Topic: different actions.. local access vs. remote access

[Craig Jensen]

Hi

Squidguard 3.0 is running on my personal server.  I have access remotely to the server-manager.  I get completely different results when I access the squidguard panel remotely as opposed to within my local network as follows:

When adding domains (or anything for that matter) to the untrusted list within the panel I get these results (a. and b. below).

     a. from within my lan on a client machine, I get long delays (up to 10 seconds) in completing the addition and I get the page...

 Action canceled
Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.

The process is completed successfully and the addition is indicated in the 'view' page.

    b. from remote access to the server-manager, I get a page indicating that' " whatever domain" has successfully been added to the untrusted list' (paraphrasing) and it occurs within only a few seconds.  And, of course the addition is successfull.

What would cause there to be such a different action and is there a way to 'fix' it?

Craig Jensen

[Abe Loveless]

Craig,

How are your LAN clients configured?  Are they configured to go through the Proxy server (Port 3128) or are you using the transparent proxy?

My guess is that your clients are connecting through the proxy.  Each time you add/remove items from the custom list, the Squid proxy service gets restarted to force it to re-read the lists.  So, since you're going through the Proxy server... and the server gets restarted, your connection is lost.  A refresh brings the page right back up to the server-manager.

When connecting remotely, or from anywhere that doesn't specifically connect through the Proxy port... you won't notice the Squid service restarting, since you're just connecting through http.

Does that make sense?

Let me know if this isn't what's happening on your systems.

Thanks,
Abe

[Craig Jensen]

That DOES make sense Abe.  I 'thought' I was connecting through
transparent proxy, but what you have explained makes plenty of sense.

My lan is merely connecting from the e-smith server with a switch in
between.  I made no specific changes from the default setup as far as
local network is concerned.

Everything you described makes it sound right though.  I just couldn't
figure out why I got the error page "action canceled" here at home and
yet it all looked so pretty from my work or anywhere on the internet.

For your school accounts do you use the transparent proxy or
otherwise for their lan connection?

--
Best regards,
 Craig

[Abe Loveless]

It really depends on the application, and what the individual schools want to use.

A couple schools are using the Squid Authentication modules from http://linux06.chez.tiscali.fr/ which requires that the browsers point to the Squid Proxy.

Most, though, opt for the ease of use with Transparent proxy.  Most schools just install a server in Gateway mode, install squidguard and SARG, and turn on DHCP and insert it above their networks.  Then set the clients to pull from DHCP... doesn't get much easier.  

Also, I believe DansGuardian requires the clients to connect through the proxy port, as well.  I do have several schools that have been opting to go that route, via dungog.net's DansGuardian addon.

Hope that helps,
Abe

[jose velez]

I use the same setup Abe is using for wireless internet in my neighborhood.

Any way to force Squidguard to use the user id instead of the IP address.  Some PC are used by different users and some could have less restrictions.

[Abe Loveless]

Currently, there's no built-in way to create different Access Lists and assign different users to them.

You could do this by creating a couple custom template fragments for /etc/squid/squid.conf and assign users/groups to the appropriate access lists.  Then you could use the Squid Authentication module that I mentioned above... and provide users with the appropriate username/passwords for the appropriate category.

But, this requires that you force all users to logon, and you will have to manually configure users/passwords for each user... so it may not be feasible.

There may be other options, but this is the first one that came to mind.

[jose velez]

I am forcing everybody to login with Vicent proxy already.  It is one way to avoid un-authorized users  and I check with SARG for any un-authorized user.  

I am using D-link access point in each user also with WEP.  I have a very good range with 13dbi antennas and relay points due to changing topography.  

the internet service is also wireless using Motorola Canopy radios.  I am also using Vicent QOS to limit bandwidth to 256Kb on the dlink access points