HTTP Proxy Service¶
Introduction to HTTP Proxy Service¶
Zentyal uses Squid [1] as HTTP proxy, along with Dansguardian [2] for the content control.
[1] | http://www.squid-cache.org/ |
[2] | http://www.dansguardian.org/ |
HTTP Proxy configuration in Zentyal¶
To configure the HTTP Proxy go to Proxy HTTP ‣ General. You can define which mode you need the proxy to operate in Transparent Proxy; if you want to force the configured policies or use a manual configuration. In this case in Port you will establish the port for incoming connections. The default port will be 3128, other typical ports may be 8000 or 8080. Zentyal proxy will only accept connections that come from internal network interfaces, so an internal network address must be used for the web browser configuration.
The size of the cache will define the maximum disk space used to temporally store web contents. This value is set in Cache size and it is the system administrators’ decision to set the optimal value, taking into account the server’s characteristics and expected traffic.
The Default policy for the access to HTTP web contents through the proxy can be configured. This policy determines whether the web can be accessed and if the content filter is to be applied. You can choose one of the options below:
- Allow All:
- With this policy, you can allow the users to browse the web without any type of restrictions, but still have the advantages of the cache; traffic saving and better speed.
- Deny All:
- This policy totally denies all the access to the web. Even though it may seem not useful at first glance, given that you can achieve the same effect with a firewall rule, you can later establish particular policies to different objects, users and groups, therefore using this policy to deny by default and then choosing carefully what will be accepted.
- Filter:
- This policy allows the users to browse, but enables the content filtering which can deny the access to some of the web pages requested by the users.
- Authorize and.. Filter, Allow all, Deny All:
- These policies are versions of the previous policies, where authentication is required. The authentication will be explained in HTTP Proxy advanced configuration.
It is possible to select which domains will not be stored in the cache. For example, if you have local web servers, you will not speed up the access using the cache and the memory that can be used to store remote server contents is wasted. If a domain is excluded from the cache, when a request is received for this domain, the cache is ignored and only the data is forwarded from the server without storing it. These domains are defined in Cache exceptions.
After setting the global policy, more specific policies can be defined for Network objects in the HTTP Proxy ‣ Object Policy menu. Choose any of the six policies for each object; If access to the proxy from any member of the object associated with this policy occurs, it will have preference over the global policy. A network address can be contained in different objects, so it is possible to sort the object to indicate priority. Only apply the object policy with a higher priority. There is also the possibility of defining an hour range outside which access to the network object is denied. This option is only compatible with Allow or Deny policies, not with filter policies.
Blocking ads from the web¶
The HTTP proxy can block ads displayed on the web pages. This will save bandwidth and reduce distractions for the users. To use this feature, go to HTTP Proxy ‣ General and enable Ad Blocking.
The ad blocking affects all the web accesses made through the proxy.
Limiting downloads with Zentyal¶
Another configurable feature Zentyal offers is to limit the download bandwidth using network objects through the Delay Pools. To configure this go to HTTP Proxy ‣ Limit bandwidth. You can represent the Delay Pools as boxes that contain a limited amount of bandwidth; they are being filled with the time, and using the network empties them. When they are completely empty, bandwidth and download speed are limited. Bearing in mind this representation, you can configure the following values:
- Ratio:
- Maximum bandwidth that can be used once the box is empty.
- Volume:
- Maximum capacity of the box in bytes, let’s say that the box will empty if you have transmitted this number of bytes.
Zentyal allows you to limit the bandwidth using two different methods; Delay Pools class 1 and class 2. The restrictions of the class 1 have priority over class 2 restrictions; if a network object does not match with any of the limitations in the rules, non will be applied.
- Class 1 Delay Pools
- These Delay pools limit the bandwidth globally for a subnet, and allow configuration of a transferred data limit. The File size and a maximum bandwidth restriction, in Download rate. The limitation will be enabled when the data limit has been reached. These Delay Pools are a single box shared by all the network objects.
- Class 2 Delay Pools
- These Delay Pools have two types of boxes, a general one where, as in the Class 1 all the transmitted traffic is accumulated and one dedicated to each client. If a member of the subnet empties his/her box, his/her bandwidth will be limited to Client download rate, but it will not affect other clients. If they empty the shared box, all the clients will be limited to the Network download rate.
Content filtering with Zentyal¶
Zentyal supports web page filtering depending on the content. To do this global policy must be set or the specific policy of each object must be Filter or Authorize and filter.
You can define multiple filtering profiles in HTTP Proxy ‣ Filtering profiles, but if there is no specific profile for this user or object the default will be applied.
Content filtering for web pages can be achieved using different methods, including heuristic filtering, MIME type, extensions, white lists and black lists, amongst others. The final decision is - whether a specific web site can be accessed or not.
The first filter to be configured is antivirus. To use it, the Antivirus module must be installed and active. If it is enabled then HTTP traffic containing detected viruses will be blocked.
Heuristic filtering consists mainly of the analysis of the text in web pages. If the content is inappropriate (pornography, racism, violence, etc.) the filter will block access to the page. To control this process you must establish a threshold that is more or less restrictive. This is the value to be compared with the score assigned to the site. The threshold can be set in the Content filtering threshold section. You can disable this filter by choosing the value Off. Keep in mind that this analysis can block allowed pages, which is known as a false positive. This problem can be remedied by adding the domains of this site to a whitelist, but there is always the risk of a false positive with new pages.
Also the File extension filtering, the MIME type filtering and the Domain filtering options are available.
In the File extension filtering tab select which extension will be blocked. In a similar fashion in MIME type filtering you can select which MIME types are blocked and add new ones if necessary, as with extensions.
In the Domain filtering tab the filtering configuration based on domains can be found. Available sections are:
- Block domains specified only as IP, This option blocks the domains
based only on the IP address and not in the domain.
- Block not listed domains, this option blocks all the domains that
are not present in the Domain rules section or in the categories present in Domain list files and which policy is not set to Ignore.
Next are the domain lists, where domain names can be inserted and one of these policies can be chosen:
- Always allow:
- Access to the domain contents will be always allowed, all the filters are ignored.
- Always deny:
- Access to the domain contents will never be allowed.
- Filter:
- Usual rules are applied to this domain. It is useful if you have enabled the Block non listed domains option.
The work of the systems administrator can be simplified if you use classified domain lists. These lists are normally maintained by third parties and have the advantage of classifying domains by categories, allowing you to choose a policy for a entire domain category. These lists are distributed as a compressed file. Once a file has been downloaded it can be incorporated into configurations and policies set for the different categories. The policies that are available for each category are the same as those used for domains and will be applied to all the domains in the category. There is an additional policy Ignore, as the name implies, this will ignore all of this category when filtering. This is the default policy for all the categories.
Using the Advanced Security Updates in Zentyal [3], an updated database of domain categories can be automatically installed - in order to have a professional content filtering policy level.
[3] | http://store.zentyal.com/other/advanced-security.html |