HTTP Proxy advanced configuration

Configuration of filter profiles

You can configure the filter profiles in the HTTP Proxy ‣ Filter Profiles section.

_images/filter-profiles.png

Filter profiles

You can create and configure new filter profiles to be used by user groups or network objects.

The configuration options are exactly the same as those explained in the configuration of the default profile in the chapter HTTP Proxy Service, save for one important exception: it is possible to use the default profile configuration for the different values of the filter profiles. To do this, all you need to do is to click on Use default configuration.

Filter profile per object

You can choose a filter profile for a source object. The requests coming from this object will use the chosen profile instead of the default profile. This option is useful if you want to define different security policies for different computer classrooms or groups of hosts that access through Zentyal gateway. You could have, for example, a group of computers in a public access classroom that require authentication for browsing while in the offices with private hosts general network policies will be used. Or a classroom for students where the content is filtered whilst in the teachers lounge all traffic is allowed.

You can also establish filtering policies by schedule, for example, establish stricter policies on work hours.

To add this type of configurations, you must go to the HTTP Proxy ‣ Object policy and click on Add new. Policy configuration form per object will be displayed. In each policy you can specify the network Object it will be applied to, Policy, Allowed time period and Filter profile.

_images/Zentyal_politica_objeto.png

Add a new object policy

The policies are the same as you already saw in the chapter HTTP Proxy Service; you must choose Filter if you want the Filter profile to be applied.

The Allowed time period is the time during which the profile that you are configuring will be enabled. You can define the weekly hours and days for which the policy will be enabled. During other time periods, the default configuration will be applied.

To make things easier and to avoid overlaps, you are not allowed to create different policies for the same object.

User group based filtering

You can use the user groups in access control and filtering. In order to do that first you need to enable the module Users and groups in Module status. You can create a group from the menu Users and Groups ‣ Groups and add users to the system from the menu Users and Groups ‣ Users. While you are editing a group, you can choose the users that belong to it. The configuration options for users and groups are explained in detail in chapter Directory Service (LDAP).

To define user group based filtering follow these steps; first you need to use one of the options that force Authorize as a global or network object policy. These policies ensure the proxy uses a valid user identification to allow access.

Once you are able to authenticate the users, you can also establish global group policies. These policies give control over the scope of members of a specific group and assign them filter profiles other than the default profile.

Warning

A technical limitation in the HTTP authentication protocol means you cannot apply the authentication policies if the proxy is being used in transparent mode.

The group policies are managed in the HTTP Proxy ‣ Group Policy section. These only enforce control if the user can or cannot access the web. If you wish to apply a specific filter, you must set the global policy or the object policy from which they connect to Authorize and filter.

As in the case of network object policies, you can define a Policy for this group that can be either Allow or Deny. The Time period and the Filter profile are to be applied in case the host from which the user authenticates has a filter policy or a policy has already been established in the global configuration.

_images/global-group-policy.png

Global group policy

The priority of each group policy is reflected by its position in the list (the higher on the list, the higher the priority). The priority is important because when you have users that belong to several groups, they will only be affected by the policies of the group with the highest priority.

User group based filtering for objects

Filtering policies per network objects have priority over the general proxy policy and global group policies.

In addition, if you have chosen a policy with authorisation, you can also define policies per group. As with the global group policies, these policies only affect the access and not filtering. Filtering will be determined by the policy of the object to which they belong. Likewise, the policies with authentication cannot be deployed if you’re using proxy in transparent mode.

Finally, it is important to notice that you cannot assign filtering profiles to groups in object policies. Therefore, a group will apply the filtering profile established in its global group policy, independent of the network object from which it accesses the proxy.

You can add these policies from the Group policy column, HTTP Proxy ‣ Object Policy list.

_images/object-group-policy.png

Object policies