least in Squid, is to deny list of domain but these domains are by no means "stamped" with any category, reason why Squid can't show it.

Again assuming my understanding is correct, if you decide to build your own list with different categorization, it will work exactly the same.
What you can do is to show, in your custom error page, the ACL or rule denying access (this is what I suggest with my above example).

This is for Squid.

For Dansguardian's based implementation, I didn't investigate as this is not manageable using Zentyal GUI.

Last but not least I don't think you will get anything better with 2.2  :-\
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 27, 2013, 08:30:18 am
Hi Christian,

Well actually I am not going to build my own categorized list and sorry if I was understood that way. I am always going to make use of the blacklist file downloaded from Dansguardian website. In fact in both v3 and v2 I have imported this file.

Don't know if that makes a difference but, ie, using the blacklist file from Dansguardian or building one yourself? Thanks
Title: Re: How to edit access denied page?
Post by: christian on April 27, 2013, 08:56:03 am
No need to apologize, in fact I was not clear on my side.
What I meant to say is that category is something external to URL or domain.
e.g. your blacklist shows facebook as "social networking" while you could (I'm not saying you will), if you were building your own list, classify it as "extremely useful tool".

There is no intrinsic category and, this is my main point, what you get at the end is only a list of domain or URL associated to Squid ACL rule. This is the only tangible information you can display, for what I understand.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 27, 2013, 09:20:55 am
Oh right I got a clear picture of what you're saying which makes good sense. Well at this stage all I could do is try to change some settings maybe I get something don't know. That's why such feature has to be added to Zentyal because as I have explained in the contribute section (ideas), is that either the Squid HTML is edited to display the category or else edit Zentyal source code so that from the GUI once you are doing categories and that, you will be actually editing Dansguardian instead of Squid. Reason being is that Dansguardian displays the category.
Title: Re: How to edit access denied page?
Post by: christian on April 27, 2013, 09:34:39 am
Again, I might be wrong but what I understand is that Dansguardian displays category for content filtering which is different:
- once page is accessed, content is analysed and then classified depending on matching rules.
- Dansguardian basically displays matching and may prevent access.

Squid domain category ACL can't even know what your list really means. This is only a list with some ACL name that makes sense for you (only) and hopefully for Zentyal web interface too.
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 29, 2013, 11:05:16 am
Hi Christian,

Did not have that much time this weekend to view the configuration. Now I am working on it (v2.2) and I think it's better when compared to v3. The reason is that in v2.2, it makes use of squid for time restrictions and dansguardian to block websites. In fact I went to /etc/dansguardian/lists and chose one of the lists, which in my case was bannedsitelist3 and the configuration is listed in the screenshot.

So apparently the system works this way (the way that I am seeing it) - it first checks if the particular website is permitted via the categories which are blacklisted; if it is blacklisted it stops the user from continuing and displays access denied WITHOUT the category; if it is not blacklisted, it checks with squid regarding the time restriction.

So basically as you have said Christian is that I want to tell dansguardian somehow that if website X is being blocked by category Y, display category Y. Right now it is only stopping on blocking because it does not have the right "coding" to display the category (that which I want to focus on).
Title: Re: How to edit access denied page?
Post by: mat1_8 on April 29, 2013, 11:51:55 am
SUCCESS!!!!!!! It's finally working :D

OK here is what I have done (based on my configuration):

1) First I went to the following path - /etc/dansguardian/extralists/strict_filter/archives/blacklist2/blacklists/ecommerce

2) Then I went to domains file

3) Once I went to the domains file, you could see a whole list of domains and in this point we are interested that if a user goes into any of such domains, the category ecommerce will be displayed.

4) The solution is that at the top of the list you will have to write the following - #listcategory: "ecommerce"

5) Close, save and restart dansguardian and voilà should work :)

The only trouble thing is that you have to do this for every category that you want to block such as ecommerce, news etc....
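
The per-category edit from the steps above, automated as an added example (not part of the original post): it writes the #listcategory header into the domains file of every category directory and skips files that already carry one, so it is safe to re-run. It assumes each category is a directory holding a domains file, as in the ecommerce path in step 1; the demo tree and its .example domains are constructed.

```shell
#!/bin/sh
# Added example: put a '#listcategory: "<name>"' header at the top of the
# domains file of every category directory under a blacklist root.
# Assumption: layout is <root>/<category>/domains.

# Add the header to list file $1 for category $2 unless a header is already
# present. Returns 0 if the file was changed, 1 if it was skipped.
tag_list() {
    f=$1 name=$2
    [ -f "$f" ] || return 1
    if grep -q '^#listcategory:' "$f"; then return 1; fi
    tmpf=$(mktemp) || return 1
    { printf '#listcategory: "%s"\n' "$name"; cat "$f"; } > "$tmpf"
    # Write back in place so the list keeps its owner and permissions.
    cat "$tmpf" > "$f"
    rm -f "$tmpf"
}

# Tag every <root>/<category>/domains file; print how many files were changed.
tag_all() {
    root=$1 count=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        category=$(basename "$dir")
        # The name is written between double quotes, so skip odd directory names.
        case $category in ''|*[!A-Za-z0-9_-]*) continue ;; esac
        if tag_list "${dir}domains" "$category"; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Demo on a constructed blacklist tree; "news" already has a header.
demo=$(mktemp -d)
mkdir -p "$demo/ecommerce" "$demo/news"
printf 'shop.example\nstore.example\n' > "$demo/ecommerce/domains"
printf '#listcategory: "news"\npaper.example\n' > "$demo/news/domains"
tagged=$(tag_all "$demo")
echo "lists tagged: $tagged"
# On a real server, restart dansguardian afterwards (step 5 above).
```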

Title: Re: [SOLVED] How to edit access denied page?
Post by: mat1_8 on April 30, 2013, 01:30:19 pm
A little update on the previous post....when one restarts Zentyal, all configuration will be lost!!
Title: Re: [SOLVED] How to edit access denied page?
Post by: christian on April 30, 2013, 01:43:59 pm
I'm glad you finally found answer to your initial problem.
Reason why changes are not kept after reboot or service start is described here (http://doc.zentyal.org/en/develop.html#advanced-service-customisation).
Title: Re: [SOLVED] How to edit access denied page?
Post by: mat1_8 on April 30, 2013, 01:49:13 pm
Thanks Christian will try that out :). I have posted another topic regarding time restrictions since it works differently when compared to v3. I really appreciate if you could help me out please and sorry for bothering you. Thanks for your patience
Title: Re: How to edit access denied page?
Post by: mat1_8 on May 08, 2013, 08:10:45 am
Quote
OK, so I need to look back at 2.2  ;)
On my side, I confirm that if you hack squid.conf adding deny_info, Zentyal does display custom error page of your choice.

For the time being, I did some dirty but quick hack directly in /usr/share/zentyal/stubs/squid

Code:
deny_info ERR_LIST shalllist~dc~socialnet~dom
deny_info ERR_LIST shalllist~dc~socialnet~urls

then I added custom page (ERR_LIST) in /usr/share/squid3/errors/templates/

restarted Squid and when I try to access facebook, my customized error page is displayed.

So if you do it manually, this is really painful but as squid.conf is built when HTTP proxy start, with some development skill (that I don't have even spending hours at this :-[) you can generate squid conf that will, like building ACL, add the deny_info directive.

Next step is to point to the right custom page pragmatically but this should not be an issue.

Hi Christian,

Thinking about what you have said to me about the deny_info.

I went to /usr/share/zentyal/stubs/squid but there is a long list of code. Where should I put the deny_info lines please? I have a long list to make so I am going to try them out :). Thanks
Title: Re: [SOLVED] How to edit access denied page?
Post by: christian on May 08, 2013, 08:46:40 am
I'm currently away, far from my server with no remote access.
I'll look at this on Friday when I'm back.
In the meantime, Squid documentation may help. These "deny" directives are part of ACL
Title: Re: [SOLVED] How to edit access denied page?
Post by: mat1_8 on May 08, 2013, 08:48:35 am
Thanks Christian will check it out :)