Filtering and Proxying

From Wiki@Commgate

Access Control

Overview

Web Proxy Access Control Information

Description: Time and user-based access control for the web proxy
Package Name: cc-squid-acl
Configuration Page: Software > Proxy and Filtering > Access Control

Time-based Access Control lets an administrator enforce time-of-day web access for users or computers (identified by username, IP address or MAC address) that reach the web through the proxy.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

Adding Time Periods

Time periods define the days of the week (e.g. Monday, Tuesday ...) and the time of day (e.g. 12:00 - 13:00) during which an access control rule applies. Select Add/Edit Time Period from the webconfig tab menu to:

  • display and/or edit a currently defined time period
  • add a new time period definition
  • delete an existing time period definition
Warning! Deleting a time period also deletes every access control rule that references it.

In the sample screenshot below, we have created two time period definitions. The first defines a lunch break on weekdays between 12:00pm and 1:00pm (13:00). The second covers the entire day over a weekend (Saturday and Sunday).

Image:filtering_and_proxying-ss_squid_acl_time.png

Adding Access Control Lists

Any number of access control list definitions can be created to control precisely how users or machines on the LAN are given access to the web via the proxy server. In the example below, a rule that allows all machines on the LAN to reach the web during the weekend is being created. By specifying an internal IP range of 192.168.1.100 to 192.168.1.255, the IP-based identification applies this rule to every computer on the LAN holding a DHCP lease in that range. (In a /24 network, 192.168.1.255 is the broadcast address and is never leased, so the range effectively ends at .254.) Keep in mind that an IP rule only matches addresses inside the range: a machine given a static address outside the DHCP pool, or a user who changes the machine's address, is not covered, which is why username and MAC address identification are also offered.

Image:filtering_and_proxying-ss_squid_acl_add_rule.png

Name

A unique name identifying the access control.

ACL Type

Sets the rule type, allow or deny. Allow grants web access to the matching user or computer; Deny refuses it.

Time-of-Day ACL

References a unique time of day rule. The drop down menu will be empty and a link to create a new time period will be displayed if no time definitions have been created.

Restriction

Determines whether the rule applies during the selected time period or during all time outside it. For example, if you defined a time period named Lunchtime as 12:00 - 13:00 from Monday to Friday and want a rule to apply during the lunch hour, select Within. Conversely, if you want a rule to apply at all hours outside the lunch period, select Outside.

Method of Identification

Depending on your proxy configuration, up to three different methods of user/machine identification are possible - username, IP address and MAC address.

Username

Username-based identification is only available if User Authentication is enabled on the web proxy. Users must provide login credentials and must also be permitted to use the proxy server in their user account configuration. Once a user is logged into a proxy session, ACL rules based on that username apply. Note that user authentication is not possible in transparent mode (see the Web Proxy section), so username rules require browsers to be configured with explicit proxy settings.

IP Address

To restrict web access for a particular computer or a group of computers (e.g. a computer lab), IP address based identification can be used. A single IP address or a range of IP addresses (first and last address separated by a dash) can be added. Valid entry examples include:

  • 192.168.1.100
  • 10.0.0.121
  • 192.168.1.100-192.168.1.150

The IP address is the address of the machine connecting to the proxy, as seen by the proxy. Since that machine sits on the LAN segment of the network, any address or range listed here should be an internal (private) IP address or range.

MAC Address

A MAC address is the hardware identifier of a computer's network card. MAC addresses are a useful alternative to IP addresses when an administrator does not lock down the network settings of a machine, since a savvy user could otherwise change the machine's IP address to get around an IP-based rule. Two caveats apply: the proxy can only see the MAC address of machines on the same LAN segment as the gateway (for a client behind another router the rule will not match), and a MAC address can itself be changed in software, so treat it as a hurdle rather than strong identification; for accountable access, prefer username identification. The MAC address must be read on the machine itself, and the procedure depends on the OS.

Linux

Open up a shell and type:

ifconfig eth0

where eth0 is the network (Ethernet) card. The MAC address in the sample output below follows the HWaddr header and is 00:40:63:DA:E7:23. On newer Linux distributions that no longer ship ifconfig, use ip link show eth0 instead; the address follows link/ether.

Image:filtering_and_proxying-ss_squid_acl_linux.png

Windows

To obtain the MAC address under Windows, click the Start button and select Run. Enter cmd in the Run field. At the Windows command prompt, type

ipconfig /all

and press Enter. The MAC address is shown next to the Physical Address field. Windows prints it with dashes (e.g. 00-40-63-DA-E7-23) whereas Squid's MAC (arp) ACLs use the colon-separated form shown in the Linux example, so convert the dashes to colons when entering it. Make sure you read the address of the correct adapter: there is more than one if the machine has both a wired network card and a wireless card.

Image:filtering_and_proxying-ss_squid_acl_windows.png
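As an added example (not part of the original wiki page or of the Commgate tools), the following Python script extracts the MAC addresses from the outputs of the commands above and normalizes them to one form, so that the value entered in the ACL form is the same whichever OS it came from and an IP address pasted by mistake is rejected. The command outputs embedded in it are constructed, not real captures, and the interface and adapter names in them are assumptions.

```python
import re

# Constructed sample outputs (not real captures) of the commands described
# above; interface and adapter names are assumptions for the example.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:40:63:DA:E7:23
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
"""

IP_LINK_SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:40:63:da:e7:23 brd ff:ff:ff:ff:ff:ff
"""

IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-40-63-DA-E7-23
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 5100
   Physical Address. . . . . . . . . : 00-1B-77-11-22-33
"""


def normalize_mac(raw: str) -> str:
    """Return a MAC address as six lowercase colon-separated octets.

    Accepts the Linux form (00:40:63:DA:E7:23), the Windows form
    (00-40-63-DA-E7-23) and the dotted form some switches print
    (0040.63da.e723); anything else, e.g. an IP address, is rejected.
    """
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def macs_from_ifconfig(output: str) -> dict:
    """Map interface name -> MAC from classic `ifconfig` output (HWaddr field)."""
    pattern = re.compile(r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+(\S+)", re.M)
    return {m.group(1): normalize_mac(m.group(2)) for m in pattern.finditer(output)}


def macs_from_ip_link(output: str) -> dict:
    """Map interface name -> MAC from `ip link show` output (link/ether field)."""
    pattern = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?:[^\n]*\n\s+link/ether (\S+)", re.M)
    return {m.group(1): normalize_mac(m.group(2)) for m in pattern.finditer(output)}


def macs_from_ipconfig(output: str) -> dict:
    """Map adapter name -> MAC from `ipconfig /all` output (Physical Address field).

    Every adapter is returned so the caller can pick the right one; a laptop
    typically lists both a wired and a wireless adapter.
    """
    result, adapter = {}, None
    for line in output.splitlines():
        head = re.match(r"^\S.* adapter (.+):\s*$", line)
        if head:
            adapter = head.group(1)
            continue
        phys = re.match(r"^\s*Physical Address[ .]*:\s*(\S+)", line)
        if phys and adapter:
            result[adapter] = normalize_mac(phys.group(1))
    return result


if __name__ == "__main__":
    for name, macs in (("ifconfig", macs_from_ifconfig(IFCONFIG_SAMPLE)),
                       ("ip link", macs_from_ip_link(IP_LINK_SAMPLE)),
                       ("ipconfig", macs_from_ipconfig(IPCONFIG_SAMPLE))):
        print(name, macs)
```

Feed the script the real command output from the machine; it returns every adapter it finds, so pick the wired or wireless one deliberately rather than taking the first entry.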

ACL Priority

New ACL rules are added to the bottom of the list; that is, a new rule starts with the lowest priority.

The proxy server evaluates the rules in order, starting from the top and working down. The first rule whose conditions match stops processing and allows or denies access to the web, depending on the rule type.

In the example below there are three rules: AllEmployees has the highest priority, followed by LunchHourStaff and finally (lowest priority) HourlyEmployees.

Image:filtering_and_proxying-ss_squid_acl_summary.png

To understand priorities, it is probably easiest to follow through a few scenarios.

Saturday - it is the weekend, and the AllEmployees rule covers every IP address on the LAN, so all computers on the LAN have access to the web regardless of any MAC or username based rules and regardless of whether it is the lunch hour (12pm - 1pm) or not. The first rule (AllEmployees) matches, and no further rules are evaluated.

Monday @ 12:15pm - AllEmployees does not match (it is not the weekend). All users on computers whose IPs are in the LunchHourStaff IP list are allowed access to the web.

Monday @ 1:15pm - AllEmployees and LunchHourStaff both fail to match, so the third rule is evaluated: users on computers whose IPs are in the HourlyEmployees IP list are denied access to the web. A user on a computer whose IP is not listed in the HourlyEmployees rule matches no rule at all and is allowed access.

By default, if no ACL rule matches, the user is allowed access to the web. To apply a blanket block instead, create a deny rule for the whole internal IP range together with a time period covering 00:00 - 24:00 on every day, and leave it at the bottom of the list (lowest priority) so that it only catches traffic that no earlier rule has already allowed. Placed at the top, it would deny everyone.

Use the up and down arrows on the ACL Summary page to raise or lower the priority of any rule so that the desired time-of-day policy is enforced.

Image:filtering_and_proxying-ss_squid_acl_priority.png
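The following Python model is an added illustration (not the Commgate or Squid implementation) of two things described above: the entry syntax from the IP Address section, and the top-to-bottom first-match evaluation with Within/Outside time restrictions and the default allow. The three rules reproduce the AllEmployees, LunchHourStaff and HourlyEmployees scenario; the IP ranges given to the last two rules, and the dates used for the scenarios, are assumptions, since the page does not state them.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class TimePeriod:
    """Days of the week plus a start (inclusive) and end (exclusive) time of day."""
    name: str
    days: frozenset          # e.g. frozenset({"Mon", "Tue"})
    start: str               # "HH:MM"
    end: str                 # "HH:MM"; "24:00" means the end of the day

    def contains(self, when: datetime) -> bool:
        # Zero-padded "HH:MM" strings compare correctly as text.
        return when.strftime("%a") in self.days and self.start <= when.strftime("%H:%M") < self.end


def parse_ip_entry(entry: str) -> tuple:
    """Parse an entry as typed into the IP Address field: a single address or
    'first-last'. Returns (first, last) as integers. Addresses outside private
    (RFC 1918 / loopback) space are rejected, since the proxy only ever sees
    LAN clients here."""
    parts = [p.strip() for p in entry.split("-")]
    if len(parts) not in (1, 2):
        raise ValueError(f"bad IP entry: {entry!r}")
    first = ipaddress.IPv4Address(parts[0])
    last = ipaddress.IPv4Address(parts[-1])
    if last < first:
        raise ValueError(f"range runs backwards: {entry!r}")
    if not (first.is_private and last.is_private):
        raise ValueError(f"not an internal address: {entry!r}")
    return int(first), int(last)


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    period: TimePeriod
    restriction: str         # "within" or "outside" the period
    ident: str               # "ip", "user" or "mac"
    values: list             # IP entries, usernames or MAC addresses

    def matches(self, when: datetime, client: dict) -> bool:
        if (self.restriction == "within") != self.period.contains(when):
            return False
        value = client.get(self.ident)
        if value is None:                      # client not identified this way
            return False
        if self.ident == "ip":
            n = int(ipaddress.IPv4Address(value))
            return any(lo <= n <= hi for lo, hi in map(parse_ip_entry, self.values))
        return value.lower() in {v.lower() for v in self.values}


def decide(rules: list, when: datetime, client: dict, default: str = "allow") -> tuple:
    """Walk the rules top to bottom; the first match decides. With no match the
    default applies (the page's default is allow)."""
    for rule in rules:
        if rule.matches(when, client):
            return rule.action, rule.name
    return default, None


WEEKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
ALL_DAYS = WEEKDAYS | {"Sat", "Sun"}
LUNCHTIME = TimePeriod("Lunchtime", WEEKDAYS, "12:00", "13:00")
WEEKEND = TimePeriod("Weekend", frozenset({"Sat", "Sun"}), "00:00", "24:00")
ALL_DAY = TimePeriod("AllDay", ALL_DAYS, "00:00", "24:00")

# The three rules from the ACL Summary example. The ranges for the second and
# third rule are assumptions; the page only gives the AllEmployees range.
EXAMPLE_RULES = [
    Rule("AllEmployees", "allow", WEEKEND, "within", "ip", ["192.168.1.100-192.168.1.255"]),
    Rule("LunchHourStaff", "allow", LUNCHTIME, "within", "ip", ["192.168.1.120-192.168.1.130"]),
    Rule("HourlyEmployees", "deny", LUNCHTIME, "outside", "ip", ["192.168.1.120-192.168.1.140"]),
]
# The blanket block from the text: deny the whole LAN range at all times.
BLANKET_BLOCK = Rule("BlanketBlock", "deny", ALL_DAY, "within", "ip", ["192.168.1.100-192.168.1.255"])

# Assumed dates for the three scenarios (2024-06-08 is a Saturday, 2024-06-10 a Monday).
SATURDAY = datetime(2024, 6, 8, 12, 15)
MONDAY_LUNCH = datetime(2024, 6, 10, 12, 15)
MONDAY_AFTER = datetime(2024, 6, 10, 13, 15)

if __name__ == "__main__":
    hourly, other = {"ip": "192.168.1.125"}, {"ip": "192.168.1.150"}
    for label, when in (("Saturday 12:15", SATURDAY), ("Monday 12:15", MONDAY_LUNCH), ("Monday 13:15", MONDAY_AFTER)):
        print(label, decide(EXAMPLE_RULES, when, hourly), decide(EXAMPLE_RULES, when, other))
    # Order matters: placed last, the blanket rule only catches what nothing allowed;
    # placed first, it denies everyone, even on the weekend.
    print(decide(EXAMPLE_RULES + [BLANKET_BLOCK], MONDAY_AFTER, other))
    print(decide([BLANKET_BLOCK] + EXAMPLE_RULES, SATURDAY, other))
```

The last two calls make the priority point concrete: the same blanket deny rule is harmless at the bottom of the list and locks everybody out at the top, which is exactly what the up and down arrows on the ACL Summary page control.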

Links

Squid Proxy website

Banner Ad and Pop-up Blocker



Overview

Banner Ad and Pop-up Blocker Information

Description: The software blocks banner ads and popups at the gateway.
Package Name: cc-privox
Configuration Page: Software > Proxy and Filtering > Web Proxy

The software filters cookies, ads, banners, pop-ups, and other unwanted Internet content.

Configuration

If you use CommGate server as a gateway, you can configure the banner ad blocker in transparent mode. In other words, it is not necessary to change the settings for all the web browsers on the PCs on your network.

  • Step 1 - Install the required Web Proxy server
  • Step 2 - From Web Proxy's web-based administration page, set the proxy to transparent mode.
  • Step 3 - From Banner Ad administration page, enable banner ad blocker integration.



Links

Privoxy Home Page

Content Filter

Overview

Content Filter Information

Description: A smart and robust web content filter.
Package Name: cc-dansguardian-av
Configuration Page: Software > Proxy and Filtering > Content Filter

The content filtering software blocks inappropriate websites from the end user. The software can also be used to enforce company policies; for instance, blocking personal webmail sites like Hotmail can decrease lost productivity at the office.

The filter engine uses a variety of methods including phrase matching, URL filtering and black/white lists. Although the filter works effectively out of the box, for best results we recommend subscribing to a service level that includes the Content Filter Update service (see Services below). By keeping your blacklist up to date, you provide your LAN with the most effective blocking against the churn of sites that change daily.

Services

New sites appear, old sites disappear and current sites move around. By enabling the Content Filter Updates service, you will receive regular updates to the filter lists. See website for more details.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

The web-based administration tool gives you access to a number of configuration settings. The filter must be run in parallel with the Web Proxy server.

It is important to understand the implications of running the content filter with a web proxy server configured to run in standard mode.

Standard Mode

In standard mode, the web proxy listens on port 3128 and the content filter on port 8080. You must change the settings of every web browser on the local network to point at one of these ports in order to use the proxy or filtering services. If users have the technical knowledge and can reach the browser settings on their machine, they can bypass the proxy and filter and reach the Internet directly, unless the firewall also blocks direct outbound web traffic (port 80) from the LAN so that only the gateway may connect out.

Transparent Mode

In transparent mode, all plain HTTP requests from the local network are automatically redirected through the web proxy cache. The settings on the local machines do not need to be changed, and the proxy cannot be bypassed by changing browser settings. This is the preferred configuration. Note that transparent interception applies to plain HTTP only: HTTPS connections are not intercepted and therefore not filtered (see the Web Proxy section below).

Content Filter Update Service

If you have a subscription to the "Content Filter Blacklist Update" service, you can check to make sure the update service is active. If the update service is activated, you will see a screen capture similar to that shown below.

Image:filtering_and_proxying-ss_content_filter_activated.png

Updates are fetched automatically approximately once a week.

Configure Advanced Filtering

Banned File Extensions / Banned MIME Types

Banned File Extensions

Banning specific file extensions is a useful tool for limiting the content available to users on the LAN. It also greatly reduces the chance of users unwittingly downloading and running arbitrary code from the Internet that could contain viruses, spyware or other malicious code.

Image:filtering_and_proxying-ss_content_filter_extensions.png

By checking the box next to an extension, you disallow filtered users from fetching that file type. If the extension you wish to block is not in the list, add it with the "Add a new extension type" form. Note that this check looks only at the file name in the URL, so a server can serve the same content under another name; pair it with the Banned MIME Types setting below.

Banned MIME Types

Similarly, the MIME type of a response tells the browser which application or plug-in should handle the content, and security flaws in those applications can be used to compromise a computer. Responses whose MIME type is checked in the "Banned MIME Types" form are not passed through the filter to the requesting computer on the LAN, providing a more secure environment. Because the MIME type is taken from the server's Content-Type header, this check applies regardless of the file name in the URL.

Banned Site List / Exempt Site List

Banned Site List

Sites entered in the "Banned Site List" will be banned regardless of the site's content or whether the site appears on one of the blacklists.

Exempt Site List

Sites entered in the "Exempt Site List" will be allowed regardless of the site's content. Use this form if content on a site triggers a 'false positive' that you wish to override.

Banned User IP List / Exempt User IP List

If some or all of your workstations use static IP addresses, you can configure individual workstations' access to the web.

Banned User IP List

Here you can configure LAN IP addresses that will be completely blocked from accessing the web. You can either add IP addresses individually or add groups as defined below.

Exempt User IP List

Here you can configure LAN IP addresses that will be granted completely unfiltered access to the web. You can either add IP addresses individually or add groups as defined below.

Groups

You can configure groups of IP addresses to simplify and organize workstation access to the web. For example in an educational environment you can add all administrator/staff IP addresses to a Staff group and add them to the Exempt User IP List.

Weighted Phrasing

The content filter system uses phrase lists to calculate a score for every web page. You can fine tune your content filter scoring by specifying which phrase lists to use.

In general you will want the phrase lists you select here to correspond with the blacklists you are using. At a minimum you will want to include the proxies phraselist to prevent your users from bypassing the filter.

Note that more weighted phrases activated for the content filter mean that the filter will take more time to look at each page. It is recommended that if you are using a low powered server, you limit the number of weighted phrase lists you use and instead use more blacklists.

If you have problems with some of the phraselists - that they're either blocking too strictly or not enough, please send information to phrasemaster AT dansguardian DOT org.

Blacklists

The content filter system uses black lists to block specific web sites. You can fine tune your content filter black lists by specifying which lists to use. Note that these lists are updated weekly by the Content Filter Update Service if you have subscribed to that service.

If you have problems with some of the blacklists - they either block too strictly or not enough - please submit your changes in the following form.

Configure Filter

Language - If your native language is supported by the DansGuardian content filter, you can configure the filter to use it when displaying block reports and error messages to your users.

Sensitivity Level - The sensitivity level is an arbitrary scale that allows coarse adjustment of the phrase filter. Increasing the sensitivity level lowers the score a page needs to reach to be blocked, so fewer bad phrases/words cause the filter to block a page.

PICS Level - An Internet standard for rating web content. This setting is of minor significance because sites rate themselves, so the rating cannot be relied upon. As a general rule, the recommendation is to disable it.

Reporting Level - Five options are available to customize what a user 'sees' when the filter blocks a page:

  • Stealth Mode - The site is not blocked; the user's IP and the site are logged (/var/log/dansguardian/access.log)
  • Access Denied - The user's browser receives an 'Access Denied' message in place of the web page.
  • Short Report - A short error message 'bubble' is displayed, like the one below

Image:filtering_and_proxying-ss_content_filter_block_msg.png

  • Full Report - Same as above, but the weighted limit and actual value will be displayed (useful for fine-tuning the system).
  • Custom Report - Uses the customizable HTML template located at /etc/dansguardian/languages/[language] where language is the language you have selected in the setting above. The HTML template file is template.html and the default en_US language folder is /etc/dansguardian/languages/ukenglish.

Block IP Domains - Prevents users from circumventing the URL-based portion of the filter by using IP addresses instead of host names. Pages are still filtered by the other mechanisms: weighted phrases, MIME types, file extensions, etc.

Blanket Block - Most restrictive setting. All sites will be blocked with the exception of those listed in the exempt list. Useful for kiosks/public terminals where a browser is used to access a company site etc.
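As an added, simplified model (not DansGuardian's code, and not necessarily the order in which DansGuardian itself applies its lists), the following Python function shows how the settings described above combine into a single allow/block decision for one request: the exempt and banned site lists, Block IP Domains, banned file extensions, banned MIME types, weighted phrase scoring against a threshold, and the Blanket Block switch. The sites, phrase weights and sample pages are constructed for the example, and the score_limit field stands in for the threshold that the Sensitivity Level adjusts.

```python
import ipaddress
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class FilterConfig:
    banned_sites: set = field(default_factory=set)
    exempt_sites: set = field(default_factory=set)
    banned_extensions: set = field(default_factory=set)   # lowercase, with the dot
    banned_mime_types: set = field(default_factory=set)
    weighted_phrases: dict = field(default_factory=dict)  # phrase -> weight (+ bad, - good)
    score_limit: int = 50        # threshold the Sensitivity Level adjusts (assumed value)
    block_ip_domains: bool = True
    blanket_block: bool = False


@dataclass
class Verdict:
    blocked: bool
    reason: str
    score: int = 0


def site_listed(host: str, sites: set) -> bool:
    """A list entry matches the host itself and any subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in sites)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phrase_score(text: str, weights: dict) -> int:
    """Simplified weighted phrasing: each listed phrase found in the page adds
    its weight once. Negative weights let 'good' phrases offset bad ones."""
    text = text.lower()
    return sum(w for phrase, w in weights.items() if phrase.lower() in text)


def check_request(url: str, content_type: str, body: str, cfg: FilterConfig) -> Verdict:
    """Decide one request. The order is illustrative: exemptions first, then
    the cheap name-based checks, then the content scan."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if site_listed(host, cfg.exempt_sites):
        return Verdict(False, "exempt site (unfiltered)")
    if cfg.blanket_block:
        return Verdict(True, "blanket block: site not in exempt list")
    if site_listed(host, cfg.banned_sites):
        return Verdict(True, "banned site")
    if cfg.block_ip_domains and is_ip_literal(host):
        return Verdict(True, "IP address used instead of a host name")
    ext = posixpath.splitext(parts.path)[1].lower()      # query string is not part of the path
    if ext in cfg.banned_extensions:
        return Verdict(True, f"banned file extension {ext}")
    mime = content_type.split(";")[0].strip().lower()     # drop charset and other parameters
    if mime in cfg.banned_mime_types:
        return Verdict(True, f"banned MIME type {mime}")
    score = phrase_score(body, cfg.weighted_phrases)
    if score >= cfg.score_limit:
        # What a 'Full Report' shows the user: the limit and the actual value.
        return Verdict(True, f"weighted phrase limit of {cfg.score_limit} exceeded, value {score}", score)
    return Verdict(False, "allowed", score)


# Constructed configuration for the example (not real lists or sites).
EXAMPLE_CFG = FilterConfig(
    banned_sites={"badsite.example"},
    exempt_sites={"intranet.example"},
    banned_extensions={".exe", ".scr", ".pif"},
    banned_mime_types={"application/x-msdownload"},
    weighted_phrases={"free warez": 30, "casino": 20, "poker": 15, "chess club": -10},
    score_limit=50,
)

if __name__ == "__main__":
    for url, ctype, body in (
        ("http://intranet.example/casino", "text/html", "casino poker free warez"),
        ("http://files.example/setup.EXE?dl=1", "application/octet-stream", ""),
        ("http://files.example/download?id=7", "application/x-msdownload; charset=binary", ""),
        ("http://news.example/gambling", "text/html", "Casino night: poker and free warez!"),
        ("http://club.example/", "text/html", "The casino ran a chess club evening"),
    ):
        print(url, check_request(url, ctype, body, EXAMPLE_CFG))
```

Two details in the function are the ones that matter in practice: the extension is taken from the URL path only, so `setup.EXE?dl=1` is still caught, and the MIME check uses the server's Content-Type header, which is why it catches a download served from a URL with no tell-tale extension at all.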

Troubleshooting

Web Sites Are Not Rendering Properly

Many web pages will pull elements of the page (images, scripts, etc.) from many different web servers. Some of these servers may get blocked by the content filter, but the rest of the web page will pass through just fine. The result can look like a broken web page. Example: the Yahoo web site pulls graphics from their yimg.com servers (owned by Yahoo). You can find a lot of pornography on the yimg.com servers, so it will often get listed in blacklists.

Web browsers provide a quick way to view all the elements on a web page. In Firefox, for example, select Tools > Page Info from the menu and then click Links to see all the page elements. This is useful when you need to whitelist a web site together with the related sites it pulls content from.

Links

DansGuardian website
URLBlacklist.com

Web Proxy



Overview

Web Proxy Information

Description: Web proxy cache server.
Package Name: cc-squid
Configuration Page: Software > Proxy and Filtering > Web Proxy

Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP. The software not only saves bandwidth and speeds up access time, but also gives administrators the ability to track web usage in the daily report.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

Configuration

General Settings

Maximum Cache Size

The maximum size on your hard disk to use for the proxy server cache.

Maximum Object Size

Any file (image, web page, PDF, etc.) above the maximum object size still goes through the proxy but is not cached. Large files (for instance, a movie file) can take up a lot of space in your proxy cache. If the cache size is 2 GB and two people happen to download 1 GB files at the same time, those two files would evict everything else in the cache. Limit the maximum object size to prevent this.

Maximum Download File Size

If you want to limit downloads of large files (for instance, movies) you can set a maximum size. Any file above this limit will get blocked.

Reset Cache

Use the reset cache button to delete all the files currently stored by the web proxy server.

Mode

Transparent Mode

With transparent mode enabled, your web proxy will intercept web traffic automatically. In this mode, it is not necessary to configure proxy server settings in your web browser. However, the nature of the web proxy protocol means there are some important limitations to consider with transparent mode:

  • User Authentication cannot be used (the browser does not know a proxy is present, so it never answers a proxy authentication challenge)
  • Secure web sites (HTTPS) do not pass through the proxy, and are therefore neither filtered nor included in the reports

If you require user authentication and/or secure web proxying, you must use non-transparent mode and configure proxy settings in your web browser. In non-transparent mode, your proxy server settings should be set to port 8080 if the content filter is in use, otherwise it should be set to port 3128.

Content Filter

The web proxy and content filter work together to filter web traffic on your network. If you plan on using the content filter, make sure this feature is enabled. If you are using non-transparent mode, make sure you update your web browser proxy settings to connect to port 8080 (content filtering).

Banner and Pop-up Filter

Enabling the banner and pop-up filter will block unwanted pop-ups and advertisements on the web.

User Authentication

With user authentication enabled, all users will require a username and password to access the web.

Web Site Bypass

In some circumstances, you may need to bypass the proxy server when it is running in transparent mode. Typically this is required for web sites that are not proxy-friendly (notably, older Microsoft IIS web servers send invalid responses that may not get through the proxy server).

Example: Tivo personal video recorders (PVRs) are unable to connect via a proxy server. Adding Tivo's network 204.176.0.0/14 to the proxy bypass list solves the issue. Keep the bypass list as short and specific as possible, since traffic to bypassed networks is neither cached, filtered nor reported.

Web Browser Configuration

In non-transparent mode, you must change the settings of every web browser on your local network. The following steps are for Internet Explorer; other browsers have similar procedures. In Internet Explorer:

  • Click on Tools in the menu bar
  • Select Internet Options
  • Click on the Connections tab
  • Click on the LAN Settings button

Image:filtering_and_proxying-squid1.png

In the Proxy Server settings box, specify your gateway's IP address (default: 192.168.1.1) and the proxy port -- 8080 if you have the content filter enabled, 3128 if you do not have the content filter enabled.

Image:filtering_and_proxying-squid2.png

Reports

The Web Proxy Report includes statistics on top sites, number of hits, usage by LAN IP address, daily traffic size, and more. You can view the report from the web-based administration tool.

FTP Proxy

From the Squid Web Proxy FAQ:

Question: Can I make my regular FTP clients use a Squid cache?

Answer: It's not possible. Squid only accepts HTTP requests.

Troubleshooting



Web Browser Settings

If you see the message "A configuration issue with your web browser settings was detected", make sure your browser settings match your proxy server configuration: no browser proxy settings in transparent mode, or the gateway address with port 8080 or 3128 (as described above) in non-transparent mode.

Secure Web Sites and Transparent Mode

Many users wonder why it is not possible to proxy secure web sites (HTTPS) in transparent mode. Here's why. When a web browser is configured with proxy server settings, it changes its behavior and talks to the proxy in a special way: for an HTTPS site it sends the proxy an HTTP CONNECT request naming the destination host and port, and the proxy opens a tunnel and relays the encrypted bytes. That is what makes it possible to send HTTPS requests through the proxy (the proxy still cannot read or cache what travels inside the tunnel).

In transparent mode, the web proxy silently hijacks the web request. The browser is completely unaware that a proxy exists and does not change its behavior, so there is no CONNECT request: the first bytes the proxy would see are the start of a TLS handshake, and the connection to the web server is already encrypted by the time the proxy gets involved!
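The difference between the two cases, as an added example (not code from the page or from Squid): the first bytes a proxy receives from a browser with explicit proxy settings are an HTTP CONNECT line naming the host, whereas the first bytes of an intercepted HTTPS connection are a TLS ClientHello. The script builds a minimal ClientHello itself (constructed, not captured from a real browser; the host names are placeholders) and classifies each kind of input. One caveat worth knowing: the server name (SNI) in a ClientHello is sent in the clear, which is what lets newer Squid releases intercept port 443 with ssl_bump; even then the proxy cannot read or cache the HTTP inside without terminating TLS itself and having every client trust its certificate authority.

```python
import os
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record with a server_name (SNI) extension.
    Constructed for this example; a real browser's hello carries far more."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry           # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # extension type 0
    body = (
        b"\x03\x03"                                      # client_version: TLS 1.2
        + os.urandom(32)                                 # random
        + b"\x00"                                        # session_id: empty
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"     # two cipher suites
        + b"\x01\x00"                                    # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes):
    """Return the SNI host name if `data` starts with a ClientHello, else None.
    The name is the only plaintext a transparent proxy can learn from it."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return None
    try:
        off = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
        off += 1 + data[off]                       # session_id
        off += 2 + struct.unpack_from("!H", data, off)[0]   # cipher_suites
        off += 1 + data[off]                       # compression_methods
        if off + 2 > len(data):
            return None                            # no extensions at all
        end = off + 2 + struct.unpack_from("!H", data, off)[0]
        off += 2
        while off + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, off)
            off += 4
            if ext_type == 0:
                # skip ServerNameList length (2) and name_type (1)
                name_len = struct.unpack_from("!H", data, off + 3)[0]
                return data[off + 5:off + 5 + name_len].decode("ascii")
            off += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def classify_first_bytes(data: bytes) -> tuple:
    """What the proxy sees at the start of a client connection:
    ('http', method, target)   plain request, explicit or intercepted
    ('connect', host, port)    tunnel request from a browser with proxy settings
    ('tls', sni)               intercepted HTTPS: already a TLS handshake
    ('unknown',)               anything else"""
    sni = sni_from_client_hello(data)
    if sni is not None:
        return ("tls", sni)
    request_line = data.partition(b"\r\n")[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        method, target = parts[0], parts[1]
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            return ("connect", host, int(port) if port.isdigit() else 443)
        return ("http", method, target)
    return ("unknown",)


# Constructed client traffic for the example (placeholder host names).
EXPLICIT_HTTPS = b"CONNECT secure.example:443 HTTP/1.1\r\nHost: secure.example:443\r\n\r\n"
PLAIN_HTTP = b"GET http://www.example/index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
INTERCEPTED_HTTPS = build_client_hello("secure.example")

if __name__ == "__main__":
    for name, raw in (("explicit", EXPLICIT_HTTPS), ("plain", PLAIN_HTTP), ("intercepted", INTERCEPTED_HTTPS)):
        print(name, classify_first_bytes(raw))
```

In the explicit case the proxy learns the host and port from the CONNECT line and can apply its ACLs before opening the tunnel; in the intercepted case all it has is a TLS handshake, and the page's point stands: the bytes are already encrypted before the proxy is involved.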

Links

Squid Proxy website