## 1. Part of the squidguard configuration is missing:
```
run update webproxy blacklists
set service webproxy listen-address 192.168.122.15 disable-transparent
set service webproxy listen-address 192.168.122.15 port '3128'
set service webproxy url-filtering squidguard default-action 'block'
set service webproxy url-filtering squidguard rule 1 block-category 'social_networks'
set service webproxy url-filtering squidguard rule 1 source-group social
set service webproxy url-filtering squidguard source-group social address '192.168.122.0/24'
```
Actual configuration:
```
[email protected]# sudo cat /etc/squidguard/squidGuard.conf
### generated by service_webproxy.py ###
dbhome /opt/vyatta/etc/config/url-filtering/squidguard/db
logdir /var/log/squid
rewrite safesearch {
s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
log rewrite.log
}
acl {
default {
pass local-ok-default !in-addr none
redirect 302:http://block.vyos.net
}
}
```
Expected configuration:
```
vyos@r12-lts# sudo cat /etc/squidguard/squidGuard.conf
#
# autogenerated by vyatta-update-webproxy.pl
#
dbhome /opt/vyatta/etc/config/url-filtering/squidguard/db
logdir /var/log/squid
rewrite safesearch {
s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i
s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i
s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i
s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i
s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i
s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i
log rewrite.log
}
src social-1 {
ip 192.168.122.0/24
}
dest local-ok-default {
domainlist local-ok-default/domains
}
dest local-ok-url-default {
urllist local-ok-url-default/urls
}
dest local-ok-1 {
domainlist local-ok-1/domains
}
dest local-ok-url-1 {
urllist local-ok-url-1/urls
}
dest social_networks-1 {
domainlist social_networks/domains
urllist social_networks/urls
}
acl {
social-1 {
pass local-ok-1 !in-addr !social_networks-1 all
}
default {
pass local-ok-default !in-addr none
redirect 302:http://block.vyos.net
}
}
```
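A consistency check for the two dumps above, as an added example (not VyOS code): it parses a squidGuard.conf, collects the declared `src` and `dest` names, and reports acl entries that are missing or that reference undeclared names. The function names and the `expected_sources` parameter are hypothetical; the entry name `social-1` follows the expected dump, and the embedded samples are trimmed reconstructions of the two dumps.

```python
BUILTIN = {"all", "any", "none", "in-addr"}  # pass-list keywords, not dest names

def parse_squidguard(text):
    """Return (defined, acl): declared src/dest names, and each acl entry's pass list."""
    defined, acl, stack = {"src": set(), "dest": set()}, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                      # block opener
            words = line[:-1].split() or ["?"]
            if not stack and words[0] in defined and len(words) > 1:
                defined[words[0]].add(words[1])     # "src NAME {" / "dest NAME {"
            elif stack == ["acl"]:
                acl[words[0]] = []                  # "NAME {" inside "acl {"
            stack.append(words[0])
        elif line == "}" and stack:
            stack.pop()
        elif len(stack) == 2 and stack[0] == "acl" and line.startswith("pass "):
            acl[stack[1]] = [w.lstrip("!") for w in line.split()[1:]]
    return defined, acl

def check(text, expected_sources=()):
    """List inconsistencies; expected_sources are the acl entries the CLI rules imply."""
    defined, acl = parse_squidguard(text)
    problems = []
    for entry, dests in acl.items():
        if entry != "default" and entry not in defined["src"]:
            problems.append(f"acl '{entry}' has no src block")
        problems += [f"acl '{entry}' references undefined dest '{d}'"
                     for d in dests if d not in BUILTIN and d not in defined["dest"]]
    return problems + [f"no acl entry for source '{s}'"
                       for s in expected_sources if s not in acl]

# Constructed samples, trimmed from the two dumps above (rewrite block and unused
# dest blocks left out, domainlist paths simplified).
GENERATED = "acl {\ndefault {\npass local-ok-default !in-addr none\n}\n}"
DESTS = "".join(f"dest {n} {{\ndomainlist {n}/domains\n}}\n"
                for n in ("local-ok-default", "local-ok-1", "social_networks-1"))
EXPECTED = ("src social-1 {\nip 192.168.122.0/24\n}\n" + DESTS +
            "acl {\nsocial-1 {\npass local-ok-1 !in-addr !social_networks-1 all\n}\n"
            "default {\npass local-ok-default !in-addr none\n}\n}")

if __name__ == "__main__":
    for label, conf in (("generated", GENERATED), ("expected", EXPECTED)):
        print(label, check(conf, expected_sources=["social-1"]))
```

On the generated sample this reports both the missing `social-1` acl entry and the `local-ok-default` reference that has no `dest` block; the expected sample comes back clean.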
## 2. Permission error
```
vyos@r1-roll# set service webproxy url-filtering squidguard rule 1 block-category 'social_networks'
ls: cannot access '/opt/vyatta/etc/config/url-filtering/squidguard/db//*': Permission denied
```
## 3. Node "address" should be /multi
```
set service webproxy url-filtering squidguard source-group social address 192.0.2.0/24
set service webproxy url-filtering squidguard source-group social address 203.0.113.0/24
```
https://github.com/vyos/vyos-1x/blob/adca504a2c5cd60be46a741ab3aef83fa4dfe4cf/interface-definitions/service_webproxy.xml.in#L496-L517
## 4. There is no "source-group" in the template
```
set service webproxy url-filtering squidguard source-group
```
https://github.com/vyos/vyos-1x/blob/current/data/templates/squid/squidGuard.conf.tmpl
## 5. No options for "rule options" in the template
```
vyos@r1-roll# set service webproxy url-filtering squidguard rule 1
Possible completions:
+ allow-category
Category to allow
allow-ipaddr-url
Allow IP address URLs
+ block-category
Category to block
default-action
Default action (default: allow)
enable-safe-search
Enable safe-mode search on popular search engines
+ local-block Local site to block
+ local-block-keyword
Local keyword to block
+ local-block-url
Local URL to block
+ local-ok Local site to allow
+ local-ok-url Local URL to allow
+ log Log block category
redirect-url Redirect URL for filtered websites
source-group Source-group for this rule [REQUIRED]
time-period Time-period for this rule
```
## 6. "acl localhost" and "acl to_localhost" are generated by squid by default (built in to squid3)
So we don't need to declare them again in the template: http://www.squid-cache.org/Versions/v3/3.2/cfgman/acl.html
```
Sep 9 11:45:33 r1-roll (squid-1): WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
Sep 9 11:45:33 r1-roll (squid-1): WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: because of this '127.0.0.1' is ignored to keep splay tree searching predictable
Sep 9 11:45:33 r1-roll (squid-1): WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
Sep 9 11:45:33 r1-roll (squid-1): WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: (B) '127.0.0.0/8' is a subnetwork of (A) '127.0.0.0/8'
Sep 9 11:45:33 r1-roll (squid-1): WARNING: because of this '127.0.0.0/8' is ignored to keep splay tree searching predictable
Sep 9 11:45:33 r1-roll (squid-1): WARNING: You should probably remove '127.0.0.0/8' from the ACL named 'to_localhost'
```
https://github.com/vyos/vyos-1x/blob/4d2201eed00ac4780d0196abf53dd9b7cb943a09/data/templates/squid/squid.conf.tmpl#L3-L4
## 7. Old directive "redirect_program"
`url_rewrite_program` replaces `redirect_program`:
http://www.squid-cache.org/Doc/config/url_rewrite_program/
https://github.com/vyos/vyos-1x/blob/310eb1b527047211ae236c6415fee51f15a0fa57/data/templates/squid/squid.conf.tmpl#L104