Table of Contents

Part I     User Manual ........................................ 1
    1   Who should use this guide ............................ 1
Part II    Implementation ..................................... 2
Part III   System Requirements ................................ 4
Part IV    Installing SafeSquid ............................... 8
Part V     Test Your Installation ............................. 10
Part VI    SafeSquid Logs ..................................... 12
Part VII   SafeSquid Interface ................................ 16
    1   Active Connections ................................... 18
    2   Statistics ........................................... 20
    3   DNS Cache ............................................ 24
    4   Show Headers ......................................... 26
    5   View Cache Entries ................................... 28
    6   Connection Pool ...................................... 31
    7   Prefetch Queue ....................................... 32
    8   URL Blacklist ........................................ 34
    9   View Log Entries ..................................... 35
    10  Save Settings ........................................ 36
    11  Load Settings ........................................ 37
    12  Config Section ....................................... 39
          Basic Behaviour .................................... 40
          URL Blacklist ...................................... 45
          Access Control ..................................... 48
          Profiles ........................................... 54
          cProfiles .......................................... 59
          FTP proxy .......................................... 67
          Templates .......................................... 69
          DNS Blacklists ..................................... 75
          URL Filtering ...................................... 77
          URL redirect ....................................... 81
          Mime Filtering ..................................... 84
          Header Filtering
          Cookie Control
          Word Filtering
          Content Re-Write ................................... 96
          Content Caching .................................... 100
          Request Forwarding ................................. 105
          Internet Content Adaptation Protocol (ICAP) ........ 109
          External Parser .................................... 114
          Prefetching Embedded Objects ....................... 117
          Pornographic Image Filter .......................... 120
Part VIII  URL commands
Part IX    Multiple Proxy Configuration
Part X     Reverse Proxying
Part XI    Chain Squid with SafeSquid
Part XII   Multi-ISP networks
Part XIII  Using Profiles for granular Access Policies
Part XIV   Using Authentication for Security and Creating User Profiles
Part XV    Configuring PAM
Index
User Manual

SafeSquid Administrator's Guide
Version: 2.0
Produced on: Tuesday, October 14, 2008 :: 5:08:32 PM

Who should use this guide

SafeSquid, a Content Filtering Internet Proxy, helps you to distribute Internet Access across your enterprise network. Its vast array of features, when used wisely by a system administrator, can deliver Total Content Control and Total Access Control. SafeSquid's features have been built to serve maximum benefit when the key demands are scalability, security, and granularity.

SafeSquid is offered in various Commercial editions, besides the Free Edition. This manual is not limited to users of any specific edition of SafeSquid. This manual should help you to use each feature on your installed edition, provided your edition supports the said feature.
Implementation
The key to successful implementation of any software lies in pre-defining its use and anticipating the results. With software like SafeSquid, which has so many possibilities, it is just too easy to get lost in the myriad of options. Ideally the implementation should begin on a piece of paper, where we decide our expectations and (if possible) how we intend to verify the effectiveness of the configuration settings in meeting our REAL objectives. As they say, well planned is half accomplished!

Sample Plan

Number of proxies
- How many proxies will be implemented in the enterprise?
- The Corporate Internet Use Policy needs to be defined / modified only on the Master; all the slave installations will automatically synchronize their configuration from the Master. Which will be the Master Proxy? Note the IP & hostname of the Master Proxy to be used for Browser-based administrative access.
- Is the proxy server multi-homed? Should the Proxy listen for requests on multiple IPs & Ports?

Reverse proxying
- Web-sites require application layer security, therefore reverse proxying is used to ensure Application Layer Security. Should SafeSquid act as a Reverse Proxy for our web-server? What are the web-sites it should reverse-proxy?
- Shall we change the DNS records of the web-sites? Or shall we just change the IP / Port configuration of the web-server?

Internet connections
- The enterprise uses a variety of Internet Connection Service Providers, and each connection is judiciously used for a specific set of users or applications. Shall we use the same Internet Connection for all kinds of Internet Access? Or shall we configure SafeSquid to use different Internet Connections based on user, or nature of access?
- Will SafeSquid forward the requests to another proxy, web-cache or firewall? Does the request forwarding require any Authentication?

Virus scanning
- Virus Defence begins at the Internet Gateway. What Virus Scanner should we use? What Anti-Virus Software will be used to scan all the Internet Traffic?
- F-Prot AV / Kaspersky AV / McAfee AV offer SafeSquid compatible Daemons that can be connected ONLY via Unix Sockets. So if we use any of these AV, they must necessarily co-habit the Proxy Server.
- Sophos AV / ClamAV / Avast AV offer SafeSquid compatible Daemons that can be connected via Unix Sockets OR TCP/IP Sockets. So if we use any of these AV, we have the option of installing them on a separate box on a LAN Server OR co-habiting them with the Proxy Server. To negate the latency effects in case of heavy traffic, it may be useful to set the LAN connection to 100 Mbps or higher.
- Symantec ICAP / Trend Micro ICAP / Dr. Web ICAP offer ICAP based Scan Engines that are fully compatible with SafeSquid's ICAP client. These Engines however require good System Resources and are designed to deliver optimum performance when located on a remote server. So if we use any of these AV, we must PREFERABLY install them on a separate server.
- Since SafeSquid can be configured to use one or more Anti Virus Software simultaneously, we may explore the option of scanning the entire Internet traffic via more than one Anti Virus Software. Alternatively, should we do this multi-AV scanning only for a few chosen Applications, or people? Or shall we just do the "battle-ready implementation" that allows us to switch to any of the above Anti-Virus software in times of emergency?

Policy settings to prevent Financial & Productivity Losses due to indiscriminate use of Internet
- Shall we allow people to visit only a "white-list" of trusted web-sites & URLs? Shall we allow people to visit any web-site that is not explicitly "black-listed"? How are we going to review / modify our "white-lists" / "black-lists"?
- What are our high priority business-application web-sites? What are the security relaxations that we may permit when our users access these web-sites?
  o Pop-ups, KeyWords, Banners, ActiveX Controls, Cookies, Header Content.
- What will be our bandwidth conservation policy to access these sites?
  o MIME / File types that will be permitted to be uploaded / downloaded.
  o Speed / Volume of Uploads, Downloads.
  o Browsers or other web-clients that will be allowed to access the Internet.
- What will be our bandwidth conservation policy to access non-business-application web sites?
- Do we have to make any granular policy modification to accommodate Profiles of some VIP users / Applications / Time of Access?
  o Should we enable pre-fetching of certain or all objects for one or more profiles?
- What kinds of Log Reports need to be generated?
  o How frequently should the log reports be generated?
  o How should the log reports be viewed and accessed?
- How are we going to bench-mark the performance of the hardware / software and the Internet Connection?
  o What will be the maximum bandwidth we will utilise to accomplish each test?
System Requirements
SafeSquid - System Requirements

Windows: SafeSquid for Windows depends upon library based functions provided by native Windows ports of the technologies that SafeSquid for Linux uses. These are fulfilled by a few DLL files, detailed below, that are included in the installation package.

Linux: SafeSquid (version 4.1.1 and higher) for Linux requires Intel Architecture hardware running a Linux Kernel 2.6 or higher based operating system, properly installed, preferably with the latest updates and patches.

The minimum hardware to get SafeSquid up and running would be an i386 based computer with a Pentium III CPU, at least 128 MB of RAM and about 40G of hard disk. But that would really serve only academic interests! For reliable production class environments, it is advisable to use server class hardware.

SafeSquid now has an NPTL compatible design, generating thousands of threads to meet as many concurrent requests. In the event of un-forecast bursts of concurrent requests, SafeSquid has to open enough threads, and that may require a fast CPU. To successfully accomplish the various content filtering, caching and communication related activities, it must have enough memory. It is ideally recommended to provide about 7 to 10 MB of RAM per user for small networks. For environments having more than 100 users, even 5 to 7 MB per user should be sufficient, if we can compensate by using a faster CPU. A PIII / PIV based computer with 512 MB RAM should be adequate for a typical 20 user network; increasing the RAM to about 1G should make it serve up to 100 users. But if you are also planning to use URL Blacklists, Antivirus Software and Log Analyzers, you must naturally compensate with adequate RAM. SafeSquid by itself has a very small memory footprint, but you will always want to use one or more add-ons, compatible software, etc. So it is much better to use systems with 1G RAM or more.

Recommendations for Standard Installations

SafeSquid has a very low Total Cost of Ownership, and a very good ROI. In the long term most users prefer to extract more out of the fixed costs by increasing the derived results. It is therefore recommended to use hardware that can be scaled for RAM / CPU / NICs:

- Choose H/W that can scale for RAM / CPU, so that you may accommodate more users over a period of time.
- Use hard disks with good seek/read/write speed, to reduce latency in case you plan to use large content disk-caches.
- If you expect a large volume of traffic to be handled, it is a good idea to use a GigaBit NIC.
- To increase security, or to cater to multiple networks, it is advisable to use 2 NICs or more.
- System configurations that have easily accessible hardware drivers for Linux are absolutely preferable, and would be useful if you plan to increase redundancy by using Clusters.

Use Linux distributions that have good support for Web Servers, Perl, PHP, Caching Name Servers, etc., because a variety of Log Analyzers are now available both as closed and open source, which you will surely want to use. SafeSquid servers should not require X Windows, so basic hardening should be enough.

Sooner or later you will want to install an Antivirus to scan content being transported via SafeSquid. ClamAV is free, so at least install it, unless you are sure you prefer to be secured by a commercial vendor; in that case, choose a vendor that offers an ICAP based solution.

If you have a Microsoft Network, then sooner or later you will want authentication to work from ADS, and in any case if you are a large network you will alternatively want user authentication done from LDAP or RADIUS, or something else that is available, so definitely install the PAM libraries. And maybe also Winbind, which joins your SafeSquid server to the Windows Network.

RPMs are available for most of the software mentioned above, but quite a few are served as raw source code and must be compiled on your server. So it is always a good idea to install GCC & G++ on your SafeSquid Server.
System Libraries

Library: libbz2.so.1
Package: bzip2-libs
Description: Libraries for applications using bzip2. Libraries for applications using the bzip2 compression format.

Library: libcom_err.so.2
Package: e2fsprogs
Description: Utilities for managing the second extended (ext2) filesystem. The e2fsprogs package contains a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem, or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters), and most of the other core ext2fs filesystem utilities.

Library: libdl.so.2, libc.so.6, libm.so.6, libpthread.so.0, libresolv.so.1
Package: glibc
Description: The GNU libc libraries. The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function.

Library: (not listed)
Package: krb5-libs
Description: The shared libraries used by Kerberos 5. Kerberos is a network authentication system. The krb5-libs package contains the shared libraries needed by Kerberos 5. If you are using Kerberos, you need to install this package.

Library: libgcc_s.so.1
Package: libgcc
Description: GNU C library. The libgcc1 package contains GCC shared libraries for gcc 3.4.

Library: libgmp.so.3
Package: libgmp3
Description: A GNU arbitrary precision library. The gmp package contains GNU MP, a library for arbitrary precision arithmetic, signed integer operations, rational numbers and floating point numbers. GNU MP is designed for speed, for both small and very large operands. GNU MP is fast because it uses fullwords as the basic arithmetic type, it uses fast algorithms, it carefully optimizes assembly code for many CPUs' most common inner loops, and it generally emphasizes speed over simplicity/elegance in its operations.

Library: libstdc++.so.6
Package: libstdc++
Description: GNU Standard C++ Library. The libstdc++ package contains a rewritten standard compliant GCC Standard C++ Library.

Library: libcrypto.so.4, libssl.so.4
Package: openssl097a
Description: The OpenSSL toolkit. The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.

Library: libpam.so.0
Package: pam
Description: A security tool which provides authentication for applications. PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set authentication policy without having to recompile programs that handle authentication.

Library: libz.so.1
Package: zlib1
Description: The zlib compression and decompression library. Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs.
Installing SafeSquid
Installation Procedure:

1. Copy the downloaded safesquid.tar.gz into /usr/local/src/:

   cp safesquid-4.2.0-com20-free.tar.gz /usr/local/src/safesquid.tar.gz

2. Decompress the tar file:

   tar -xvzf safesquid-4.2.0-com20-free.tar.gz

   This creates a directory safesquid in your current working directory.

3. Change directory to safesquid:

   cd safesquid/

4. The safesquid directory contains the installation script install. Run the script:

   ./install

5. The install script asks you to select one of the following 3 options:
   Press "F" if we are doing a Fresh install
   Press "U" if we want to Update an existing installation
   Press "A" if we want to Adjust an existing conf file
   Press "F" for a fresh installation.

6. The install script checks for dependencies and displays the status. The output should be similar to:

   Checking Dependencies
   /lib/libsafe.so.2 (0xf6ffa000)
   libpam.so.0 => /lib/libpam.so.0 (0xf6fea000)
   libdl.so.2 => /lib/libdl.so.2 (0xf6fe5000)
   libpthread.so.0 => /lib/tls/i686/libpthread.so.0 (0xf6fd4000)
   libssl.so.4 => /lib/libssl.so.4 (0xf6fa0000)
   libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00bbb000)
   libm.so.6 => /lib/tls/i686/libm.so.6 (0xf6f7d000)
   libc.so.6 => /lib/tls/i686/libc.so.6 (0xf6e69000)
   libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00974000)
   /lib/ld-linux.so.2 (0x00b97000)
   libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x009e7000)
   libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b1e000)
   libcom_err.so.2 => /lib/libcom_err.so.2 (0x009e2000)
   libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00afb000)
   libresolv.so.2 => /lib/libresolv.so.2 (0xf6e55000)
   libcrypto.so.4 => /lib/libcrypto.so.4 (0x00a11000)
   libz.so.1 => /usr/lib/libz.so.1 (0x00962000)
   looks okay
   Press any key to continue

   If a missing dependency is reported, you will have to install it before you can continue. If everything is fine, press any key to continue.

7. The SafeSquid End-User License Agreement is displayed. The options are as follows:
   Press "B" / "F" to move Back / Forward
   Press "S" when you have finished reading
   Read the License Agreement, or press "S" to skip and continue. The following options are then displayed:
   Press Y if you find the End-User License Acceptable
   Press A To Read the End-User License Again
   Press N if you find the End-User License NOT Acceptable and immediately abort the Installation Process
   Press "Y" to continue.

8. From here onwards, the install script asks for about 28 configuration options. All option pages are self-explanatory and should not require you to make any changes. To change a default option, press "C". When you have made the necessary changes, press "S" to continue with the installation. You can also press "S" on the first option screen to install with the default options. (The settings can later be changed by editing the startup.conf file, which you will find in the /opt/safesquid/safesquid/init.d directory. The changes take effect the next time SafeSquid is restarted.)

9. The installation starts when you press "S". It pauses a few times to display the status and ask for confirmation. When the installation is complete, the following message is displayed:
   Press "S" if you would like to start your safesquid now
   Press any other key to simply exit
   Press "S" to start SafeSquid. You should get the following message:

   1. safesquid started with PID: 9659 ... ssquid is NOT LISTENING on :8080 ...
   2. safesquid started with PID: 9659 ... ssquid is LISTENING on 192.168.0.30:8080 ... Process IS RUNNING

So, your SafeSquid is installed and running. Now, to access the SafeSquid Interface, point the proxy setting in the browser to the SafeSquid Server's IP:PORT, e.g. 192.168.0.30:8080, and access the URL http://safesquid.cfg
Test Your Installation

Check that the SafeSquid process is running. The process listing output should be quite like:

   ssquid 11533 81.2 33.1 1750524 1372096 ? Sl Oct13 973:01 /opt/safesquid/safesquid/safesquid
   root 29005 0.0 0.0 2852 704 pts/0 R+ 10:51 0:00 grep safesquid

Check that SafeSquid is listening on its port and accepting client connections. The output should be quite like:

   tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11533/safesquid
   tcp 0 0 10.0.0.5:8080 192.168.10.152:3238 SYN_RECV
   tcp 0 0 10.0.0.5:8080 192.168.10.29:1167 SYN_RECV
   tcp 0 0 10.0.0.5:8080 192.168.10.127:1677 SYN_RECV
   tcp 0 0 10.0.0.5:8080 192.168.50.15:1864 SYN_RECV
   tcp 0 0 10.0.0.5:8080 192.168.10.122:2496 TIME_WAIT
   tcp 0 253 10.0.0.5:8080 192.168.10.18:1192 FIN_WAIT1
   tcp 0 0 10.0.0.5:8080 192.168.10.132:1342 ESTABLISHED 11533/safesquid
   tcp 1 0 10.0.0.5:8080 192.168.50.4:4999 CLOSE_WAIT 11533/safesquid

Check that requests are being recorded in the native log. The output should be quite like:

   2008 10 14 10:54:17 [691984] request: GET http://www.ingentaconnect.com:80/css/size14.css
   2008 10 14 10:54:17 [692021] network: allowed connect from 192.168.10.10 on port 8080
   2008 10 14 10:54:17 [692021] security: PAM authentication succeeded for mlpbs
   2008 10 14 10:54:17 [692021] network: binding outgoing connection to 10.0.0.11
   2008 10 14 10:54:17 [690705] request: GET http://www.allbusiness.com:80/asset/image/icon/2984516.gif
   2008 10 14 10:54:17 [691736] request: GET http://www.contentlinks.asiancerc.com:80/scwm/images/arrow_down.gif
   2008 10 14 10:54:17 [692013] network: 192.168.10.122 disconnected after making 2 requests
   2008 10 14 10:54:17 [691763] network: binding outgoing connection to 10.0.0.21
   2008 10 14 10:54:17 [692022] network: allowed connect from 192.168.10.29 on port 8080
   2008 10 14 10:54:17 [692021] request: CONNECT login.yahoo.com:443
   2008 10 14 10:54:17 [692005] request: GET http://www3.interscience.wiley.com:80/journal/104086741/abstract?CRETRY=1
   2008 10 14 10:54:17 [692005] network: 192.168.50.12 disconnected after making 1 requests
   2008 10 14 10:54:17 [692023] network: allowed connect from 192.168.50.12 on port 8080

Check the sockets held open by the SafeSquid processes. The output should be quite like:

   COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
   safesquid 18934 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
   safesquid 18934 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED)
   safesquid 18934 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT)
   safesquid 18936 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
   safesquid 18936 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED)
   safesquid 18936 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT)
   safesquid 18937 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
SafeSquid Logs
SafeSquid produces logs in three distinct formats. We traditionally name them access.log (Access Log Format), extended.log (NCSA / Extended log format) and safesquid.log (Native Log Format). The paths to the log files, and the soft links created during installation, are as follows:

Log File        Path                                        Soft Link
access.log      /var/log/safesquid/safesquid/access/        /opt/safesquid/safesquid/logs/access/
safesquid.log   /var/log/safesquid/safesquid/native/        /opt/safesquid/safesquid/logs/native/
extended.log    /var/log/safesquid/safesquid/extended/      /opt/safesquid/safesquid/logs/extended/
Access Log

The access.log has been the traditional favorite, because it can be used by a variety of log analyzers like Calamaris, SARG, Squint, SquidTailD, etc. The reports produced by these log analyzers reveal useful details of the overall usage and the pattern of access of the application.

Access Log fields:

   start_time_in_seconds.milliseconds elapsed_time client cachecode/status size method url username peercode/peer mime

Example:

   1189403858.675 654 192.168.0.21 TCP_MISS/200 246 GET http://ds.ds3ps.co.uk:80/refer/surebrowse/operator/chat-server.xml?time=1189404101675 sudipta DIRECT/ds.ds3ps.co.uk text/xml

The details of the fields in access.log are as follows:

Time
   UNIX time stamp as Coordinated Universal Time (UTC) seconds with a millisecond resolution.
Elapsed Time
   Length of time in milliseconds that the cache was busy with the transaction. The information is logged after the reply has been sent, not during the lifetime of the transaction.
Client
   IP address of the requesting host.
Cachecode/Status
   Two entries separated by a slash. The code specifies the result of the transaction: the kind of request, how it was satisfied, or in what way it failed. The second entry contains the HTTP result code.
Bytes
   Amount of data delivered to the client. This does not constitute the net object size, because headers are also counted. Also, failed requests may deliver an error page, the size of which is also logged here.
Method
   Request method to obtain an object, e.g. GET, POST, CONNECT.
URL
   URL requested.
Username
   Authenticated username.
Peerstatus/Peerhost
   Two entries separated by a slash. The first entry represents a code that explains how the request was handled, for example by forwarding it to a peer, or returning the request to the source. The second entry contains the name of the host from which the object was requested. This host may be the origin site, a parent, or any other peer. Also note that the host name may be numerical.
Mime
   Mime type of the object.
Extended Log The extended.log (NCSA / Extended log format) records maximum details of each request handled by the proxy application. Log Analyzers like Sawmill can generate analysis reports using the extended log, and give lots more information, than the ones using access.log.
FORMAT:

   "UNIQUE_RECORDID" ELAPSED_TIME_IN_MSEC CLIENT_IP "USER_NAME" "CLIENT_CONNECTION_ID" [DATE_TIME_OF_REQUEST] "METHOD URL" "HTTP_STATUS_CODE" BYTES_TRANSFERRED "REFERRER_URL" "USER_AGENT" MIME_TYPE "FILTER_NAME FILTERING_REASON" "COMMA_SEPARATED_LIST_OF_PROFILES_APPLIED" "INTERFACE_IP:INTERFACE_PORT"

Example:

   "1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" [05/Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates?run_as=check_updates&protocol=1" 200 750 "-" "FPAV_Update_Monitor/3.16f (Windows; WINNT; 2000 Professional; SP4)" text/plain "- -" "-" "192.168.0.221:8080"

The details of the fields in extended.log are as follows:

Unique Record ID
   A unique record identifier, to prevent duplication of records when imported into SQL databases. Here in e.g. 1215419711.460.
Elapsed time in milliseconds
   Elapsed time of the request, in milliseconds.
Client IP
   The IP address of the requesting client.
User name
   The username (or user ID) used by the client for authentication. If no value is present, "anonymous" is substituted.
Client connection ID
   The internal SafeSquid ID associated with this connection.
Date & time of request
   The date and time stamp of the HTTP request. The fields in the date/time field are [dd/MMM/yyyy:hh:mm:ss +-hhmm], where dd is the day of the month, MMM is the month, yyyy is the year, hh is the hour, mm is the minute and ss is the seconds.
Method URL
   The HTTP request. The request field contains three pieces of information. The main piece is the requested resource. The request field also contains the HTTP method.
HTTP status code
   The status code is the numeric code indicating the success or failure of the HTTP request.
Bytes Transferred
   A numeric field containing the number of bytes of data transferred as part of the HTTP request, not including the HTTP header. E.g. 750.
Referrer URL
   The referrer is the URL of the HTTP resource that referred the user to the resource requested. "-" is substituted when there is no referrer.
User agent
   An HTTP client that makes HTTP requests. It is customary for an HTTP client, such as a Web browser, to identify itself by name when making an HTTP request. It is not required, but most HTTP clients do identify themselves by name.
Mime type
   MIME-type of the requested object. E.g. text/plain.
Filter name & Filtering reason
   If the request gets blocked, this field contains the name of the filter and the reason for which the request was blocked. "- -" is substituted when there are no blocks.
Comma separated list of profiles applied
   Comma separated list of profiles that were applied to the request. "-" is substituted when no profiles are applied.
Interface IP:Interface port
   IP:PORT that received the request. This can be important when SafeSquid is listening on multiple IPs or Ports.
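The following is an added example, not part of the SafeSquid guide, showing how the two line formats described above (access.log and extended.log) can be parsed into fields and tallied, which is the starting point of any log review. The access.log and the first extended.log sample are the guide's own example lines re-joined onto one line each; BLOCKED_SAMPLE is a constructed line whose filter name, reason and profile names are made up to show the "FILTER_NAME FILTERING_REASON" and profile fields in use.

```python
import re
import shlex
from collections import Counter
from datetime import datetime, timezone

# Guide's own example lines, re-joined onto one line each.
ACCESS_SAMPLE = (
    "1189403858.675 654 192.168.0.21 TCP_MISS/200 246 GET "
    "http://ds.ds3ps.co.uk:80/refer/surebrowse/operator/chat-server.xml?time=1189404101675 "
    "sudipta DIRECT/ds.ds3ps.co.uk text/xml"
)
EXTENDED_SAMPLE = (
    '"1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" '
    '[05/Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates?'
    'run_as=check_updates&protocol=1" 200 750 "-" '
    '"FPAV_Update_Monitor/3.16f (Windows; WINNT; 2000 Professional; SP4)" '
    'text/plain "- -" "-" "192.168.0.221:8080"'
)
# Constructed line (filter name, reason and profile names are invented) showing a blocked request.
BLOCKED_SAMPLE = (
    '"1191586600.100-9-192.168.0.221-8080" 12 192.168.0.150 "sudipta" "9" '
    '[05/Oct/2007:17:46:41] "GET http://example.invalid/ads/banner.gif" 403 512 "-" '
    '"Mozilla/4.0" text/html "url_blacklist example-reason" "default,staff" "192.168.0.221:8080"'
)

# access.log: whitespace separated, with two slash-joined pairs (cachecode/status, peercode/peer).
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<cachecode>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peercode>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def parse_access_line(line):
    """Split one access.log line into typed fields; raises ValueError on a malformed line."""
    m = ACCESS_RE.match(line.strip())
    if m is None:
        raise ValueError("not an access.log line: %r" % line)
    d = m.groupdict()
    return {
        "time_utc": datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc).isoformat(),
        "elapsed_ms": int(d["elapsed"]),
        "client": d["client"],
        "cachecode": d["cachecode"],
        "status": int(d["status"]),
        "size": int(d["size"]),          # bytes delivered, headers included
        "method": d["method"],
        "url": d["url"],
        "user": d["user"],
        "peercode": d["peercode"],
        "peer": d["peer"],
        "mime": d["mime"],
    }


# extended.log: the 15 fields of the FORMAT line, in order.
EXTENDED_FIELDS = (
    "record_id", "elapsed_ms", "client", "user", "conn_id", "timestamp",
    "request", "status", "bytes", "referrer", "user_agent", "mime",
    "filter", "profiles", "interface",
)


def parse_extended_line(line):
    """Split one extended.log line; shlex honours the double-quoted fields (user agent, request, ...)."""
    tokens = shlex.split(line)
    if len(tokens) != len(EXTENDED_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(EXTENDED_FIELDS), len(tokens)))
    rec = dict(zip(EXTENDED_FIELDS, tokens))
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])     # body bytes only, headers excluded
    rec["timestamp"] = rec["timestamp"].strip("[]")
    rec["method"], _, rec["url"] = rec["request"].partition(" ")
    rec["blocked"] = rec["filter"] != "- -"          # "- -" means no filter acted
    rec["profiles"] = [] if rec["profiles"] == "-" else rec["profiles"].split(",")
    return rec


def summarize_extended(lines):
    """Per-user body bytes and blocked-request counts over a batch of extended.log lines."""
    bytes_by_user = Counter()
    blocked_by_user = Counter()
    for line in lines:
        rec = parse_extended_line(line)
        bytes_by_user[rec["user"]] += rec["bytes"]
        if rec["blocked"]:
            blocked_by_user[rec["user"]] += 1
    return dict(bytes_by_user), dict(blocked_by_user)


if __name__ == "__main__":
    print(parse_access_line(ACCESS_SAMPLE))
    print(summarize_extended([EXTENDED_SAMPLE, BLOCKED_SAMPLE]))
```

The regular expression for access.log is strict on purpose: a line that does not match is rejected rather than silently mis-assigned, which matters when the output feeds a report or a SQL import as the guide suggests for the Unique Record ID.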
Native Log This is SafeSquid's native log format. It records various functional aspects like REQUESTS, SECURITY, REDIRECT etc. that are effected by the various features and their configuration. You can control the verbosity of the Native log by specifying LOGLEVEL, as shown in the table below. The LOGLEVEL parameter affects only the SafeSquid's Native log.
Value      Process logged
1          Requests
2          Network
4          URL filtering
8          Header filtering
16         Mime filtering
32         Cookie filtering
16384      Forwarding
32768      Config synchronization
65536      Antivirus
131072     External parsers
262144     ICAP
524288     DNS blacklist

Further processes logged, whose values are not shown here: URL blacklist, URL commands, Modules, Security, Warnings, Errors, Profiles, Debug. (The values for rewriting, limits, caching and debug are given in the text below.)
So, if you wish to record only the requests set LOGLEVEL to 1, if you wish to record only caching related activities set LOGLEVEL to 2048. If you wish to record all the three activities of rewriting, limits and forwarding, you would simply set LOGLEVEL to 512 + 1024 + 16384 i.e. 17920. Similarly, if you wished to view absolutely everything (and run the risk of generating a very huge log file in a very short time!), you could set LOGLEVEL to a total of all the values in the table, i.e. 134217727 which is also the default LOGLEVEL if you simply comment the LOGLEVEL specification!. If you wished to produce just debug logs you should set the LOGLEVEL to 134217728. If you wished to record all activities and debug information, you should set the LOGLEVEL to 268435455. NOTE: Adjusting this value requires a restart of SafeSquid service.
Log rotation
There obviously needs to be a control on log file size. The SafeSquid executable cannot start if the size of any of the log files exceeds 2147483648 bytes (2GB). The parameter sets the maximum size in bytes for a log file, exceeding which the logrotate command (/etc/init.d/safesquid logrotate) will automatically truncate and compress all three types of log files. The same command can also be run manually to rotate your logs in case any situation demands it.
SafeSquid Logs
SafeSquid Interface
SafeSquid has a Browser based User Interface that allows users to configure various features in accordance with their respective Corporate Internet Usage Policies. To configure or change the configuration, you must have access to the SafeSquid Management Interface. To access the Interface, you must configure your web-browser to use the SafeSquid proxy server. For example, if you have set up SafeSquid to listen on IP 192.168.0.130 on port 8080, then you should configure your web-browser to use the proxy at 192.168.0.130 on port 8080. Now you should be able to access the User Management Interface with the URL http://safesquid.cfg
Note: To set the IP and Port in Internet Explorer, open the Web Browser, go to Tools Menu --> Internet Options --> Connections --> LAN Settings --> select the Use Proxy server option in the dialogue box, then specify your proxy server's IP in the Address option and the Port (Default 8080). You should now be able to access the URL http://safesquid.cfg to configure various Features as well as monitor them from the same window.
Mozilla users should open the Web Browser, go to Tools Menu --> Options --> Connection settings --> select Manual Proxy Configuration --> specify your Proxy server's IP in the HTTP Proxy option and the Port (Default 8080). You should now be able to access the URL http://safesquid.cfg to configure various Features as well as monitor them from the same window.
Most features of SafeSquid can be set using this SafeSquid Management Interface. The Top Menu gives you the links and access to various features & functions, as shown in the image below. This image displays the main page of the Browser based SafeSquid Management Interface available with SafeSquid.
7.1 Active Connections
'Active connections' displays all the active connections being handled by the SafeSquid proxy server at a particular instant. The image below shows the page that is displayed when the user clicks on the Active Connections link.
The 'Active connections' page has two sub-sections - Transferring and Client Pool. The Transferring subsection illustrates the requests being fulfilled at a particular instant, and the Client Pool subsection shows all the requests that are waiting in the queue at the very same instant, i.e. the requests which are waiting to acquire a physical connection.
Figure: 'Transferring' & 'Client Pool' sub-sections
Client ID: An auto generated identification number, which is generated for every request made by a client.
IP: The IP address of the machine in the network that made the request to fetch the desired web page.
Requests: The total number of requests made by clients, which can be helpful to identify the load per requested URL/Domain.
Method: The HTTP Method, like GET, POST, CONNECT etc. Details: GET is basically for just getting (retrieving) data. POST involves things like storing or updating data, ordering a product, or sending E-mail. CONNECT is often used with a proxy that can change to being a Secure Sockets Layer tunnel; CONNECT is used for https requests.
URL: The current URLs that are requested, as well as served.
Idle: The time for which a request has been lying idle in the queue, waiting to get served.
7.2 Statistics
This displays Statistics on the basis of real time data, with reference to various parameters like System, Requests, Network, DNS cache, Cache, Cache refresh, Connection pool, Hosts, Mimes, Users and IP addresses.
System
The System subsection displays information with respect to usage of system resources.
User time: Displays the total amount of CPU time, in seconds, that SafeSquid has used. User time is CPU time spent executing the user program, rather than in kernel system calls. User time is displayed in HH:MM:SS:ms.
System Time: Total CPU time, in seconds, that is used in making the kernel / system calls to service SafeSquid. Units are in HH:MM:SS:ms format. Note: The resource usage statistics depend on a 1:1 thread model. Due to the limitations of the APIs used to gather this information, using other thread libraries may result in inaccurate statistics.
Memory resident: The amount of memory used by memory resident processes of SafeSquid. These are TSRs, i.e. Terminate and Stay Resident processes. For example, URL Blacklist loads URL Blacklists into memory and remains in memory till we shut down SafeSquid. Details: Memory resident means permanently in memory. Normally, a computer does not have enough memory to hold all the programs you use when you want to run a program. Therefore, the operating system is obliged to free some memory by copying data or programs from main memory to a disk. This process is known as swapping. Certain programs, however, can be marked as being memory resident, which means that the operating system is not permitted to swap them out to a storage device; they will always remain in memory.
Memory Shared: The amount of memory that is occupied by shared libraries like libstdc++, so3, libpam. This may increase or decrease depending upon Add-on modules or other software that we use in conjunction with SafeSquid. Details: Shared memory refers to a (typically) large block of Random Access Memory that can be accessed by several different central processing units (CPUs) in a multiple-processor computer system.
Minor Page faults: Gives the total number of minor page faults since the startup of the SafeSquid processes.
Major Page faults: Represents the total number of major page faults since the startup of the SafeSquid processes.
Details: SafeSquid is a caching proxy. It may have to look inside the cache to serve contents and also, some of the time, to serve templates. Similarly, SafeSquid generates logs. SafeSquid could also be invoking other applications. So SafeSquid performs a lot of memory swapping and disk I/O. The Statistics page displays the various aspects of this activity as minor and major page faults, besides any errors if they occur. An interrupt occurs when a program requests data that is not currently in real memory. The interrupt triggers the operating system to fetch the data from virtual memory and load it into RAM. An invalid page fault or page fault error occurs when the operating system cannot find the data in virtual memory. This usually happens when the virtual memory area, or the table that maps virtual addresses to real addresses, becomes corrupt. Minor Page faults are the number of hard page faults (i.e. those that required I/O). Major Page Faults are the number of times a process was swapped out of physical memory.
Requests
The Requests subsection gives information on the total number of HTTP, FTP and CONNECT requests fulfilled since the last startup of the SafeSquid processes. This quickly tells you about the different protocols being serviced through your proxy server.
Network
For administrators it is very important to know the amount of data throughput. The Network subsection gives information on Total Successful connections, Failed connections, DNS failures and Total Bytes transferred in/out of the network, since the latest startup of the SafeSquid processes. This helps you to set various parameters in SafeSquid and the System's Network settings to improve performance. For example, if you see too many DNS failures, you may need better connectivity to your DNS servers. Similarly, if you see too many failed connections and your logs say that they were genuine requests, then it means that either your network is saturated or you need a better ISP.
DNS Cache
When a request is made, its web server address is resolved from DNS Servers. SafeSquid has a DNS cache to store these resolved addresses for future use. This can dramatically reduce latency. This section gives the Hit Ratio and Miss Ratio. A HIT means that the document was found in the DNS cache; a MISS, that it was not found in the DNS cache.
Cache, Cache Refresh & Connection Pool
Cache: This section gives the Hit Ratio and Miss Ratio of the Cache. A HIT means that the requested content was found in the cache; a MISS, that it was not found in the cache.
Cache Refresh: You can configure SafeSquid to revalidate the cached content after a defined interval. If need be, SafeSquid refreshes the content and serves the relevant content to the clients, depending on the various parameters you set in the 'Cache' section. Quite a few times, SafeSquid could discover that the cached content was obsolete. This is recorded as a miss in the Cache Refresh subsection.
Connection Pool: Connection Pool shows the number of times a connection was available for a request and the number of times it had to create a new connection for a particular request. The number of times it found the connection in the connection pool is a hit, and the number of times the proxy had to establish a new connection is considered a miss.
Hosts
This section shows the sites that are most frequently accessed by users, and the number of requests for a particular host along with its usage percentage.
Mimes
The Mimes subsection displays the Mime types being accessed, and the usage percentage of the same.
Users
The Users subsection displays users and their respective usage percentage of the Proxy Services. If authentication is enabled, the Users section displays usernames and the number of requests they have made; otherwise it displays anonymous.
IP Addresses
IP Addresses of the machines that have made requests, along with their respective usage percentage.
7.3 DNS Cache
DNS resolution is a very important part of Internet surfing. Whenever a request is made, the proxy has to resolve the address of the web server. This incurs latency. Hence, to reduce this latency, SafeSquid maintains a DNS cache, wherein it stores all resolved DNS addresses. When another request is made for the same web site, SafeSquid can easily get the address from the DNS cache. These entries remain in the DNS Cache for 360 seconds and are then refreshed, i.e. after 360 seconds the Proxy has to resolve the DNS again.
Hostname: The host name of the requested page.
IP Address: The IP Address of that host.
Age: The Age of the respective entry in the DNS cache, i.e. how long the entry has been residing in the DNS Cache.
7.4 Show Headers
This section has two subsections, viz. Unfiltered and Filtered. It describes the details of the client (browser) headers. The Unfiltered subsection displays the Type and Value of the unfiltered Headers; similarly, the Filtered section displays the Type and Value of the Filtered headers.
Host: Shows the Host Name.
User-Agent: The Browser that is being used.
Accept: Shows the accepted value of the headers that are unfiltered / filtered.
Accept-Language: Specifies the language that is acceptable, i.e. content on pages should be displayed in the specified Accept-Language. For example, en-us specifies that all the pages should be served in US English.
Accept-Encoding: The value of header types for which encoding should be accepted / allowed. For example: safesquid.cfg
Proxy-Connection: The type of connection for the Proxy Server. For example, the Keep alive value keeps the connection alive till it is explicitly switched off.
Referer: This is the address or URI (Uniform Resource Identifier) of the document (or element within the document) from which the URI in the request was obtained. Referer allows a server to generate lists of back-links to documents, for interest, logging, etc. It allows bad links to be traced for maintenance.
7.5 View Cache Entries
Figure 1
The Regular Expression Match section has a text box, where you can enter a regular expression or any word, using which, the corresponding matches are found from Memory Cache, as well as Disk Cache, and displayed. Figure 2 displays the result of the search for 'yimg'. The result displays the URL, size in bytes and whether the content exists in the Memory and / or Disk Cache.
Figure 2
You can also filter content on the basis of content modification date, accessed date and file size. On the basis of these filter criteria, all the URLs that meet the specified criteria are displayed below the Regular Expression Match section. The "Delete-matches" option allows you to delete the resulting matches. Note: If you want to delete all the cache entries, leave the text box blank, select the "Delete matches" option, and click on the Submit button. The details of the content can be seen by clicking on the URL of a content entry, as shown in Figure 3.
Figure 3
Details: MD5 Sums are 32 byte character strings that are the result of running the MD5 sum program against a particular file. Since any difference between two files results in two different strings, MD5s can be used to determine that the file or iso you downloaded is a bit-for-bit copy of the remote file or iso. If you are running one of the GNU/Linux distributions, you should already have the MD5 program installed. An Epoch is an instant of time selected as a point of reference. In Linux, this time is taken as 1st January 1970. Epoch Time is the time represented as the total number of seconds from the instant of time selected as the point of reference, i.e. the Epoch; hence the term Epoch time.
7.6 Connection Pool
This link displays information of the current connection(s) that are being held open, in the connection pool and / or awaiting reuse. The details that are displayed are - Protocol, Host, Port, Username (if authentication is enabled) and the Age in seconds since the connection was opened.
7.7 Prefetch Queue
The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML (not just images) to be pre-fetched and cached. Prefetching is a good way to improve retrieval time, since it reduces the number of resource retrievals made on demand. This link allows you to add the webpage URLs that you would like to prefetch and cache.
These entries are reflected in active connections under the IP as 0.0.0.0 and the method as PREFETCH.
7.8 URL Blacklist
The URL Blacklist consists of a list of thousands of domains and URLs, divided into various categories and stored in flat files. This section allows you to search these categories to find out whether a specific Domain, URL or File is present in the URL Blacklist, and if it is, in what category. You can search for a domain or a file by entering your query (regular expressions are supported) in the corresponding text box and clicking on the 'Submit' button. The result lists the category in which a match was found, the Domains that matched the query and the paths to the matched Domains. Note: See URL Blacklist under the Config Section for installing and configuring the URL Blacklist.
7.9 View Log Entries
Image 11.0
7.10 Save Settings
When SafeSquid starts, it loads the configuration file (config.xml) into the system's memory. When you make any changes to the rules / policies from the SafeSquid interface, these changes are made to the configuration file stored in memory, and would get lost if the SafeSquid service, or the server, is stopped or restarted. Use the 'Save settings' link to make the changes permanent. It copies / saves the configuration file in memory to the location specified in the 'Filename' field. The default path to the configuration file is /opt/safesquid/safesquid/config.xml. On successfully copying the file to the specified location, you should get a File saved message.
Image 12.0
This option can also be used to take a backup of the existing config file before you make any changes to the original file. For example, before attempting any changes to the existing configuration, you could click on 'Save settings' and back up the original file by specifying the 'Filename' as /opt/safesquid/safesquid/config_org.xml.
7.11 Load Settings
The 'Load settings' option is used either to load and completely overwrite the existing configuration file with another, or to import rule snippets into the current configuration file.
Overwrite configuration
For example, suppose you make changes to the existing configuration from the interface, do not save the recent changes with the 'Save settings' option, and want to revert to the original configuration. To do this, just click on the 'Load settings' option. The default path is displayed in the 'Filename' field. Click on 'Submit' while leaving the 'Overwrite' option set to 'Yes'. This option can also be used if you have more than one configuration file and would like to change over to another file, in real-time, from the one that you are currently using.
Note: When SafeSquid is started, it by default uses the configuration file specified in the CONFIG_FILE parameter in startup.conf. The default value of this parameter is /opt/safesquid/safesquid/config.xml. If you have multiple configuration files, the configuration file that you want to be loaded on startup should always be the one specified in the CONFIG_FILE parameter in the startup.conf file. The value of CONFIG_FILE can be changed by running /etc/init.d/safesquid adjust.
Import rule snippet
Rule snippets are short, specific rules that are created to perform specific tasks. For example, safesearch.xml, which is available from the SafeSquid Download page, can be imported into your existing configuration file (config.xml) to enforce Google Safe Search. Similarly, porn_keypwords.xml and anonproxy.xml are rule snippets for Keyword Filtering rules to block porn and anonymous proxy websites.
To import rule snippets, download the rule snippet file to the SafeSquid server, click on 'Load settings', specify the path of the snippet file in the 'Filename' field, change 'Overwrite' to 'No', and click on 'Submit'. If the file is successfully loaded, you should get the message 'File loaded'. Changing 'Overwrite' to 'No' adds the file being loaded into your current configuration file.
Instead of downloading and copying the snippet file to the server, you can also specify the URL of the file in the 'Filename' field. For example, the URL of the safesearch.xml file is http://downloads.safesquid.net/free/general/sample_rules/safesearch.xml. But since access to this file requires you to authenticate with your SafeSquid Forum ID, you can type this URL in the 'Filename' field: http://username:password@downloads.safesquid.net/free/general/sample_rules/safesearch.xml. Replace the username:password in the URL with your forum username and password.
Note: The rule snippet gets imported into the configuration file loaded in the Server's memory, and gets activated in real-time. To make the changes permanent, you need to click on 'Save settings' and save the config.xml file. The changes will be lost when the SafeSquid service is restarted if you don't save the file.
Image 13.0
7.12 Config Section
Config opens a drop down dialog which contains all configurable features of SafeSquid. Select any feature you want to view, configure or modify and click the Submit button. When you select a feature, the page displayed exhibits the entire list of rules and current settings of that feature, which can be modified as per your requirements. Intuitive tool tips are provided for every option available on the page, to guide you through each and every option.
All the features exhibit various Options and their corresponding Values. 'Search Entries' allows you to search through all the sections for a specific option or value.
General section options and the values shown in the interface screenshot:
Proxy hostname: localhost
Temporary directory: /tmp
Web interface line length: 150
Connection pool size: 20
Connection pool timeout: 60
General section
Proxy hostname: The hostname of this proxy, if not defined in startup.conf. The Proxy Hostname defined during SafeSquid installation, and stored in startup.conf, takes precedence over this value. This needs to be configured properly for CARP (Cache Array Routing Protocol) and Web interface requests through HTTP to work. Give here the hostname of the proxy by which you will be accessing the Web interface. If you want to access the proxy by IP address, you can put the IP address of the SafeSquid proxy server. Give a hostname that is defined in DNS, so that you can access it from any machine in your intranet or on the internet.
Temporary directory: The directory in which temporary files are stored. The default path is /tmp. If you want to change this, create a directory with 777 permissions, and specify the path here.
Web interface line length: The maximum length of a string with no spaces before an explicit break is placed in it. This is required since lines without spaces won't wrap in a table, which may cause Web interface table formatting problems. Normally, this parameter does not require any changes.
Connection pool size: The number of keep-alive connections, made to HTTP and FTP servers, to be kept in the connection pool. These connections are shared between threads.
Connection pool timeout: The time in seconds a connection may remain in the connection pool before being closed. This value should be increased if the Internet connection is slow.
Add subsection
You can granularly define a specific set of values for various content types by creating a different Profile for each content type in the 'Profiles' section. These profiles can then be used in this section to allot them different values.
Enabled: This option allows you to enable or disable a specific rule. Value: Yes - Enable this rule; No - Disable this rule.
Comment: A comment for future reference explaining what this rule does.
Profiles: A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Connection timeout: The timeout in seconds to wait for a connection to be established before giving up. SafeSquid will wait for the specified duration for the target server to respond. If it exceeds the specified value, SafeSquid closes the connection and sends a template to the requesting user saying that the Connection failed. This value can be increased if the Internet connection is slow.
Header timeout: The timeout in seconds to wait for a client to make the initial HTTP request by sending request headers. SafeSquid tries to get the initial headers during this time. If it fails, SafeSquid sends the 'Connection failed' template to the user. You can increase the time if the network connection is slow.
Keepalive timeout: After an HTTP session is established, data must be exchanged periodically to ensure that the session is still alive. The keepalive timeout defines the time in seconds that the SafeSquid server should wait before closing the session. This is the timeout value for persistent connections. SafeSquid closes keepalive connections if they are idle for this amount of time. The default is 120 seconds and does not need to be changed. SafeSquid, being multi-threaded, allows the use of the same connection for multiple requests. The advantage is that fewer connections need to be opened, for individual users, to the same server.
Maximum download buffer size: The maximum size in bytes of content that is buffered for processing by the Rewrite document, Keyword Filter and external programs like Anti Virus. You can define the value depending on the type of content. If you want to handle large data files, you can increase the value.
Maximum upload buffer size: The maximum size of upload content that is stored in memory for processing. Content larger than the specified value will be sent directly without processing. Having an upload buffer that is too large will cause the browser to time out, since all the data is received by SafeSquid immediately but may take more time to process and transfer to the website.
Buffer wait time: The maximum time a file can be buffered before a message is sent to the client indicating that it is being downloaded and that they should retry.
CONNECT ports: The ports on which outgoing CONNECT requests are allowed to be made. You can disable connections through the proxy to certain ports by not specifying their port numbers here. Each port or port range should be separated by a comma.
Always compress mimetype: A regular expression matching the MIME-Types which should always be buffered and compressed, even if they wouldn't be buffered otherwise. Specify here the regular expression for the MIME Types. This will speed up the proxy process. The regular expression for the MIME Type of a Binary File (i.e. application/octet-stream) is ^application/octet-stream.
Compress outgoing: Toggle gzip or deflate encoding of outgoing processed content if the client supports it. If the proxy server is running locally, it is recommended to disable this feature.
Compress incoming: This option will make SafeSquid attach an Accept-Encoding header that lets the Web server know that it can accept gzip and deflate content encoding, regardless of whether or not the browser making the request supports it; if the browser doesn't support it, the content will be buffered and decompressed before sending.
Add X-Forwarded-For header: This option will add a header letting an upstream proxy or Web server know the IP address where the original request came from.
Add Via header: This option will add a header letting an upstream proxy or Web server know which proxy server the request passed through.
urlblacklist section
This section allows you to use a URL blacklist to restrict access to Websites based on content category.
Section options as shown in the interface screenshot: Enabled: Yes; Policy: Allow; Blacklist path: /opt/safesquid/urlbl/
Example rules in the Deny subsection:
Rule 1 - Enabled: true; Comment: Globally block access to the URL Blacklist categories 'adult' and 'porn'; Categories: adult,porn
Rule 2 - Enabled: true; Comment: Block access to the URL Blacklist categories 'jobsearch' for everyone except HRD Profile; Profiles: !HRD; Categories: jobsearch
Enabled: This option allows you to enable, or completely disable, the URL Blacklist Section irrespective of the rules defined in the section. Value: Yes - Enable URL Blacklist Section; No - Disable URL Blacklist Section.
Policy: Defines the Global Policy for the URL Blacklist Section. Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection; Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection.
Blacklist path: The path to the urlblacklist database. The default path is /opt/safesquid/urlbl. Untar (unzip) the downloaded urlblacklist database here. Please note that the complete database is loaded into system memory when the SafeSquid service starts. If you plan to use only specific categories, then copy only those category directories to this location. This will help save memory resources, which would otherwise be unnecessarily used up by unwanted categories.
Default template: The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.
Allow / Deny subsection
You can define rules either under the Allow or the Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to the adult, porn and jobsearch categories.
Enabled: This option allows you to enable or disable a rule. Value: Yes - Enable this rule; No - Disable this rule.
Comment: A comment for future reference explaining what this rule does.
Profiles: A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.
Categories: A comma separated list of URL Blacklist Categories, existing in the Blacklist Path, that you want to allow / deny.
Template: The template to display when this specific rule matches. If left blank, the Default Template is used.
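As an added example that is not SafeSquid's own code, the following Python models the Policy / Allow / Deny evaluation described above, using the two Deny rules from the screenshot (Policy Allow). The '!HRD' profile semantics ("everyone except HRD"), first-match rule precedence, the template name and the host-to-category lookup are assumptions; the manual does not spell them out.

```python
from dataclasses import dataclass, field


def csv_set(text):
    """Split a comma separated interface field such as "adult,porn" into a set."""
    return {item.strip() for item in text.split(",") if item.strip()}


@dataclass
class BlacklistRule:
    enabled: bool
    comment: str
    categories: set                              # categories to allow / deny
    profiles: set = field(default_factory=set)   # blank => applies to everyone
    template: str = ""                           # blank => section's Default template

    def matches(self, request_profiles, url_categories):
        # Assumed semantics: a leading '!' excludes requests carrying that
        # profile (the manual's "everyone except HRD Profile"); plain names
        # require at least one of them to be present on the request.
        if not self.enabled or not (self.categories & set(url_categories)):
            return False
        excluded = {p[1:] for p in self.profiles if p.startswith("!")}
        required = {p for p in self.profiles if not p.startswith("!")}
        if excluded & set(request_profiles):
            return False
        return not required or bool(required & set(request_profiles))


@dataclass
class UrlBlacklistSection:
    enabled: bool
    policy: str                                  # "Allow" or "Deny"
    default_template: str = ""
    allow_rules: list = field(default_factory=list)
    deny_rules: list = field(default_factory=list)

    def evaluate(self, request_profiles, url_categories):
        """Return ('allow' | 'deny', template) for one request.

        Policy Allow consults only the Deny subsection and Policy Deny only
        the Allow subsection, as the manual describes. The first matching
        rule wins (assumption: the manual does not state rule precedence).
        """
        if not self.enabled:
            return "allow", ""                   # section disabled: not consulted
        if self.policy == "Allow":
            for rule in self.deny_rules:
                if rule.matches(request_profiles, url_categories):
                    return "deny", rule.template or self.default_template
            return "allow", ""
        if self.policy == "Deny":
            for rule in self.allow_rules:
                if rule.matches(request_profiles, url_categories):
                    return "allow", ""
            return "deny", self.default_template
        raise ValueError(f"unknown Policy: {self.policy!r}")


# The two Deny rules from the manual's screenshot, with Policy Allow.
MANUAL_EXAMPLE = UrlBlacklistSection(
    enabled=True,
    policy="Allow",
    default_template="blocked.html",             # constructed template name
    deny_rules=[
        BlacklistRule(True, "Globally block access to the URL Blacklist "
                      "categories 'adult' and 'porn'", csv_set("adult,porn")),
        BlacklistRule(True, "Block access to the URL Blacklist categories "
                      "'jobsearch' for everyone except HRD Profile",
                      csv_set("jobsearch"), csv_set("!HRD")),
    ],
)

# Constructed stand-in for looking a host up in the category files under the
# Blacklist path; the hostnames are placeholders, not real sites.
CATEGORY_LOOKUP = {
    "jobs.example": {"jobsearch"},
    "adult.example": {"adult"},
    "news.example": set(),
}


def decide(section, host, request_profiles=()):
    """Look the host up in the constructed category table and apply the section."""
    return section.evaluate(set(request_profiles), CATEGORY_LOOKUP.get(host, set()))


if __name__ == "__main__":
    print(decide(MANUAL_EXAMPLE, "jobs.example"))            # everyone else: deny
    print(decide(MANUAL_EXAMPLE, "jobs.example", ["HRD"]))   # HRD profile: allow
```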
Access Restrictions
access section
The access feature is used to control who can access the proxy server, and to what extent.
Example rule in the Allow subsection, as shown in the interface screenshot: Enabled: true; Comment: This default rule allows access to every users of the network with IP address and username field left blank.; Access: config,proxy,http,transparent,connect,bypass,urlcommand
'Add' Sub-Section
The 'Add' sub-section has the following fields: Enabled (Yes/No), Comment, Profiles, IP Address, PAM authentication, User name, Password, Access (Web interface, Proxy requests, HTTP requests, Transparent proxying, CONNECT requests, Allow bypassing, URL commands), Bypass (URL filtering, Header filtering, Mime filtering, URL redirecting, Cookie filtering, Document rewriting, External parsers, Forwarding, Keyword filtering, DNS blacklist, Limits, Antivirus, ICAP, URL blacklist), Interface username, Interface password, Added profiles.
Access Section
Policy: Default action to take when no matching entry is found. Defines the Global Policy for the Access Section. Value: Allow - Allow everyone, and deny ONLY the rules under the 'Deny' subsection; Deny - Deny everyone, and allow ONLY the rules under the 'Allow' subsection.
'Add' subsection
When Policy is 'Deny', you can add rules under Allow that would explicitly result in allowing all or a specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Access Control Whitelist(s). When Policy is 'Allow', you can add rules under Deny that would explicitly result in blocking or denial of access to all or a specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Access Control Blacklist(s).
Enabled: This option allows you to enable or disable a specific rule. Value: Yes - Enable this rule; No - Disable this rule.
Comment: A comment for future reference explaining what this rule does.
Profiles: Profiles cannot be used under the Access Restrictions section. This is a dummy field.
IP Address: A regular expression matching the IP addresses this entry applies to. Leaving this field blank will cause the entry to match all IP addresses. You can enter a single IP (e.g. 192.168.0.25), a comma separated list of IPs (e.g. 192.168.0.25,192.168.0.29) and / or IP ranges (e.g. 192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46). When used in conjunction with username & password, it binds the user to the specified IP(s), i.e. the user is allowed access only from the specified IP(s).
PAM authentication: PAM is an acronym for Pluggable Authentication Modules. PAM is an authentication system that controls access to a Linux system. It allows you to authenticate users from external authenticating mechanisms like Samba, Active Directory, Radius, POP3, MySQL database, etc. If this option is selected, clients will be required to authenticate with the proxy, and PAM will be used to authenticate the username and password. This option will work only if the proxy is configured and compiled with PAM support. For details about configuring it, check Working with PAM.
User name: With PAM selected: If PAM is selected, this field is used to specify a username on the authenticating mechanism. If left blank, it allows any username that exists on the authenticating mechanism. Since this field is a regular expression, you can also specify multiple usernames, separated with a pipe, that exist on the authenticating mechanism. This is useful if you would like to allow only specific users to access SafeSquid, or would like to create a group profile. For example, if you would like to allow only the usernames john, ali & sean, you should enter (john|ali|sean) in this field. Another thing to note is that if you specify any IP(s) in the 'IP Address' field, the user(s) will be allowed access only from the specified IP(s). If the IP Address field is blank, the user(s) will be allowed access from any IP. Without PAM selected: Without PAM, this field can be used to create usernames. To create a username, simply enter the username in this field, and the password in the 'Password' field. Entering a username and password will cause an authentication challenge when a user tries to access SafeSquid. The user will then be allowed access only if the entered username and password are supplied. Another thing to note is that if you specify any IP(s) in the 'IP Address' field, this user will be allowed access only from the specified IP(s). If the IP Address field is blank, the user will be allowed access from any IP. Leaving this field blank will allow access with authentication.
Password: With PAM selected: If PAM is selected, this field should be left blank, since the password for the specified user(s) is verified by the authentication mechanism. Without PAM selected: Without PAM selected, this is where you specify the password for the user specified in the 'Username' field.
Access: The Access field allows you to select the types of request a user is allowed to make:
Web interface: Allowed access to the SafeSquid Management Interface (http://safesquid.cfg).
Proxy requests: Allowed to make regular proxy requests.
HTTP requests: Allowed to make regular HTTP requests to the proxy (for Web interface and other redirect requests set in the SafeSquid proxy).
Transparent proxying: Allowed to make transparent proxy requests (must be allowed to make HTTP requests as well).
CONNECT requests: Allowed to make CONNECT requests.
Allow bypassing: Allowed to use the special xx--bypass URL command to bypass filters.
URL commands: Allowed to use the special xx-- URL commands. Check Use URL Commands for details.
Bypass
This section allows you to exempt VIP users from the effects of the listed filter sections. This can also be useful in diagnosing a denial event. The filter sections that can be bypassed are: URL Filter, Header Filter, Mime Filter, URL Redirecting, Cookie Filter, Document Rewrite, External Parsers, Forwarding, Keyword Filter, DNS Blacklist, Limits, Antivirus, ICAP, URL blacklist.

Interface username
This field, along with Interface password, can be used to secure access to the SafeSquid Interface (http://safesquid.cfg). Users will have to give the specified Interface username and password to get access to the interface. It can also be used to give a different username and password to each administrator when more than one administrator manages the proxy.

Interface password
Password for the 'Interface username' field.

Added profiles
This is where you 'create' a profile for users, to identify or classify them and give further access rights. For example, if you wanted to identify IP addresses 192.168.0.5-192.168.0.15 as the 'accounts' department, you specify the IP range in the 'IP address' field and enter 'Accounts' in 'Added profiles'. With PAM enabled, you can create a group of users by specifying a pipe separated list of usernames existing on the authenticating mechanism, e.g. (john|ali|sean), and specifying the group name, e.g. Accounts, in the Added Profiles field. Without PAM, you will have to create a separate rule for each user, with username and password, and specify the group each belongs to in the Added Profiles field. The value of the Added Profiles field is then used in the 'Profiles' fields of the other filter sections to collectively allow or deny access to various content to those users. Check Profiled Internet Access for details.
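The following is an added illustration of the two Access checks described above, the IP Address field (single IPs, comma separated lists, a-b ranges, blank means any) and the User name regular expression that binds a user to those IPs. It is example code, not SafeSquid's implementation: the rule data is constructed, and whether the proxy anchors the User name regex is not stated on this page, so the example exposes both behaviours. With an unanchored search, (john|ali|sean) also admits a user called 'johnny'; the fix is to anchor the pattern, e.g. ^(john|ali|sean)$.

```python
import ipaddress
import re

# Constructed Access rules for this example. The field names (User name, IP
# Address) follow the manual; the matching logic below is this example's own,
# not SafeSquid's code.
ACCESS_RULES = [
    # a group of three PAM users, bound to two single IPs and one range
    {"username": "(john|ali|sean)",
     "ip": "192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46"},
    # a local user whose IP Address field is left blank: any source IP
    {"username": "guest", "ip": ""},
]


def parse_ip_field(field):
    """Parse 'a,b,c-d' into a list of (low, high) integer address pairs."""
    ranges = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition("-")
        high = high or low          # a single IP is a range of one address
        ranges.append((int(ipaddress.ip_address(low)),
                       int(ipaddress.ip_address(high))))
    return ranges


def ip_matches(field, client_ip):
    """A blank IP Address field matches every address, as the manual states."""
    if not field.strip():
        return True
    addr = int(ipaddress.ip_address(client_ip))
    return any(low <= addr <= high for low, high in parse_ip_field(field))


def user_matches(pattern, username, anchored):
    """Full match of the User name regex versus an unanchored search.

    The manual's example pattern (john|ali|sean) contains no anchors; with a
    plain search it also matches 'johnny', which is not an intended user."""
    if anchored:
        return re.fullmatch(pattern, username) is not None
    return re.search(pattern, username) is not None


def access_allowed(username, client_ip, rules=ACCESS_RULES, anchored=True):
    """True if some rule matches both the user name and the source IP."""
    return any(user_matches(rule["username"], username, anchored)
               and ip_matches(rule["ip"], client_ip)
               for rule in rules)


if __name__ == "__main__":
    print(access_allowed("john", "192.168.0.40"))                   # in range
    print(access_allowed("john", "192.168.0.50"))                   # IP binding refuses
    print(access_allowed("johnny", "192.168.0.40", anchored=False))  # sloppy regex admits
    print(access_allowed("johnny", "192.168.0.40"))                 # anchored regex refuses
```

The IP binding is the part worth testing after every rule change: a user that authenticates correctly from an address outside the listed ranges must still be refused.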
7.12.4 Profiles
SafeSquid's Profiles feature lets you accommodate the demands of extremely granular rules for Internet access privileges and restrictions. The 'Profiles' section allows you to define situations very precisely. Each situation thus defined is referred to as a Profile. Each Profile is defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the filtering sections in SafeSquid, so you can ensure that a filtering action happens exactly as required. Check Profiled Internet Access, which explains the use of Profiles for granular Internet access. The parameters available for defining a profile are explained below.
'Add' Subsection
The following parameters can be used to define a profile:

Enabled
This option allows you to enable or disable a specific profile.
Value:
Yes - Enable this profile
No - Disable this profile

Comment
A comment for future reference explaining what this rule does.

Profiles
A comma separated list of previously created profile(s) (either in the Access Restriction or in the Profiles section) to which this rule should apply. Applies globally if left blank.

Protocol
A regular expression matching the protocol this entry applies to, e.g. ^ftp$, ^http$, etc. Applies to all protocols if left blank.

Host
A regular expression matching the hosts this entry applies to, e.g. (example.com|mysite.com|yoursite.com). Applies to all hosts if left blank.

File
A regular expression matching the file (the part of a URL that follows the hostname) this entry applies to, e.g. (cgi-bin|\?) will apply to queries in a URL. Applies to everything if left blank.

Mime type
A regular expression matching the MIME-type this entry applies to, e.g. "^image/" will match all image files. Applies to all MIME-types if left blank. MIME-type matching is done after receiving the server header, so it may only be used for certain features; header filtering, cache refresh policy, and cache store selection are done before the server header is received.

Port range list
A comma separated list of ports or port ranges this entry applies to, e.g. a value of "80,21-25" means port 80 and the port range from 21 to 25. Applies to all ports if left blank.

URL Command
A comma separated list of URL commands which will activate this entry. Applies to all commands if left blank. Check Use URL Commands for details.

Proxy host
A regular expression matching the proxy hosts this entry applies to. This is useful when sharing a configuration file between several SafeSquid proxy servers or instances in a Multi-Proxy or Multi-Instance scenario. Applies to all hosts if left blank.

Request header pattern
A regular expression matching the request headers this entry applies to, e.g. Mozilla/4.0.* MSIE.* matches a request from Internet Explorer. Applies to all requests if left blank.

Response header pattern
A regular expression matching the response headers this entry applies to. Applies to all responses if left blank.

Month range
The range of months within which this entry is active, e.g. January to March will keep this profile active from January through March. Applies to all months if left blank.

Day range
The range of days within which this entry is active, e.g. 5 to 15 will keep this profile active from the 5th through the 15th. Applies to all days if left blank.

Weekday range
The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this profile active from Monday through Thursday. Applies to all weekdays if left blank.

Hour range
The range of hours within which this entry is active, e.g. 9 to 12 will keep this profile active from 9 hrs through 12 hrs. Applies to all hours if left blank.

Minute range
The range of minutes within which this entry is active. This can be used in conjunction with Hour range, e.g. if the hour range is 9 to 12 and the minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank.

Time match mode
The time match mode option specifies how a time is matched when you specify multiple ranges.
Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, selecting 'Absolute' will match any time starting Monday 9AM and ending Friday 5PM, as one continuous window.
All ranges - With the same ranges, selecting 'All ranges' will match any time between 9AM and 5PM on each weekday from Monday to Friday.

Added profiles
This is where you specify (or create) the profile that should be applied if the specified situation matches. See the examples below.

Removed profiles
This field can be used to remove a profile from a situation, or to exclude a situation from being given a profile. See the example below.
Example #1
Suppose you wanted to allow access to only a few sites for the 'Accounts' profile (created in the Access Restriction section - see Access Control), while allowing any and all sites for the 'VIP' profile. To match these situations, you need to add 2 entries in the Profiles section, like this:

Profile 1
Option           Value
Enabled          true
Comment          This profile specifies the sites allowed to the 'Accounts' group
Profiles         Accounts
Host             (firstsite.com|secondsite.net|thirdsite.org)
Time match mode  absolutetime
Added profiles   allowed_sites

Profile 2
Option           Value
Enabled          true
Comment          This profile specifies the sites allowed to the 'VIP' group
Profiles         VIP
Time match mode  absolutetime
Added profiles   allowed_sites

Please note that the fields not mentioned above are left blank. So the first rule says: if the request already carries the profile 'Accounts', and the request is for firstsite.com, secondsite.net or thirdsite.org, then give it the additional profile 'allowed_sites'. Similarly, the second rule says: if the request already carries the profile 'VIP', and the request is for any site (the Host field is blank), then give it the additional profile 'allowed_sites'.
Next, go to the 'URL filter' section and select Policy 'Allow'. Since the policy is Allow, you then add a rule under the Deny subsection whose Profiles field names the negated profile, i.e. NOT (!) 'allowed_sites'.

This rule says: deny everything EXCEPT the requests that carry the 'allowed_sites' profile. Now, all requests from 'VIP' will carry the profile 'allowed_sites', while requests from 'Accounts' will carry 'allowed_sites' ONLY for firstsite.com, secondsite.net or thirdsite.org. Effectively, 'VIP' can access any site, while 'Accounts' can access only the specified sites.

Example #2
Now suppose you wanted to allow 'Accounts' to access xyz.com, but only during lunch hours, from 13 hrs to 14 hrs. To define this situation, add another entry under the Profiles section, like this:

Option           Value
Enabled          true
Comment          Time restricted access
Profiles         Accounts
Host             xyz.com
Hour range       13 to 14
Time match mode  absolutetime
Added profiles   allowed_sites

This rule says: if the request already carries the profile 'Accounts', AND the request is for xyz.com, AND the time of day is between 13 hrs and 14 hrs, then give the request the 'allowed_sites' profile. You can similarly define situations, or create profiles, using one or more of the parameters Protocol, File, Mime type, Port range list, URL Command, Proxy host, Request header pattern and Response header pattern.
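The two examples above describe a two-stage evaluation: the Profiles section adds 'allowed_sites' to matching requests, and a URL filter with Policy Allow denies anything that does not carry it. The following added example implements that evaluation for the constructed rules of Example #1 and Example #2 so the outcomes can be checked, and it shows the allowlist pitfall a practitioner should test for: the Host field is a regular expression, and (firstsite.com|secondsite.net|thirdsite.org) without anchors also matches firstsite.com.attacker.example (and the unescaped dot matches firstsiteXcom). This is example code, not SafeSquid's implementation; whether the proxy anchors Host patterns is not stated on this page, and the hour range is assumed inclusive of both ends.

```python
import re

# Constructed Profiles entries mirroring Example #1 and Example #2 above.
# Field names follow the manual; the evaluation logic is this example's own,
# not SafeSquid's code. Hour range is treated as inclusive of both ends.
PROFILE_RULES = [
    {"profiles": "Accounts",
     "host": r"(firstsite.com|secondsite.net|thirdsite.org)",
     "hours": None, "added": "allowed_sites"},
    {"profiles": "VIP", "host": "", "hours": None, "added": "allowed_sites"},
    {"profiles": "Accounts", "host": r"xyz.com",
     "hours": (13, 14), "added": "allowed_sites"},
]

# URL filter with Policy Allow and a single Deny entry whose Profiles field
# is the negated profile, '!allowed_sites'.
URL_FILTER = {"policy": "Allow",
              "allow": [],
              "deny": [{"profiles": "!allowed_sites"}]}


def host_matches(pattern, host, anchored):
    """A blank Host applies to all hosts. An unanchored search is the pitfall:
    the allowlist regex then also matches a lookalike such as
    'firstsite.com.attacker.example'."""
    if not pattern:
        return True
    matcher = re.fullmatch if anchored else re.search
    return matcher(pattern, host) is not None


def apply_profiles(initial, host, hour, rules=PROFILE_RULES, anchored=False):
    """Walk the Profiles entries and collect the profiles added to the request."""
    profiles = set(initial)
    for rule in rules:
        if rule["profiles"] and rule["profiles"] not in profiles:
            continue
        if not host_matches(rule["host"], host, anchored):
            continue
        if rule["hours"] and not rule["hours"][0] <= hour <= rule["hours"][1]:
            continue
        profiles.add(rule["added"])
    return profiles


def entry_matches(field, profiles):
    """A filter entry's Profiles field: 'x' needs x present, '!x' needs it absent."""
    if field.startswith("!"):
        return field[1:] not in profiles
    return field in profiles


def url_filter_allows(profiles, filt=URL_FILTER):
    """Policy Allow: denied only if a Deny entry matches.
    Policy Deny: allowed only if an Allow entry matches."""
    if filt["policy"] == "Allow":
        return not any(entry_matches(e["profiles"], profiles) for e in filt["deny"])
    return any(entry_matches(e["profiles"], profiles) for e in filt["allow"])


def decide(initial_profiles, host, hour, anchored=False):
    """End-to-end decision for one request: Profiles section, then URL filter."""
    return url_filter_allows(
        apply_profiles(initial_profiles, host, hour, anchored=anchored))


if __name__ == "__main__":
    print(decide({"VIP"}, "anything.example", 10))          # True
    print(decide({"Accounts"}, "firstsite.com", 10))        # True
    print(decide({"Accounts"}, "other.example", 10))        # False
    print(decide({"Accounts"}, "xyz.com", 13))              # True, lunch hour
    print(decide({"Accounts"}, "xyz.com", 11))              # False
    # the allowlist pitfall: an unanchored Host regex lets a lookalike through
    print(decide({"Accounts"}, "firstsite.com.attacker.example", 10))
    print(decide({"Accounts"}, "firstsite.com.attacker.example", 10, anchored=True))
```

When a Profiles entry is used as an allowlist, write the Host pattern with anchors and escaped dots, e.g. ^(firstsite\.com|secondsite\.net|thirdsite\.org)$, and verify with a lookalike host that it is denied.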
7.12.5 cProfiles
cProfiles allows you to add or remove Profiles depending upon the potential nature of the content served by a web-site. cProfiles queries SafeSquid's Content Categorization Service (CCS) * to determine whether a web-site belongs to one or more categories. The determination is actually a probability score: a score of 1 means the site definitely does not belong to the queried category, and a score of 100 means the site most definitely belongs to it. Based on this determination you can add or remove Profiles, and thus take the necessary actions via the various filters like URL Filter, Mime Filter, etc. cProfiles stores the results in a high-speed memory based (volatile) cache, to ensure quick responses for frequently accessed web-sites.

* CCS maintains a categorized database of web-sites. The categorization has been done on the basis of the availability of content of a certain category at the web-site. cProfiles uses the standard DNS protocol to communicate with CCS, so the query results will also be stored (non-volatile) in all the en-route caching nameservers. Query results should therefore be quickly accessible to you even across restarts.
cProfiles section
Sample entry under 'Entries for processing cProfiles':

Option           Value
Enabled          true
Comment          Identify websites belonging to porn category
Categories list  porn
Score Range      2-100
Added profiles   category-porn

The 'Add' form under 'Entries for processing cProfiles' offers the fields Enabled, Comment, Profiles, Category List (a checklist of the available categories), Score Range (default 2-100), Added profiles and Removed profiles.
cProfiles section

Enabled
This option allows you to enable, or completely disable, the cProfiles section irrespective of the rules defined in the section.
Value:
Yes - Enable cProfiles section
No - Disable cProfiles section

Cache Size
Specify the number of query responses that should be cached by cProfiles. cProfiles will create a high-speed memory based (volatile) cache of that size, to ensure quick responses for frequently accessed web-sites.
Caution #1: Use a realistic number that approximately equals the number of different web-sites visited by users in your enterprise. A number between 1000 and 10000 should generally serve most enterprise networks.
Caution #2: Changing this value destroys the current cache and creates a new one. Therefore, do not change it too often.

Enterprise Identity
Specify your Enterprise Identity key here. This key is required to activate cProfiles, and can be obtained by subscribing to the SafeSquid CCS service. The Enterprise Identity is unique and allows CCS to sort the web-sites that were requested by your enterprise, so that CCS can prioritize the web-sites that must be classified to serve your enterprise better.
Caution: The Enterprise Identity is a unique key that must never be shared between networks / enterprises, to ensure proper results from CCS.

'Add' under 'Entries for processing cProfiles' section

Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule

Comment
A comment for future reference explaining what this rule does.

Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.

Category List
Comma separated list of categories that must be checked on the CCS. By default, all available categories are listed when you add a new rule. The following categories are currently available: ads, adult, adult_education, arts, chat, drugs, education, fileshare, finance, gambling, games, government, hacking, hate, highrisk, housekeeping, instantmessaging, jobs, leisure, mail, multimedia, news, porn, proxy, searchengines, shopping, social, sports, systemutils, travel, business. You may either create a separate rule for each category that you want to identify, or include a comma separated list of multiple categories in a single rule.

Score Range
Specify the score range for a positive match. cProfiles queries CCS to determine the probability that the content belongs to the above mentioned categories. The probability is between 1 and 100: a score of 1 means the site definitely does not belong to the queried category, and a score of 100 means the site most definitely belongs to it. So, if you set the score range to 2-100, the Added Profiles or Removed Profiles below are applied only if the scored value is more than 1.

Added profiles
Comma separated list of profiles that will be added to the connection if the selected categories have a positive match. These profiles can then be used in various filters like URL Filter, Mime Filter, etc. to take the desired action.

Removed profiles
A comma separated list of profiles to remove when the selected categories have a positive match. If any of these profiles have already been applied to the connection by other Profile rules, they will be removed.
Example: Suppose you wanted to globally block the 'porn' category, and restrict the 'Accounts' profile from accessing the 'jobsearch' category. Create the following rules in the cProfiles section:

cProfiles Section

Rule 1
Option          Value
Enabled         true
Comment         Identify websites under 'porn' category
Category List   porn
Score Range     2-100
Added profiles  blocked-category

Rule 2 (not reproduced on the page; its values follow from the explanation below)
Option          Value
Enabled         true
Profiles        Accounts
Category List   jobsearch
Score Range     2-100
Added profiles  blocked-category

Next, go to the URL filter section and add a rule under the Deny subsection (presuming that Policy is Allow) whose Profiles field is 'blocked-category'.

The first rule applies the 'blocked-category' profile to all requests with a positive match under the 'porn' category. This rule applies to everybody, since its 'Profiles' field is blank. The second rule applies the 'blocked-category' profile to all requests with a positive match under the 'jobsearch' category; this rule applies only to the 'Accounts' profile. The rule defined under the URL filter section then blocks all requests carrying the 'blocked-category' profile. Note that the category list above does not include a 'jobsearch' entry; the corresponding listed category is 'jobs'.
Limits

'Add' subsection
The following parameters can be used to define rules for setting various user limits:

Enabled
This option allows you to enable or disable a specific rule.
Value:
Yes - Enable this rule
No - Disable this rule

Comment
A comment for future reference explaining what this rule does.

Profiles
A comma separated list of previously created profile(s) (either in the Access Restriction or in the Profiles section) to which this rule should apply. Applies globally if left blank.

Action
The action to take when this entry matches. If set to Deny, any request falling into the specified time range is blocked; otherwise the request is allowed. Select Allow if you want to set a limit on the amount of data that can be transferred, or on the number of requests that can be made; further access is denied once the limit is reached.

Template
The template, or message, that should be displayed on the user's screen when access is denied due to this rule. This template is only sent if the page was blocked due to the time restrictions. The default template is used if this field is left blank. See Customizable Templates for details about templates.

Month range
The range of months within which this entry is active, e.g. January to March will keep this rule active from January through March. Applies to all months if left blank.

Day range
The range of days within which this entry is active, e.g. 5 to 15 will keep this rule active from the 5th through the 15th. Applies to all days if left blank.

Weekday range
The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this rule active from Monday through Thursday. Applies to all weekdays if left blank.

Hour range
The range of hours within which this entry is active, e.g. 9 to 12 will keep this rule active from 9 hrs through 12 hrs. Applies to all hours if left blank.

Minute range
The range of minutes within which this entry is active. This can be used in conjunction with Hour range, e.g. if the hour range is 9 to 12 and the minute range is 15 to 30, then the rule will remain active from 9:15 through 12:30. Applies to every minute if left blank.

Download transfer limit
The amount of download, in bytes, allowed during the specified time. No limit if left blank.

Upload transfer limit
The amount of upload, in bytes, allowed during the specified time. No limit if left blank.

Request limit
The number of requests allowed during the specified time. No limit if left blank.

Download rate
The maximum download transfer rate (speed or QoS) that should be allowed. Maximum available if left blank.

Time match mode
The time match mode option specifies how a time is matched when you specify multiple ranges.
Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, selecting 'Absolute' will match any time starting Monday 9AM and ending Friday 5PM, as one continuous window.
All ranges - With the same ranges, selecting 'All ranges' will match any time between 9AM and 5PM on each weekday from Monday to Friday.

Flags
The following flags are used to define, or fine tune, the rule:
Limit cache transfers: apply the rule even when the content is being served from the cache.
Per-request limit: confine the transfer limit to each single request. E.g. if you set the Download transfer limit to 5MB, each and every matching request is allowed 5MB.
Group limit: share the transfer limit between all matching connections. E.g. if you set the Download transfer limit to 5MB, it is shared between all the matching connections.
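The Time match mode choice above decides whether a Limits or Profiles rule fires on Tuesday at 22:00: under 'All ranges' it does not, because the hour is outside 9 to 17, while under 'Absolute' it does, because Tuesday 22:00 lies inside the single window from Monday 9AM to Friday 5PM. The following added example makes that difference concrete with the manual's own ranges; it is illustration code, not SafeSquid's implementation, and assumes both ends of each range are inclusive (as the "9 to 12 ... through 12 hrs" wording suggests) with the Minute range left blank.

```python
from datetime import datetime

# The manual's example: Weekday range Monday to Friday, Hour range 9 to 17.
# Python's weekday() numbers Monday as 0. Both ends of each range are taken as
# inclusive and the minute range is blank. Added illustration, not SafeSquid code.
WEEKDAY_RANGE = (0, 4)   # Monday .. Friday
HOUR_RANGE = (9, 17)     # 9 AM .. 5 PM


def matches_all_ranges(ts, weekdays=WEEKDAY_RANGE, hours=HOUR_RANGE):
    """'All ranges': every range must hold on its own, i.e. 9-17 on each weekday."""
    return (weekdays[0] <= ts.weekday() <= weekdays[1]
            and hours[0] <= ts.hour <= hours[1])


def matches_absolute(ts, weekdays=WEEKDAY_RANGE, hours=HOUR_RANGE):
    """'Absolute': one continuous window from Monday 9 AM to Friday 5 PM.
    Tuple comparison orders by day first, then hour, so Tuesday 22:00 is inside."""
    start = (weekdays[0], hours[0])
    end = (weekdays[1], hours[1])
    return start <= (ts.weekday(), ts.hour) <= end


def time_matches(ts, mode):
    """Dispatch on the Time match mode value."""
    if mode == "absolute":
        return matches_absolute(ts)
    if mode == "all ranges":
        return matches_all_ranges(ts)
    raise ValueError("unknown time match mode: %r" % mode)


def check(when, mode):
    """Convenience wrapper taking 'YYYY-MM-DD HH:MM' text (constructed timestamps)."""
    return time_matches(datetime.strptime(when, "%Y-%m-%d %H:%M"), mode)


if __name__ == "__main__":
    # 2024-01-01 is a Monday
    for when in ("2024-01-03 10:00",   # Wednesday, office hours
                 "2024-01-02 22:00",   # Tuesday night
                 "2024-01-06 10:00"):  # Saturday morning
        print(when, "absolute:", check(when, "absolute"),
              "all ranges:", check(when, "all ranges"))
```

For a working-hours restriction the intended mode is almost always 'All ranges'; 'Absolute' with a weekday and an hour range silently covers the nights in between.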
FTP Section
The following parameters are available for configuration in the FTP Section.

Passive mode
Use passive mode for FTP transfers; this is useful if you are behind a firewall that prevents the FTP server from opening a connection to you.
Options:
Yes: Use passive mode
No: Do not use passive mode

Timeout
Time in seconds to wait for a response to commands sent to the FTP server.

Anonymous login
The login name to use when none is explicitly given in the URL.

Anonymous password
The password to use when none is explicitly given in the URL.

Sort order
The order in which FTP directory listings are sorted.
Options:
Ascending: Sort the directory listing in ascending order
Descending: Sort the directory listing in descending order

Sort field
The field by which FTP directory listings are sorted.
Options:
None: Do not sort by any field
Name: Sort by name
Size: Sort by size
Date: Sort by date
7.12.8 Templates
Templates are used throughout SafeSquid as a replacement for pages which can't be displayed due to filtering, an error, or other conditions. SafeSquid comes with the following default templates:

Template       Condition
blocked        Page blocked
nodns          DNS lookup failed
badrequest     Malformed HTTP header from client
badresponse    Malformed HTTP header from server
nofile         File not found
nocache        Cache file not found when browsing in offline mode
noconnect      Connection failed
noaccess       Access denied
badprotocol    Protocol not implemented
badauth        Authorization failed (when forwarding through SOCKS4)
maxbandwidth   Bandwidth limit exceeded
maxrequests    Request limit exceeded
proxy.pac      A script to configure the browser to use the proxy
interface.css  Web interface stylesheet

These templates can be viewed at http://safesquid.cfg/template/blocked (replace 'blocked' with the template name). You can replace the default templates with your own customized templates (SafeSquid Advanced Edition and all Composite Editions, including the free Composite Edition 20). Customized templates are useful when you want the error messages to be displayed in a language other than English. They can also be used to display your company logo, a warning, or a message like 'If you feel this site was unnecessarily blocked, please notify the administrator at helpdesk@mycompany.com'. A template need not be HTML; it can be almost anything, such as an audio file, a flash file or an executable, and can be used to invoke a file for a specific condition. For example, SafeSquid has 3 built-in templates of this kind: tinygif (a 1x1 transparent gif image), checkeredgif (a 4x4 gray and transparent checkered pattern), and tinyswf (an empty flash animation). The checkeredgif template is used by default to replace images blocked by the Pornographic Image Filter add-on module, which blocks pornographic images in real time. So, when the page is displayed to a user, a block of checkered boxes is shown instead of the blocked image. There are several variables that can be used in templates if the Parsable option is selected; they are replaced with information about the request currently being handled and can be used to generate content in real time. The variables are:
Variable           Description
@AVSCANNER@        The name of the antivirus scanner used
@CATEGORY@         The category of blacklist used
@HTTP_METHOD@      Method used to request the file
@HTTP_HOST@        The host to which the HTTP request was made
@HTTP_FILE@        The file the HTTP request was made for
@HTTP_PORT@        The port the HTTP request was made to
@UPLOADLIMIT@      The limit given for uploading a file
@IP@               IP address of the client making the request
@INTERFACE@        IP address of the interface the client connected to
@IMAGESCORE@       Score for individual images
@IMAGETHRESHOLD@   The cut-off value from which an image is decided as good or bad (porn)
@PORT@             Port the client connected to
@SIZE@             Amount of data to be transferred
@TRANSFERRED@      Amount of data transferred so far
@USERNAME@         The username with which the user authenticated
@URL@              The full URL (the same as @HTTP_METHOD@://@HTTP_HOST@:@HTTP_PORT@@HTTP_FILE@)
@VERSION@          The proxy server version
@VIRUSNAME@        The name of the virus detected
The Template section in the SafeSquid Interface allows you to configure customized templates.

Templates section
The following parameters are available for configuration in the Templates section:

Path
The directory path on the server where the template files are located.

Add
Add a custom template.

'Add' subsection
The following parameters are available for configuration in the 'Add' subsection:

Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule

Comment
A comment for future reference explaining what this rule does.

Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.

Name
The name by which this template is referred to in other sections.

File
The name of the file in the template directory to be used for this template.

Mime type
The MIME-type of the template file. When using an executable, this is sent in the HTTP response header.

Response code
The response code to use when sending the template. Leave blank to use the internal default.

Type
Specify the type of template.
Options:
File: The content of the file is sent as the template.
Executable: The file is executed, and whatever it writes to STDOUT is sent as the template.

Parsable
If this option is selected, all variables in the template will be substituted.
Example: In this example we will replace the default template displayed when a site is blocked by the URL Filter section. Let us presume that this file is called filter.html, and its content is as below.

filter.html:

<html>
<head>
<title>site is blocked</title>
</head>
<body style="color: rgb(255, 255, 255); background-color: rgb(255, 0, 0);" link="#000099" alink="#000099" vlink="#990099">
<div style="text-align: center; font-family: Verdana;">
<h1>The site @HTTP_HOST@ is blocked</h1>
</div>
</body>
</html>
Now, copy this file to the directory /opt/safesquid/safesquid/template/ on the SafeSquid server. Next, from the SafeSquid Interface (http://safesquid.cfg) go to Config => Template. Click on 'Add' under the Template subsection and add the following rule (the screenshot is not reproduced here; the values follow from the steps of this example):

Option    Value
Enabled   Yes
Name      filter
File      filter.html
Type      File
Parsable  Yes (required, so that @HTTP_HOST@ is substituted)
Next, go to Config => URL filter and change the value of 'Default template' to 'filter'. (The url-filtering section filters URLs based on host name and file path; its section-level options are Enabled, Policy and Default template.)

Now, when you visit a website that is blocked by the URL filter, you will see the new template instead of the default one. Remember to save the changed settings by clicking on 'Save settings' from the top menu in the SafeSquid Interface.
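A parsable template such as filter.html above has its @VARIABLE@ markers replaced with data from the request being handled. Several of those variables (@HTTP_HOST@, @HTTP_FILE@, @URL@, @USERNAME@) are taken from what the client sent, so any renderer that reflects them into an HTML block page should HTML-escape them. The following added example is a small renderer of that kind, written for this page and not SafeSquid's own code; whether SafeSquid escapes variable values when it parses a template is not stated here, which is exactly why a custom template should be checked with a hostile request before it goes live. The template text and request values are constructed.

```python
import html
import re

# Constructed template text using the same @VARIABLE@ placeholders as the
# filter.html above. The substitution below is this example's own renderer,
# not SafeSquid's: the page says parsable templates have their variables
# replaced, but does not say whether the values are HTML-escaped.
TEMPLATE = ("<h1>The site @HTTP_HOST@ is blocked</h1>\n"
            "<p>Requested: @URL@ by @USERNAME@</p>\n"
            "<p>Unknown markers such as @NOT_A_VARIABLE@ stay as they are.</p>")

VARIABLE_RE = re.compile(r"@([A-Z_]+)@")


def render(template, request_vars, escape=True):
    """Replace each @NAME@ with request_vars['NAME'].

    @HTTP_HOST@, @HTTP_FILE@, @URL@ and @USERNAME@ originate from the client's
    request, so a block page that reflects them into HTML must escape them;
    otherwise a crafted URL turns the block page into reflected script.
    Names that are not provided are left untouched."""
    def substitute(match):
        name = match.group(1)
        if name not in request_vars:
            return match.group(0)
        value = str(request_vars[name])
        return html.escape(value, quote=True) if escape else value
    return VARIABLE_RE.sub(substitute, template)


def blocked_page(host, url, username, escape=True):
    """Render the block page for one request (constructed variable values)."""
    return render(TEMPLATE,
                  {"HTTP_HOST": host, "URL": url, "USERNAME": username},
                  escape=escape)


if __name__ == "__main__":
    hostile_url = "http://example.com/<script>alert(1)</script>"
    print(blocked_page("example.com", hostile_url, "john"))
    print(blocked_page("example.com", hostile_url, "john", escape=False))
```

The same check applies to an Executable template: whatever the program writes to STDOUT is sent as-is, so it must do its own escaping of any request-derived value it prints.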
dnsbl section
The following parameters are available for configuration in the DNS Blacklist section:

Enabled
This option allows you to enable or disable the DNS blacklist section.
Value:
Yes - Enable DNS blacklist section
No - Disable DNS blacklist section

Template
The template to send when a domain is blocked.

Domain
The domain to use for making queries. For example, the domain to use for the service from dnsbl.org is in.dnsbl.org. You can also use any other provider of a similar service.

Blocked IP addresses
A comma separated list of IP addresses (or responses - see table above) from in.dnsbl.org that you would like to block access to. For example, to block access to domains listed under "Fraud" and "Botnet Activity / Malware", type 127.0.0.3,127.0.0.8 here.
url-filtering section
This section filters URLs based on their host name and file path. It has the section-level options Enabled, Policy and Default template, and an Allow and a Deny subsection, each with its own 'Add' button. The sample rules shipped under the Deny subsection are:

Option    Value
Enabled   true
Comment   SAMPLE rule to block specific websites
Host      (rapidshare.de|orkut.com|myspace.com)

Option    Value
Enabled   true
Comment   SAMPLE rule to block specific profiles
Profiles  disallowed_query,ad_servers,banners
The following parameters are available in the URL filtering section:

Enabled
This option allows you to enable, or completely disable, the URL Filtering section irrespective of the rules defined in the section.
Value:
Yes - Enable URL filtering section
No - Disable URL filtering section

Policy
Defines the global policy for the URL Filtering section.
Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection

Default template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates; for details, check Customisable Templates.

'Add' under Allow / Deny subsection
You can define rules either under the Allow or the Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the sample rules above, the Policy is Allow, hence the rules are defined in the Deny subsection to deny access to specific content.

Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule

Comment
A comment for future reference explaining what this rule does.

Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.

Host
A regular expression matching the host to which this rule should apply. You can define multiple hosts separated with a pipe, e.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts.

File
You can further fine tune the rule by specifying a regular expression for the file part of the URL, to restrict access only to specific files / folders on the hosts mentioned in the Host field (applies to all hosts if the Host field is left blank). E.g. to restrict access to ads or banners on mysite.com, specify mysite.com in Host and /(ad(s|v)?|banners?)/ in the File field. This blocks access only to mysite.com/ad/, mysite.com/ads/, mysite.com/adv/, mysite.com/banner/ and mysite.com/banners/.

IP ranges
A comma separated list of requesting IPs and/or IP ranges to which this rule applies, e.g. 192.168.0.10-192.168.0.20,192.168.0.25-192.168.0.29,192.168.0.33

Template
This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.
Example:
Suppose you wanted to restrict the 'Accounts' group from accessing some specific web sites. Create the following rule in the Profiles section (only the first two fields are reproduced on the page; the remaining values follow from the explanation below):

Profiles Section
Option          Value
Enabled         true
Comment         This profile is used in the URL filter to restrict the 'Accounts' group from accessing the specified sites.
Profiles        Accounts
Host            (the sites to be restricted, pipe separated)
Added profiles  Blocked-Site

Next, go to the URL filter section and add a rule under the Deny subsection (presuming that Policy is Allow) whose Profiles field is 'Blocked-Site'.

The first rule defines that when users with the 'Accounts' profile request the sites specified in the Host field, the request is given another profile, Blocked-Site. This rule only defines the situation and does not do any blocking. The second rule, defined under the URL filter section, blocks all requests carrying the Blocked-Site profile.
redirect section
The redirect feature allows you to redirect requests.

Enabled
This option allows you to enable, or completely disable, the URL Redirect section irrespective of the rules defined in the section.
Value:
Yes - Enable URL Redirect section
No - Disable URL Redirect section

'Add' under Redirect subsection

Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule

Comment
A comment for future reference explaining what this rule does.

Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.

URL
A regular expression matching the URL you wish to redirect. The URL will always be in the form "protocol://host/file", or "/file" for HTTP requests. The expression may be trailed with a / followed by flag characters, as in Perl, to modify the options used to compile the regular expression, and must be if a / is used anywhere else in the regular expression.

Redirect
The URL to redirect to. It may contain back references to strings captured using parentheses in the URL pattern. This can be in the form "protocol://host/file", or "/file" if you wish to send a relative URL when redirecting a URL in the Location: header. If this option is left blank, no action is taken on requests matching the URL.

Port
The port to redirect to. If left blank, the port to which the original request was made is used.

302 redirect
If yes, a 302 redirect is used; otherwise the new host is connected to directly and the new file is requested. A 302 redirect should always be used when possible, to ensure that relative links and images are correct.

Options
The following options are available to control how the URL should be handled:
Encode URL - Encode the new URL.
Decode URL before - Decode the URL before attempting to match it with the regular expression.
Decode URL after - Decode the new URL after matching.

Applies to
Select whether the redirection applies to requested URLs, to the Location header when a remote site sends a 302 redirect, or to both.
Example:
SafeSquid automatically produces the auto-configure-script proxy.pac (Proxy Auto Configuration) file, which clients can use to automatically configure the proxy server. This file can also be used by the WPAD (Web Proxy Automatic Discovery) protocol, which allows automatic discovery of proxy servers. The following redirect rule will redirect any client request for the proxy.pac file to the default SafeSquid proxy.pac file.
Enabled: true
Comment: This will send a template when /proxy.pac is requested to configure the browser to use the proxy
URL: ^/proxy.pac$
Redirect: /safesquid.cfg/template/proxy.pac
302 redirect: false
Applies to: url
mime-filtering section
The mime feature allows you to filter content based on its MIME-type.
Sample rules shown under the Deny subsection:
Enabled: true
Comment: A SAMPLE rule that blocks downloads of files by mime type.
Mime type: (^audio/|^video/)
Enabled: true
Comment: A SAMPLE rule that blocks downloads of files by file extension.
File: \.(exe|mp3|avi|wmv|wma|mpeg|zip|tar|gz)$
Enabled
This option allows you to enable, or completely disable, the Mime filtering Section irrespective of the rules defined in the section.
Value:
Yes - Enable Mime filtering Section
No - Disable Mime filtering Section
Policy
Defines the Global Policy for the Mime filtering Section.
Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
Default template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.
'Add' under Allow / Deny subsection
You can define rules either under the Allow or the Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Host
A regular expression matching the host on which this rule should apply. You can define multiple hosts separated with a pipe, e.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts.
File
You can further fine tune the rule by specifying a regular expression for the file part contained in a URL. Leave blank to match everything.
Mime Type
A regular expression matching the MIME-types this rule applies to, e.g. ^audio/, ^video/, application/octet-stream, etc. Matches all MIME-types if left blank.
Template
This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.
header-filtering section
The header feature allows you to control what headers are passed from your browser to websites. In addition to the allow and deny actions found in some other sections, there is an insert action which will add a new header onto the ones sent by your browser; for these entries, the Type and Value options are plain text.
Enabled
This option allows you to enable, or completely disable, the Header filtering Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Header filtering Section
No - Disable Header filtering Section
Policy
Defines the Global Policy for the Header filtering Section.
Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
'Add' under Allow / Deny / Insert subsection
You can add rules under Deny that explicitly remove header content from all and / or specific sets of server and / or client requests. This effectively allows you to set a variety of intelligently and creatively defined Privacy Blacklist(s). You can add rules under Allow that explicitly allow header content within all and / or specific sets of server and / or client requests. This effectively allows you to set a variety of intelligently and creatively defined Privacy Whitelist(s). You can also define rules under the 'Insert' subsection, to insert additional information in the headers sent by your browser.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Type
A regular expression matching the header types this entry applies to; leave blank to match everything (headers are in the form "Type: value").
Value
A regular expression matching the header value this entry applies to; leave blank to match everything.
Applies to
The types of headers that will be affected by this rule. SafeSquid supports header control in both server side and client side headers.
cookie-filtering section
The cookies feature allows you to choose which hosts your browser is allowed to send cookies to and receive cookies from.
Enabled
This option allows you to enable, or completely disable, the Cookie filtering Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Cookie filtering Section
No - Disable Cookie filtering Section
Policy
Defines the Global Policy for the Cookie filtering Section.
Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
'Add' under Allow / Deny subsection
You can add rules under Deny that explicitly block or deny cookie transfer under all or a specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Cookie Transfer Blacklist(s). You can add rules under Allow that explicitly accept or allow cookie transfer under all or a specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Cookie Transfer Whitelist(s).
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Expiry year range
The cookie expiry year range this entry applies to.
Expiry month range
The cookie expiry month range this entry applies to.
Expiry day range
The cookie expiry day range this entry applies to.
Expiry weekday range
The cookie expiry weekday range this entry applies to.
Expiry hour range
The cookie expiry hour range this entry applies to.
Expiry minute range
The cookie expiry minute range this entry applies to.
Domain
A regular expression matching the cookie's domain attribute this entry applies to.
Path
A regular expression matching the cookie's path attribute this entry applies to.
Direction
The direction of the cookie this entry applies to; can be either in (Set-Cookie sent by the website), out (Cookie sent by the browser), or both.
Time match mode
The time match mode option allows you to specify how a time is matched if you specify multiple ranges.
Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, then selecting the 'Absolute' Time Match Mode will match any time starting Monday, 9AM and ending Friday, 5PM.
All ranges - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, then selecting the 'All ranges' Time Match Mode will match any time between 9AM and 5PM, on all weekdays from Monday to Friday.
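The two Time match modes, worked through on a cookie's Expires attribute as an added example for this page (not SafeSquid's code): the same Deny rule for *.tracker.example is evaluated once as 'Absolute' and once as 'All ranges'. The Set-Cookie headers are constructed; treating hour values as inclusive (hour 17 covers 17:00-17:59) and ignoring cookies without Expires are my assumptions.

```python
import re
from datetime import datetime

# Weekday indices follow datetime.weekday(): Monday = 0 .. Sunday = 6.
MONDAY, FRIDAY = 0, 4


def matches_all_ranges(t, weekday_range, hour_range):
    """'All ranges': every range must hold on its own, so Monday..Friday and 9..17
    means 9:00-17:59 on each of those days (assumption: hour values are inclusive)."""
    return (weekday_range[0] <= t.weekday() <= weekday_range[1]
            and hour_range[0] <= t.hour <= hour_range[1])


def matches_absolute(t, weekday_range, hour_range):
    """'Absolute': the ranges describe one continuous window from the first weekday
    at the first hour to the last weekday at the last hour, i.e. Monday 9:00 through
    Friday 17:59, including the nights in between."""
    start = (weekday_range[0], hour_range[0])
    end = (weekday_range[1], hour_range[1])
    return start <= (t.weekday(), t.hour) <= end


def parse_set_cookie(header):
    """Split a Set-Cookie header into the cookie name and its attributes (keys lower-cased)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookie_rule_matches(rule, set_cookie_header):
    """Apply one rule with Direction 'in' (Set-Cookie sent by the website) to a header:
    Domain and Path are regular expressions; the weekday and hour ranges are matched
    against the cookie's Expires attribute using the rule's Time match mode.
    Cookies without Expires (session cookies) never match here (assumption)."""
    _, attrs = parse_set_cookie(set_cookie_header)
    if rule["direction"] not in ("in", "both"):
        return False
    if rule.get("domain") and not re.search(rule["domain"], attrs.get("domain", "")):
        return False
    if rule.get("path") and not re.search(rule["path"], attrs.get("path", "")):
        return False
    if "expires" not in attrs:
        return False
    expiry = datetime.strptime(attrs["expires"], "%a, %d %b %Y %H:%M:%S GMT")
    if rule["time_match_mode"] == "absolute":
        return matches_absolute(expiry, rule["weekday_range"], rule["hour_range"])
    return matches_all_ranges(expiry, rule["weekday_range"], rule["hour_range"])


# Constructed Deny rule: cookies from *.tracker.example whose expiry falls in the
# Monday-Friday / 9-17 window. Only the Time match mode differs between the two.
DENY_ABSOLUTE = {"direction": "in", "domain": r"\.tracker\.example$", "path": "",
                 "weekday_range": (MONDAY, FRIDAY), "hour_range": (9, 17),
                 "time_match_mode": "absolute"}
DENY_ALL_RANGES = dict(DENY_ABSOLUTE, time_match_mode="all ranges")
```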
keywords-filtering section
Enabled
This option allows you to enable, or completely disable, the keyword filter Section, irrespective of the rules defined in the section.
Value:
Yes - Enable keyword filter Section
No - Disable keyword filter Section
Threshold
The number the total score must equal or exceed before the document is blocked.
Template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.
'Add' under keyword subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Mime type
A regular expression matching the mime-types this entry applies to, e.g. text, html, javascript. It is highly advisable that you set this to some mime-type, otherwise all files will be checked. If you're unsure, set this to "text/".
Keyword
A regular expression matching words or expressions in the body of the document that are considered inappropriate, e.g. (sex|sexy|porn|pornography).
Score
The score allotted to this entry. When the defined keyword matches, this score is added to the total score. This can be a positive or a negative integer.
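Keyword scoring against a Threshold, including a negative Score, as an added example for this page (not SafeSquid's code). The rules and page bodies are constructed; adding a rule's Score once per matching rule rather than once per occurrence is an assumption.

```python
import re

# Constructed rules for the keyword subsection. Score may be negative, so a page
# can earn back points for context that marks it as legitimate.
KEYWORD_RULES = [
    {"enabled": True, "mime_type": "text/", "keyword": r"\b(casino|roulette)\b", "score": 6},
    {"enabled": True, "mime_type": "text/", "keyword": r"\b(jackpot|free spins)\b", "score": 6},
    {"enabled": True, "mime_type": "text/",
     "keyword": r"\b(gambling addiction|responsible gaming)\b", "score": -8},
    {"enabled": False, "mime_type": "text/", "keyword": r"\bpoker\b", "score": 6},  # disabled: ignored
]
THRESHOLD = 10


def keyword_score(rules, mime_type, body):
    """Sum the Score of every enabled rule whose Mime type regex matches the
    response's MIME type and whose Keyword regex is found in the body.
    Assumption: a rule's score counts once, however often its keyword occurs.
    Returns (total score, list of matched Keyword fields)."""
    total, matched = 0, []
    for rule in rules:
        if not rule["enabled"] or not re.search(rule["mime_type"], mime_type):
            continue
        if re.search(rule["keyword"], body, re.IGNORECASE):
            total += rule["score"]
            matched.append(rule["keyword"])
    return total, matched


def keyword_filter_decision(rules, threshold, mime_type, body):
    """Block when the total score equals or exceeds the Threshold."""
    total, _ = keyword_score(rules, mime_type, body)
    return "block" if total >= threshold else "allow"
```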
rewrite section
Enabled
This option allows you to enable, or completely disable, the Rewrite document Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Rewrite document Section
No - Disable Rewrite document Section
'Add' under Rewrite subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
MIME type
A regular expression matching the MIME-type this entry applies to. This must be filled with some Mime-type, otherwise the rewrite rule will be applied to every downloaded file, which is almost certainly not what you want. To have it applied to web pages, fill this field with "text/html".
Pattern
A regular expression pattern matching the area of text inside the file to modify. If this field is left blank, and the host, file, or mime-type options aren't, this will be the last entry matched for sites matching the host, file, and mime-type. This may be trailed with a / followed by flag characters, as in Perl, to modify the options used to compile the regular expression, and must be if a / is used anywhere else in the regular expression.
Replace
The replacement text to use in place of the area of text matching the pattern; it may contain back references to strings captured using parentheses in the pattern. A back reference to a captured string is in the form "$#", where # is a number from 1-9; "$0" will be replaced with the entire area of text matching the regular expression. Escape sequences may be used to represent unprintable characters; they are "\n" (newline), "\r" (carriage return), and "\t" (tab). To use a backslash as part of the replacement text, precede it with another backslash.
Applies to
This option selects what the rewrite rule applies to; the options are:
Client header - Rewrite the client header; this happens before SafeSquid parses it, so be careful not to remove any headers needed to handle the request properly. The Mime-type option serves no purpose for this.
Server header - Rewrite the header from the remote web server; the same conditions as for the client header apply.
Body - Rewrite the body of the web page or file.
POST data - Rewrite POST/PUT data sent when submitting a form or uploading a file.
Example:
The following example is for blocking ActiveX code from specific websites. Create the following rule in the Profiles section:
Profiles Section
Enabled: true
Comment: This profile is used in Rewrite document section to block ActiveX from specified sites.
Host: (firstsite.com|secondsite.net|thirdsite.org)
Time match mode: absolutetime
Next, go to the Rewrite document section and add the following rule:
Rewrite document section
Enabled: true
Comment: This rule will replace ActiveX codes in web pages from hosts specified in Block-ActiveX profile, in Profiles section
Profiles: Block-ActiveX
MIME type: text/html
Pattern: <object[^>]*>(.*)</object>
Replace: <b><font color="blue" > SafeSquid </font> restricting <font color="red" > Active X </font> download</b>
Applies to: body
This will find ActiveX code in web pages from the specified hosts and replace it with the following:
SafeSquid restricting Active X download
You can also do the reverse, by allowing ActiveX only from specific web sites, while blocking it from the rest. To do that, create a profile, e.g. 'Trusted-Websites', in the Profiles section, and specify the web sites in the 'Host' field. Next, in the Rewrite document section, instead of entering 'Block-ActiveX' in the 'Profiles' field, enter '!Trusted-Websites'. The '!' here means 'NOT'. Effectively, the Rewrite document rule will apply to all web sites, EXCEPT the ones specified in the 'Trusted-Websites' profile.
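The Pattern / Replace semantics described in the Rewrite section, and the Perl-style "/regex/flags" form that both the Redirect URL field and the Pattern field accept, as an added example for this page (not SafeSquid's code): the ActiveX rule from the example above is applied to a constructed page, alongside two constructed rules that exercise "/.../i", "$1", "$0" and the "\n" escape. Mapping the Perl flags onto Python's re flags is my assumption.

```python
import re

PERL_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}


def compile_pattern(field):
    """Compile a Pattern / URL field. '/regex/flags' applies the trailing Perl-style
    flags; anything else is compiled as written (the manual's own examples use an
    unslashed regex that contains '/', so that form is accepted as well)."""
    if field.startswith("/") and field.rfind("/") > 0:
        end = field.rfind("/")
        regex, flags = field[1:end], field[end + 1:]
        value = 0
        for ch in flags:
            if ch not in PERL_FLAGS:
                raise ValueError("unsupported flag %r in %r" % (ch, field))
            value |= PERL_FLAGS[ch]
        return re.compile(regex, value)
    return re.compile(field)


def expand_replacement(template, match):
    """Expand the Replace field for one match: '$1'..'$9' are captured groups, '$0'
    the whole match, backslash-n/r/t are control characters, and a doubled
    backslash is a literal backslash. A '$n' beyond the last group expands to nothing."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "$" and nxt.isdigit():
            n = int(nxt)
            out.append((match.group(n) or "") if n <= match.re.groups else "")
            i += 2
        elif ch == "\\" and nxt in ESCAPES:
            out.append(ESCAPES[nxt])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def rewrite_body(rule, mime_type, body):
    """Apply one enabled Rewrite rule (Applies to: Body) to a response of the given MIME type."""
    if not rule["enabled"] or not re.search(rule["mime_type"], mime_type):
        return body
    pattern = compile_pattern(rule["pattern"])
    return pattern.sub(lambda m: expand_replacement(rule["replace"], m), body)


# The ActiveX rule from the example above.
ACTIVEX_RULE = {
    "enabled": True, "mime_type": "text/html",
    "pattern": r"<object[^>]*>(.*)</object>",
    "replace": '<b><font color="blue" > SafeSquid </font> restricting '
               '<font color="red" > Active X </font> download</b>',
}

# Constructed rule using the '/regex/flags' form (required here because the regex
# contains '/') and a '$1' back reference: rewrite plain http links to https.
HTTPS_LINK_RULE = {
    "enabled": True, "mime_type": "text/html",
    "pattern": r'/href="http:\/\/([^"]*)"/i',
    "replace": 'href="https://$1"',
}

# Constructed rule using '$0' and the '\n' escape: a line break after each closing paragraph tag.
PARAGRAPH_BREAK_RULE = {
    "enabled": True, "mime_type": "text/html",
    "pattern": "</p>",
    "replace": r"$0\n",
}
```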
cache section
Values shown in the section:
Enabled: Yes / No
Violate RFC: Yes / No
Memory cache size: 50M
Memory free extra: 200M
Minimum file size: 0
Maximum file size: 1M
Prefetch window: 30
ICP port: 0
ICP timeout: 1000
Store balance method: Fill size / Fill percent
journal size: 128
Clean Interval: 30
Sample entry under the Store subsection:
Enabled: false
Comment: This is the default path of cache directory
Path: /var/cache/safesquid
Maximum disk size: 1G
Disk free extra: 250M
MD5 integrity check: false
Sample entry under the Refresh subsection:
Enabled: true
Cachable: true
Minimum age: 1800
Maximum age: 2592000
Revalidate age: 1259000
Last-Modified time factor: 10
Enabled
This option allows you to enable, or completely disable, the Caching Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Caching Section
No - Disable Caching Section
Violate RFC
This option will cause the proxy server to violate some rules in the HTTP RFC to help improve cache performance. Specifically, when a website requests that the file not be cached, with the No-Cache directive in the Cache-Control header, the proxy will cache it anyway but always validate it with an If-Modified-Since conditional request.
Memory cache size
The maximum size in bytes of the memory cache.
Memory free extra
The number of additional bytes to free up when the memory cache is cleaned.
Minimum file size
The minimum file size in bytes of any cached file.
Maximum file size
The maximum file size in bytes of any cached file; if set to 0, no maximum file size is imposed.
Prefetch window
This option can be used to specify the time period after a file is pre-fetched during which it will be exempt from any refresh or expiry rules.
ICP port
The UDP port to listen for ICP packets on. You can change it as per your configuration.
ICP timeout
The timeout in milliseconds for response ICP packets.
Store balance method
This option controls which storage directory a file goes into, when you define multiple storage volumes.
Fill size - selects the storage directory with the least total bytes used
Fill percent - selects the storage directory with the lowest percentage of space used
journal size
The maximum size in bytes of the journal.
Clean Interval
Interval time in seconds after which the content in the Memory Cache is dumped into the disk storage.
'Add' under Store subsection
You can add one or more locations under "Store" that will be used for physically storing the content for caching.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Path
The directory where cached files are stored.
Maximum disk size
The amount of space that should be used to store cached files in this directory.
Disk free extra
When the cache is cleaned, this additional amount will be freed as well. This option can be useful to prevent the cache from getting evicted too often, which can hurt performance.
MD5 integrity check
Performs an MD5 check on cache files when saving them to and loading them from disk. This ensures that corrupted cache files don't get used.
'Add' under Refresh subsection
You can add / modify the rules under "Refresh" that enforce your policies for renewing or refreshing the contents in the cache, to ensure that users are served with content that is 'fresh enough'. This effectively allows you to intelligently and creatively manipulate the bandwidth usage.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Cachable
Whether or not requests matching this entry are cached.
Minimum age
The minimum age any file must have, according to the Last-Modified header, before it is cached.
Maximum age
The maximum age of any cached file before it must be revalidated. This overrides any given expiry time.
Revalidate age
The maximum age of any cached file that didn't include any headers indicating when it should expire, before it must be revalidated. If set to 0, all cached files whose expiry time is uncertain will be verified. If no "Last-Modified" header is received to calculate the percentage-of-age freshness, the cached file is always revalidated.
Last-Modified time factor
The percentage of the time between the date given in the Last-Modified header and the current time for which a cached file is considered fresh after downloading.
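How the Refresh fields combine into a fresh-or-revalidate decision, as an added example for this page (not SafeSquid's code), using the values shown in the section (Minimum age 1800, Maximum age 2592000, Revalidate age 1259000, Last-Modified time factor 10). The order in which the checks are applied, and storing a file that has no Last-Modified header, are my reading of the field descriptions, not documented behaviour; all timestamps are constructed epoch seconds.

```python
# Refresh rule with the values shown in the section above (seconds, and a percentage).
REFRESH_RULE = {"cachable": True, "min_age": 1800, "max_age": 2592000,
                "revalidate_age": 1259000, "lm_factor": 10}


def should_cache(rule, downloaded_at, last_modified):
    """Decide at download time whether to store the object. Minimum age: a file
    whose Last-Modified date is less than min_age seconds old is not cached (it
    is still changing). Assumption: without a Last-Modified header the check
    cannot be made and the file is stored."""
    if not rule["cachable"]:
        return False
    if last_modified is not None and downloaded_at - last_modified < rule["min_age"]:
        return False
    return True


def freshness(rule, now, downloaded_at, last_modified, expires):
    """Return 'fresh' (serve from cache) or 'revalidate' (send a conditional request).
    last_modified / expires are None when the response carried no such header.
    Ordering (my reading of the field descriptions): Maximum age beats everything,
    then an explicit expiry, then the Revalidate age limit and the Last-Modified
    time factor estimate."""
    age = now - downloaded_at
    if age > rule["max_age"]:
        return "revalidate"                   # overrides any given expiry time
    if expires is not None:
        return "fresh" if now < expires else "revalidate"
    # From here on the expiry time is uncertain.
    if last_modified is None:
        return "revalidate"                   # no basis for a freshness estimate
    if rule["revalidate_age"] == 0 or age > rule["revalidate_age"]:
        return "revalidate"
    # Fresh for lm_factor percent of the interval between Last-Modified and download.
    fresh_for = (downloaded_at - last_modified) * rule["lm_factor"] / 100.0
    return "fresh" if age <= fresh_for else "revalidate"


def cache_lookup(rule, now, entry):
    """Convenience wrapper over a cache entry dict with the keys
    downloaded_at, last_modified and expires."""
    return freshness(rule, now, entry["downloaded_at"], entry.get("last_modified"), entry.get("expires"))
```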
forward section
Sample entry under the Forward subsection:
Enabled: true
Comment: sample rule for forwarding
Proxy: parent_proxy
Port: 3128
ICP peer type: none
ICP port: 0
Type: HTTP
Applies to: HTTP,FTP,CONNECT
Enabled
This option allows you to enable or completely disable the Forwarding Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Forwarding Section
No - Disable Forwarding Section
Enable CARP
This option allows you to enable or disable the use of CARP.
Value:
Yes - Enable CARP
No - Disable CARP
CARP hash size
The maximum value of the CARP hash set on the peer proxies. Decrease this value for greater redundancy of cached files. If the peer is Squid, set this value to 0.
'Add' under Forward subsection
You can add unique rules to deal with different proxies, profiles and requests in this subsection.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Proxy
The hostname or IP address of the proxy to forward through. If this is left blank, and the host or file options aren't, no action will be taken for requests matching the host and file. If the Proxy is the same as the server's own hostname, the entry is ignored. This makes it easier to have a configuration file shared between several proxy servers.
User name
The user name to use if the proxy requires authentication.
Password
The password for the User name used.
Domain
The NT domain when using the NTLM authentication protocol.
Port
The port number of the proxy to forward through.
ICP peer type
The peering relationship of this proxy.
None - The ICP protocol will not be used with this proxy
Parent - This proxy is a Parent. When no peer has the cached file, it will still be requested from a parent, so that it is cached for other peer proxy servers.
Sibling - This proxy is a Sibling. Files are requested from it only when it has a cached copy.
ICP port
The UDP port ICP packets are sent on to this proxy.
Type
The type of proxy the requests are being forwarded to:
HTTP - This is an HTTP proxy.
SOCKS4 - This is a SOCKS4 firewall.
SOCKS5 - This is a SOCKS5 firewall.
Connect - The CONNECT method will be used through the HTTP proxy.
Applies to
What type of requests should be forwarded:
HTTP requests - Forward HTTP requests
FTP requests - Forward FTP requests
CONNECT requests - Forward CONNECT requests
ICAP server, allowing the server to modify or redirect Web requests or responses. When an ICAP server is installed in an FTP system, every transaction is piped through the ICAP server, allowing virus and content filtering software to operate on the content.
ICAP section
Enabled
This option allows you to enable or completely disable the ICAP Section, irrespective of the rules defined in the section.
Value:
Yes - Enable ICAP Section
No - Disable ICAP Section
'Add' under ICAP subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Host
The host name or IP address of the ICAP server.
File
The file to request from the ICAP server.
Port
The port of the ICAP server.
Applies to
Which part of the HTTP request this entry applies to:
Requests - The ICAP server will be used to modify or satisfy requests.
Responses - The ICAP server will be used to modify responses.
Examples:
In all the examples below, it is presumed that the IP of the ICAP server is 192.168.0.175 and that it is listening on port 1344. The profile 'virus_scan' is used in all examples, to ensure that only the files that require virus scanning are sent to the ICAP server. This profile is created in the 'Profiles' section. The sample rule is as follows:
Profiles Section
Enabled: true
Comment: The following file types will be scanned for viruses
File: (386|ADE|ADP|ADT|APP|ASP|BAS|BAT|BIN|BTM|CBT|CHM|CLA|CLASS|CMD|COM|CPL|CRT|CSC|CSS|DLL|DOC|DOT|DRV|EML|EMAIL|EXE|FON|HLP|HTA|HTM|HTML|INF|INI|INS|ISP|JS|JSE|LIB|LNK|MDB|MDE|MHT|MHTM|MHTML|MP3|MSO|MSC|MSI|MSP|MST|OBJ|OCX|OV\?|PCD|PGM|PIF|PPT|PRC|REG|RTF|SCR|SCT|SHB|SHS|SMM|SYS|URL|VB|VBE|VBS|VXD|WSC|WSF|ZIP|GZ|RAR|WSH|XL\?)
Time match mode: absolutetime
The profile assigned by this rule is virus_scan.
2. Using Kaspersky ICAP Server for virus-scan of incoming and outgoing content
Rule for scanning incoming content
Enabled: true
Comment: Configuration for using Kaspersky ICAP to virus-scan incoming content
Profiles: virus_scan
Host: 192.168.0.175
File: /respmod
Port: 1344
Applies to: responses
Rule for scanning outgoing content - GET / POST
Enabled: true
Comment: Configuration for using Kaspersky ICAP to virus-scan outgoing content
Profiles: virus_scan
Host: 192.168.0.175
File: //av/reqmod
Port: 1344
Applies to: requests
2. Using Symantec ICAP Server for virus-scan of incoming and outgoing content
Enabled: true
Comment: Configurations for using Symantec ICAP to virus-scan incoming & outgoing content
Profiles: virus_scan
Host: 192.168.0.175
File: /respmod
Port: 1344
Applies to: responses
external section
Enabled
This option allows you to enable, or completely disable, the External parsers Section, irrespective of the rules defined in the section.
Value:
Yes - Enable External parsers Section
No - Disable External parsers Section
'Add' under External subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Executable
The path to the executable. If no absolute path is specified, the path given in the PATH environment variable is searched. You have to specify the path in this option, i.e. /opt/safesquid/script/external.sh. Any number of arguments can be passed by separating them with spaces. If you're using a temporary file as the method to pass the contents of the file, its path will be the last argument. When the program is executed, several environment variables are set to reflect the properties of the file being handled; they are:
VERSION - The proxy server version
HTTP_METHOD - Method used to request the file
HTTP_HOST - Host the HTTP request was made to
HTTP_FILE - File the HTTP request was made for
HTTP_PORT - Port the HTTP request was made to
IP - IP address of the client making the request
INTERFACE - IP address of the interface the client connected to
PORT - Port the client connected to
Additionally, for every header received from the remote website and sent by a client, an environment variable is set. All the environment variables for the server's headers start with SERVER_, and the client's start with CLIENT_; all '-' (dashes) in the header type are converted to '_' (underscores), and all characters are in upper case. If an executable returns with a non-zero status code, the original content is returned.
Type
The method to be used to pass the content to the external program. The options are:
Pipe - Content is piped to the program's STDIN
File - Content is stored in a temporary file and its path is passed as the last argument
Applies to
Select whether the external parser is used on the request header, the response header, or both.
Requests - Use on request headers
Responses - Use on response headers
When both options are selected, it is used on both request and response headers.
Run once per session
Run the external parser for every request in a session until it returns a non-zero status code. This is useful for performing authentication through an external program.
Send header
Which header(s), if any, to send to the external program before sending the body. The options are:
Request headers - Send request headers
Response headers - Send response headers
The response header option only applies to external programs that process the response. If both headers are selected, the request header is sent first.
Example:
See the article Use External Parsers To Authenticate Only Specific Web Sites for a complete example.
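The environment and hand-over described above, as an added example for this page (not SafeSquid's code): the variables the section lists plus the CLIENT_/SERVER_ header variables are built, the program named in the Executable field is run with Type 'Pipe' or 'File', and a non-zero exit status returns the original content. The external program here is a constructed stand-in written to a temporary file; the VERSION value, the request fields and the headers are placeholders.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the external program: it reads the content from the
# temp file named by its last argument (File) or from STDIN (Pipe), prefixes a tag
# built from the environment, and exits 3 for POST requests to show the fallback.
DEMO_PARSER_SOURCE = r'''
import os, sys
if os.environ.get("HTTP_METHOD") == "POST":
    sys.exit(3)
data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sys.stdin.buffer.read()
tag = "[%s|%s] " % (os.environ["HTTP_HOST"], os.environ.get("CLIENT_USER_AGENT", "-"))
sys.stdout.buffer.write(tag.encode() + data)
'''


def write_demo_parser():
    """Write the demo program to a temp file and return what one would put in the
    Executable field: interpreter path, a space, script path (paths without spaces assumed)."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(DEMO_PARSER_SOURCE)
    return "%s %s" % (sys.executable, path)


def build_env(request, client_headers, server_headers):
    """Set the variables the section lists, then one variable per header with the
    CLIENT_ or SERVER_ prefix, dashes turned into underscores, upper-cased."""
    env = {
        "VERSION": "example-version",        # constructed placeholder version string
        "HTTP_METHOD": request["method"],
        "HTTP_HOST": request["host"],
        "HTTP_FILE": request["file"],
        "HTTP_PORT": str(request["port"]),
        "IP": request["client_ip"],
        "INTERFACE": request["interface"],
        "PORT": str(request["listen_port"]),
    }
    for prefix, headers in (("CLIENT_", client_headers), ("SERVER_", server_headers)):
        for name, value in headers.items():
            env[prefix + name.upper().replace("-", "_")] = value
    return env


def run_external(executable_field, method, content, env):
    """Run the program named in the Executable field with the given environment.
    Type 'Pipe' writes the content to STDIN; 'File' stores it in a temporary file
    passed as the last argument. A non-zero exit status yields the original content."""
    argv = executable_field.split(" ")     # arguments are separated by spaces
    full_env = dict(os.environ, **env)
    if method == "Pipe":
        proc = subprocess.run(argv, input=content, env=full_env, stdout=subprocess.PIPE)
    elif method == "File":
        fd, path = tempfile.mkstemp()
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(content)
            proc = subprocess.run(argv + [path], env=full_env, stdout=subprocess.PIPE)
        finally:
            os.unlink(path)
    else:
        raise ValueError("Type must be 'Pipe' or 'File'")
    if proc.returncode != 0:
        return content
    return proc.stdout
```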
prefetch section
Enabled
This option allows you to enable, or completely disable, the Prefetching Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Prefetching Section
No - Disable Prefetching Section
Threads
The number of threads to run in the background for prefetching files. SafeSquid needs to be restarted for this setting to take effect.
Queue size
The size of the prefetch queue.
Host limit
The maximum number of queued prefetches per host.
'Add' under Prefetch subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.
Tag name
The HTML tag the attribute is in.
Tag attribute
The HTML tag attribute holding the URL to be prefetched.
Attribute pattern
A regular expression matching the attribute value this entry applies to.
Maximum file size
The maximum size of the prefetched file; set to 0 for unlimited.
Recursion level
If the URL leads to another HTML page, this is the depth to which links will be followed. Setting it to 0 causes links to be followed indefinitely.
Example:
119
An example for those unfamiliar with HTML, images and embedded objects that are inserted into the Webpage using HTML tags. An HTML tag may look something like this:
<IMG SRC="cool.jpg"> The 'IMG' part is the TAG name, the 'SRC' part is an attribute, and the "cool.jpg" part is an attribute value. Safesquid can parse HTML code and extract URL's from given tag's and attributes. Example: you wish to prefetch any embedded shockwave flash files, after quickly looking at the HTML of a Webpage that has embedded flash animations you discover it typically, uses the following HTML code:
<embed src="/ani.swf" wmode="opaque" name="newsticker" quality="high" scale="exactfit" bgcolor="#293381" width="770" height="25" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"></embed> So the HTML tag is 'embed', and the tag attribute is 'src' Wait though... there's a problem! how can SafeSquid know this is an embedded shockwave flash animation and not something else? There is the 'type' attribute as well, but Safesquid can only match one attribute per tag. What we can do is use the Attribute Pattern option in the entry to narrow this down a bit. Shockwave flash files have a .swf extension, as seen in the src attribute value "/ani.swf", so we can fill in the attribute pattern option with a regular expression matching only files with a .swf extension, like "\.swf$".
Imgfilter section
Enabled: Enables or completely disables the Image filter section, irrespective of the rules defined in the section. Value: Yes - enable the Image filter section; No - disable the Image filter section.
Library path: The path where the Image Filter libraries are stored (the interface shows /opt/safesquid/modules/imgfilter/imgfilter).
Default template: The template to display for blocked images when a template is not defined in a rule under the 'Image filters' subsection. If left blank, the default template is used.

'Add' under Image filters subsection
Enabled: Enables or disables this rule. Value: Yes - enable this rule; No - disable this rule.
Comment: A comment for future reference explaining what this rule does.
Profiles: A comma-separated list of Profiles to which this rule applies. The rule applies to everything if this field is left blank.
Threshold: The Image filter allocates a score to each image it analyzes: -10.0 means the image is unlikely to be pornographic, 0.0 that it is very likely. You can fine-tune the filter by defining the threshold score here, and you can create multiple rules with different thresholds for different profiles.
Template: The template to display when an image is blocked. If left blank, the template defined under the imgfilter section is used.
URL commands
SafeSquid has powerful remote management features. The browser-based GUI lets you configure the way the Internet is used in your network, and URL commands let you test the functionality and verify your configuration remotely. URL commands can be used to show information about a web page and to bypass certain features. For proxy requests, URL commands are prefixed onto the hostname of the website. For example, 'http://xx--bypass.www.somesite.com' would bypass all the filters that might apply to www.somesite.com. Bypassing is useful to work around sites that have problems with some types of filtering. You can grant or remove the right to use URL commands for a user in the 'Access Restrictions' section; see Access Control for details. Since xx--bypass can switch off URL filtering, antivirus scanning and the other features listed below, grant this right only to the administrators who need it for troubleshooting. The other URL commands are:
xx--fresh: Fetch a fresh copy of the file from the website instead of using the cache. Sometimes the cache refresh logic gets things wrong.
xx--raw: Show the raw file (HTML); on FTP directory lists it shows the raw listing.
xx--cookies: Display cookies sent to and received from the website.
xx--mime: Show the matching mime entry for the requested URL.
xx--headers: Show the headers sent by the browser and received from the website.
xx--score: Show the score for the page when doing keyword filtering.
xx--diff: Show diff-like output of the changes made by the rewrite feature to a website; useful for debugging regular expression patterns.
xx--htmltree: Debug the HTML parser used when prefetching. It shows the parsed HTML tree; useful for people wanting to debug their HTML.
xx--process: Bypass the maxbuffer setting and buffer/process the file anyway, so that someone who wants to scan a large file for viruses can do so.
xx--offline: Browse in offline mode: only cached files can be viewed, and cached files are not validated if they are stale.
xx--filter: Display any matching filter entry for the requested URL.
xx--cache: Display information about a cached file.
xx--profiles: Display the list of enabled profiles.
xx--https: Make an HTTPS (SSL) request from a non-SSL client; this can also be used to process HTTPS content (remove banners, scan for viruses). For example, http://xx--https.www.cibc.com would be the same as https://www.cibc.com. Keep in mind that the client-to-proxy leg is then plain HTTP, so the page content travels unencrypted on that segment.
xx--prefetch: Pre-fetch a file in the background without downloading it to the client. Designed to work together with xx--template.
xx--template: Display a template instead of the requested file. Designed to work together with xx--prefetch.
xx--proxytest: Useful when forwarding to another proxy: it makes that proxy connect back to SafeSquid, and SafeSquid displays the headers that would have been passed on to the website. The purpose is to serve someone who wishes to surf anonymously through open proxies; they can see whether the website can still identify them.
The xx--bypass command can be used with additional options to selectively bypass (or unbypass) most features.
xx--bypass[OPTIONS]
OPTIONS is a string of letters representing the features. The available options are:
f: url filtering
h: header filtering (both client and server)
m: mime filtering
r: URL redirection
c: cookie filtering
w: rewriting
e: external parser (both request and response)
p: forwarding
k: keyword filtering
d: dns blacklist
a: antivirus scanning
i: ICAP
A + or - symbol can be used to switch between bypassing and un-bypassing, for example where a feature was already bypassed in the user's Access Restrictions entry. Some examples:
http://xx--bypass[fh].www.slashdot.org <-- bypasses URL and header filtering
http://xx--bypass[e-i].www.safesquid.com <-- bypasses external programs and UN-bypasses ICAP
http://xx--bypass.www.exn.ca <-- bypasses everything
For regular HTTP requests (such as when the proxy is being used to redirect HTTP requests), an extra path element carrying the URL command is added to the front of the requested file, for example "http://xx--proxyip:port/bypass./somefile". The URL commands listed above all work this way. A few other things to note:
URL commands are taken not only from the request URL but also from the Referer header sent by your browser; this allows them to work for images and files loaded from a website on which a URL command was used.
When a URL command is used on a site that sends back a 302 redirect, or when a redirect rule that sends a 302 redirect matches, the URL command is prefixed to the URL in the Location header, so that the command still applies when the browser follows the redirect.
When a request has a URL command in the Referer header but not in the URL (as when someone clicks a link on a page they used a URL command on), the proxy sends a 302 redirect to the same URL with the URL command added. This makes it possible to browse continuously with features bypassed.
URL commands are also extracted from the Host header, so they work when the proxy is transparent.
URL commands are also prefixed to URLs sent by the Redirect feature, except when 'bypass' or 'bypass[r]' is used, since the redirect feature itself is then bypassed.
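As an added illustration, not code from the SafeSquid project, the following stand-alone Python models the URL-command syntax described above: it strips xx-- labels from a hostname, applies the bypass option letters (with + and -) against the set of features a user already has bypassed, falls back to the Referer host when the request URL carries no command, and re-inserts commands into a Location URL. The helper names, the sample URLs and the assumption that several xx-- labels may be stacked on one host are this example's own.

```python
import re

# Feature letters accepted inside xx--bypass[...] (from the option table above).
BYPASS_OPTIONS = {
    "f": "url filtering", "h": "header filtering", "m": "mime filtering",
    "r": "URL redirection", "c": "cookie filtering", "w": "rewriting",
    "e": "external parser", "p": "forwarding", "k": "keyword filtering",
    "d": "dns blacklist", "a": "antivirus scanning", "i": "ICAP",
}

# A leading "xx--name." or "xx--name[opts]." label on the host.
_CMD_RE = re.compile(r"^xx--(?P<name>[a-z]+)(?:\[(?P<opts>[^\]]*)\])?\.")
# scheme://netloc of an absolute URL. urllib is avoided on purpose: a "[" in
# the host is rejected or misread by urlsplit, and xx--bypass[...] has one.
_NETLOC_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def host_of(url):
    """Host part of an absolute URL, without userinfo or port."""
    m = _NETLOC_RE.match(url)
    netloc = m.group(1) if m else ""
    netloc = netloc.rsplit("@", 1)[-1]
    return netloc.rsplit(":", 1)[0] if ":" in netloc else netloc


def split_commands(host):
    """Strip xx-- labels from the front of a host (as sent in the Host header).
    Returns (real_host, [(command, options or None), ...]). Stacking several
    labels is this example's assumption, not something the manual states."""
    cmds = []
    while True:
        m = _CMD_RE.match(host)
        if not m:
            return host, cmds
        cmds.append((m.group("name"), m.group("opts")))
        host = host[m.end():]


def bypass_set(opts, already_bypassed=()):
    """Features bypassed after applying an xx--bypass option string.
    No options at all means bypass everything; '+' and '-' switch between
    bypassing and un-bypassing the letters that follow."""
    if not opts:
        return frozenset(BYPASS_OPTIONS)
    result = set(already_bypassed)
    bypassing = True
    for ch in opts:
        if ch == "+":
            bypassing = True
        elif ch == "-":
            bypassing = False
        elif ch in BYPASS_OPTIONS:
            (result.add if bypassing else result.discard)(ch)
        else:
            raise ValueError("unknown bypass option %r" % ch)
    return frozenset(result)


def commands_for_request(url, referer=None):
    """Commands for a request: from the URL's host, otherwise from the Referer
    host (so images loaded by a page fetched with a command inherit it)."""
    host, cmds = split_commands(host_of(url))
    if not cmds and referer:
        cmds = split_commands(host_of(referer))[1]
    return host, cmds


def prefix_commands(url, cmds):
    """Put commands back onto a URL's host, as done for a Location header."""
    m = _NETLOC_RE.match(url)
    if not m or not cmds:
        return url
    labels = "".join(
        "xx--%s%s." % (name, "[%s]" % opts if opts is not None else "")
        for name, opts in cmds)
    return url[:m.start(1)] + labels + url[m.start(1):]
```

Feeding `bypass_set` the letters a user already has bypassed in Access Restrictions is what makes the "-" form meaningful: "e-i" adds external-parser bypass and takes ICAP bypass away, leaving whatever else the entry granted untouched.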
Config synchronization allows a 'slave' proxy to match its configuration to a 'master' proxy, and to update its configuration automatically when it detects changes made on the master. Using config synchronization in SafeSquid is surprisingly easy. A master server is set up the normal way you would set up a stand-alone server; the only additional step is to ensure that every slave proxy is covered by an access rule that allows it to access the web interface. Match that rule to the slaves' addresses only, since whatever it admits can pull the complete configuration. For every slave proxy, while installing SafeSquid, just enter the IP:PORT or FQDN:PORT of the master server in the "MASTER =" parameter (option 16/28 in version 4.1.1). This automatically configures the server to 'pull' configuration parameters from the master. The synchronization interval can be specified in the SYNCTIME parameter; if this parameter is not modified or is left blank, SafeSquid uses the default SYNCTIME of 60 seconds. You can also edit the startup.conf file (found in the /opt/safesquid/safesquid/init.d/ directory) of an existing server and modify the MASTER and SYNCTIME parameters.
There are some additional command line options which you may need to use:
-H - specify the proxy's own hostname instead of using the one in the configuration file. The reason should be obvious: you do not want every proxy having the same hostname, especially when using CARP.
-I - the interval, in seconds, between synchronization attempts with the master.
-L - specify the interface and port to listen for connections on; this is used in addition to the configuration gathered from the master.
-S - a comma-separated list of section names which are synchronized; when used, other sections are not synchronized.
-E - a comma-separated list of section names which are not synchronized; when used, other sections are synchronized.
When using config synchronization, you may also specify a configuration file on the command line, which is loaded before config synchronization is performed. This is useful if you wish to exclude some sections from being synchronized and load them from a file instead. The 'Proxy host' option in Profile entries can be used to have separate configuration options for specific slaves.
10 Reverse Proxying
A reverse proxy is a proxy server which sits between a web server and the rest of the Internet, filtering content provided by your web server for clients. SafeSquid can work in this manner by using transparent proxying and redirecting. The advantage of using SafeSquid as a reverse proxy is its content filtering features. Just as you can use SafeSquid to control user access to the Internet, in reverse proxy mode you can use it to control who can access what on your web server from the outside world, and thus secure your web server. A few examples:
Allow only authenticated access to specific content.
Create groups of users and allow different access rights.
Accept requests only from specific browsers, like IE and Firefox (the browser is identified by the User-Agent header, which any client can set to whatever it likes, so treat this as a filter rather than as authentication).
Virus-scan content being uploaded to the web server.
Use it as a load balancer by redirecting requests to multiple web servers.
Easily redirect requests to another server when the original server requires maintenance down-time.
Dynamically generate or modify content in real time.
Easily manage rules with the browser-based GUI.
To set up a reverse proxy, simply have SafeSquid listen on the interface and port in place of your web server. Configure the web server to listen on a different port, and redirect all requests made to the proxy server to the web server using a redirect entry. For a simple example, create the following rule in the 'URL Redirecting' section to redirect requests to your web server (for a detailed description of URL Redirecting, see URL Redirect):
Option: Value
Enabled: Yes
Comment: (blank)
Profiles: (blank)
URL: .*
Redirect: http://webserver/$1
Port: 80
302 redirect: No (the request is redirected internally; with Yes the client would be sent a 302 to http://webserver directly, defeating the reverse proxy)
Options: (not set in this example)
You will also need to ensure there is an access entry that matches all clients that will be connecting to your web server, and you should restrict the access granted to the bare minimum (HTTP requests and transparent requests). Reverse proxying can be combined with other features to perform many other tricks, such as creating a gateway between an intranet and the Internet by using URL redirection and rewriting to make URLs valid outside the intranet.
11
Option: Value
Enabled: true
Comment: This rule forwards requests to Squid
Proxy: 192.168.0.175
Port: 3128
ICP peer type: None
ICP port: 0
Type: HTTP
Applies to: HTTP,FTP,CONNECT
Now, if you would also like to use ICP to share cache content with Squid, include the ICP entries in the same rule, like this:
Option: Value
Enabled: true
Comment: This rule forwards requests to Squid
Proxy: 192.168.0.175
Port: 3128
ICP peer type: Parent
ICP port: 3130
Type: HTTP
Applies to: HTTP,FTP,CONNECT
Case 2:
To have Squid forward requests to SafeSquid, which is listening on 192.168.0.170 port 8080, edit the squid.conf file and add the following line:
cache_peer 192.168.0.170 parent 8080 0
(The fields are the peer's host, its type, its HTTP port and its ICP port; an ICP port of 0 disables ICP towards that peer.)
12 Multi-ISP networks
SafeSquid has an option in 'Network Settings' to add a new interface for outgoing connections. This is useful in networks where you need to split the load between different ISPs. It can also be useful for switching between ISPs when one connection is slow or down. This can be accomplished the following way. Suppose you wish to:
1. Forward outgoing requests of the user groups 'Accounts' and 'Finance' to the ISP whose connection is on the interface with IP 192.168.0.175
2. Forward outgoing requests of the user groups 'IT' and 'System' to the ISP whose connection is on the interface with IP 192.168.0.180
Then, in the 'Network Settings' section, add the following rules under the 'Interface' subsection:
Option: Value
Enabled: true
Comment: This rule forwards requests to IP 192.168.0.175
Profiles: Accounts,Finance
Interface (IP address): 192.168.0.175

Option: Value
Enabled: true
Comment: This rule forwards requests to IP 192.168.0.180
Profiles: IT,System
Interface (IP address): 192.168.0.180

(The Up / Down / Top / Bottom buttons shown beside each rule in the interface only change the rule order; they are not settings.)
Save the settings after creating these rules by clicking 'Save settings' in the top menu, and restart the SafeSquid service with the command: /etc/init.d/safesquid restart
Note: Profiles like 'Accounts' and 'Finance' are defined in the 'Access Restrictions' section; see Access Control for a detailed explanation.
13
useful. Each request is matched against the rules in the Access Restrictions and Profiles sections. If all the conditional parameters (entries) specified in a rule match the request, the list of profiles in that rule's Added Profiles text-box is included in the Profiles list (array) for the request. Similarly, if a rule in the Profiles section has a list of profiles in its Removed Profiles text-box, those profiles are deleted from the array. SafeSquid thus builds an internal Profiles array for each connection, and ensures that each profile name is listed in the array only once. Each filter processes a connection based on the conditional parameters specified as entries in its rules, and almost all filters have Profiles as a conditional parameter. So by creating an appropriate profile and then specifying it as a conditional parameter in a rule of any filtering section, you can either subject the connection to that rule or immunize it from it. In the rest of this discussion, unless I specifically mention the Profiles section, you may presume that I am referring to a Profile as an entity created by an entry in the "Added Profiles" text-box or deleted by an entry in the "Removed Profiles" text-box. You may therefore safely think of Profiles as tickets, labels or tokens that can be given or taken away, and of filters as inspectors that process requests depending on the profiles carried by the connection. I strongly suggest that you review the list of conditional parameters available to create a profile and thus define a situation. To do so, access SafeSquid's WebGUI, click the "Config" link on the top menu and select the "Profiles" option in the drop-down menu.
SafeSquid is generally shipped with a set of sample rules in the Profiles section; click the edit menu to view the list of entries that have been specified or left blank. Pass your mouse over the names beside each configuration text-box and check-box: a tool-tip presents contextual information about that entry and how it may be used as a conditional parameter. You will notice that the list of conditional parameters is pretty huge (monstrous?). Don't let that overwhelm you, because you can simply leave an option blank when it does not distinguish the situation you want to profile. I will try to help you understand with a few practical examples, and to keep things lucid I will omit the entries in any rule that are supposed to be left blank. I will also focus on the logic and avoid discussing why one would want to create such rules.
Example #1
In an enterprise, Joseph, Ali, Radha and Sam are employed in the Marketing department, and John, Shyam, Bill and Sagar are employed in the Finance department. The corporate policy states that the Marketing people may access web-sites using any Internet client or browser of their choice, while the Finance people are restricted to using only Firefox. So, let's see how we would enter the rules into the various sections to derive the necessary configuration:
Rules in Access Restriction Section:

Option: Value
Enabled: true
Comment: This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM: true
User name: (Joseph|Ali|Radha|Sam)
Added profiles: Marketing

Option: Value
Enabled: true
Comment: This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Finance"
PAM: true
User name: (John|Shyam|Bill|Sagar)
Added profiles: Finance

Rules in Profiles Section:

Option: Value
Enabled: true
Comment: This rule creates and applies the Profile "Unacceptable_Client" to everybody
Added profiles: Unacceptable_Client

Option: Value
Enabled: true
Comment: This rule removes the Profile "Unacceptable_Client" for "Finance" users, but only when they use Firefox
Profiles: Finance
Request header pattern: .*FireFox.*
Removed profiles: Unacceptable_Client

Option: Value
Enabled: true
Comment: This rule removes the Profile "Unacceptable_Client" for "Marketing" users
Profiles: Marketing
Removed profiles: Unacceptable_Client
Rules in URL Filter Section: (The Global Policy Set to Allow, and the following rule created in the Deny Sub-section)
Option: Value
Enabled: true
Comment: This rule blocks / denies Internet access to all "Unacceptable_Client"
Profiles: Unacceptable_Client
In the above set of rules, I used the Comment fields to explain the logic of creating the rules. The profiles by themselves do not dictate any denial of access; denial or blocking is an activity executed by the various filters. We eventually had to instruct the URL Filter to deny access to "unacceptable Internet clients". In this example the policy was about the nature of the Internet clients being used by people, so we logically profiled what precisely constitutes an "Unacceptable_Client", and then created a single rule in the URL Filter to deny access to all "Unacceptable_Client". I hope you noticed that we identified the use of Firefox with the Request Header Pattern entry as a conditional parameter, and removed the profile "Unacceptable_Client" when it matched the PCRE (Perl Compatible Regular Expression) ".*FireFox.*". One practical point about that pattern: PCRE matching is case-sensitive unless told otherwise, and the token in the browser's real User-Agent header is spelt "Firefox", so the pattern must match the string the browser actually sends. The construction of PCREs is a little off-topic and will be discussed within another topic. Did you notice that the third and last rule in the Profiles section explicitly removes the profile "Unacceptable_Client" for the "Marketing" users? So what would happen if we added more rules in the Access Restriction section to profile users from other functional business groups? And what if the policies needed altering in future, so that the Internet clients used even by the "Marketing" users needed some regulation? I suppose you also appreciate that verifying this conditional parameter is possible only because the browser (Firefox) used as the Internet client includes a User-Agent parameter in its request headers. There are a host of applications that allow you to spoof this; for example, I could modify the "User-Agent" string of Internet Explorer to include the word "Firefox"! From a security perspective it now seems obvious that we have left gaping holes.
But I am pretty sure that you should be able to modify the above rule-set to plug any such holes. Remember, rules can always be written or modified to precisely deliver the results demanded by the policies. Much of the frustration faced by firewall rule makers like you and me is caused by situations left uncovered, or by ambiguities in the policies. The best way to deal with this is to note down the policies on a piece of paper and logically dissect them with an open mind (stimulated by a cup of coffee!). The other primary reason for frustration is inadequate information about the overall benefits desired from a policy.
Profiles can be built to very precisely define situations by subjecting them to a variety of conditional parameters. Then, by applying the profile in one or more rules of an appropriate filter, we can define the restrictions or relaxations. Selecting the filter requires a little creativity and an understanding of web technologies.
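The profile mechanism just described, worked through for Example #1 as an added stand-alone Python model (not SafeSquid code): Access Restriction rules add department profiles by user name, Profiles-section rules add and remove "Unacceptable_Client", and a URL Filter deny rule acts on the resulting set. The rule and request shapes are this example's own simplification of the real rule editor, and the header pattern is matched case-insensitively here (an assumption) because a real User-Agent says "Firefox/" while the manual's pattern says "FireFox". The last two cases reproduce the spoofing hole the text describes.

```python
import re

# Rule tables for Example #1 (constructed; fields the rules do not set are
# omitted, matching the manual's "blank means irrelevant" convention).
ACCESS_RULES = [
    {"user": r"^(Joseph|Ali|Radha|Sam)$", "add": ["Marketing"]},
    {"user": r"^(John|Shyam|Bill|Sagar)$", "add": ["Finance"]},
]
PROFILE_RULES = [
    {"add": ["Unacceptable_Client"]},                        # everybody
    {"profiles": ["Finance"], "request_header": r".*FireFox.*",
     "remove": ["Unacceptable_Client"]},                     # Finance on Firefox
    {"profiles": ["Marketing"], "remove": ["Unacceptable_Client"]},
]
URL_FILTER_DENY = [{"profiles": ["Unacceptable_Client"]}]   # global policy: Allow


def rule_matches(rule, request, profiles):
    """A rule matches when every condition it sets matches the request."""
    if "user" in rule and not re.search(rule["user"], request["user"]):
        return False
    if "profiles" in rule and not set(rule["profiles"]) & profiles:
        return False
    if "request_header" in rule:
        raw = "\r\n".join("%s: %s" % kv for kv in request["headers"].items())
        # case-insensitive by assumption; see the lead-in
        if not re.search(rule["request_header"], raw, re.IGNORECASE):
            return False
    return True


def build_profiles(request):
    """Walk Access Restriction rules, then Profiles rules, in order; each match
    adds its Added profiles and deletes its Removed profiles. A set keeps
    every profile name listed once."""
    profiles = set()
    for rule in ACCESS_RULES + PROFILE_RULES:
        if rule_matches(rule, request, profiles):
            profiles.update(rule.get("add", []))
            profiles.difference_update(rule.get("remove", []))
    return profiles


def url_filter_allows(request):
    """Global policy Allow: denied only if a Deny rule's profiles are carried."""
    profiles = build_profiles(request)
    return not any(rule_matches(r, request, profiles) for r in URL_FILTER_DENY)


def make_request(user, user_agent):
    """Constructed request carrying only the fields the rules above inspect."""
    return {"user": user, "headers": {"User-Agent": user_agent}}


# Constructed User-Agent strings for the cases in the text.
FIREFOX = "Mozilla/5.0 (Windows; rv:3.0) Gecko/20080529 Firefox/3.0"
IE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
SPOOFED_IE = IE + " FireFox"
```

Running the Finance user through with `IE` and then with `SPOOFED_IE` shows the point the text makes: the second request is allowed because the only thing the rule can see is the header string the client chose to send.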
Example #2
One of the most popular situations people request rules for is blocking access to personal email services like Yahoo, Hotmail, Gmail etc. However, the request always comes with a few clauses: people should be able to access the basic search-engine services offered by these web-sites; queries based on certain kinds of words should be prevented; some of these queries should be universally prevented, while some should be permitted only to certain people; etc. We can use a PCRE to denote all hosts belonging to a group of web-sites, including their various sub-domains or genuine child web-sites. Carefully look at the use of site1 and site2 in this expression:
(.*\.|^)(site1|site2)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
This expression matches all of the following hosts:
site1.com
site1.co.uk
site1.info
www.site1.com
child.site1.com
site2.com
site2.co.uk
site2.info
www.site2.com
child.site2.com
It covers the combinations a layman would call "site1" or "site2": the bare name under a three- or four-letter top-level domain (.com, .info) or under a two-letter second-level label followed by a two- to four-letter country code (.co.uk), with any number of sub-domain labels in front. Two limits are worth knowing: a suffix with a three-letter second-level label such as .com.au is not covered, and a host that merely contains the name, such as notsite1.com or site1.example.com, does not match, which is what you want. You can expand the list of sites covered by simply modifying the expression. So the following PCRE covers the web-sites of Yahoo, Hotmail and Gmail:
(.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
(For the moment, do not stress too much about the use of characters like ".", "$" and "^" in the expression.) I could now create a profile called Personal_Emails like this:
Rules in Profiles Section:
Option: Value
Enabled: true
Comment: This rule applies the "Personal_Emails" profile to all web-sites of Yahoo, Hotmail and Gmail
Host: (.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
Added profiles: Personal_Emails
Rules in Cookie Filter Section: (the global policy set to Allow, and the following rule created in the Deny sub-section)

Option: Value
Enabled: true
Comment: This rule blocks cookie exchanges with "Personal_Emails"
Profiles: Personal_Emails
Cookie direction: Both (sent to and received from the site)
This time I chose the Cookie Filter because I know that you cannot log into a web-site if your cookies are disabled, and who would want to visit a personal email site but not log in? But since the web-site is not entirely blocked, the users can still conveniently use its other services, such as search. (This works for traffic the proxy can see; a site reached through a CONNECT tunnel exposes no cookies to the filter.)
From a security perspective, I would use rules like the one we just made to create a privacy blanket for my users. For example, I could create a profile for all web-sites belonging to DoubleClick and block all cookies travelling between my users and those sites. I suppose you are now quite conversant with Profiles and should be able to translate any of your corporate policies. The only problem (probably) would be the PCRE.
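As an added example, not code from the manual or from SafeSquid, here the host expression from Example #2 is compiled with Python's re module (which accepts this PCRE as written) and run against constructed hostnames chosen to show where it matches and where it does not, including the .com.au gap noted above. The site_pattern builder generalizes the expression to any list of site names; it and the sample hosts are this example's own.

```python
import re

# The suffix part of the manual's host expression: a two-letter second-level
# label plus a 2-4 letter country code (".co.uk"), or a single 3-4 letter
# top-level domain (".com", ".info"), anchored at the end of the host.
SUFFIX = r"(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$"


def site_pattern(names):
    """Compile the manual's host expression for a list of site names."""
    alternation = "|".join(re.escape(n) for n in names)
    return re.compile(r"(.*\.|^)(" + alternation + r")" + SUFFIX)


PERSONAL_EMAILS = site_pattern(["yahoo", "hotmail", "gmail"])


def is_personal_email_host(host):
    """True when host belongs to one of the listed sites. Lower-cased first,
    because hostnames are case-insensitive but regex matching is not."""
    return PERSONAL_EMAILS.search(host.lower()) is not None


def classify(hosts, pattern=PERSONAL_EMAILS):
    """Split hostnames into (matched, unmatched), preserving order."""
    matched = [h for h in hosts if pattern.search(h.lower())]
    return matched, [h for h in hosts if h not in matched]


# Constructed sample hosts exercising the expression's edges.
SAMPLE_HOSTS = [
    "yahoo.com", "www.yahoo.co.uk", "mail.hotmail.info", "GMAIL.com",
    "login.live.hotmail.com",      # any depth of sub-domain labels
    "notyahoo.com",                # the name must be a whole label
    "yahoo.example.com",           # the name must sit just above the suffix
    "yahoo.com.evil.net",          # anchored at the end: no trailing labels
    "yahoo.com.au",                # three-letter second-level label: not covered
]
```

The last sample is the one to remember when reusing this expression: a user on a .com.au mirror of the same service would not pick up the Personal_Emails profile, so extend the suffix group if such domains matter in your network.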
14
* Radio-button to enable / disable PAM
* And a whole lot of check-boxes. Just move the mouse over the names that identify each of these check-boxes, and a relevant "ToolTip" will appear to tell you more about that check-box. For the lucidity and flow of the present discussion, let's just ignore these check-boxes.
The text boxes mentioned above, besides the radio-buttons for PAM, are very important in our discussion here. The parameters that identify a request are constituted by what you set in the text boxes for I.P. Addresses, User name and Password. The logic is simple: leaving any option blank is equivalent to making it "irrelevant". Let me help you with some examples:
Set the radio-button for PAM to "NO", leave I.P. Address blank, and set User name to "test" and Password to "zebra". This instructs SafeSquid to send an authentication challenge to every user irrespective of the source I.P. address, and ONLY if the challenge is answered with username "test" and password "zebra" is the request considered "allowed" or "acceptable".
Now, if you wished to further narrow the scope of this acceptability to an I.P. address, repeat the steps in the above example, but instead of leaving the I.P. address blank, set it to an I.P. address. I guess that if you now wished to define an "acceptable" request as the combination of I.P. address 192.168.0.1, username "test" and password "zebra", you wouldn't have a problem, right? Broadening the scope to a range of I.P. addresses is also easily done. Suppose you wished to allow requests coming from a set of I.P. addresses like 192.168.0.1, 192.168.0.3 and everything between 192.168.0.110 and 192.168.0.160; fill in the I.P. Address text-box as:
192.168.0.1, 192.168.0.3, 192.168.0.110-192.168.0.160
Simple, isn't it? Ok, so now you are ready to understand the relevance of the fourth text-box, "Added Profiles" (continue to ignore the other text box called "Profiles"). Notice that "Added Profiles" is the very last in the dialog. You can enter a comma-separated list of tags in the "Added Profiles" text box. These tags can be just about any logical words that commonly identify one or more rules; they could be user groups or work functions of people. Let me try to help you understand this with an example. Ramesh, Joseph and John belong to the Accounts department, and are supposed to access the Internet only from their respective workstations, which have the I.P. addresses 192.168.0.1, 192.168.0.2 and 192.168.0.3. We would like to create common filtering and other rules that can be set in the various other sections of SafeSquid. So we will now create three rules as follows:
Option: Value
Enabled: true
Comment: This rule creates the Access Profile of Ramesh
IP Address: 192.168.0.1
User name: Ramesh
Password: apple
Added profiles: Accounts

Option: Value
Enabled: true
Comment: This rule creates the Access Profile of Joseph
IP Address: 192.168.0.2
User name: Joseph
Password: mango
Added profiles: Accounts

Option: Value
Enabled: true
Comment: This rule creates the Access Profile of John
IP Address: 192.168.0.3
User name: John
Password: banana
Added profiles: Accounts
Notice that in the above example we kept "Added Profiles: Accounts" as a common factor. This instructs SafeSquid to "profile" all Internet requests made by Ramesh, Joseph and John as "Accounts". Now in any other section of SafeSquid, if you wish a filter rule to affect John, Ramesh or Joseph, simply enter "Accounts" in the text-box named Profiles in that section (not in Access Restriction). In this discussion I have consciously held back on the effects of setting PAM to YES. Setting PAM to Yes makes SafeSquid talk to the PAM sub-system to validate the user's identity. To put it simply, you would set PAM to YES if you do not wish to maintain huge lists of passwords within the SafeSquid configuration system (the passwords in the rules above sit in that configuration, so anyone who can read or synchronize it can read them). That is generally the way to go when a large number of individuals in an enterprise must be served by SafeSquid. But of course, you must first set up the PAM configuration for SafeSquid.
15 Configuring PAM
Identity management begins with authenticating a user's username and password. In a large enterprise you will already have an established identity management system. PAM (Pluggable Authentication Modules) is a very popular UNIX-based technology and a standard sub-system of the commonly used Linux distributions. PAM is by itself a sizeable subject and a very mature technology; it serves various needs, and applications are built to meet a variety of permutations and combinations. To keep this discussion lucid, I will restrict it to the relevant areas. PAM allows any service to easily communicate with a variety of identity management systems. The benefits of this are enormous; the most important is that username/password storage is not required within the various applications that users are permitted to use. To keep our discussion contextual, from here on we will refer to an identity management system as an Authentication Service. An Authentication Service could typically be a Microsoft Windows SMB / AD service, any other form of LDAP like OpenLDAP, a RADIUS server or an SQL database. SafeSquid is intrinsically "PAM-aware". The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable; in other words, you are free to choose how SafeSquid will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration for each PAM-aware service can be set in individual configuration files located in the /etc/pam.d/ directory; the presence of this directory causes Linux-PAM to ignore /etc/pam.conf. Linux-PAM separates the tasks of authentication into four independent management groups: account management, authentication management, password management and session management.
The configuration file lists the tasks in an appropriate sequence, and the name of the PAM library that will be called to accomplish each task. SafeSquid requires only authentication and account to be configured. From the point of view of the SafeSquid application, the internal behaviour of the Linux-PAM library is not of primary importance. These libraries are popularly referred to as modules. The important point is that the configuration file(s) define the connection between applications (services like SafeSquid) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks. PAM modules are readily available to verify username/password combinations against various authenticating services, and a variety of them are freely distributed, so you can choose the suitable module depending on the Authentication Service you intend to use. To prevent configuration errors, do check whether your chosen PAM module performs the Authenticate (auth) and/or Account tasks, and the correct usage for each. Some PAM modules are simple and straightforward to use, but some require elaborate configuration involving additional configuration files and/or system configuration. SafeSquid 4.1.x and higher allow you to specify the name of the file in the /etc/pam.d directory that must be used; this can be set only as a command-line option when SafeSquid is started. In earlier versions it was fixed as "safesquid". To keep this discussion relevant for users of older versions of SafeSquid, I will refer to /etc/pam.d/safesquid as the PAM configuration file. So when you want your users' username/password combinations to be
verified by an Authentication Service, you begin by appropriately configuring the /etc/pam.d/safesquid file. Look at the contents of a typical PAM configuration file:
############ CONFIGURATION EXAMPLE1 /etc/pam.d/safesquid ############
#%PAM-1.0
# This enables authentication of users created in the local system
auth required pam_unix.so shadow
## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so
############ END OF FILE ############
Notice that we can enter comments to record the purpose of each directive for posterity. The pam_unix module allows verification of the username/password of all user accounts created on a Linux / Unix server. pam_permit.so is a positive dummy, i.e. it simply responds with "success" for anything. So the above PAM configuration file was created to very simply validate whether a username/password is appropriate. It is interpreted as follows:
Authenticate (auth) the username/password using the pam_unix PAM module. This authentication is compulsorily required, and its failure is treated as failure of the Authenticate task. The pam_unix module is used with the additional argument "shadow".
Validate that the user has a valid account using the pam_permit PAM module. This validation is considered sufficient for success of the Account task.
One caveat: because pam_permit answers "success" for everyone, account restrictions kept by the system, such as an expired or locked account, are never checked. If you want those enforced for local users, use "account required pam_unix.so" in place of the pam_permit line.
Note - Both the tasks, Authenticate and Account, must be successfully accomplished for a username/password. Failure of either is enough for SafeSquid to refuse access. PAM has another interesting benefit to offer - Module Stacking. This allows you to extract some excellent benefits for enhanced security. Suppose you wished to allow access to any of the users whose username/password was stored on a Windows Domain Controller, or a RADIUS server, or on the local Linux host. The pam-configuration file would look quite like this:
############ CONFIGURATION EXAMPLE2 /etc/pam.d/safesquid ############
#%PAM-1.0
# This enables authentication of users created in the local system
auth sufficient pam_unix.so shadow
auth sufficient pam_smb_auth.so
auth sufficient pam_radius.so
## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so
############ END OF FILE ############
Notice that in the above example we are using "auth sufficient" instead of the "auth required" that was used in the previous example. This configuration file would be interpreted as follows:

First authenticate the username/password with the pam_unix PAM module. If this succeeds, consider it sufficient, and do not bother to authenticate the username/password with the remaining PAM modules listed for auth.

If the validation with the pam_unix PAM module fails, for any reason, including an inappropriate username/password, attempt to validate using the pam_smb_auth PAM module. If this results in success, simply skip any further validation in the "auth" list; else attempt to validate using the pam_radius PAM module.

This effectively ensures that if the username/password is deemed valid by any one of the authenticating services (the local host, the Windows Domain Controller, or the RADIUS server), then the "auth" task is successfully accomplished. Of course, the "account" list additionally needs to be validated successfully. But then, as I mentioned earlier, the pam_permit PAM module is a dummy positive, so effectively unimportant.
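To make the interpretation of both examples concrete, here is an added Python model of how Linux-PAM evaluates "required" and "sufficient" stacks; it is not SafeSquid or Linux-PAM code, and the credential stores it consults (BACKENDS) are constructed for the illustration.

```python
# Added illustration of Linux-PAM 'required' / 'sufficient' evaluation for the two
# /etc/pam.d/safesquid examples above. Not SafeSquid code; backends are constructed.
EXAMPLE1 = """#%PAM-1.0
auth     required   pam_unix.so shadow
account  sufficient pam_permit.so
"""
EXAMPLE2 = """#%PAM-1.0
auth     sufficient pam_unix.so shadow
auth     sufficient pam_smb_auth.so
auth     sufficient pam_radius.so
account  sufficient pam_permit.so
"""
BACKENDS = {  # hypothetical: the (user, password) pairs each module would accept
    "pam_unix.so":     {("radha", "local-pw")},
    "pam_smb_auth.so": {("ali", "domain-pw")},
    "pam_radius.so":   {("sam", "radius-pw")},
}

def parse_pam_file(text):
    """Return {task: [(control, module, args)]} from pam.d style lines."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments, blanks
        if line:
            task, control, module, *args = line.split()
            stacks.setdefault(task, []).append((control, module, args))
    return stacks

def call_module(module, user, password):
    if module == "pam_permit.so":                     # positive dummy
        return True
    return (user, password) in BACKENDS.get(module, set())

def run_stack(stack, user, password):
    """required: a failure is remembered but the rest of the stack still runs.
    sufficient: success ends the stack with success unless a required module
    already failed; its failure is ignored. No verdict at all means fail."""
    saw_required = required_failed = False
    for control, module, _args in stack:
        ok = call_module(module, user, password)
        if control == "required":
            saw_required, required_failed = True, required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        else:
            raise ValueError("control flag not modelled: " + control)
    return saw_required and not required_failed

def authenticate(pam_text, user, password):
    # SafeSquid grants access only if both the auth and the account task succeed
    stacks = parse_pam_file(pam_text)
    return all(run_stack(stacks[t], user, password) for t in ("auth", "account"))
```

With EXAMPLE1 only the local account passes; with EXAMPLE2 any one of the three backends is enough, and a user known to none of them is refused because no module produced a verdict.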
You could surely use a more potent PAM module instead of the pam_permit that I have used in the above examples, to strengthen security, so that the tasks listed in the "account" list are more than trivia. I guess, having read so much of the above, you are keen to learn how it would help you as an Application Manager for SafeSquid. So let me immediately take the discussion towards that, by analysing a situation and working out the solution with you.

Suppose Joseph, Ali, Radha and Sam belong to the "Marketing" Department in an enterprise. We would like to create a common profile for all of them, and then apply various filters and rules just to that one profile, so that it effectively applies to all four people. In a previous discussion I had explained how we could create a common profile for a number of people, by creating rules in the Access Restriction section of SafeSquid's WebGUI. In that example we had consistently set PAM to NO. But now let me show you how setting PAM to YES reduces your work. As in those examples in Access Restriction, we set the Global Policy to Deny, and add a rule in the Allow sub-section as follows:
Option           Value
Enabled          true
Comment          This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM              true
User name        (Joseph|Ali|Radha|Sam)
Added profiles   Marketing
Note that we merely listed the names of these four users in a (rather peculiar looking) PCRE format, and left the text-box meant for Passwords blank. Since it is quite topical, and a novice (to PCRE) reader might be a little puzzled, I will explain the PCRE (Perl Compatible Regular Expression) formatted list that we have used here.
(Joseph|Ali|Radha|Sam) simply translates to: match if it is Joseph or Ali or Radha or Sam. You could simply add to this list as many usernames as you wish, separated by pipes, '|'.
You could even create more such rules for people belonging to other job functions like Finance, HR, etc. You could even create more than one rule to profile people belonging to the same department. You would want to do that when there are too many people in a department, and accommodating all of them within the same list would look rather unreadable or inelegant. You could even translate functional hierarchies into web-access profiles that are partially common, while providing additional privileges or constraints. Yes, you would use the property of applying multiple profiles to people. Let me help you here with an example set of rules, created within the same configuration:
Option           Value
Enabled          true
Comment          This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM              true
User name        (Joseph|Ali|Radha|Sam)
Added profiles   Marketing

Option           Value
Enabled          true
Comment          This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Marketing"
PAM              true
User name        (John|Shyam|Bill|Sagar)
Added profiles   Marketing,Night_staff,Instant_Messengers_Disallowed
Did you notice that the rules created above covered eight people from the Marketing Department? They applied the profile "Marketing" to all these eight people, and also applied the additional profiles "Night_staff" and "Instant_Messengers_Disallowed" to John, Shyam, Bill and Sagar. So far, so good. Using your preferred authentication service shouldn't be much of a task for you, right? NO!! The real challenge with PAM actually begins here! As I mentioned above, there are various PAM modules available to use a variety of Authenticating Services. But each of these modules may require simple to very intricate additional configuration. This configuration could be as simple as providing an argument like "shadow" for pam_unix in the above example. But it could also be fairly more complex, involving other configuration files specifically relevant to the PAM module, or maybe even some other additional services installed on the system.
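As an added example (not SafeSquid code), the following Python evaluates the two Allow rules above against a username under a Deny global policy, accumulating the profiles of every enabled rule that matches. It assumes the User name pattern is matched against the whole username (re.fullmatch); confirm how your SafeSquid version matches before relying on short name lists.

```python
import re

# Added illustration of the two Allow rules above: "User name" is a PCRE-style
# alternation, "Added profiles" a comma-separated list, and a user collects the
# profiles of every enabled rule that matches. Not SafeSquid code.
RULES = [  # (Enabled, User name pattern, Added profiles), copied from the rules above
    (True, r"(Joseph|Ali|Radha|Sam)", "Marketing"),
    (True, r"(John|Shyam|Bill|Sagar)",
     "Marketing,Night_staff,Instant_Messengers_Disallowed"),
]

def profiles_for(username, rules=RULES):
    """Profiles applied to an authenticated user, in rule order, without
    duplicates. Anchored with fullmatch: an assumption made here so that
    'Alice' is not accepted as 'Ali'; verify how your SafeSquid build matches."""
    applied = []
    for enabled, pattern, profiles in rules:
        if enabled and re.fullmatch(pattern, username):
            for profile in profiles.split(","):
                profile = profile.strip()
                if profile and profile not in applied:
                    applied.append(profile)
    return applied

def decide(username, rules=RULES):
    """Global Policy is Deny: a user matching no Allow rule gets no access."""
    applied = profiles_for(username, rules)
    return ("allow", applied) if applied else ("deny", [])

def substring_trap(username, pattern):
    """True when an unanchored search would match although a full match does
    not, i.e. the pattern would over-grant if the matcher is not anchored."""
    return bool(re.search(pattern, username)) and not re.fullmatch(pattern, username)
```

substring_trap("Alice", RULES[0][1]) returns True: an unanchored matcher would treat Alice as Ali, which is the kind of over-grant to test for when a name list is short.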