HTTP Proxy Service

Zentyal uses Squid [1] as HTTP proxy, along with Dansguardian [2] for the content control.

[1]http://www.squid-cache.org/
[2]http://www.dansguardian.org/

HTTP Proxy configuration in Zentyal

To configure the HTTP Proxy, you will go to HTTP Proxy ‣ General Settings. You can define whether you want the proxy to work in Transparent mode to transparently enforce politics, or if it will have to be configured manually in the browsers. In the last case, using Port, you can stablish in which port the proxy is going to accept the incoming connections. The default port is TCP/3128, other typical ports are 8000 and 8080. Zentyal’s proxy only accepts incoming connections from the internal networks, so that’s what you have to configure in the client’s browser.

The cache size controls the amount of space in the disk you are going to use to temporarily store web content. It’s configured using Cache Size. You need a good estimation of the amount and type of traffic you are going to receive to optimize this parameter.

_images/general1.png

HTTP Proxy

It’s possible to configure which domains are not going to be stored in the cache. For example, if you have local web servers, you will not improve the access storing a cache and you will waste memory that could be used for storing remote elements. If a domain is in the cache exemption list, the data will be retrieved delivered directly to the browser. You can define this domains in Cache exemptions

Also, you may want to server some web pages directly from the original server, for the privacy of your users or just because they don’t operate correctly behind a proxy. For these cases, you can use the Transparent Proxy Exemptions.

The feature Enable Single Sign-On (Kerberos) will allow you to automatically validate the user, using the Kerberos ticket created at session log in. You can find more details of this authentication scheme at File sharing and authentication service.

Warning

If you are going to use automatic authentication with Kerberos, you have to enter the domain name of the server in the client’s browser configuration, never the IP address.

The HTTP Proxy is able to remove the advertisement from the web pages as well. This will save bandwidth and remove distractions, or even security threats. To use this feature you only have to enable Ad Blocking.

Access Rules

Once you have decided your general configuration for the proxy, you have to define the access rules. By default you will find a rule in HTTP Proxy ‣ Access Rules which allows all access. Similarly to the Firewall, the implicit rule is to deny, and the upper rule will have preference if several can apply to a given traffic.

_images/new_rule.png

New access rule in the proxy

Using the Time Period you can define in which moment the rule will apply, days of the week and hours. The default is all times.

The Source is a really flexible parameter, it allows you to configure if this rule will apply to an Object or to the members of a specific Group (remember that group access rules are only available if you are using a Non Transparent Proxy). You can also apply a rule to all the traffic going through the proxy.

Warning

Because of some limitation in DansGuardian it’s not possible to perform certain mixes of group-based rules and object-based rules. Zentyal’s interface will warn you if it detects one of this cases.

Again, similarly to the Firewall once the traffic has matched one of the rules, you have to specify a Decision, in the case of the Proxy you have three options:

  • Allow all: Accepts all the traffic without making any check, it still allows the user to have a web cache and the administrator to have an access log.
  • Deny all: Denies all the connection attempts to the web.
  • Apply filter profile: For each request, it will check that the contents don’t violate any of the filters defined in the profile, we will talk about the available filters in the next section.

Let’s study the following example:

_images/rule_example.png

Access rules example

Anyone will be able to access without any restriction during the weekends, because is the upper-most rule. At any other time, the requests coming from the ‘Marketing’ object will have to be approved by the filter defined in ‘strict_filter’, the request coming from the object ‘Developers’ will access without restrictions. The request not matching with any of this rules will be denied.

Filter profiles

You can filter web pages with Zentyal depending on their contents. You can define several filter profiles from HTTP Proxy ‣ Filter Profiles.

_images/profiles.png

Filter profiles for the different objects or user groups

If you go to the Configuration of one of this profiles, you can specify different criteria to adjust the content filters. In the first tab you can find the Threshold and the antivirus filters. To have the antivirus checkbox available you need to have the antivirus module installed and enabled.

_images/filter1.png

Filter configuration

This two filters are dynamic, which means that they will analyse any web page to find inappropriate content or viruses. The threshold can be adjusted to be more or less strict, this will influence the number of inappropriate words it will tolerate before rejecting a web page.

In the next tab Domains and URLs you can statically decide which domains will be allowed in this profile. You can Block sites specified only as IP to avoid bypassing the proxy by just typing IP addresses and you can also decide to Block not listed domains and URLs if you want to define a whitelist in the domain list below this options.

_images/filter3.png

Domains and URLs

Finally, at the bottom you have the list of rules, where you can specify which domains you want to accept or deny.

To use the Domain categories you need, in first place, to load a categorized domain list. You can load this list from HTTP Proxy ‣ Categorized list.

_images/cat_list.png

Categorized list

Once you have configured the list, you can choose which category will be denied from Domain Categories

_images/filter4.png

Blocking access to social networks

Using the two left tabs you can select which types of contents or files will be accepted by this profile, either using MIME types or file extensions. The MIME [3] types are a format identifier for Internet, for example application/pdf.

_images/mime.png

MIME type filter

As you can see in the image above, the column Allow allows you to configure whether the default behaviour will be to deny or to accept a given type.

[3]http://en.wikipedia.org/wiki/Mime_type

You will find a similar interface to configure allowed file extensions:

_images/filext.png

Blocking ‘.exe’ files

Bandwidth Throttling

Zentyal’s Proxy allows you to implement a flexible limit to control the bandwidth used by your users while browsing the web. This limit is based on the Token Bucket algorithms [4]. You have a bucket with a bandwidth reserve and a refilling speed. The emptying speed will depend on the user’s download. If the user uses the connection sensibly, the bucket will refill faster than he/she empties it, so there will be no penalization. If the user start to empty the bucket much faster than the refilling rate, it will empty and then he/she will have to settle with just the refilling speed.

For each bandwidth throttling rule you configure, you have two types of buckets available: global and per client. Each client will consume their personal buckets and everyone included in the object will consume the global bucket.

Tip

This type of algorithms are useful to allow medium size downloads, if they are not sustained over the time. For example, in an education context, you can allow to download PDFs, this will consume part of the bucket but will download at maximum speed. If an user tries to download using P2P, he/she will consume the bucket very quick.

_images/limit.png

Bandwidth Throttling

[4]http://en.wikipedia.org/wiki/Token_bucket