HTTP Proxy Service

Zentyal uses Squid [1] as HTTP proxy, along with E2guardian [2] for the content control.

[1]Squid: http://www.squid-cache.org/
[2]E2guardian: http://e2guardian.org/

HTTP Proxy configuration in Zentyal

To configure the HTTP Proxy, go to HTTP Proxy ‣ General Settings. You can define whether the proxy works in Transparent mode, transparently enforcing the established policies, or whether it has to be configured manually in the browsers. In either case, Port sets the port on which the proxy accepts incoming connections. The default is ‘TCP/3128‘; 8000 and 8080 are other common choices.

Warning

Zentyal’s proxy only accepts incoming connections from the internal network interfaces. Therefore, you must use an internal address when configuring the browser.

Another configuration option in the same section is the Cache Size, which defines the maximum disk space used to temporarily store web content. It is up to each administrator to decide what the optimal size is, taking into account the characteristics of the server and the expected traffic.

You also have the Enable Single Sign-On (Kerberos) option in this section. This feature allows your users to authenticate automatically using Kerberos tickets generated when logging into the domain. You can find more information about user authentication in the Domain Controller and Directory Services chapter.

General configuration of the HTTP Proxy


It is possible to configure which domains are not going to be stored in the cache. For example, if you have local web servers, caching their content will not improve access times and will only waste cache space that could hold remote content. If a domain is in the cache exemption list, requests to that domain bypass the cache: the data is returned directly to the client without being stored. You can define these domains in Cache exemptions.

Also, it might be interesting that certain pages are not served through the proxy, but that the client establishes the connection directly to the original server. This might be for the privacy of your users or just because the pages will not operate correctly behind a proxy. For these cases, you can use the Transparent Proxy Exemptions.

HTTP Proxy caching configuration


Warning

It is not possible to add a subdomain of a domain that is already in the list, due to a Squid limitation: a domain entry already covers its subdomains. You can read more about it here [3].

[3]Squid subdomains: https://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains

Access Rules

Once you have defined the general proxy configuration, you have to define the access rules. If you go to HTTP Proxy ‣ Access Rules, you can see that Zentyal ships with a single rule that allows all access.

Warning

As in the Firewall, a request that matches no rule is denied (so removing the shipped allow-all rule denies everything that is not explicitly allowed), and when several rules apply, the uppermost rule takes precedence.

New access rule in the proxy


Time Period:
Lets you define when the rule applies: days of the week and hours. The default is at all times.
Source:
Lets you configure whether this rule applies to the members of a Zentyal Object, to a Group of Users, or to all the traffic going through the proxy. To be able to select ‘Groups of Users‘, you must have the Domain Controller and Directory Services module configured. This feature is also only available in the Commercial Zentyal Editions.
Decision:

Again, similarly to the Firewall, once the traffic has matched one of the rules, you have to specify a Decision. In the case of Proxy, you have three options:

  • Allow all: Accepts all the traffic without any content checks. Even so, the user still benefits from the web cache and the administrator from the access log.
  • Deny all: Denies all the connection attempts to the web.
  • Apply filter profile: Zentyal will check each request with the rules defined in the profile. You can find more about the filter profiles in the next section.

Let’s see the following example:

An example of HTTP proxy access rules


Nobody can access the web during the weekend, because that is the first (uppermost) rule. On work days, requests coming from the ‘devs‘ group are allowed without restrictions. Finally, requests coming from the ‘marketing‘ group are allowed only on work days from 08:00 to 15:00, and in addition every request has to pass the filters and policies defined in the ‘Profile_Marketing‘ profile.
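The following Python snippet evaluates the three-rule table above with the same first-match, uppermost-wins semantics. It is an added illustration, not Zentyal or Squid code: the rule table, the group names and the timestamps are constructed for this example, and a request that matches no rule is denied, as the warning above states.

```python
"""First-match evaluation of proxy access rules, mirroring the three-rule
example above. Added illustration, not Zentyal code: the rule table, the group
names and the timestamps are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime

WEEKEND = {5, 6}              # datetime.weekday(): Monday is 0, Sunday is 6
WORKDAYS = {0, 1, 2, 3, 4}


@dataclass
class Rule:
    days: set                 # weekdays on which the rule applies (Time Period)
    start: str = "00:00"      # start of the daily window, inclusive
    end: str = "24:00"        # end of the daily window, exclusive
    source: str = "any"       # user group or Zentyal object; "any" matches everyone
    decision: str = "deny"    # "allow", "deny" or "profile:<name>"

    def matches(self, when: datetime, group: str) -> bool:
        hhmm = when.strftime("%H:%M")           # zero-padded, so string comparison works
        return (when.weekday() in self.days
                and self.start <= hhmm < self.end
                and self.source in ("any", group))


# Same order as in the UI: the uppermost matching rule wins.
RULES = [
    Rule(days=WEEKEND, decision="deny"),                               # nobody at weekends
    Rule(days=WORKDAYS, source="devs", decision="allow"),              # devs: unrestricted
    Rule(days=WORKDAYS, start="08:00", end="15:00", source="marketing",
         decision="profile:Profile_Marketing"),                        # marketing: filtered, office hours
]


def decide(rules, when: datetime, group: str) -> tuple:
    """Return (rule index, decision) of the first rule that matches.

    A request that matches no rule is denied (index -1), which is what the
    warning above means by "the default rule is to deny".
    """
    for index, rule in enumerate(rules):
        if rule.matches(when, group):
            return index, rule.decision
    return -1, "deny"


if __name__ == "__main__":
    saturday, monday = datetime(2024, 3, 9, 10, 0), datetime(2024, 3, 11, 10, 0)
    print(decide(RULES, saturday, "devs"))        # (0, 'deny')
    print(decide(RULES, monday, "marketing"))     # (2, 'profile:Profile_Marketing')
    print(decide(RULES, monday, "guests"))        # (-1, 'deny')
```

Because evaluation stops at the first match, moving the weekend rule below the ‘devs‘ rule would silently let developers browse at weekends; ordering is part of the policy, exactly as in the firewall.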

Filter profiles

You can filter web pages with Zentyal depending on their contents. You can define multiple filter profiles from HTTP Proxy ‣ Filter Profiles.

Filter profiles for the different objects or user groups


If you go to the Configuration of one of these profiles, you can specify different criteria to adjust the content filters. In the first tab you can find the Content filter threshold and the antivirus filters.

General configuration of a filter profile


Warning

The ‘antivirus‘ option will be available only when the Antivirus module is installed and enabled.

These two filters are dynamic, which means that they scan every web page for inappropriate content or viruses. The content filter threshold can be adjusted to be more or less strict; it determines how many inappropriate words are tolerated before a web page is rejected.

In the next tab, Domains and URLs, you can statically decide which domains are allowed in this profile. You can choose to Block sites specified only as IP, so that the filter cannot be bypassed by typing an IP address instead of a domain name. The option Block not listed domains and URLs decides whether the list of domains below behaves as a blacklist or as a whitelist, that is, whether an unlisted page is accepted or denied by default.

Configuration of Domains and URLs


Finally, at the bottom, you have the list of rules to specify the domains that you want to accept or deny.

Domains and URLs to accept or to deny


To use the Domain categories, first you need to upload a categorized domain list. You can configure the domain list for the proxy from HTTP Proxy ‣ Categorized Lists. Here you can upload a file containing a list of URLs grouped by categories, in the format used by URL filters such as SquidGuard or E2guardian [5]. For this example you can download a list of URLs from Shallalist [6].

Categorized list


Once you have configured the list, you can choose which category will be denied or allowed from the Domain Categories tab.

Managing the different categories


In the two remaining tabs you can select the types of content or files that this profile accepts, either by MIME type or by file extension. MIME types [7] are the standard identifiers for content formats on the Internet, for example application/zip.

MIME type filter


Finally, you will find a similar interface to configure downloadable file extensions through your HTTP proxy:

Blocking ‘.bat’ and ‘.bin’ files

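The static checks of a filter profile described in the Domains and URLs, file extension and MIME type tabs above can be expressed as one decision function. The following Python is an added illustration, not Zentyal or E2guardian code: the profile contents, helper names and sample URLs are constructed, and domain entries use the suffix semantics the Squid warning above describes (an entry already covers its subdomains, so the list holds no nested entries).

```python
"""Static checks of a filter profile: the Domains and URLs tab, the file
extension list and the MIME type list, evaluated in that order. Added
illustration, not Zentyal or E2guardian code; profile contents, helper
names and sample URLs are constructed for this example."""
import ipaddress
from urllib.parse import urlsplit


def is_ip_literal(host: str) -> bool:
    """True when the request names the server only by IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, entry: str) -> bool:
    """A host matches an entry when it equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    entry = entry.lower().strip(".")
    return host == entry or host.endswith("." + entry)


# Constructed profile: whitelist mode, IP-only hosts blocked, .bat/.bin and zip blocked.
PROFILE = {
    "block_ip_only": True,
    "block_unlisted": True,              # "Block not listed domains and URLs": list is a whitelist
    "domains": {"intranet.example": "allow", "example.org": "allow", "tracker.example": "deny"},
    "blocked_extensions": {"bat", "bin"},
    "blocked_mime": {"application/zip"},
}


def check_request(profile: dict, url: str, content_type: str = None) -> tuple:
    """Return ('allow' | 'deny', reason) for one request under the profile.

    content_type is the response Content-Type header, so the MIME check can
    only run once the server has answered; the other checks run on the request.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if profile["block_ip_only"] and is_ip_literal(host):
        return "deny", "ip-only host"
    listed = [d for e, d in profile["domains"].items() if domain_matches(host, e)]
    if listed:
        if listed[0] == "deny":
            return "deny", "domain listed as deny"
    elif profile["block_unlisted"]:
        return "deny", "domain not listed"
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in profile["blocked_extensions"]:
        return "deny", "extension ." + ext
    if content_type:
        mime = content_type.split(";")[0].strip().lower()   # drop "; charset=..." parameters
        if mime in profile["blocked_mime"]:
            return "deny", "mime type " + mime
    return "allow", "ok"


if __name__ == "__main__":
    for url in ("http://10.0.0.5/", "http://www.example.org/tools/setup.bat",
                "http://www.example.net/", "http://intranet.example/"):
        print(url, check_request(PROFILE, url))
```

Note that extension blocking keys on the last path segment only, so a query string or a server that serves a .bat body under a neutral filename is caught only by the MIME check on the response, which is why the two filters complement each other.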

[5]E2guardian: http://e2guardian.org/
[6]Shallalist: http://www.shallalist.de/Downloads/shallalist.tar.gz
[7]MIME: http://en.wikipedia.org/wiki/Mime_type

HTTPS block by domain

Although the proxy cannot inspect the content of HTTPS traffic, because it is encrypted, Zentyal integrates with the firewall to block outgoing packets addressed to port 443 that contain a specific domain name. A domain name can only be found in such a packet where it is still sent in cleartext, typically the Server Name Indication (SNI) of the TLS ClientHello; a client that omits SNI or uses Encrypted Client Hello therefore does not match this rule. This functionality is only available in the Commercial Zentyal Editions.

To enable this feature, go to HTTP Proxy ‣ Filter Profiles, create a new profile or edit an existing one and simply check the Block HTTPS traffic by domain box inside the Domains and URLs tab.

After saving changes, any domain that you add to the list below with the Deny decision will be blocked. You can see an example below:

Block HTTPS traffic by domain


Bandwidth Throttling

Zentyal’s proxy lets you set a flexible limit on the bandwidth your users consume. The limit is based on the token bucket algorithm [8]: each bucket holds a reserve (in our case, of bandwidth) and is refilled at a fixed rate, while the user’s downloads drain it. If the user makes reasonable use of the connection, the bucket refills faster than it is drained and there is no penalty. If the user drains the bucket much faster than the refill rate, it empties, and from then on the user has to settle for the refill rate alone.

For each bandwidth throttling rule that you configure for an object, two kinds of bucket are available: a global bucket for the whole object and a per-client bucket. Each client in the object consumes from its own bucket, and all the clients in the object also consume from the shared global bucket.

Bandwidth Throttling


In the example screenshot, each individual client of the Marketing object has a bucket of 50MB. If a client drains it completely, its web connection is limited to 30KB/s until it stops downloading for a while; starting from empty, the bucket takes about 28 minutes to fill back to 50MB (50MB at 30KB/s). The example configures no global bucket for the object.

[8]Token bucket: http://en.wikipedia.org/wiki/Token_bucket