HTTP Proxy Service

Introduction to HTTP Proxy Service

Zentyal uses Squid [1] as HTTP proxy, along with Dansguardian [2] for the content control.

[1]http://www.squid-cache.org/
[2]http://www.dansguardian.org/

HTTP Proxy configuration in Zentyal

To configure the HTTP Proxy go to Proxy HTTP ‣ General. You can define which mode you need the proxy to operate in Transparent Proxy; if you want to force the configured policies or use a manual configuration. In this case in Port you will establish the port for incoming connections. The default port will be 3128, other typical ports may be 8000 or 8080. Zentyal proxy will only accept connections that come from internal network interfaces, so an internal network address must be used for the web browser configuration.

The size of the cache will define the maximum disk space used to temporally store web contents. It is set in Cache size and it is a system administrator decision to decide the optimal value, taking into account the server’s characteristics and expected traffic.

Here the Default policy for the access to HTTP web contents through the proxy can be configured. This policy determines whether the web can be accessed and if the content filter is to be applied. You can choose one of the options below:

Allow All:
With this policy, you can allow the users to browse the web without any type of restrictions, but still have the advantages of the cache; traffic saving and better speed.
Deny All:
This policy totally denies all the access to the web. Even though it may seem not useful at a first view, given that you can achieve the same effect with a firewall rule, you can later establish particular policies to different objects, users and groups, therefore using this policy to deny by default and then choosing carefully what will be accepted.
Filter:
This policy allows the users to navigate, but activates the content filtering which can deny the access to some of the web pages requested by the users.
Authorize and.. Filter, Allow all, Deny All:
These policies are versions of the previous policies, where authentication is required. The authentication will be explained in HTTP Proxy advanced configuration.
_images/general1.png

HTTP Proxy

It is possible to select which domains won’t be stored in the cache. For example, if you have local web servers, you will not speed up the access using the cache and memory that can be used to store remote server contents is wasted. If a domain is excluded from the cache, when a request is received for this domain, the cache is ignored and only the data is forwarded from the server without storing it. These domains are defined in Cache exceptions.

After setting the global policy, more specific policies can be defined for Network objects in the menu HTTP Proxy ‣ Object Policy. Choose any of the six policies for each object; If access to the proxy from any member of the object associated with this policy occurs, it will have preference over the global policy. A network address can be contained in different objects, so it’s possible to sort the object to indicate priority. Only apply the object policy with a higher priority. There is also the possibility of defining a hour range outside which access to the network object is denied. This option is only compatible with Allow or Deny policies, not with filter policies.

_images/03-proxy.png

Object Policies

Limiting downloads with Zentyal

Another configurable characteristic with Zentyal is to limit the download bandwidth using network objects through the Delay Pools. For configuring this go to HTTP Proxy ‣ Limit bandwidth. You can represent the Delay Pools as boxes that contain a limited amount of bandwidth; they are being filled with the time, and using the network empties them. When they are completely empty, bandwidth and download speed is limited. Bearing in mind this representation, the configurable values can be tested:

Ratio:
Maximum bandwidth that can be used once the box is empty.
Volume:
Maximum capacity of the box in bytes, let’s say that the box will empty if you have transmitted this number of bytes.

With Zentyal bandwidth can be limited using two different methods; Delay Pools class 1 and class 2. The restrictions of the class 1 have priority over class 2 restrictions; if a network object does not match with any of the limitations in the rules, non will be applied.

Class 1 Delay Pools
These limit the bandwidth globally for a subnet, and allow configuration of a transferred data limit. The Maximum network size and a maximum bandwidth restriction, in Network ratio. The limitation will be activated when the data limit has been reached. These Delay Pools are a single box shared by all the network objects.
Class 2 Delay Pools
These Delay Pools have two types of boxes, a general one where, as in the Class 1 all the transmitted traffic is accumulated and one dedicated to each client. If a member of the subnet empties his box, his bandwidth will be limited to Client Ratio, but it will not affect other clients. If they empty the shared box, all the clients will be limited to the Ratio.
_images/Zentyal_delay_pool.png

Bandwidth limit

Content filtering with Zentyal

Zentyal supports web page filtering depending on the content. To do so, it is required that a global policy is set or the specific policy of each object that is accessing to be Filter or Authorize and filter.

You can define multiple filtering profiles in HTTP Proxy ‣ Filtering profiles, but if there is no specific profile for this user or object the default will be applied.

_images/proxy-filter-profiles-list.png

Filtering profiles.

Content filtering for web pages can be achieved using different methods, including heuristic filtering, MIME type, extensions, white lists and black lists, amongst others. The final decision is - whether a specific web site can be accessed or not.

The first filter to be configured is antivirus. In order to use it the Antivirus module must be installed and active. If it’s activated then HTTP traffic containing detected viruses will be blocked.

Heuristic filtering consists mainly of the analysis of the text in web pages. If the content is inappropriate (pornography, racism, violence, etc.) the filter will block access to the page. To control this process establish a threshold of more or less restrictive. This is the value to be compared with the score assigned to the site. The threshold can be set in the section Content filtering threshold. You can disable this filter by choosing the value Off. Keep in mind that this analysis can block allowed pages, which is known as a false positive. This problem can be remedied by adding the domains of this site to a whitelist, but there is always the risk of a false positive with new pages.

Also available are the File extension filtering, the MIME type filtering and the Domain filtering.

_images/04-proxy-mime.png

Filtering profile

In the tab File extension filtering select which extension will be blocked. In a similar fashion in MIME type filtering you can select which MIME types are blocked and add new ones if necessary, as with extensions.

In the tab Domain filtering the filtering configuration based on domains can be found. Selections available are:

  • Block domains specified only as IP, This option blocks the domains

    based only on the IP address and not in the domain.

  • Block not listed domains, this option blocks all the domains that

    are not present in the section Domain rules or in the categories present in Domain list files and which policy is not set to Ignore.

Next are the domain lists, where domain names can be inserted and one of these policies can be chosen:

Always allow:
Access to the domain contents will be always allowed, all the filters are ignored.
Always deny:
Access to the domain contents will never be allowed.
Filter:
Usual rules are applied to this domain. It is useful if you have activated the option Block non listed domains.
_images/05-proxy-domains.png

Domain filtering

The work of the systems administrator can be simplified if you use classified domain lists. These lists are normally maintained by third parties and have the advantage of classifying domains by categories, allowing you to choose a policy for a entire domain category. These lists are distributed as a compressed file. Once a file has been downloaded it can be incorporated into configurations and policies set for the different categories. The policies that are available for each category are the same as those used for domains and will be applied to all the domains in the category. There is an additional policy Ignore, as the name implies, this will ignore all of this category when filtering. This is the default policy for all the categories.

_images/domain-list-categories.png

Category list

Using the Advanced Security Updates in Zentyal [3], an updated database of domain categories can be automatically installed - in order to have a professional content filtering policy level.

[3]http://store.zentyal.com/other/advanced-security.html