user manual v2
TRANSCRIPT
© 2008 Office Efficiencies (India) Pvt. Ltd.
Total Access Control Total Content Control
Granular
Scalable
Manageable
Table of Contents
Part I User Manual 1
  1 Who should use this guide 1
Part II Implementation 2
Part III System Requirements 4
Part IV Installing SafeSquid 8
Part V Test Your Installation 10
Part VI SafeSquid Logs 12
Part VII SafeSquid Interface 16
  1 Active Connections 18
  2 Statistics 20
  3 DNS Cache 24
  4 Show Headers 26
  5 View Cache Entries 28
  6 Connection Pool 31
  7 Prefetch Queue 32
  8 URL Blacklist 34
  9 View Log Entries 35
  10 Save Settings 36
  11 Load Settings 37
  12 Config Section 39
    Basic Behaviour 40
    URL Blacklist 45
    Access Control 48
    Profiles 54
    cProfiles 59
    Define user limits 64
    FTP proxy 67
    Templates 69
    DNS Blacklists 75
    URL Filtering 77
    URL redirect 81
    Mime Filtering 84
    Header Filtering 87
    Cookie Control 90
    Word Filtering 94
    Content Re-Write 96
    Content Caching 100
    Request Forwarding 105
    Internet Content Adaptation Protocol (ICAP) 109
    External Parser 114
    Prefetching Embedded Objects 117
    Pornographic Image Filter 120
Part VIII URL commands 122
Part IX Multiple Proxy Configuration 125
Part X Reverse Proxying 128
Part XI Chain Squid with SafeSquid 130
Part XII Multi-ISP networks 132
Part XIII Using Profiles for granular Access Policies 133
Part XIV Using Authentication for Security and Creating User Profiles 139
Part XV Configuring PAM 142
Index
1 User Manual
SafeSquid® Administrator's Guide
Version: 2.0
Produced on: Tuesday, October 14, 2008 :: 5:08:32 PM
SafeSquid®, the Content Filtering Internet Proxy, helps you distribute Internet access across your enterprise network. Its vast array of features, when used wisely by a system administrator, can deliver Total Content Control and Total Access Control.
SafeSquid®'s features have been built to serve maximum benefit when the key demands are scalability, security, and granularity.
SafeSquid® is offered in various Commercial editions, besides the Free Edition. This manual is not limited to users of any specific edition of SafeSquid®. It should help you use a feature on your installed edition, provided your edition supports that feature.
1.1 Who should use this guide
This Guide is intended for users who have already installed, or would like to install, SafeSquid®. It will help them to set up the Proxy Server with the desired Edition, and to configure the features of SafeSquid® to make optimum use of it.
This guide takes you on a journey of knowledge, of setting up a secure Internet Proxy. It intends to reduce your efforts, and helps to optimize the use of the Internet facility.
This guide illustrates all the features of SafeSquid® and their behavioral basics. It should improve your understanding of the underlying problems and your requirements, and help you construct your corporate policies in order to get the optimum out of the available resources. To mention a few of these: Multi Proxy Setup, Profile Management, User Access Restrictions, URL Blacklists, URL Filter, DNS blacklists, Document Rewrite, Header Filtering, Caching, Cookie Filtering, Virus Scanning, Image Filtering, Mime Filtering, Log analyzers, Keyword Filtering etc.
This guide will acquaint you with the browser based User Interface. You will use it to configure and administer the features of SafeSquid®.
Hopefully, this guide is simple and understandable, and serves the purpose of those wishing to gain knowledge for the optimum use of SafeSquid®. It intends to be useful to naive as well as experienced technicians.
The readers of this guide are requested to report any errors and suggestions for improvement. Readers can post their views on the SafeSquid® forum available on the SafeSquid® website: http://www.safesquid.com/
2 Implementation
The key to successful implementation of any software lies in pre-defining its use, and anticipating the results. With software like SafeSquid® that has so many possibilities, it is just too easy to get lost in the myriad of options.
Ideally the implementation should begin on a piece of paper, where we should decide our expectations and (if possible) how we intend to verify the effectiveness of the configuration settings in meeting our REAL objectives.
As they say, well planned is half accomplished!
Sample Plan
How many proxies will be implemented in the enterprise?
· Number
The Corporate Internet Use Policy needs to be defined / modified only on the Master; all the slave installations will automatically synchronize their configuration from the Master. Which will be the Master Proxy?
· The IP & hostname of the Master Proxy to be used for browser-based administrative access.
· Is the proxy server multi-homed?
· Should the Proxy listen for requests on multiple IPs & Ports?
Web-sites require application layer security, therefore reverse proxying is used to ensure the Application Layer Security. Should SafeSquid act as a Reverse Proxy for our web-server?
· What are the web-sites it should reverse-proxy?
· Shall we change the DNS records of the web-sites?
· Shall we just change the IP / Port configuration of the web-server?
The enterprise uses a variety of Internet Connection Service Providers, and each connection is judiciously used for a specific set of users or applications. Shall we use the same Internet Connection for all kinds of Internet Access?
· Or shall we configure SafeSquid to use different Internet Connections based on user, or nature of access?
· Will SafeSquid forward the requests to another proxy, web-cache or firewall?
· Does the request forwarding require any Authentication?
Virus Defence begins at the Internet Gateway. What Virus Scanner should we use? What Anti-Virus Software will be used to scan all the Internet Traffic?
· F-Prot AV / Kaspersky AV / McAfee AV offer SafeSquid compatible Daemons that can be connected ONLY via Unix Sockets. So if we use any of these AV, they must necessarily co-habit the Proxy Server.
· Sophos AV / ClamAV / Avast AV offer SafeSquid compatible Daemons that can be connected via Unix Sockets OR TCP/IP Sockets. So if we use any of these AV, we have the option of installing them on a separate box on a LAN Server OR co-habiting them with the Proxy Server. To negate the latency effects in case of heavy traffic, it may be useful to set the LAN connection to 100 Mbps or higher.
· Symantec ICAP / Trend Micro ICAP / Dr. Web ICAP offer ICAP based Scan Engines that are fully compatible with SafeSquid's ICAP client. These Engines however require good System Resources and are designed to deliver optimum performance if located on a remote server. So if we use any of these AV, we must PREFERABLY install them on a separate server.
Since SafeSquid can be configured to use one or more of the Anti Virus Software simultaneously, we may explore the option of scanning the entire Internet traffic via more than one Anti Virus Software.
· Alternatively, should we do this multi-AV scanning only for a few chosen Applications, or people?
· Or shall we just do the "battle-ready implementation" that allows us to switch to any of the above Anti-Virus software in times of emergency?
Policy settings to prevent Financial & Productivity Losses due to indiscriminate use of Internet
· Shall we allow people to visit only a "white-list" of trusted web-sites & URLs?
· Shall we allow people to visit any web-site that is not explicitly "black-listed"?
· How are we going to review / modify our "white-lists" / "black-lists"?
· What are our high priority business-application web-sites?
· What are the security relaxations that we may permit when our users access these web-sites?
  o Pop-ups, KeyWords, Banners, ActiveX Controls, Cookies, Header Content.
· What will be our bandwidth conservation policy to access these sites?
  o MIME / File types that will be permitted to be uploaded / downloaded.
  o Speed / Volume of Uploads, Downloads.
  o Browsers or other web-clients that will be allowed to access the Internet.
· What will be our bandwidth conservation policy to access non-business-application web sites?
· Do we have to make any granular policy modification to accommodate Profiles of some VIP users / Applications / Time of Access?
  o Should we enable pre-fetching of certain or all objects for one or more profiles?
· What kinds of Log Reports need to be generated?
  o How frequently should the log reports be generated?
  o How should the log reports be viewed and accessed?
· How are we going to bench-mark the performance of the hardware / software and the Internet Connection?
  o What will be the maximum bandwidth we will utilise to accomplish each test?
3 System Requirements
SafeSquid - System Requirements!
Windows: SafeSquid for Windows depends upon library based functions provided by native Windows ports of the technologies that SafeSquid for Linux uses. These are fulfilled by a few DLL files, detailed below, that are included in the installation package.
Linux: SafeSquid (version 4.1.1 and higher) for Linux requires Intel Architecture hardware with a Linux Kernel 2.6 or higher based operating system, properly installed, preferably with the latest updates and patches.
The minimum hardware required to get SafeSquid up and running would be an i386 based computer with a Pentium III CPU, at least 128 MB of RAM and about 40G hard disk. But that would really serve only academic interests!
For reliable production class environments, it would be advisable to use server class hardware. SafeSquid now has an NPTL compatible design, to generate thousands of threads to meet as many concurrent requests. In the event of un-forecasted bursts of concurrent requests, SafeSquid would have to open enough threads, and that may require a fast CPU. To successfully accomplish the various content filtering, caching and communication related activities, it must have enough memory. It is ideally recommended to provide about 7 to 10 Mb of RAM per user for small networks. But for environments having more than 100 users, even 5 to 7 Mb per user should be sufficient, if we can compensate by using a faster CPU.
A PIII / PIV based computer with 512 Mb RAM should be adequate for a typical 20 user network; increasing the RAM to about 1G should make it serve up to 100 users. But if you are planning to use URL Blacklists, Antivirus Software and Log Analyzers also, very naturally you must compensate with adequate RAM.
SafeSquid by itself has a very small memory footprint, but you will always want to use one or more add-ons, compatible software, etc. So it will be much better to use systems with 1G RAM or more.
Recommendations for Standard Installations
SafeSquid® has a very low Total Cost of Ownership, and a very good ROI. In the long term most users prefer to extract more out of the fixed costs, by increasing the derived results. It is therefore recommended to use hardware that can be scaled for RAM / CPU / NICs.
· Choose H/W that can scale for RAM / CPU, so that you may accommodate more users over a period of time.
· Use Hard Disks with good seek/read/write speed, to reduce latency in case you plan to use large content disk-caches.
· If you expect a large traffic to be handled, it would be a good idea to use a GigaBit NIC. To increase security, or to cater to multiple networks, it would be advisable to use 2 NICs or more.
· System configurations that have easily accessible hardware drivers for Linux are absolutely preferable, and would be useful if you plan to increase redundancy by using clusters.
· Use Linux distributions that have good support for Web Servers, Perl, PHP, Caching Name Servers, etc., because a variety of Log Analyzers are now available both as closed and open source, that you will surely want to use.
· SafeSquid servers shouldn't require X Windows, so basic hardening should be enough.
· Sooner rather than later you will want to install an Antivirus to scan content being transported via SafeSquid. ClamAV is free, so at least install it, unless you are sure you prefer to be secured by a commercial vendor. In that case, choose a vendor that offers an ICAP based solution.
· If you have a Microsoft Network, then sooner or later you will want authentication to work from ADS, and in any case if you are a large network you'll alternatively want user authentication done from LDAP or RADIUS, or something else that's available, so definitely install the PAM libraries. And maybe also Winbind, which joins your SafeSquid server to the Windows Network.
· RPMs are available for most of the software mentioned above, but quite a few are served as raw source code and must be compiled on your server. So it's always a good idea to install GCC & G++ on your SafeSquid Server.
Software Dependencies (Windows)
System Library: Package Description
libeay32.dll: contains encryption functions which allow for coded communications over networks. This file is open source and is used in many open source programs to help with SSL communication.
libssl32.dll: an OpenSSL Shared Library belonging to The OpenSSL Toolkit from The OpenSSL Project, http://www.openssl.org/
nsldap32v50.dll: provides the LDAP connectivity to ADS / LDAP servers. It is used by many programs for LDAP authentication.
pthreadVC2.dll: a POSIX Threads implementation for the Windows environment. Much software that has a multi-threaded architecture, and was originally created for Linux, uses this.
zlib.dll: provides the compression / decompression functions for SafeSquid. zlib was written by Jean-loup Gailly (compression) and Mark Adler (decompression).
Software Dependencies (Linux)
System Libraries (Provider Package): Package Description
libbz2.so.1 (bzip2-libs, bzlib): Libraries for applications using bzip2.
  Description: Libraries for applications using the bzip2 compression format.
libcom_err.so.2 (e2fsprogs): Utilities for managing the second extended (ext2) filesystem.
  Description: The e2fsprogs package contains a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem, or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters), and most of the other core ext2fs filesystem utilities.
libdl.so.2, libc.so.6, libm.so.6, libpthread.so.0, libresolv.so.1 (glibc): The GNU libc libraries.
  Description: The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function.
libgssapi_krb5.so.2, libk5crypto.so.3, libkrb5.so.3 (krb5-libs): The shared libraries used by Kerberos 5.
  Description: Kerberos is a network authentication system. The krb5-libs package contains the shared libraries needed by Kerberos 5. If you are using Kerberos, you need to install this package.
libgcc_s.so.1 (libgcc): GNU C library
  Description: The libgcc1 package contains GCC shared libraries for gcc 3.4
libgmp.so.3 (libgmp3): A GNU arbitrary precision library.
  Description: The gmp package contains GNU MP, a library for arbitrary precision arithmetic, signed integer operations, rational numbers and floating point numbers. GNU MP is designed for speed, for both small and very large operands. GNU MP is fast because it uses fullwords as the basic arithmetic type, it uses fast algorithms, it carefully optimizes assembly code for many CPUs' most common inner loops, and it generally emphasizes speed over simplicity/elegance in its operations.
libstdc++.so.6 (libstdc++): GNU Standard C++ Library
  Description: The libstdc++ package contains a rewritten standards-compliant GCC Standard C++ Library
libcrypto.so.4, libssl.so.4 (openssl097a): The OpenSSL toolkit
  Description: The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.
libpam.so.0 (pam): A security tool which provides authentication for applications
  Description: PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set authentication policy without having to recompile programs that handle authentication.
libz.so.1 (zlib1): The zlib compression and decompression library
  Description: Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs.
4 Installing SafeSquid
Installation Procedure:
Copy the downloaded safesquid.tar.gz into /usr/local/src/
cp safesquid-4.2.0-com20-free.tar.gz /usr/local/src/safesquid.tar.gz
Decompress the tar file using the command -
tar -xvzf safesquid-4.2.0-com20-free.tar.gz
This creates a directory safesquid in your current working directory. Change directory to it:
cd safesquid/
The safesquid directory contains the installation script install. Run the script:
./install
The install script asks you to select one of the following 3 options -
Press "F" if we are doing a Fresh install
Press "U" if we want to Update an existing installation
Press "A" if we want to Adjust an existing conf file
Press "F" for fresh installation. The install script checks for dependencies and displays the status. The output should be similar to -
"Checking Dependencies
/lib/libsafe.so.2 (0xf6ffa000)
libpam.so.0 => /lib/libpam.so.0 (0xf6fea000)
libdl.so.2 => /lib/libdl.so.2 (0xf6fe5000)
libpthread.so.0 => /lib/tls/i686/libpthread.so.0 (0xf6fd4000)
libssl.so.4 => /lib/libssl.so.4 (0xf6fa0000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00bbb000)
libm.so.6 => /lib/tls/i686/libm.so.6 (0xf6f7d000)
libc.so.6 => /lib/tls/i686/libc.so.6 (0xf6e69000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00974000)
/lib/ld-linux.so.2 (0x00b97000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x009e7000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b1e000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x009e2000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00afb000)
libresolv.so.2 => /lib/libresolv.so.2 (0xf6e55000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00a11000)
libz.so.1 => /usr/lib/libz.so.1 (0x00962000)
looks okay
Press any key to continue"
If a missing dependency is reported, you will have to install it before you can continue.
If everything is fine, then press any key to continue.
The SafeSquid End-User License Agreement is displayed. The options are as follows -
Press "B" / "F" to move Back / Forward
Press "S" when you have finished reading
Read the License Agreement, or press "S" to skip and continue.
The following options are displayed -
Press Y if you find the End-User License Acceptable
Press A To Read the End-User License Again
Press N if you find the End-User License NOT Acceptable and immediately abort the Installation Process
Press "Y" to continue
From here onwards, the install script will ask for about 28 configuration options. All option pages are self-explanatory, and should not require you to make any changes. To make changes to the default option, press "C". When you have made the necessary changes, press "S" to continue with the installation. You can also press "S" on the first option screen to install with the default options. (The settings can later be changed by editing the startup.conf file, which you will find in the /opt/safesquid/safesquid/init.d directory. The changes will take effect the next time SafeSquid is restarted.)
The installation starts when you press "S". The installation will pause a few times to display the status, and for confirmation. When the installation is complete, the following message is displayed -
Press "S" if you would like to start your safesquid now
Press any other key to simply exit
Press "S" to start SafeSquid. You should get messages like the following -
1. safesquid started with PID: 9659 ... ssquid is NOT LISTENING on :8080 ...
2. safesquid started with PID: 9659 ... ssquid is LISTENING on 192.168.0.30:8080 ... Process IS RUNNING
So, your SafeSquid is installed and running.
Now, to access the SafeSquid Interface, point the proxy setting in the browser to the SafeSquid Server's IP:PORT, e.g. 192.168.0.30:8080, and access the URL http://safesquid.cfg
5 Test Your Installation
Testing on the server side
Command to check that SafeSquid is running on the server
Command:
ps waux | grep safesquid
The output should be similar to:
ssquid 11533 81.2 33.1 1750524 1372096 ? Sl Oct13 973:01 /opt/safesquid/safesquid/safesquid
root 29005 0.0 0.0 2852 704 pts/0 R+ 10:51 0:00 grep safesquid
Command to be sure that SafeSquid is listening on port 8080
Command:
netstat -anp | grep :8080
The output should be similar to:
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11533/safesquid
tcp 0 0 10.0.0.5:8080 192.168.10.152:3238 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.29:1167 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.127:1677 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.50.15:1864 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.122:2496 TIME_WAIT -
tcp 0 253 10.0.0.5:8080 192.168.10.18:1192 FIN_WAIT1 -
tcp 0 0 10.0.0.5:8080 192.168.10.132:1342 ESTABLISHED 11533/safesquid
tcp 1 0 10.0.0.5:8080 192.168.50.4:4999 CLOSE_WAIT 11533/safesquid
Command to check how SafeSquid is handling requests
Command:
tail -f /opt/safesquid/safesquid/logs/native/safesquid.log
The output should be similar to:
2008 10 14 10:54:17 [691984] request: GET http://www.ingentaconnect.com:80/css/size14.css
2008 10 14 10:54:17 [692021] network: allowed connect from 192.168.10.10 on port 8080
2008 10 14 10:54:17 [692021] security: PAM authentication succeeded for mlpbs
2008 10 14 10:54:17 [692021] network: binding outgoing connection to 10.0.0.11
2008 10 14 10:54:17 [690705] request: GET http://www.allbusiness.com:80/asset/image/icon/2984516.gif
2008 10 14 10:54:17 [691736] request: GET http://www.contentlinks.asiancerc.com:80/scwm/images/arrow_down.gif
2008 10 14 10:54:17 [692013] network: 192.168.10.122 disconnected after making 2 requests
2008 10 14 10:54:17 [691763] network: binding outgoing connection to 10.0.0.21
2008 10 14 10:54:17 [692022] network: allowed connect from 192.168.10.29 on port 8080
2008 10 14 10:54:17 [692021] request: CONNECT login.yahoo.com:443
2008 10 14 10:54:17 [692005] request: GET http://www3.interscience.wiley.com:80/journal/104086741/abstract?CRETRY=1
2008 10 14 10:54:17 [692005] network: 192.168.50.12 disconnected after making 1 requests
2008 10 14 10:54:17 [692023] network: allowed connect from 192.168.50.12 on port 8080
Command to check how SafeSquid is running on port 8080
Command:
lsof -i :8080
The output should be similar to:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
safesquid 18934 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
safesquid 18934 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED)
safesquid 18934 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT)
safesquid 18936 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
safesquid 18936 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED)
safesquid 18936 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT)
safesquid 18937 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
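The dependency check in the install script and the port check above can be scripted for repeated use, for example after patching the server. The following Python script is an added example, not part of the SafeSquid installer or of this manual: it reads the dependency table in the form the install script prints it (ldd style) and reports any library that resolved to "not found", and it reads netstat -anp output and confirms that the safesquid process owns a LISTEN socket on the proxy port. Both inputs are constructed samples embedded in the script; the "libgmp.so.3 => not found" line is made up to show what a missing dependency looks like, and port 8080 and the program name safesquid are the defaults this manual uses.

```python
"""Post-install checks for a SafeSquid host.  Added example, not part of
the installer or this manual.  Both inputs are constructed samples in the
shape of the ldd table printed by the install script and of
`netstat -anp` output."""

# Constructed sample of the dependency table.  The "not found" line is made
# up to show how an unresolved library appears; the others mirror the
# manual's install output.
SAMPLE_LDD = """\
libpam.so.0 => /lib/libpam.so.0 (0xf6fea000)
libssl.so.4 => /lib/libssl.so.4 (0xf6fa0000)
libgmp.so.3 => not found
libz.so.1 => /usr/lib/libz.so.1 (0x00962000)
/lib/ld-linux.so.2 (0x00b97000)
"""

# Constructed sample of `netstat -anp` lines for the proxy port, plus one
# unrelated listener on another port to show that it is ignored.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11533/safesquid
tcp 0 0 10.0.0.5:8080 192.168.10.152:3238 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.132:1342 ESTABLISHED 11533/safesquid
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 2200/other
"""


def missing_libraries(ldd_output):
    """Return the names of shared objects that ldd could not resolve.

    An absent library is printed as `name => not found`; every other line
    carries a path and a load address and is ignored."""
    missing = []
    for line in ldd_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "=>" and parts[2:] == ["not", "found"]:
            missing.append(parts[0])
    return missing


def listeners_on_port(netstat_output, port):
    """Return (local_address, pid, program) for each TCP socket in LISTEN
    state bound to `port`.  Sockets in other states (SYN_RECV,
    ESTABLISHED, ...) and on other ports are skipped."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "LISTEN":
            continue
        local = parts[3]
        if not local.endswith(":%d" % port):
            continue
        # PID/Program column is "-" when netstat cannot see the owner
        owner = parts[6] if len(parts) > 6 else "-"
        pid, _, program = owner.partition("/")
        found.append((local, pid, program))
    return found


def install_looks_healthy(ldd_output, netstat_output, port=8080, program="safesquid"):
    """True when no dependency is missing and `program` owns a LISTEN
    socket on `port` (8080 is the manual's default proxy port)."""
    if missing_libraries(ldd_output):
        return False
    return any(p == program for _, _, p in listeners_on_port(netstat_output, port))


if __name__ == "__main__":
    print("missing libraries:", missing_libraries(SAMPLE_LDD))
    print("listeners on 8080:", listeners_on_port(SAMPLE_NETSTAT, 8080))
    print("healthy:", install_looks_healthy(SAMPLE_LDD, SAMPLE_NETSTAT))
```

On a real host, feed the functions the captured text of `ldd /opt/safesquid/safesquid/safesquid` and `netstat -anp` instead of the samples; the sample run reports the constructed missing library and therefore an unhealthy install, even though the listener check passes.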
6 SafeSquid Logs
SafeSquid produces logs in three distinct formats. We traditionally name them access.log (Access Log Format), extended.log (NCSA / Extended log format) and safesquid.log (Native Log Format). The path to the log files, and the soft link that is created during installation, are as follows:
Log File Path Soft Link
access.log /var/log/safesquid/safesquid/access/ /opt/safesquid/safesquid/logs/access/
safesquid.log /var/log/safesquid/safesquid/native/ /opt/safesquid/safesquid/logs/native/
extended.log /var/log/safesquid/safesquid/extended/ /opt/safesquid/safesquid/logs/extended/
Access Log
The access.log has been the traditional favorite, because it can be used by a variety of log analyzers like Calamaris, SARG, Squint, SquidTailD, etc. The reports produced by these log analyzers reveal useful details of the overall usage and the pattern of access of the application.
Access Log fields:
start_time_in_seconds.milliseconds elapsed_time client cachecode/status size method url username peercode/peer mime
Example:
1189403858.675 654 192.168.0.21 TCP_MISS/200 246 GET http://ds.ds3ps.co.uk:80/refer/surebrowse/operator/chat-server.xml?time=1189404101675 sudipta DIRECT/ds.ds3ps.co.uk text/xml
The details of the fields in access.log are as follows:
Field: Explanation
Time: UNIX time stamp as Coordinated Universal Time (UTC) seconds with a millisecond resolution.
Elapsed Time: Length of time in milliseconds that the cache was busy with the transaction. The information is logged after the reply has been sent, not during the lifetime of the transaction.
Client: IP address of the requesting host.
Cache code / Status: Two entries separated by a slash. The code specifies the result of the transaction: the kind of request, how it was satisfied, or in what way it failed. The second entry contains the HTTP result code.
Bytes: Amount of data delivered to the client. This does not constitute the net object size, because headers are also counted. Also, failed requests may deliver an error page, the size of which is also logged here.
Method: Request method to obtain an object, e.g. GET, POST, CONNECT.
URL: URL requested.
Username: Authenticated username.
Peer status / Peer host: Two entries separated by a slash. The first entry represents a code that explains how the request was handled, for example by forwarding it to a peer, or returning the request to the source. The second entry contains the name of the host from which the object was requested. This host may be the origin site, a parent, or any other peer. Also note that the host name may be numerical.
Mime: MIME type of the object.
Extended Log
The extended.log (NCSA / Extended log format) records the maximum details of each request handled by the proxy application. Log Analyzers like Sawmill can generate analysis reports using the extended log, and give a lot more information than those using access.log.
FORMAT:
"UNIQUE_RECORDID" ELAPSED_TIME_IN_MSEC CLIENT_IP "USER_NAME" "CLIENT_CONNECTION_ID" [DATE_TIME_OF_REQUEST] "METHOD URL" "HTTP_STATUS_CODE" BYTES_TRANSFERRED "REFERRER_URL" "USER_AGENT" MIME_TYPE "FILTER_NAME FILTERING_REASON" "COMMA_SEPARATED_LIST_OF_PROFILES_APPLIED" "INTERFACE_IP:INTERFACE_PORT"
Example:
"1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" [05/Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates?run_as=check_updates&protocol=1" 200 750 "-" "FPAV_Update_Monitor/3.16f (Windows;WINNT; 2000 Professional; SP4)" text/plain "- -" "-" "192.168.0.221:8080"
The details of the fields in extended.log are as follows:
Field: Explanation
Unique Record ID: A unique record identifier, to prevent duplication of records when imported into SQL databases. Here in e.g. 1215419711.460.
Elapsed time in milliseconds: Elapsed time of the request, in milliseconds.
Client IP: The IP address of the requesting client.
User name: The username (or user ID) used by the client for authentication. If no value is present, "anonymous" is substituted.
Client connection ID: The internal SafeSquid ID associated with this connection.
Date & time of request: The date and time stamp of the HTTP request. The fields in the date/time field are [dd/MMM/yyyy:hh:mm:ss +-hhmm], where dd is the day of the month, MMM is the month, yyyy is the year, hh is the hour, mm is the minute, ss is the seconds.
Method URL: The HTTP request. The request field contains three pieces of information. The main piece is the requested resource. The request field also contains the HTTP method.
HTTP Status Code: The status code is the numeric code indicating the success or failure of the HTTP request.
Bytes Transferred: A numeric field containing the number of bytes of data transferred as part of the HTTP request, not including the HTTP header. E.g. 750.
Referrer URL: The referrer is the URL of the HTTP resource that referred the user to the resource requested. "-" is substituted when there is no referrer.
User agent: An HTTP client that makes HTTP requests. It is customary for an HTTP client, such as a Web browser, to identify itself by name when making an HTTP request. It is not required, but most HTTP clients do identify themselves by name.
Mime type: MIME type of the requested object. E.g. text/plain.
Filter name & Filtering reason: If the request gets blocked, then this field contains the name of the filter, or the reason for which the request was blocked. "- -" is substituted when there are no blocks.
Comma separated list of profiles applied: Comma separated list of profiles that were applied to the request. "-" is substituted when no profiles are applied.
Interface IP:Interface port: IP:PORT that received the request. This can be important when SafeSquid is listening on multiple IPs or Ports.
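Added example, not SafeSquid's own code: a Python parser for extended.log that tokenises the mix of quoted, bracketed and bare fields, maps them onto the fields above, and lists the requests a filter blocked. The first sample line is the manual's own example; the second is constructed, with a made-up filter name, reason and profile names.

```python
"""Parse SafeSquid extended.log lines and pick out blocked requests.

Added example, not SafeSquid's own code. Fields are a mix of quoted strings
("..."), one bracketed date ([...]) and bare tokens, so each line is tokenised
before the tokens are mapped onto the documented fields.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# First line: the manual's own example. Second line: constructed, with a
# made-up filter name/reason and profile names, to show a blocked request.
SAMPLE_LINES = [
    '"1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" '
    '[05/Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates'
    '?run_as=check_updates&protocol=1" 200 750 "-" "FPAV_Update_Monitor/3.16f '
    '(Windows;WINNT; 2000 Professional; SP4)" text/plain "- -" "-" "192.168.0.221:8080"',
    '"1191586600.011-9-192.168.0.221-8080" 4 192.168.0.150 "alice" "9" '
    '[05/Oct/2007:17:46:41 +0530] "GET http://example.invalid/page.html" 403 512 '
    '"http://example.invalid/" "Mozilla/5.0 (constructed)" text/html '
    '"sample-filter sample-reason" "default,students" "192.168.0.221:8080"',
]

# One alternative per token kind; exactly one group matches for each token.
TOKEN_RE = re.compile(r'"([^"]*)"|\[([^\]]*)\]|(\S+)')


def tokenize(line: str) -> List[str]:
    """Return the field values with their quotes/brackets stripped."""
    return [m.group(m.lastindex) for m in TOKEN_RE.finditer(line)]


@dataclass
class ExtendedRecord:
    record_id: str
    elapsed_ms: int
    client_ip: str
    username: str                 # "anonymous" when the client did not authenticate
    connection_id: str
    requested_at: datetime
    method: str
    url: str
    status: int
    bytes_transferred: int        # body bytes only, headers excluded
    referrer: Optional[str]       # None when the log shows "-"
    user_agent: str
    mime_type: str
    filter_name: Optional[str]    # None unless a filter blocked the request
    filter_reason: Optional[str]
    profiles: List[str] = field(default_factory=list)
    interface_ip: str = ""
    interface_port: int = 0

    @property
    def blocked(self) -> bool:
        return self.filter_name is not None


def _parse_date(text: str) -> datetime:
    # [dd/MMM/yyyy:hh:mm:ss +-hhmm]; the manual's example omits the offset.
    fmt = "%d/%b/%Y:%H:%M:%S %z" if " " in text else "%d/%b/%Y:%H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_extended_line(line: str) -> ExtendedRecord:
    t = tokenize(line)
    if len(t) != 15:
        raise ValueError(f"expected 15 fields, got {len(t)}: {line!r}")
    method, _, url = t[6].partition(" ")
    # "- -" means no filter fired; otherwise "FILTER_NAME FILTERING_REASON".
    blocked = t[12] != "- -"
    fname, _, freason = t[12].partition(" ")
    ip, _, port = t[14].rpartition(":")
    return ExtendedRecord(
        record_id=t[0], elapsed_ms=int(t[1]), client_ip=t[2], username=t[3],
        connection_id=t[4], requested_at=_parse_date(t[5]), method=method, url=url,
        status=int(t[7]), bytes_transferred=int(t[8]),
        referrer=None if t[9] == "-" else t[9], user_agent=t[10], mime_type=t[11],
        filter_name=fname if blocked else None,
        filter_reason=freason if blocked else None,
        profiles=[] if t[13] == "-" else t[13].split(","),
        interface_ip=ip, interface_port=int(port),
    )


def blocked_requests(lines) -> List[Tuple[str, str, str, str, str]]:
    """(client, username, url, filter, reason) for every blocked request:
    the view to review when checking that policy rules fire as intended."""
    return [(r.client_ip, r.username, r.url, r.filter_name, r.filter_reason)
            for r in map(parse_extended_line, lines) if r.blocked]


if __name__ == "__main__":
    for hit in blocked_requests(SAMPLE_LINES):
        print(hit)
```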
Native Log
This is SafeSquid's native log format. It records various functional aspects like REQUESTS, SECURITY, REDIRECT etc. that are effected by the various features and their configuration. You can control the verbosity of the Native log by specifying LOGLEVEL, as shown in the table below. The LOGLEVEL parameter affects only SafeSquid's Native log.
Value: Process logged
1: Requests
2: Network
4: URL filtering
8: Header filtering
16: Mime filtering
32: Cookie filtering
64: Redirections
128: Templates
256: Keyword filtering
512: Rewriting
1024: Limits
2048: Caching
4096: Prefetching
8192: ICP
16384: Forwarding
32768: Config synchronization
65536: Antivirus
131072: External parsers
262144: ICAP
524288: DNS blacklist
1048576: URL blacklist
2097152: URL commands
4194304: Modules
8388608: Security
16777216: Warnings
33554432: Errors
67108864: Profiles
134217728: Debug
So, if you wish to record only the requests, set LOGLEVEL to 1; if you wish to record only caching related activities, set LOGLEVEL to 2048. If you wish to record all three activities of rewriting, limits and forwarding, you would simply set LOGLEVEL to 512 + 1024 + 16384, i.e. 17920. Similarly, if you wished to view absolutely everything (and run the risk of generating a very huge log file in a very short time!), you could set LOGLEVEL to the total of all the values in the table apart from Debug, i.e. 134217727, which is also the default LOGLEVEL if you simply comment out the LOGLEVEL specification. If you wished to produce just debug logs, you should set LOGLEVEL to 134217728. If you wished to record all activities and debug information, you should set LOGLEVEL to 268435455.
NOTE: Adjusting this value requires a restart of SafeSquid service.
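Added example, not SafeSquid's own code: a Python helper that composes a LOGLEVEL value from the process names in the table above and decodes a value back into process names, so the arithmetic in the paragraph can be checked instead of done by hand.

```python
"""LOGLEVEL bitmask helper for SafeSquid's Native log.

Added example, not SafeSquid's own code. Bit values are those listed in the
manual's LOGLEVEL table; each process is one bit, so a level is the OR of bits.
"""
from typing import List

LOGLEVEL_BITS = {
    "Requests": 1, "Network": 2, "URL filtering": 4, "Header filtering": 8,
    "Mime filtering": 16, "Cookie filtering": 32, "Redirections": 64,
    "Templates": 128, "Keyword filtering": 256, "Rewriting": 512,
    "Limits": 1024, "Caching": 2048, "Prefetching": 4096, "ICP": 8192,
    "Forwarding": 16384, "Config synchronization": 32768, "Antivirus": 65536,
    "External parsers": 131072, "ICAP": 262144, "DNS blacklist": 524288,
    "URL blacklist": 1048576, "URL commands": 2097152, "Modules": 4194304,
    "Security": 8388608, "Warnings": 16777216, "Errors": 33554432,
    "Profiles": 67108864, "Debug": 134217728,
}

MAX_LOGLEVEL = (1 << 28) - 1                               # 268435455: every bit set
DEFAULT_LOGLEVEL = MAX_LOGLEVEL & ~LOGLEVEL_BITS["Debug"]  # 134217727: all but Debug


def loglevel_for(*processes: str) -> int:
    """Combine process names into the value to put in the LOGLEVEL setting."""
    level = 0
    for name in processes:
        if name not in LOGLEVEL_BITS:
            raise ValueError(f"unknown process {name!r}")
        level |= LOGLEVEL_BITS[name]
    return level


def processes_logged(level: int) -> List[str]:
    """Decode a LOGLEVEL value into the processes it records, in table order."""
    if not 0 <= level <= MAX_LOGLEVEL:
        raise ValueError(f"LOGLEVEL must be between 0 and {MAX_LOGLEVEL}")
    return [name for name, bit in LOGLEVEL_BITS.items() if level & bit]


def describe(level: int) -> str:
    """Human-readable summary, naming the two special values from the manual."""
    if level == DEFAULT_LOGLEVEL:
        return "everything except Debug (the default when LOGLEVEL is commented out)"
    if level == MAX_LOGLEVEL:
        return "everything, including Debug"
    return ", ".join(processes_logged(level)) or "nothing"


# A lean setting for security monitoring: only Security, Warnings and Errors.
SECURITY_MONITORING = loglevel_for("Security", "Warnings", "Errors")  # 58720256

if __name__ == "__main__":
    for value in (1, 2048, 17920, DEFAULT_LOGLEVEL, MAX_LOGLEVEL, SECURITY_MONITORING):
        print(f"LOGLEVEL={value}: {describe(value)}")
```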
Log rotation
There obviously needs to be a control on log file size. The SafeSquid executable cannot start if the size of any of the log files exceeds 2147483648 bytes (2GB). The parameter sets the maximum size in bytes for a log file, exceeding which the logrotate script (/etc/init.d/safesquid logrotate) will automatically truncate and compress all three types of log files. The same command can also be run manually to rotate your logs in case any situation demands.
7 SafeSquid Interface
SafeSquid® has a Browser based User Interface, that allows users to configure various features in accordance with their respective Corporate Internet Usage Policies.
To configure or change configuration, you must have access to the SafeSquid® Management Interface. To access the Interface, you must configure your web-browser to use the SafeSquid® proxy server.
For example, if you have set up SafeSquid to listen on IP 192.168.0.130 on port 8080, then you should configure your web-browser to use the proxy at 192.168.0.130 on port 8080.
Now you should be able to access the User management Interface with the URL http://safesquid.cfg
Note: To set IP and Port, you should open the (Internet Explorer) Web Browser, go to Tools Menu --> Internet Options --> Connections --> LAN Settings --> select the Use Proxy server option in the dialogue box, then specify your proxy server's I.P. in the Address option and Port (Default 8080).
You should now be able to access the URL http://safesquid.cfg to configure various Features as well as monitor them from the same window.
Mozilla users should open the Web Browser, go to Tools Menu --> Options --> Connection settings --> Select Manual Proxy Configuration --> Specify your Proxy server's I.P. in the HTTP Proxy option and Port (Default 8080). You should now be able to access the URL http://safesquid.cfg to configure various Features as well as monitor them from the same window.
Most features of SafeSquid® can be set using this SafeSquid® Management Interface. The Top Menu gives you the links, and access to various features & functions as shown on the image below. This image displays the main page of the Browser based SafeSquid® Management Interface available with SafeSquid®.
7.1 Active Connections
'Active connections' displays all the active connections being handled by the SafeSquid® proxy server at a particular instance. The image below shows the page that is displayed when the user clicks on the Active Connections link.
The 'Active connections' has two sub-sections - Transferring and Client Pool.
The Transferring subsection illustrates the requests being fulfilled at a particular instance, and the Client Pool subsection shows all the requests that are waiting in queue at the very same instance, i.e. these are the requests which are waiting to acquire a physical connection.
'Transferring' & 'Client Pool' sub-section
Transferring subsection illustrates the requests being fulfilled, at a particular instance
Client ID
Client ID is an auto generated identification number, which is generated for every request made by a client.
IP
IP is the IP address of the machine in the network that made the request to fetch the desired web page.
Requests
Requests illustrates the total number of requests made by clients, which can be helpful to identify the load per requested URL/Domain.
Method
The Method field exhibits HTTP Methods like GET, POST and CONNECT etc.
Details
GET: It is basically for just getting (retrieving) data.
POST: Post involves things like storing or updating data, or ordering a product, or sending E-mail.
CONNECT: The CONNECT method is often used with a proxy that can change to being a Secure Sockets Layer tunnel. CONNECT is used for https requests.
URL
The URL field displays the current URLs that are requested, as well as served.
Idle
Idle is the field that exhibits the time for which a request has been lying idle in the queue, waiting to get served.
7.2 Statistics
This displays Statistics on the basis of real time data, with reference to various parameters like System, Requests, Network, DNS cache, Cache, Cache refresh, Connection pool, Hosts, Mimes, User and IP addresses.
Statistics
System
The System subsection displays information with respect to usage of system resources.
User time: Displays the total amount of CPU time, in seconds, that SafeSquid® has used. User time is CPU time spent executing the user program, rather than in kernel system calls. User time is displayed in HH:MM:SS:ms.
System Time: Total CPU time, in seconds, that is used in making the kernel / system calls to service SafeSquid®. Units are in HH:MM:SS:ms format.
Note: The resource usage statistics depend on a 1:1 thread model. Due to the limitations of the APIs used to gather this information, using other thread libraries may result in inaccurate statistics.
Memory resident: The amount of memory used by memory resident processes of SafeSquid®. These are TSRs, i.e. Terminate and Stay Resident processes. For example, URL Blacklist loads URL Blacklists in the memory and remains in the memory till we shut down SafeSquid®. Details: Memory resident means permanently in memory. Normally, a computer does not have enough memory to hold all the programs you use when you want to run a program. Therefore, the operating system is obliged to free some memory by copying data or programs from main memory to a disk. This process is known as swapping. Certain programs, however, can be marked as being memory resident, which means that the operating system is not permitted to swap them out to a storage device; they will always remain in memory.
Memory Shared: The amount of memory that is occupied by shared libraries like libstdc++, so3, libpam. This may increase or decrease depending upon Add-on modules or other software that we use in conjunction with SafeSquid®. Details: Shared memory refers to a (typically) large block of Random access memory that can be accessed by several different central processing units (CPUs) in a multiple-processor computer system.
Minor Page faults: Gives the total number of minor page faults since the startup of the SafeSquid® processes.
Major Page faults: Represents the total number of major page faults since the startup of the SafeSquid® processes. Details: SafeSquid® is a caching proxy. It may have to look inside the cache to serve contents and also some time to serve templates. Similarly, SafeSquid® generates logs. SafeSquid® could also be invoking other applications. So SafeSquid® performs a lot of memory swapping and disk I/O. The Statistics page displays the various aspects of this activity as minor and major page faults, besides any errors if they occur. An interrupt occurs when a program requests data that is not currently in real memory. The interrupt triggers the operating system to fetch the data from virtual memory and load it into RAM. An invalid page fault or page fault error occurs when the operating system cannot find the data in virtual memory. This usually happens when the virtual memory area, or the table that maps virtual addresses to real addresses, becomes corrupt. Minor Page faults are the number of hard page faults (i.e. those that required I/O). Major Page Faults are the number of times a process was swapped out of physical memory.
Requests
The Requests subsection gives information on the total number of HTTP, FTP and CONNECT requests fulfilled since the last startup of the SafeSquid® processes. This quickly tells you about the different protocols being serviced through your proxy server.
Network
For administrators it is very important to know the amount of data that has passed through. The Network subsection gives information on Total Successful connections, Failed connections, DNS failures and Total Bytes transferred in/out of the network, since the latest startup of the SafeSquid® processes. This helps you to set various parameters in SafeSquid® and the system's network settings to have improved performance. For example, if you see too many DNS failures, you may need better connectivity to your DNS servers. Similarly, if you see too many failed connections and your logs say that they were genuine requests, then it means that either your network is saturated or you need a better ISP.
DNS Cache
When a request is made, its web server address is resolved from DNS servers. SafeSquid® has a DNS cache to store these resolved addresses for future use. This can dramatically reduce the latency. This section gives the total Hit Ratio and Miss Ratio. A HIT means that the name was found in the DNS cache. A MISS, that it was not found in the DNS cache.
Cache, Cache Refresh & Connection Pool
This section gives the total Hit Ratio and Miss Ratio of the Cache. A HIT means that the requested content was found in the cache. A MISS, that it was not found in the cache.
Cache Refresh
You can configure SafeSquid® to revalidate the cached content after a defined interval. If need be, SafeSquid® refreshes the content and serves the relevant content to the clients, depending on the various parameters you set in the 'Cache' section. Quite a few times, SafeSquid® could discover that the cached content was obsolete. This is recorded as a miss in the Cache Refresh subsection.
Connection Pool
Connection Pool shows the number of times a connection was available to the request and the number of times it had to create a new connection for a particular request. The number of times it found the connection in the connection pool is a hit, and the number of times the proxy had to establish a new connection is considered a miss.
Hosts
This section shows the sites that are most frequently accessed by users, and the number of requests for a particular host along with its usage percentage.
Mimes
The Mimes subsection displays the Mime types being accessed, and the usage percentage of the same.
Users
The Users subsection displays users and their respective usage percentage of the Proxy Services. If authentication is enabled, the users section would display usernames and the number of requests they have made, otherwise it will display anonymous.
IP Addresses
The IP Addresses of the machines that have made requests, along with their respective usage percentage.
7.3 DNS Cache
DNS resolution is a very important part of Internet surfing. Whenever a request is made, the proxy has to resolve the address of the web server. This incurs latency. Hence, to reduce this latency, SafeSquid® maintains a DNS cache, wherein it stores all resolved DNS addresses. When another request is made for the same web site, SafeSquid® can easily get the address from the DNS cache. These entries remain in the DNS Cache for 360 seconds, and then they are refreshed, i.e. after 360 seconds the Proxy has to resolve DNS again.
DNS Cache
Hostname
The host name of the requested page
IP Address
The IP Address of that host.
Age
The Age of the respective entries in the DNS cache, i.e. how long the entry has been residing in the DNS Cache.
7.4 Show Headers
This section has two subsections, viz. Unfiltered and Filtered. It describes the details of the client (browser) headers. The Unfiltered subsection displays the Type and Value of the unfiltered Headers; similarly, the Filtered section displays the Type and Value of the Filtered headers.
Show Headers
Host
Shows the Host Name.
User-Agent
The Browser that is being used.
Accept
Shows the accepted value of the headers that are unfiltered / filtered.
Accept-Language
Specifies the language that is acceptable, i.e. content on pages should be displayed in the specified Accept-Language. For example, "en-us" specifies that all the pages should be served in US English.
Accept-Encoding
The value of header types for which encoding should be accepted / allowed. For example: safesquid.cfg
Proxy-Connection
The type of connection for the Proxy Server. For example, the Keep-alive value keeps the connection alive till it is explicitly switched off.
Referer
This is the address or URI (Uniform Resource Identifier) of the document (or element within the document) from which the URI in the request was obtained. Referrer allows a server to generate lists of back-links to documents, for interest, logging, etc. It allows bad links to be traced for maintenance.
7.5 View Cache Entries
SafeSquid has a multi-tier cache. This section gives information related to the Cache volumes. It displays the list of Cache files, and gives users the option to search through, and if required, selectively delete them using the "Delete Matches" option.
The Cache Information section gives information for the Memory Cache and Disk Cache Volumes. It shows the total number of objects, the total size of those objects in Bytes, and the percentage of total Cache used. It also displays the path of the various Disk Cache Volume(s).
Figure 1
The Regular Expression Match section has a text box where you can enter a regular expression or any word, using which the corresponding matches are found from the Memory Cache as well as the Disk Cache, and displayed. Figure 2 displays the result of the search for 'yimg'. The result displays the URL, size in bytes and whether the content exists in the Memory and / or Disk Cache.
Figure 2
You can also filter content on the basis of content modification date, accessed date and file size. On the basis of these filter criteria, all the URLs that meet the specified criteria are displayed below the regular expression match section.
The "Delete-matches" option allows you to delete the resulting matches.
Note: If you want to delete all the cache entries, leave the text box blank, select the "Delete matches" option, and click on the submit button.
The details of the content can be seen by clicking on the URL of a content, as shown in Figure 3.
Figure 3
Details:
MD5 Sums are 32 byte character strings that are the result of running the MD5 sum program against a particular file. Since any difference between two files results in two different strings, MD5 sums can be used to determine that the file or ISO you downloaded is a bit-for-bit copy of the remote file or ISO. If you are running one of the GNU/Linux distributions, you should already have the MD5 program installed.
Epoch is an instant of time selected as a point of reference. In Linux, this time is taken as 1st January 1970. Epoch Time is the time represented as the total number of seconds from an instant of time selected as a point of reference, i.e. the Epoch. Hence it is termed Epoch time.
7.6 Connection Pool
This link displays information on the current connection(s) that are being held open in the connection pool and / or awaiting reuse.
The details that are displayed are: Protocol, Host, Port, Username (if authentication is enabled) and the Age in seconds since the connection was opened.
7.7 Prefetch Queue
The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML to be pre-fetched (not just images) and cached. Prefetching is a good way to improve retrieval time. It reduces resource retrievals and improves retrieval time.
This link allows you to add the webpage URLs that you would like to prefetch and cache.
These entries are reflected in active connections under the IP as 0.0.0.0 and the method as "PREFETCH".
7.8 URL Blacklist
The URL Blacklist consists of a list of thousands of domains and URLs, bifurcated into various categories and stored in flat files. This section allows you to search these categories to find out whether a specific Domain, URL or File is present in the URL Blacklist, and if it is, then in what category.
You can search for a domain or a file by entering your query (regular expressions are supported) in the corresponding text box and clicking on the 'Submit' button. The result lists the category in which a match was found, the Domains that matched the query and the paths to the matched Domains.
Note: See URL Blacklist under the Config Section, for installing and configuring URL Blacklist.
7.9 View Log Entries
'View log entries' displays a blow-by-blow account of recent activities. It can be used to monitor all transactions, track specific transactions, check events for troubleshooting, and check for errors, warnings and advices.
The 'Regular Expression match' field allows you to search for specific events using regular expressions.
'Log Buffer size' allows you to specify the number of entries from the log that you would want to see at a time.
The Clear option lets you clear the whole buffer, or the entries filtered with the 'Regular Expression match' option.
Image 11.0.
7.10 Save Settings
When SafeSquid starts, it loads the configuration file (config.xml) into the system's memory. When you make any changes to the rules / policies from the SafeSquid interface, these changes are made in the configuration file stored in memory, and would get lost if the SafeSquid service, or the server, is stopped or restarted. Use the 'Save settings' link to make the changes permanent. It copies / saves the configuration file in memory to the location specified in the 'Filename' field. The default path to the configuration file is /opt/safesquid/safesquid/config.xml.
On successfully copying the file to the specified location, you should get a "File saved" message.
Image 12.0
This option can also be used to take a backup of the existing config file before you make any changes to the original file.
For example, before attempting any changes to the existing configuration, you could click on 'Save settings' and back up the original file by specifying the 'Filename' as /opt/safesquid/safesquid/config_org.xml.
7.11 Load Settings
The 'Load settings' option is used either to load and completely overwrite the existing configuration file with another, or to import rule snippets into the current configuration file.
Overwrite configuration
For example, suppose you make changes to the existing configuration from the interface, do not save the recent changes with the 'Save settings' option, and want to revert back to the original configuration. To do this, just click on the 'Load settings' option. The default path is displayed in the 'Filename' field. Click on 'Submit' while leaving the 'Overwrite' option at 'Yes'.
This option can also be used if you have more than one configuration file, and would like to change over to another file, in real-time, from the one that you are currently using.
Note: When SafeSquid is started, it by default uses the configuration file specified in the CONFIG_FILE parameter in startup.conf. The default value of this parameter is set as /opt/safesquid/safesquid/config.xml. If you have multiple configuration files, the configuration file that you want to be loaded on startup should always be the one that is specified in the CONFIG_FILE parameter in the startup.conf file. The value of CONFIG_FILE can be changed by running /etc/init.d/safesquid adjust.
Import rule snippet
Rule snippets are short, specific rules that are created to perform specific tasks. For example, safesearch.xml, which is available from the SafeSquid Download page, can be imported into your existing configuration file (config.xml) to enforce Google Safe Search. Similarly, porn_keypwords.xml and anonproxy.xml are rule snippets for Keyword Filtering rules, to block porn and anonymous proxy websites.
To import rule snippets, download the rule snippet file to the SafeSquid server, click on 'Load settings', specify the path of the snippet file in the 'Filename' field, change 'Overwrite' to 'No', and click on 'Submit'. If the file is successfully loaded, you should get the message 'File loaded'. Changing 'Overwrite' to 'No' adds the file being loaded into your current configuration file.
Instead of downloading and copying the snippet file to the server, you can also specify the URL of the file in the 'Filename' field. For example, the URL of the safesearch.xml file is http://downloads.safesquid.net/free/general/sample_rules/safesearch.xml. But since access to this file requires you to authenticate with your SafeSquid Forum ID, you can type this URL in the 'Filename' field:
http://username:password@downloads.safesquid.net/free/general/sample_rules/safesearch.xml
Replace the username:password in the URL with your forum username and password.
Note: The rule snippet gets imported into the configuration file loaded in the Server's memory, and gets activated in real-time. To make the changes permanent, you need to click on 'Save settings' and save the config.xml file. The changes will be lost when the SafeSquid service is restarted if you don't save the file.
Image 13.0
7.12 Config Section
Config opens a drop down dialog which contains all configurable features of SafeSquid®. Select any feature you want to view, configure or modify and click the submit button. When you select a feature, the page displayed exhibits the entire list of rules and current settings of that feature, which can be modified as per your requirements. Intuitive tool tips are provided for every option available on the page, to guide you through each and every option.
All the features exhibit various Options and their corresponding Values. 'Search Entries' allows you to search through all the sections for a specific option or value.
7.12.1 Basic Behaviour
The "General" section in the SafeSquid Interface allows you to configure options that affect the overall operation of the proxy server. These options mainly depend on your network infrastructure, like availability of Internet resources, network resources, network traffic, etc.
'Profiles' allow you to very granularly configure the way various content is processed, depending on the content type, like text, application, embedded, etc.
The options in this section must be very carefully set, as they most comprehensively affect your implementation of SafeSquid.
General section
The global section gives access to configuration options that affect the overall operation of the proxy server.
Option: Value
Proxy hostname: localhost
Temporary directory: /tmp
Web interface line length: 150
Connection pool size: 20
Connection pool timeout: 60
General (rule list; each rule can be added, edited, deleted, cloned and moved up or down)
Option: Value
Enabled: true
Profiles: embedded
Connection timeout: 30
Header timeout: 120
Keepalive timeout: 120
Maximum download buffer size: 1M
Maximum upload buffer size: 500K
Buffer wait time: 0
CONNECT ports: 80,443
Compress outgoing: true
Compress incoming: true
Add X-Forwarded-For header: true
Add Via header: true
'Add' in General Section
Option: Value
Enabled: Yes / No
Comment:
Profiles:
Connection timeout: 10
Header timeout: 60
Keepalive timeout: 120
Maximum download buffer size: 10M
Maximum upload buffer size: 500K
Buffer wait time:
CONNECT ports:
Always compress mimetype:
Compress outgoing: Yes / No
Compress incoming: Yes / No
Add X-Forwarded-For header: Yes / No
Add Via header: Yes / No
General section
Proxy hostname
The hostname of this proxy, if not defined in startup.conf. The Proxy Hostname defined during SafeSquid installation and stored in startup.conf takes precedence over this value. This needs to be configured properly for CARP (Cache Array Routing Protocol) and Web interface requests through HTTP to work. You have to give here the hostname of the proxy by which you will be accessing the Web interface. If you want to access the proxy by using an IP address, you can put the IP address of the safesquid proxy server. Give a hostname which is defined in DNS, so that you can access it from any machine in your intranet or the internet.
Temporary directory
The directory in which temporary files are stored. The default path is /tmp. If you want to change this, create a directory with 777 permissions, and specify the path here.
Web interface line length
The maximum length of a string with no spaces, until an explicit break is placed in it. This is required since lines without spaces won't wrap in a table, which may cause Web interface table formatting problems. Normally, this parameter does not require any changes.
Connection pool size
The number of keep-alive connections, made to HTTP and FTP servers, to be kept in the connection pool. These connections are shared between threads.
Connection pool timeout
The time in seconds a connection may remain in the connection pool before being closed. This value should be increased if the Internet connection is slow.
Add subsection
You can granularly assign a specific set of values to various content types, by creating a different Profile for each content type in the 'Profiles' section. These profiles can then be used in this section, to allot them different values.
Enabled
This option allows you to enable or disable a specific rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Connection timeout
The timeout in seconds to wait for a connection to be established before giving up. SafeSquid will wait for the specified time duration for the target server to respond. If it exceeds the specified value, SafeSquid closes the connection and sends a template to the requesting user saying that the Connection failed. This value can be increased if the Internet connection is slow.
Header timeout
The timeout in seconds to wait for a client to make the initial HTTP request by sending request headers. SafeSquid tries to get the initial headers during this time. If it fails, SafeSquid sends the 'Connection failed' template to the user. You can increase the time if the network connection is slow.
Keepalive timeout
After an HTTP session is established, data must be exchanged periodically to ensure that the session is still alive. The keepalive timeout defines the time in seconds that the SafeSquid server should wait before closing the session. This is the timeout value for persistent connections. SafeSquid closes keepalive connections if they are idle for this amount of time. The default is 120 seconds and does not need to be changed. SafeSquid, being multi-threaded, allows the use of the same connection for multiple requests. The advantage is that fewer connections need to be opened, for individual users, to the same server.
Maximum download buffer size
The maximum size in bytes of content that is buffered for processing by the Rewrite document, Keyword Filter and external programs like Anti Virus. You can define the value depending on the type of content. If you want to handle large data files, you can increase the value.
Maximum upload buffer size
The maximum size of upload content that is stored in memory for processing. Content larger than the specified value will be sent directly without processing. Having an upload buffer that is too large will cause the browser to time out, since all the data is received by SafeSquid immediately but may take more time to process and transfer to the website.
Buffer wait time
The maximum time a file can be buffered before a message is sent to the client indicating that it is being downloaded and that they should retry.
CONNECT ports
The ports on which outgoing CONNECT requests are allowed to be made. You can disable connections through the proxy to certain ports by not specifying their port numbers here. Each port or port range should be separated by a comma.
Always compress mimetype
A regular expression matching the MIME types which should always be buffered and compressed, even if they wouldn't be buffered otherwise. Specify here the regular expression for the MIME types. This will speed up the proxy process. The regular expression for the MIME type of a binary file (i.e. application/octet-stream) is ^application/octet-stream.
Compress outgoing
Toggle gzip or deflate encoding of outgoing processed content if the client supports it. If the proxy server is running locally, it is recommended to disable this feature.
Compress incoming
This option will make SafeSquid attach an Accept-Encoding header that lets the Web server know that it can accept gzip and deflate content encoding, regardless of whether or not the browser making the request supports it; if the browser doesn't support it, the content will be buffered and decompressed before sending.
Add X-Forwarded-For header
This option will add a header letting an upstream proxy or Web server know the IP address from which the original request came.
Add Via header
This option will add a header letting an upstream proxy or Web server know which proxy server the request passed through.
7.12.2 URL Blacklist
This section allows you to use a URL blacklist obtained from www.urlblacklist.com to restrict access to websites based on content category, like porn, adult, webmail, jobsearch, entertainment, etc. The site www.urlblacklist.com maintains a well categorized list of various web-sites and pages. This is an excellent resource for an administrator seeking to granularly enforce a corporate policy that allows or disallows only certain kinds of web-sites to be accessible by specific users, groups or networks.
The Commercial Edition of SafeSquid® and all Composite Editions, including the Free Composite Edition, allow administrators to use urlblacklist very easily and with the desired level of sophistication. You can use this feature by downloading the trial urlblacklist database from urlblacklist.com.
urlblacklist section
This section allows you to use a URL blacklist to restrict access to Websites based on content category.
Option            Value
Enabled           Yes [x]  No [ ]
Policy            Allow [x]  Deny [ ]
Blacklist path    /opt/safesquid/urlbl/
Default template
[Submit]

Allow
  [Add]

Deny
  [Add]
  Rule 1:
    Enabled     true
    Comment     Globally block access to the URL Blacklist categories 'adult' and 'porn'
    Categories  adult,porn
    [Edit] [Delete] [Clone] [Up] [Down] [Top] [Bottom]
  Rule 2:
    Enabled     true
    Comment     Block access to the URL Blacklist category 'jobsearch' for everyone except the HRD Profile
    Profiles    !HRD
    Categories  jobsearch
    [Edit] [Delete] [Clone] [Up] [Down] [Top] [Bottom]
urlblacklist section
Enabled
This option allows you to enable, or completely disable, the URL Blacklist Section, irrespective of the rules defined in the section.
Value:
Yes - Enable URL Blacklist Section
No - Disable URL Blacklist Section
Policy
Defines the Global Policy for the URL Blacklist Section.
Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
Blacklist path
The path to the urlblacklist database. The default path is /opt/safesquid/urlbl. Untar (unzip) the downloaded urlblacklist database here. Please note that the complete database is loaded into system memory when the SafeSquid service starts. If you plan to use only specific categories, copy only those category directories to this location. This saves memory that would otherwise be used up by unwanted categories.
Default template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates; for details, check Customisable Templates.
Allow / Deny subsection
You can define rules either under the Allow or the Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to the adult, porn and jobsearch categories.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.
Categories
A comma separated list of URL Blacklist Categories, existing in the Blacklist Path, that you want to allow / deny.
Template
Template to display when this specific rule matches. If left blank, the Default Template is used.
7.12.3 Access Control
The 'Access Restrictions' section allows you to control who can access the proxy server, and to what extent. This is where you define who is allowed to access SafeSquid, from where, whether the user should be authenticated, by what method, etc. You also define the profile of a user here, which is then used in other sections to control the user's access.
Access Restrictions (access section)
The access feature is used to control who can access the proxy server, and to what extent.
Option   Value
Policy   Allow [ ]  Deny [x]
[Submit]

Allow
  [Add]
  Rule:
    Enabled             true
    Comment             This default rule allows access to every user of the network, with the IP address and username fields left blank.
    PAM authentication  false
    Access              config,proxy,http,transparent,connect,bypass,urlcommand

Deny
  [Add]

'Add' Sub-Section
Option              Value
Enabled             Yes [x]  No [ ]
Comment
Profiles
IP Address
PAM authentication
User name
Password
Access              Web interface [x]  Proxy requests [x]  HTTP requests [x]  Transparent proxying [x]  CONNECT requests [x]  Allow bypassing [x]  URL commands [x]
Bypass              URL filtering [ ]  Header filtering [ ]  Mime filtering [ ]  URL redirecting [ ]  Cookie filtering [ ]  Document rewriting [ ]  External parsers [ ]  Forwarding [ ]  Keyword filtering [ ]  DNS blacklist [ ]  Limits [ ]  Antivirus [ ]  ICAP [ ]  URL blacklist [ ]
Interface username
Interface password
Added profiles
[Submit]
Access Section
Policy
Default action to take when no matching entry is found. Defines the Global Policy for the Access section.
Value:
Allow - Allow everyone, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everyone, and allow ONLY the rules under the 'Allow' subsection
'Add' subsection
When Policy is 'Deny', you can add rules under Allow that explicitly allow all, or a specific set of, conditions. This effectively lets you build a variety of finely defined Access Control whitelists. When Policy is 'Allow', you can add rules under Deny that explicitly block or deny access for all, or a specific set of, conditions. This effectively lets you build a variety of finely defined Access Control blacklists.
Enabled
This option allows you to enable or disable a specific rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
Profiles cannot be used under the Access Restrictions section. This is a dummy field.
IP Address
A regular expression matching the IP addresses this entry applies to. Leaving this field blank will cause the entry to match all IP addresses. You can enter a single IP (e.g. 192.168.0.25), a comma separated list of IPs (e.g. 192.168.0.25,192.168.0.29) and / or IP ranges (e.g. 192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46). When used in conjunction with username and password, it binds the user to the specified IP(s), i.e. the user is allowed access only from the specified IP(s).
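Added example, not SafeSquid's own code: a parser for the list and range syntax the 'IP Address' field documents above, matching client addresses exactly, next to what happens if the same field text is applied verbatim as an unanchored regular expression. The function names and the anchored-regex helper are this example's own assumptions, not something the manual describes.

```python
"""Added example (not SafeSquid code): parse the 'IP Address' field syntax
(single IPs, comma separated IPs, 'first-last' ranges) and match clients."""
import ipaddress
import re


def parse_ip_list(spec: str) -> list:
    """'192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46' -> list of inclusive
    (first, last) IPv4Address pairs. A blank field yields [] (matches everything)."""
    ranges = []
    for item in (p.strip() for p in spec.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        first = ipaddress.IPv4Address(lo.strip())
        last = ipaddress.IPv4Address(hi.strip()) if hi else first
        if last < first:
            raise ValueError(f"descending range: {item}")
        ranges.append((first, last))
    return ranges


def ip_allowed(spec: str, client_ip: str) -> bool:
    """Exact match against the parsed list; a blank field matches every address,
    as the page states for this field."""
    ranges = parse_ip_list(spec)
    if not ranges:
        return True
    addr = ipaddress.IPv4Address(client_ip)
    return any(first <= addr <= last for first, last in ranges)


def unanchored_regex_matches(spec: str, client_ip: str) -> bool:
    """The same text used verbatim as an unanchored regex: '.' matches any
    character and nothing stops the match at the end of the address, so
    '192.168.0.25' also matches '192.168.0.250' and '192x168.0.25'."""
    return re.search(spec, client_ip) is not None


def anchored_regex_matches(spec: str, client_ip: str) -> bool:
    """Tight form for the single-address entries of a list (ranges need the
    numeric comparison above): escape the dots and anchor both ends."""
    singles = [re.escape(p.strip()) for p in spec.split(",") if p.strip() and "-" not in p]
    return re.fullmatch("|".join(singles), client_ip) is not None


if __name__ == "__main__":
    spec = "192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46"   # the page's example
    for ip in ("192.168.0.25", "192.168.0.40", "192.168.0.47", "192.168.0.250"):
        print(ip, "exact:", ip_allowed(spec, ip),
              "unanchored regex:", unanchored_regex_matches(spec, ip))
```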
PAM authentication
PAM is an acronym for Pluggable Authentication Modules. PAM is an authentication system that controls access to a Linux system. It allows you to authenticate users against external authentication mechanisms like Samba, Active Directory, Radius, POP3, a MySQL database, etc.
If this option is selected, clients will be required to authenticate with the proxy, and PAM will be used to verify the username and password. This option will work only if the proxy is configured and compiled with PAM support. For details about configuring it, check Working with PAM.
User name
With PAM Selected:
If PAM is selected, this field is used to specify a username on the authenticating mechanism. If left blank, it allows any username that exists on the authenticating mechanism. Since this field is a regular expression, you can also specify multiple usernames, separated by pipes, that exist on the authenticating mechanism. This is useful if you would like to allow only specific users to access SafeSquid, or would like to create a group profile. For example, if you would like to allow only the usernames john, ali and sean, you should enter (john|ali|sean) in this field.
Another thing to note is that if you specify any IP(s) in the 'IP Address' field, the user(s) will be allowed access only from the specified IP(s). If the IP Address field is blank, the user(s) will be allowed access from any IP.
Without PAM Selected:
Without PAM, this field can be used to create usernames. To create a username, simply enter the username in this field and the password in the 'Password' field. Entering a username and password will cause an authentication challenge when a user tries to access SafeSquid. The user will then be allowed access only if they supply the entered username and password.
Another thing to note is that if you specify any IP(s) in the 'IP Address' field, this user will be allowed access only from the specified IP(s). If the IP Address field is blank, the user will be allowed access from any IP. Leaving this field blank will allow access without authentication.
Password
With PAM Selected:
If PAM is selected, this field should be left blank, since the password for the specified user(s) is verified by the authentication mechanism.
Without PAM Selected:
Without PAM selected, this is where you specify the password for the user specified in the 'Username' field.
Access
The Access field allows you to select the types of request a user is allowed to make:
Web interface: Allowed access to the SafeSquid Management Interface (http://safesquid.cfg).
Proxy requests: Allowed to make regular proxy requests.
HTTP requests: Allowed to make regular HTTP requests to the proxy (for the Web interface and other redirect requests set in the SafeSquid proxy).
Transparent proxying: Allowed to make transparent proxy requests (must be allowed to make HTTP requests as well).
CONNECT requests: Allowed to make CONNECT requests.
Allow bypassing: Allowed to use the special xx--bypass URL command to bypass filters.
URL commands: Allowed to use the special xx-- URL commands. Check Use URL Commands for details.
Bypass
This section allows you to exempt VIP users from the effects of the listed filter sections. This can also be useful in diagnosing a denial event. The filter sections that can be bypassed are:
· URL Filter
· Header Filter
· Mime Filter
· URL Redirecting
· Cookie Filter
· Document Rewrite
· External Parsers
· Forwarding
· Keyword Filter
· DNS Blacklist
· Limits
· Antivirus
· ICAP
· URL blacklist
Interface username
This field, along with Interface password, can be used to secure access to the SafeSquid Interface (http://safesquid.cfg). Users will have to give the specified Interface username and password to get access to the interface.
It can also be used to give a different username and password to each administrator, when more than one administrator manages the proxy.
Interface password
Password for 'Interface username' field.
Added profiles
This is where you 'create' a profile for users, to identify or classify them and give further access rights.
For example, if you wanted to identify IP addresses 192.168.0.5-192.168.0.15 as the 'accounts' department, you specify the IP range in the 'IP address' field and mention 'Accounts' in the 'Added profiles' field.
With PAM enabled, you can create a group of users by specifying a pipe separated list of usernames existing on the authenticating mechanism, e.g. (john|ali|sean), and specifying the group name, e.g. Accounts, in the Added Profiles field.
Without PAM, you will have to create a separate rule for each user, with username and password, and specify the group each belongs to in the Added Profiles field.
The value of the Added Profiles field is then used in the 'Profiles' and other filter sections to collectively allow or deny access to various content for those users.
Check Profiled Internet Access for details
7.12.4 Profiles
SafeSquid's Profiles feature allows you to accommodate the demands of extremely granular rules for Internet access privileges and restrictions. The 'Profiles' section allows you to very precisely define situations. Each situation thus defined is referred to as a Profile. Each Profile can be defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the filtering sections in SafeSquid. You can thus ensure that filtering happens exactly as required.
Check Profiled Internet Access, which explains the use of Profiles for granular Internet access.
The parameters that are available for defining a profile are explained below.
Profiles 'Add' subsection
Option                   Value
Enabled                  Yes [x]  No [ ]
Comment
Profiles
Protocol
Host
File
Mime type
Port range list
URL Command
Proxy host
Request header pattern
Response header pattern
Month range              active [ ]  January to January
Day range                active [ ]  0 to 0
Weekday range            active [ ]  Sunday to Sunday
Hour range               active [ ]  0 to 0
Minute range             active [ ]  0 to 0
Time match mode          Absolute [x]  All ranges [ ]
Added profiles
Removed profiles
[Submit]
'Add' Subsection
The following parameters can be used to define a profile:
Enabled
This option allows you to enable or disable a specific profile.
Value:
Yes - Enable this profile
No - Disable this profile
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of previously created profile(s) (either in the Access Restriction or in the Profiles section) to which this rule should apply. Applies globally if left blank.
Protocol
A regular expression matching the protocol this entry applies to, e.g. ^ftp$, ^http$, etc. Applies to all protocols if left blank.
Host
A regular expression matching the hosts this entry applies to, e.g. (example.com|mysite.com|yoursite.com). Applies to all hosts if left blank.
File
A regular expression matching the file (the part of a URL that follows the hostname) this entry applies to, e.g. (cgi-bin|\?) will apply to queries in a URL. Applies to everything if left blank.
Mime type
A regular expression matching the MIME-type this entry applies to, e.g. "^image/" will match all image files. Applies to all MIME-types if left blank. MIME-type matching is done after receiving the server header, so it may only be used for certain features; header filtering, cache refresh policy, and cache store selection are done before the server header is received.
Port range list
A comma separated list of ports or port ranges this entry applies to, e.g. the value "80,21-25" means port 80 and the port range from 21 to 25. Applies to all ports if left blank.
URL Command
A comma separated list of URL commands which will activate this entry. Applies to all commands if left blank. Check Use URL Commands for details.
Proxy host
A regular expression matching the proxy hosts this entry applies to. This is useful when sharing a configuration file between several SafeSquid proxy servers or instances in a Multi-Proxy or Multi-Instance scenario. Applies to all hosts if left blank.
Request header pattern
A regular expression matching the request headers this entry applies to, e.g. Mozilla/4.0.* MSIE.* matches a request from Internet Explorer. Applies to all requests if left blank.
Response header pattern
A regular expression matching the response headers this entry applies to. Applies to all responses if left blank.
Month range
The range of months within which this entry is active, e.g. January to March will keep this profile active from January through March. Applies to all months if left blank.
Day range
The range of days within which this entry is active, e.g. 5 to 15 will keep this profile active from the 5th through the 15th. Applies to all days if left blank.
Weekday range
The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this profile active from Monday through Thursday. Applies to all weekdays if left blank.
Hour range
The range of hours within which this entry is active, e.g. 9 to 12 will keep this profile active from 9 hrs through 12 hrs. Applies to all hours if left blank.
Minute range
The range of minutes within which this entry is active. This can be used in conjunction with Hour range, e.g. if the hour range is 9 to 12 and the minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank.
Time match mode
The time match mode option allows you to specify how a time is matched if you specify multiple ranges.
Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, then selecting 'Absolute' Time match mode will match any time starting Monday, 9AM and ending Friday, 5PM.
All ranges - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, then selecting 'All ranges' Time match mode will match any time between 9AM and 5PM, on all weekdays from Monday to Friday.
Added profiles
This is where you specify (or create) the profile that should be applied if the specified situation matches. See the examples below.
Removed profiles
This field can be used to remove a profile from a situation, or to exclude a situation from being given a profile. See the example below.
Example #1
Suppose you wanted to allow access to only a few sites for the 'Accounts' profile (which is created in the Access Restriction Section - see Access Control), while allowing any / all sites for the 'VIP' profile. To match these situations, you will need to add 2 profiles in the Profiles section, like this:
Profile 1
Option           Value
Enabled          true
Comment          This profile specifies the sites allowed to 'Accounts' group
Profiles         Accounts
Host             (firstsite.com|secondsite.net|thirdsite.org)
Time match mode  absolutetime
Added profiles   allowed_sites

Profile 2
Option           Value
Enabled          true
Comment          This profile specifies the sites allowed to 'VIP' group
Profiles         VIP
Time match mode  absolutetime
Added profiles   allowed_sites
Please note that the fields not mentioned above are blank. So, the first rule says that if the request already carries the profile 'Accounts', and the request is for either abc.com, def.com or ghi.com, then give it another profile, 'allowed_sites'.
Similarly, the second rule says that if the request already carries the profile 'VIP', and the request is for any site (the Host field is blank), then give it another profile, 'allowed_sites'.
Next, go to the 'URL filter' section and select Policy 'Allow'. Now, since the policy is Allow, you should add a rule under the Deny subsection, like this:
Option    Value
Enabled   true
Comment   Block everything, except 'allowed_sites' profile
Profiles  !allowed_sites
The above rule says: deny everything EXCEPT (!) requests that carry the 'allowed_sites' profile. Now, all requests from VIP will carry the profile 'allowed_sites', while requests from 'Accounts' will carry 'allowed_sites' ONLY for abc.com, def.com or ghi.com. Effectively, 'VIP' will be able to access any site, while 'Accounts' can access only the specified sites.
Example #2
Now suppose you wanted to allow 'Accounts' to access xyz.com, but only during lunch hours from 13 hrs to 14 hrs. To define this situation, you can add another rule under the Profiles section, like this:
Option           Value
Enabled          true
Comment          Time restricted access
Profiles         Accounts
Host             xyz.com
Hour range       13,14
Time match mode  absolutetime
Added profiles   allowed_sites
The above rule says that if the request already carries the profile 'Accounts', AND the request is for xyz.com, AND the time of day is between 13 hrs and 14 hrs, then give the request the 'allowed_sites' profile.
You can similarly define situations, or create profiles, by using one or more parameters like Protocol, File, Mime type, Port range list, URL Command, Proxy host, Request header pattern and Response header pattern.
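Added example, not SafeSquid's own code: a small simulator that runs requests through the Profiles rules of Example #1 and #2 above and then through the URL filter Deny rule with its '!allowed_sites' negation, so the allow/deny outcome for 'Accounts' and 'VIP' can be checked directly. The rule semantics follow the field descriptions on this page; the data model, function names, the any-of reading of a comma separated 'Profiles' list and the top-to-bottom rule ordering are this example's own assumptions.

```python
"""Added example (not SafeSquid code): profile tagging followed by a URL filter
decision, using the rules shown in Example #1 and #2 on this page."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    host: str
    hour: int                                   # hour of day, 0-23
    profiles: set = field(default_factory=set)  # profiles the request already carries


@dataclass
class ProfileRule:
    comment: str
    profiles: str = ""                  # 'Profiles' field, comma separated; blank = any
    host: str = ""                      # 'Host' field, regular expression; blank = any
    hour_range: Optional[tuple] = None  # 'Hour range' (start, end); None = any hour
    added_profiles: str = ""            # 'Added profiles', comma separated


def _split(csv: str) -> list:
    return [p.strip() for p in csv.split(",") if p.strip()]


def profiles_field_matches(spec: str, carried: set) -> bool:
    """Blank matches every request. Otherwise (assumption) the rule matches when
    the request carries at least one listed profile, and never when it carries a
    profile listed with a leading '!' (the negation used by '!allowed_sites')."""
    wanted, excluded = [], []
    for entry in _split(spec):
        (excluded if entry.startswith("!") else wanted).append(entry.lstrip("!"))
    if any(p in carried for p in excluded):
        return False
    return not wanted or any(p in carried for p in wanted)


def host_matches(pattern: str, host: str) -> bool:
    # The page's Host patterns are unanchored and leave '.' unescaped, so re.search
    # is the faithful choice; note it makes 'firstsite.com' match 'firstsiteXcom' too.
    return pattern == "" or re.search(pattern, host) is not None


def hour_matches(hour_range: Optional[tuple], hour: int) -> bool:
    # Assumption: 'Hour range 13,14' covers hours 13 and 14 inclusive.
    return hour_range is None or hour_range[0] <= hour <= hour_range[1]


def apply_profile_rules(req: Request, rules: list) -> set:
    """Evaluate rules top to bottom; a later rule sees profiles added by an earlier
    one (ordering assumption). Returns the request's final profile set."""
    for rule in rules:
        if (profiles_field_matches(rule.profiles, req.profiles)
                and host_matches(rule.host, req.host)
                and hour_matches(rule.hour_range, req.hour)):
            req.profiles.update(_split(rule.added_profiles))
    return req.profiles


def url_filter_allows(req: Request, policy: str, rule_profiles: list) -> bool:
    """rule_profiles are the 'Profiles' fields of the rules in the subsection the
    policy consults: Deny rules when Policy is Allow, Allow rules when Policy is Deny."""
    hit = any(profiles_field_matches(spec, req.profiles) for spec in rule_profiles)
    return (not hit) if policy == "Allow" else hit


# The rules from Example #1 and #2 (Profile 2 uses the 'VIP' profile named in its comment).
PROFILE_RULES = [
    ProfileRule("sites allowed to 'Accounts'", profiles="Accounts",
                host="(firstsite.com|secondsite.net|thirdsite.org)",
                added_profiles="allowed_sites"),
    ProfileRule("sites allowed to 'VIP'", profiles="VIP", added_profiles="allowed_sites"),
    ProfileRule("Time restricted access", profiles="Accounts", host="xyz.com",
                hour_range=(13, 14), added_profiles="allowed_sites"),
]
URL_FILTER_DENY = ["!allowed_sites"]  # Policy Allow; deny whatever lacks allowed_sites


def decide(host: str, hour: int, *initial_profiles: str) -> str:
    """Run one request through the Profiles rules and then the URL filter."""
    req = Request(host=host, hour=hour, profiles=set(initial_profiles))
    apply_profile_rules(req, PROFILE_RULES)
    return "allow" if url_filter_allows(req, "Allow", URL_FILTER_DENY) else "deny"


if __name__ == "__main__":
    for args in [("firstsite.com", 10, "Accounts"), ("news.example", 10, "Accounts"),
                 ("news.example", 10, "VIP"), ("xyz.com", 13, "Accounts"),
                 ("xyz.com", 16, "Accounts"), ("firstsiteXcom", 10, "Accounts")]:
        print(args, "->", decide(*args))
```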
7.12.5 cProfiles
cProfiles allows you to add or remove Profiles depending upon the potential nature of the content served by the web-site. cProfiles queries SafeSquid's Content Categorization Service (CCS)* to determine if a web-site belongs to one or more categories. The determination is actually a probability score, for example:
· a score of 1 ==> the site definitely does not belong to the queried category,
· a score of 100 ==> the site most definitely belongs to this category.
Based on the determination, you can add or remove Profiles, and thus take the necessary actions via the various filters like URL Filter, Mime-Filter, etc. cProfiles stores the results in a high-speed memory based (volatile) cache, to ensure quick response for often accessed web-sites.
* CCS maintains a categorized database of web-sites. The categorization has been done on the basis of the availability of content of a certain category at the web-site. cProfiles uses the standard DNS protocol to communicate with CCS, so the query results will be stored (non-volatile) in all the en-route caching nameservers. Thus query results should be quickly accessible to you even across restarts.
cProfiles section
Option               Value
Enabled              Yes [x]  No [ ]
Cache Size           1000
Enterprise Identity  0101-1408-1b0b-123f-1711-05@ircmpvef
[Submit]

Entries for processing cProfiles
  [Add]
  Rule:
    Enabled          true
    Comment          Identify websites belonging to porn category
    Categories list  porn
    Score Range      2-100
    Added profiles   category-porn
    [Edit] [Delete] [Clone] [Up] [Down] [Top] [Bottom]

'Add' under 'Entries for processing cProfiles'
Option            Value
Enabled           Yes [x]  No [ ]
Comment
Profiles
Category List     ads content [ ]  adult content [ ]  adult_education content [ ]  arts content [ ]  chat content [ ]  drugs content [ ]  education content [ ]  fileshare content [ ]  finance content [ ]  gambling content [ ]  games content [ ]  government content [ ]  hacking content [ ]  hate content [ ]  highrisk content [ ]  housekeeping content [ ]  instantmessaging content [ ]  jobs content [ ]  leisure content [ ]  mail content [ ]  multimedia content [ ]
Score Range       2-100
Added profiles
Removed profiles
[Submit]
cProfiles section
Enabled
This option allows you to enable, or completely disable, the cProfiles Section, irrespective of the rules defined in the section.
Value:
Yes - Enable cProfiles Section
No - Disable cProfiles Section
Cache Size
Specify the number of query responses that should be cached by cProfiles. cProfiles will create an equivalent high-speed memory based (volatile) cache, to ensure quick response for often accessed web-sites.
Caution #1: Use a realistic number that approximately equals the number of different web-sites visited by users in your enterprise. A number between 1000 and 10000 should generally serve most enterprise networks.
Caution #2: The current cache will be destroyed and a new one re-created whenever this value changes. Therefore, kindly do not make changes here too often.
Enterprise Identity
Specify your Enterprise Identity key here. This key is required to activate cProfiles. The Enterprise Identity key can be obtained by subscribing to the SafeSquid CCS service. The Enterprise Identity is unique and allows CCS to sort the web-sites that were requested by your enterprise. Thus CCS can prioritize the web-sites that must be classified, to serve your enterprise better.
Caution: The Enterprise Identity is a unique key that must never be shared between networks / enterprises, to ensure proper results from CCS.
'Add' under 'Entries for processing cProfiles' section
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.
Category List
Comma separated list of categories that must be checked on the CCS. By default, all available categories are listed when you add a new rule. The following categories are currently available: ads, adult, adult_education, arts, chat, drugs, education, fileshare, finance, gambling, games, government, hacking, hate, highrisk, housekeeping, instantmessaging, jobs, leisure, mail, multimedia, news, porn, proxy, searchengines, shopping, social, sports, systemutils, travel, business. You may either create a separate rule for each category that you want to identify, or include a comma separated list of multiple categories in a single rule.
Score Range
Specify the score range for a positive match. cProfiles will query SafeSquid's Content Categorisation Service (CCS) to determine the probability that the content belongs to the above mentioned categories. The probability is between 1 and 100:
· a score of 1 = the site definitely does not belong to the queried category
· a score of 100 = the site most definitely belongs to this category.
So, if you set the score range to 2-100, then the entries created below for Added Profiles or Removed Profiles will be applied only if the scored value is more than 1.
Added profiles
Comma separated list of profiles that will be added to the connection if the selected categories have a positive match. These profiles can then be used in various filters like URL Filter, Mime-Filter, etc. to take the desired action.
Removed profiles
A comma separated list of profiles to remove when the selected categories have a positive match. If any of these profiles have already been applied to the connection by other Profile rules, they will be removed.
Example:
Suppose you wanted to globally block the 'porn' category, and restrict the 'Accounts' profile from accessing the 'jobsearch' category. Create the following rules in the cProfiles section:
cProfiles Section

Option          Value
Enabled         true
Comment         Identify websites under 'porn' category
Category List   porn
Score Range     2-100
Added profiles  blocked-category

Option          Value
Enabled         true
Comment         Identify websites under 'jobsearch' category
Profiles        Accounts
Category List   jobsearch
Score Range     2-100
Added profiles  blocked-category
Next, go to the URL filter section and add the following rule under the Deny subsection (presuming that Policy is Allow).
URL filter - Deny subsection
Option    Value
Enabled   true
Comment   This rule blocks access to 'blocked-category' profile
Profiles  blocked-category
The first rule applies the 'blocked-category' profile to all requests for which there is a positive match under the 'porn' category. This rule applies to everybody, since the 'Profiles' field is blank.
The second rule applies the 'blocked-category' profile to all requests for which there is a positive match under the 'jobsearch' category. This rule applies only to the 'Accounts' profile.
The rule defined under the URL filter section blocks all requests carrying the blocked-category profile.
7.12.6 Define user limits
The SafeSquid Limits feature allows you to define user limits for accessing content from the Internet. You can create rules to limit the maximum size of individual files that are fetched from the Internet. These rules can also pre-set the speed limits at which the content may be accessed. Rules that limit the nature of content being accessed during specific time periods can also be set.
Limits 'Add' subsection
Option                   Value
Enabled                  Yes [x]  No [ ]
Comment
Profiles
Action                   Allow [x]  Deny [ ]
Template
Month range              active [ ]  January to January
Day range                active [ ]  0 to 0
Weekday range            active [ ]  Sunday to Sunday
Hour range               active [ ]  0 to 0
Minute range             active [ ]  0 to 0
Download transfer limit  0
Upload transfer limit    0
Request limit            0
Download rate            0
Time match mode          Absolute [x]  All ranges [ ]
Flags                    Limit cache transfers [ ]  Per-request limit [ ]  Group limit [ ]
[Submit]
Limits 'Add' subsection
The following parameters can be used to define rules for setting various user limits:
Enabled
This option allows you to enable or disable a specific rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of previously created profile(s) (either in the Access Restriction or in the Profiles section) to which this rule should apply. Applies globally if left blank.
Action
The action to take when this entry matches. If set to Deny, any request falling into the specified time range is blocked; otherwise the request is allowed. Select Allow if you want to set a limit on the amount of data that can be transferred, or on the number of requests that can be made. Further access is then denied once the limit is reached.
Template
The template, or message, that should be displayed on a user's screen when access is denied due to this rule. This template is only sent if the page was blocked due to the time restrictions. The default template is used if this field is left blank. See Customizable Templates for details about templates.
Month range
The range of months within which this entry is active, e.g. January to March will keep this rule active from January through March. Applies to all months if left blank.
Day range
The range of days within which this entry is active, e.g. 5 to 15 will keep this rule active from the 5th through the 15th. Applies to all days if left blank.
Weekday range
The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this rule active from Monday through Thursday. Applies to all weekdays if left blank.
Hour range
The range of hours within which this entry is active, e.g. 9 to 12 will keep this rule active from 9 hrs through 12 hrs. Applies to all hours if left blank.
Minute range
The range of minutes within which this entry is active. This can be used in conjunction with Hour range, e.g. if the hour range is 9 to 12 and the minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank.
Download transfer limit
The amount of download in bytes that would be allowed during the specified time. No limit if left blank.
Upload transfer limit
The amount of upload in bytes that would be allowed during the specified time. No limit if left blank.
Request limit
The number of requests that would be allowed during the specified time. No limit if left blank.
Download rate
The maximum download transfer rate (speed or QoS) that should be allowed. Maximum available if left blank.
Time match mode
The time match mode option allows you to specify how a time is matched, if you specify multiple ranges.
Value: Absolute - If the Weekday range specified is Monday to Friday and Hour range 9 to 17, then selecting 'Absolute' Time Match Mode will match any time starting Monday, 9AM and ending Friday, 5PM.
All ranges - If the Weekday range specified is Monday to Friday and Hour range 9 to 17, then selecting 'All ranges' Time Match Mode will match any time between 9AM and 5PM, on all weekdays from Monday to Friday.
Flags
The following flags are used to define, or fine tune, the rule:
· Limit cache transfers: apply the rule even when the content is being served from the cache
· Per-request limit: confine the transfer limit to each single request. E.g. if you set Download transfer limit to 5MB, each and every matching request will be allowed 5MB
· Group limit: share the transfer limit between all matching connections. E.g. if you set Download transfer limit to 5MB, it will be shared between all the matching connections
7.12.7 FTP proxy
SafeSquid is a very powerful FTP proxy and can very neatly fetch the contents of FTP services, directories and files for you. The FTP section lets you configure how FTP connections are established, and how results are displayed.
FTP Section (ftp section)
FTP connection options.
Option Value
Passive mode: Yes (selected) / No
Timeout:
Anonymous login:
Anonymous password:
Sort order: Ascending (selected) / Descending
Sort field: None / Name (selected) / Size / Date
FTP Section
The following parameters are available for configuration in the FTP Section.
Passive mode
Use passive mode for FTP transfers; this is useful if you are behind a firewall that prevents the FTP server from opening a connection to you.
Options: Yes - Select Passive Mode; No - Do not select Passive Mode
Timeout
Time in seconds to wait for a response for commands sent to the FTP server.
Anonymous login
The login name to use when none is explicitly given in the URL.
Anonymous password
The password to use when none is explicitly given in the URL.
Sort order
The order in which FTP directory listings are sorted.
Options: Ascending - Sort directory listing in ascending order; Descending - Sort directory listing in descending order
Sort field
The field by which FTP directory listings are sorted.
Options: None - Do not sort by any field; Name - Sort by Name field; Size - Sort by size; Date - Sort by date
7.12.8 Templates
Templates are used throughout SafeSquid as a replacement for pages which can't be displayed due to filtering, errors, or other conditions. SafeSquid comes with the following default templates:
Template Condition
blocked Page blocked
nodns DNS lookup failed
badrequest Malformed HTTP header from client
badresponse Malformed HTTP header from server
nofile File not found
nocache Cache file not found when browsing in offline mode
noconnect Connection failed
noaccess Access denied
badprotocol Protocol not implemented
badauth Authorization failed (when forwarding through SOCKS4)
maxbandwidth Bandwidth limit exceeded
maxrequests Request limit exceeded
proxy.pac A script to configure the browser to use the proxy.
nterface.css Web interface stylesheet
These templates can be viewed at http://safesquid.cfg/template/blocked (replace 'blocked' with the template name).
You can replace the default templates with your own customized templates (SafeSquid Advanced Edition and all Composite Editions, including the free Composite Edition 20). Customized templates can be really useful when you want the error messages to be displayed in a language other than English. They can also be used to display your company logo, or a warning or message like 'If you feel this site was unnecessarily blocked, please notify the administrator [email protected]'.
A template need not be an HTML file, but can be almost anything, like an audio file, a Flash file or an executable. It can be used to invoke a file for a specific condition. For example, SafeSquid has 3 built-in templates - tinygif (a 1x1 transparent GIF image), checkeredgif (a 4x4 gray and transparent checkered pattern), and tinyswf (an empty Flash animation). The checkeredgif template is used by default to replace images blocked by the Pornographic Image Filter add-on module, which blocks pornographic images in real time. So, when the page is displayed to a user, a block of checkered boxes is displayed instead of the blocked image.
There are several variables that can be used in templates if the parsable option is selected; they will be replaced with information about the request currently being handled. These variables can be used to generate content in real time. The variables are:
Variable Description
@AVSCANNER@ The name of Antivirus Scanner used
@CATEGORY@ The Category of Blacklist used
@HTTP_METHOD@ Method used to request file
@HTTP_HOST@ The Host to which HTTP request was made to
@HTTP_FILE@ File HTTP request was made for
@HTTP_PORT@ Port HTTP request was made to.
@DOWNLOADLIMIT@ The Limit given to Downloading
@UPLOADLIMIT@ The Limit given to Upload a file
@IP@ IP address of client making request
@INTERFACE@ IP address of the interface the client connected to
@IMAGESCORE@ Score for Individual Images
@IMAGETHRESHOLD@ The cut-off value from which an image is decided to be good or bad (porn)
@PORT@ PORT the client connected to
@SIZE@ Amount of data going to be transferred
@TRANSFERRED@ Amount of data transferred already
@USERNAME@ The username by which the user logs on after authentication
@URL@ The full URL (the same as @HTTP_METHOD@://@HTTP_HOST@:@HTTP_PORT@@HTTP_FILE@)
@VERSION@ The proxy server version
@VIRUSNAME@ The name of the Virus detected
The Template Section in the SafeSquid Interface allows you to configure customized templates.
Customisable Templates
Option Value
Path: /opt/safesquid/safesquid/templates
Template: Add
'Add' Sub Section
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
Name:
File:
Mime type:
Response code:
Type: File (selected) / Executable
Parsable: Yes (selected) / No
Templates section
The following parameters are available for configuration in the Templates Section.
Path
The directory path on the server where the template files are located
Add
Add a custom template
'Add' subsection
The following parameters are available for configuration in the 'Add' subsection.
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.
Name
The name by which this template should be referred to in other sections.
File
The name of the file in the template directory to be used with this template.
Mime type
The MIME-type of the template file. When using an executable, this is sent in the HTTP response header.
Response code
The response code to use when sending the template. Leave blank to use internal default.
Type
Specify the type of template.
Options: File - The content of the file will be sent as the template. Executable - The file is executed, and whatever it writes on STDOUT is sent as the template.
Parsable
If this option is selected, all variables in the template will be substituted.
Example:
In this example we will replace the default template displayed when a site is blocked by the URL Filter section. Let us presume that this file is called filter.html, and its content is as below -
filter.html
<html>
<head><title>site is blocked</title></head>
<body style="color: rgb(255, 255, 255); background-color: rgb(255, 0, 0);" link="#000099" alink="#000099" vlink="#990099">
<div style="text-align: center; font-family: Verdana;"><h1>The site @HTTP_HOST@ is blocked</h1></div>
</body>
</html>
Now, copy this file to the directory /opt/safesquid/safesquid/template/ on the SafeSquid Server. Next, from the SafeSquid Interface (http://safesquid.cfg) go to Config => Template. Click on 'Add' under the template subsection and add the following rule -
Template 'Add' subsection
Option Value
Enabled: Yes (selected) / No
Comment: Template for URL Filter Section
Profiles:
Name: filter
File: filter.html
Mime type: text/html
Response code: 404
Type: File (selected) / Executable
Parsable: Yes (selected) / No
Next, go to Config => URL filter, and change the value of 'Default template' to 'filter'.
url-filtering section
This section filters the URLs based on the host name and file path.
Option Value
Enabled: Yes (selected) / No
Policy: Allow (selected) / Deny
Default template: filter
Now, when you visit a website that is blocked by the URL filter, you will see the new template instead of the default. Remember to save the changed setting by clicking on 'Save setting' from the top menu in the SafeSquid Interface.
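How a parsable template is rendered, as an added Python example that is not part of the manual or of SafeSquid's code: the filter.html above is filled in for a hypothetical blocked request using the variable names from the table. The RequestContext class, the sample request values and the HTML-escaping of request-derived values are this example's own assumptions.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class RequestContext:
    """Hypothetical view of the request being blocked (constructed for this example)."""
    method: str
    host: str
    port: int
    file: str
    client_ip: str
    username: str = ""
    category: str = ""


# Constructed copy of the filter.html template above, extended with a few more of the
# manual's variables so that the substitution of several tokens is visible.
FILTER_HTML = (
    "<html><head><title>site is blocked</title></head>\n"
    "<body><h1>The site @HTTP_HOST@ is blocked</h1>\n"
    "<p>@HTTP_METHOD@ @HTTP_FILE@ from @IP@ (user @USERNAME@, category @CATEGORY@)</p>\n"
    "</body></html>\n"
)

TOKEN = re.compile(r"@([A-Z_]+)@")


def template_variables(ctx: RequestContext) -> dict:
    """Values for the variables from the manual's table that this context carries."""
    return {
        "HTTP_METHOD": ctx.method,
        "HTTP_HOST": ctx.host,
        "HTTP_PORT": str(ctx.port),
        "HTTP_FILE": ctx.file,
        "IP": ctx.client_ip,
        "USERNAME": ctx.username,
        "CATEGORY": ctx.category,
    }


def render_template(content: str, ctx: RequestContext, parsable: bool, mime_type: str) -> str:
    """Return the template body as it would be sent for this request.

    Only a rule with Parsable = Yes has its @VAR@ tokens substituted; a non-parsable
    template is sent unchanged.  Tokens not in the table are left as they are
    (assumption).  @HTTP_HOST@, @HTTP_FILE@ and the other request-derived values are
    copied from the client's own request, so this example HTML-escapes them for
    text/html templates; the manual does not say whether SafeSquid does so itself,
    so treat that as this example's hardening choice rather than documented behaviour.
    """
    if not parsable:
        return content
    values = template_variables(ctx)
    escape = html.escape if mime_type == "text/html" else (lambda s: s)

    def substitute(match):
        name = match.group(1)
        return escape(values[name]) if name in values else match.group(0)

    return TOKEN.sub(substitute, content)


if __name__ == "__main__":
    ctx = RequestContext("GET", "blocked.example", 80, "/index.html", "192.0.2.10",
                         username="alice", category="porn")
    print(render_template(FILTER_HTML, ctx, parsable=True, mime_type="text/html"))
```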
7.12.9 DNS Blacklists
The DNS-bl is a co-operative effort by DNS providers across the internet to deny DNS service to known spam domains. in.dnsbl.org allows making nslookup queries to identify if a particular domain has been listed for fraud, spamming, illegal content, malware, etc.
For example, if we had to find out if somesite.example.com has been listed on dnsbl, we simply have to do an nslookup for somesite.example.com.in.dnsbl.org. If this domain is listed, the response would be one of 127.0.0.2-8, depending on the category under which it is listed.
The categories are:
Response Category
127.0.0.2 UCE
127.0.0.3 Fraud
127.0.0.4 Spam Promo
127.0.0.5 Illegal Content
127.0.0.6 Pre-emptive
127.0.0.7 Improper List Practices
127.0.0.8 Botnet Activity / Malware
Check http://dnsbl.org/ for details.
DNS Blacklist Section
dnsbl section
DNS blacklist services use a DNS server to allow people to lookup domains of known abusive servers.
Option Value
Enabled: Yes (selected) / No
Template:
Domain: in.dnsbl.org
Blocked IP addresses: 127.0.0.1,127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5
dnsbl section
The following parameters are available for configuration in the DNS Blacklist Section.
Enabled
This option allows you to enable or disable the DNS blacklist section.
Value: Yes - Enable DNS blacklist section; No - Disable DNS blacklist section
Template
The template to send when domain is blocked.
Domain
The domain to use for making queries. For example, the domain to use for the service from dnsbl.org is in.dnsbl.org. You can also use any other provider of a similar service.
Blocked IP addresses
A comma separated list of IP addresses (or responses - see table above) from in.dnsbl.org that you would like to block access to. For example, if you would like to block access to domains listed under "Fraud" and "Botnet Activity / Malware", type 127.0.0.3,127.0.0.8 here.
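The lookup described above, as an added Python example that is not SafeSquid's own code: it builds the somesite.example.com.in.dnsbl.org query name, maps each 127.0.0.x answer to the category table and applies the section's 'Blocked IP addresses' list. The resolver is a constructed in-memory stand-in for nslookup, and ignoring answers outside 127.0.0.0/8 is this example's own check.

```python
import ipaddress

# Category table from the manual: response address -> category.
DNSBL_CATEGORIES = {
    "127.0.0.2": "UCE",
    "127.0.0.3": "Fraud",
    "127.0.0.4": "Spam Promo",
    "127.0.0.5": "Illegal Content",
    "127.0.0.6": "Pre-emptive",
    "127.0.0.7": "Improper List Practices",
    "127.0.0.8": "Botnet Activity / Malware",
}

# Only loopback-range answers are genuine DNSBL listings.  Anything else (a public
# address from a resolver that rewrites NXDOMAIN, or from a lapsed zone) is ignored,
# otherwise every host would suddenly count as listed.  This check is the example's own.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed stand-in for nslookup so the example runs offline: query name -> A records.
# A missing name means NXDOMAIN, i.e. the host is not listed.
FAKE_RESOLVER = {
    "somesite.example.com.in.dnsbl.org": ["127.0.0.3"],
    "botnet.example.net.in.dnsbl.org": ["127.0.0.8", "127.0.0.2"],
    "odd.example.org.in.dnsbl.org": ["198.51.100.7"],
}


def dnsbl_query_name(host: str, zone: str = "in.dnsbl.org") -> str:
    """Name to resolve: the requested host with the DNSBL domain appended."""
    return f"{host.rstrip('.').lower()}.{zone}"


def resolve(name: str, resolver=FAKE_RESOLVER) -> list:
    """Return the A records for name (swap in a real DNS lookup outside this example)."""
    return resolver.get(name, [])


def dnsbl_decision(host: str, blocked_ips: str, zone: str = "in.dnsbl.org",
                   resolver=FAKE_RESOLVER):
    """Evaluate the dnsbl section for one host.

    blocked_ips is the section's 'Blocked IP addresses' value.  Returns
    (blocked, categories): blocked is True only when a valid listing response is in
    blocked_ips; categories lists every valid listing found, blocked or not, which is
    what you would log for review.
    """
    wanted = {ip.strip() for ip in blocked_ips.split(",") if ip.strip()}
    answers = resolve(dnsbl_query_name(host, zone), resolver)
    listings = [a for a in answers if ipaddress.ip_address(a) in LISTING_RANGE]
    categories = [DNSBL_CATEGORIES.get(a, f"unknown ({a})") for a in listings]
    return any(a in wanted for a in listings), categories


if __name__ == "__main__":
    for h in ("somesite.example.com", "botnet.example.net", "odd.example.org", "clean.example"):
        print(h, dnsbl_decision(h, "127.0.0.3,127.0.0.8"))
```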
7.12.10 URL Filtering
The URL filter section can be used to block access to URLs based on their host name and / or file path. If the URL is denied, an error page template is sent to the web browser.
The URL filter can not only be used to block access to specific websites, but can also be used to very effectively and granularly block specific objects like banners and advertisements, search engine queries, URLs containing specific words like 'sex' or 'mail', and access to IMs and chats like Yahoo Messenger, Google Talk, Rediff Bol, etc.
url-filtering section
This section filters the URLs based on their host name and file path.
Option Value
Enabled: Yes (selected) / No
Policy: Allow (selected) / Deny
Default template:
Allow: Add
Deny: Add
Option Value
Enabled: true
Comment: SAMPLE rule to block specific websites
File: (rapidshare.de|orkut.com|myspace.com)
Option Value
Enabled: true
Comment: SAMPLE rule to block specific profiles
Mime type: disallowed_query,ad_servers,banners
'Add' under Allow / Deny Subsection
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
Host:
File:
Mime type:
Template:
url-filtering section
Enabled
This option allows you to enable, or completely disable, the URL Filtering Section irrespective of the rules defined in the section
Value: Yes - Enable URL Filtering Section; No - Disable URL Filtering Section
Policy
Defines the Global Policy for the URL Filtering Section
Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection; Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
Default template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.
'Add' under Allow / Deny subsection
You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content.
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Host
A regular expression matching the host to which this rule should apply. You can define multiple hosts separated with a pipe, e.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts.
File
You can further fine tune the rule by specifying a regular expression for the file part contained in a URL, to restrict access to only specific files / folders on the hosts mentioned in the Host field (applies to all if the Host field is left blank). E.g. if you would like to restrict access to ads or banners on mysite.com, specify mysite.com in Host and /ad(|s|v|(|_)banner(|s))/ in the File field. This will block access only to mysite.com/ad/ or mysite.com/ads/ or mysite.com/adv/ or mysite.com/banner/ or mysite.com/banners/
IP ranges
A comma separated list of requesting IPs and / or IP ranges to which this rule applies. E.g. 192.168.0.10-192.168.0.20,192.168.0.25-192.168.0.29,192.168.0.33
Template
This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.
Example:
Suppose you wanted to restrict the 'Accounts' group from accessing some specific web sites. Create the following rule in the Profiles section:
Profiles Section
Option Value
Enabled: true
Comment: This profile is used in URL filter to restrict 'Accounts' group from accessing the specified sites.
Profiles: Accounts
Host: (firstsite.com|secondsite.net|thirdsite.org)
Time match mode: absolutetime
Added profiles: Blocked-Site
Next, go to the URL filter section and add the following rule under the Deny subsection (presuming that Policy is Allow).
URL filter - Deny subsection
Option Value
Enabled: true
Comment: This rule blocks access to 'Blocked-Site' profile
Profiles: Blocked-Site
The first rule defines that when users with the 'Accounts' profile request the sites specified in the Host field, that request is given another profile - Blocked-Site. This rule only defines the situation, and does not do any blocking. The second rule, defined under the URL filter section, blocks all requests with the Blocked-Site profile.
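The two-stage example above (a Profiles rule that adds Blocked-Site, then a URL filter Deny rule that matches it), together with the Host / File regex matching from the field descriptions, as an added Python example that is not SafeSquid's own code. First-match rule ordering, unanchored regex search and the Request / Rule classes are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Request:
    host: str
    file: str              # the file (path) part of the URL
    profiles: Set[str]     # profiles the request already carries, e.g. the user's group


@dataclass
class Rule:
    comment: str
    profiles: Set[str] = field(default_factory=set)          # empty = applies to all
    host: str = ""                                            # regex, blank = any host
    file: str = ""                                            # regex, blank = any file
    template: str = ""                                        # rule-specific template
    added_profiles: Set[str] = field(default_factory=set)     # Profiles section rules only


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule applies when every non-blank field matches (unanchored search, as in Perl)."""
    if rule.profiles and not (rule.profiles & req.profiles):
        return False
    if rule.host and not re.search(rule.host, req.host):
        return False
    if rule.file and not re.search(rule.file, req.file):
        return False
    return True


def apply_profiles(profile_rules: List[Rule], req: Request) -> Request:
    """Profiles section: a matching rule only adds profiles; it never blocks."""
    for rule in profile_rules:
        if rule_matches(rule, req):
            req.profiles |= rule.added_profiles
    return req


def url_filter(policy: str, allow_rules: List[Rule], deny_rules: List[Rule],
               default_template: str, req: Request) -> Tuple[bool, str]:
    """Return (allowed, template).  Policy Allow: deny only what a Deny rule matches;
    Policy Deny: allow only what an Allow rule matches."""
    if policy == "Allow":
        for rule in deny_rules:
            if rule_matches(rule, req):
                return False, rule.template or default_template
        return True, ""
    for rule in allow_rules:
        if rule_matches(rule, req):
            return True, ""
    return False, default_template


# The two rules from the example above, plus the ad/banner File rule from the File field's
# description.  The host patterns are written as in the manual, with unescaped dots and no
# anchors, so "firstsite.com" also matches "firstsite.com.example"; ^(firstsite\.com|...)$
# would be the stricter form.
PROFILE_RULES = [
    Rule("tag Accounts requests to the listed sites", profiles={"Accounts"},
         host=r"(firstsite.com|secondsite.net|thirdsite.org)",
         added_profiles={"Blocked-Site"}),
]
DENY_RULES = [
    Rule("This rule blocks access to 'Blocked-Site' profile", profiles={"Blocked-Site"}),
    Rule("block ads and banners on mysite.com", host=r"mysite.com",
         file=r"/ad(|s|v|(|_)banner(|s))/", template="adblock"),
]


def decide(host: str, file: str, profiles) -> Tuple[bool, str]:
    """Run a request through the Profiles section and then the URL filter (Policy Allow)."""
    req = apply_profiles(PROFILE_RULES, Request(host, file, set(profiles)))
    return url_filter("Allow", [], DENY_RULES, "filter", req)


if __name__ == "__main__":
    print(decide("firstsite.com", "/index.html", {"Accounts"}))   # (False, 'filter')
    print(decide("firstsite.com", "/index.html", {"Sales"}))      # (True, '')
    print(decide("mysite.com", "/ads/top.gif", set()))           # (False, 'adblock')
```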
7.12.11 URL redirect
URL Redirect allows you to redirect client requests to defined targets, which may or may not be what the client requested. This feature is very popular and should be used with some imagination and logic to get the best results.
redirect section
The redirect feature allows you to redirect requests.
Option Value
Enabled: Yes (selected) / No
Redirect: Add
'Add' under Redirect Subsection
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
URL:
Redirect:
Port: 0
302 redirect: Yes / No (selected)
Options: Encode URL [ ] / Decode URL before [ ] / Decode URL after [ ]
Applies to: Location header / URL / Both (selected)
redirect section
Enabled
This option allows you to enable, or completely disable, the URL Redirect Section irrespective of the rules defined in the section
Value: Yes - Enable URL Redirect Section; No - Disable URL Redirect Section
'Add' under Redirect subsection
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
URL
A regular expression matching the URL you wish to redirect. The URL will always be in the form "protocol://host/file" or "/file" for HTTP requests. This may be trailed with a / followed by flag characters like in Perl to modify options used to compile the regular expression, and must be, if a / is used anywhere else in the regular expression.
Redirect
The URL to redirect to. It may contain back references to strings captured using parentheses in the URL pattern. This can be in the form "protocol://host/file" or "/file" if you wish to send a relative URL when redirecting a URL in the Location: header. If this option is left blank, no action will be taken against requests matching the URL.
Port
The port to redirect to. If left blank, the same port to which the original request was made is used.
302 redirect
If yes, a 302 redirect is used; otherwise the new host is connected to directly and the new file is requested. A 302 redirect should always be used when possible to ensure relative links and images are correct.
Options
The following options are available to control how the URL should be handled:
Encode URL - Encode the new URL.
Decode URL before - Decode the URL before attempting to match it with the regular expression.
Decode URL after - Decode the new URL after matching.
Applies to
Select whether the redirection applies to requested URLs, the Location header when a remote site sends a 302 redirect, or both.
Example:
SafeSquid automatically produces the auto-configure-script proxy.pac (Proxy Auto Configuration) file, that clients can use to automatically configure the proxy server. This file can also be used by the WPAD (Web Proxy Automatic Discovery) protocol, which allows automatic discovery of proxy servers. The following redirect rule will redirect any client request for the proxy.pac file to the default SafeSquid proxy.pac file.
Option Value
Enabled: true
Comment: This will send a template when /proxy.pac is requested to configure the browser to use the proxy
URL: ^/proxy.pac$
Redirect: /safesquid.cfg/template/proxy.pac
302 redirect: false
Applies to: url
7.12.12 Mime Filtering
The Mime filtering section allows you to filter content based on its Mime type.
mime-filtering section
The mime feature allows you to filter content based on its MIME-type.
Option Value
Enabled: Yes (selected) / No
Policy: Allow (selected) / Deny
Default template:
Allow: Add
Deny: Add
Option Value
Enabled: true
Comment: A SAMPLE rule that blocks downloads of files by file extension.
File: \.(exe|mp3|avi|wmv|wma|mpeg|zip|tar|gz)$
Option Value
Enabled: true
Comment: A SAMPLE rule that blocks downloads of files by mime type.
Mime type: (^audio/|^video/)
'Add' under Allow / Deny Subsection
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
Host:
File:
Mime type:
Template:
mime-filtering section
Enabled
This option allows you to enable, or completely disable, the Mime filtering Section irrespective of the rules defined in the section
Value: Yes - Enable Mime filtering Section; No - Disable Mime filtering Section
Policy
Defines the Global Policy for the Mime filtering Section
Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection; Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
Default template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.
'Add' under Allow / Deny subsection
You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content.
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Host
A regular expression matching the host to which this rule should apply. You can define multiple hosts separated with a pipe, e.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts.
File
You can further fine tune the rule by specifying a regular expression for the file part contained in a URL. Leave blank to match everything.
Mime Type
A regular expression matching the MIME-types this rule applies to, e.g. ^audio/, ^video/, application/octet-stream, etc. Matches all MIME-types if left blank.
Template
This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.
7.12.13 Header Filtering
Header filtering allows you to control what headers are passed from your browser to websites. In addition to the allow and deny actions, there is an insert action which will add a new header onto the ones sent by your browser. For these entries, the Type and Value options are plain text.
For detailed syntax and semantics of standard HTTP/1.1 header fields, refer to this link
header-filtering section
The header feature allows you to control what headers are passed from your browser to websites. In addition to the allow and deny actions in some other sections, there is an insert action which will add a new header onto the ones sent by your browser; for these entries, the Type and Value options are plain text.
Option Value
Enabled: Yes (selected) / No
Policy: Allow (selected) / Deny
Allow: Add
Deny: Add
Insert: Add
'Add' under Allow / Deny / Insert Subsection
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
Type:
Value:
Applies to: Client header [ ] / Server header [ ]
header-filtering section
Enabled
This option allows you to enable, or completely disable, the Header filtering Section, irrespective of the rules defined in the section
Value: Yes - Enable Header filtering Section; No - Disable Header filtering Section
Policy
Defines the Global Policy for the Header filtering Section
Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection; Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
'Add' under Allow / Deny / Insert subsection
You can add rules under Deny that would explicitly remove header content from all and / or a specific set of server and / or client requests. This effectively allows you to set a variety of intelligently and creatively defined Privacy Blacklist(s). You can add rules under Allow that would explicitly allow header content within all and / or a specific set of server and / or client requests. This effectively allows you to set a variety of intelligently and creatively defined Privacy Whitelist(s). You can also define rules under the 'Insert' subsection, to insert additional information in the headers sent by your browser.
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Type
A regular expression matching the header types this entry applies to; leave blank to match everything (headers are in the form "Type: value").
Value
A regular expression matching the header value this entry applies to; leave blank to match everything.
Applies to
The types of headers that will be affected by this rule. SafeSquid supports header control in both server side and client side headers.
7.12.14 Cookie Control
Cookie Filter allows you to choose the hosts to and from which browsers are allowed to send and receive cookies.
Cookies: Persistent Client-State HTTP Cookies are files containing information about visitors to a web site (e.g. user name and preferences). This information is provided by the user during the first visit to a web server. The server records this information in a text file and stores this file on the visitor's hard drive. When the visitor accesses the same web site again, the server looks for the cookie and configures itself based on the information provided.
cookie-filtering section
The cookies feature allows you to choose which hosts your browser is allowed to send and receive cookies to and from.
Option Value
Enabled: Yes (selected) / No
Policy: Allow (selected) / Deny
Allow: Add
Deny: Add
'Add' under Allow / Deny Subsection
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
Expiry year range: [ ] active, from (empty) to (empty)
Expiry month range: [ ] active, from January to January
Expiry day range: [ ] active, from (empty) to (empty)
Expiry weekday range: [ ] active, from Sunday to Sunday
Expiry hour range: [ ] active, from (empty) to (empty)
Expiry minute range: [ ] active, from (empty) to (empty)
Domain:
Path:
Direction: In / Out / Both (selected)
Time match mode: Absolute (selected) / All ranges
cookie-filtering section
Enabled
This option allows you to enable, or completely disable, the Cookie filtering Section, irrespective of the rules defined in the section
Value: Yes - Enable Cookie filtering Section; No - Disable Cookie filtering Section
Policy
Defines the Global Policy for the Cookie filtering Section
Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection; Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection
'Add' under Allow / Deny subsection
You can add rules under Deny that would explicitly result in blocking or denial of cookie transfer under all or a specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Cookie Transfer Blacklist(s). You can add rules under Allow that would explicitly result in acceptance or allowance of cookie transfer under all or a specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Cookie Transfer Whitelist(s).
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Expiry year range
The cookie expiry year range this entry applies to.
Expiry month range
The cookie expiry month range this entry applies to.
Expiry day range
The cookie expiry day range this entry applies to.
Expiry weekday range
The cookie expiry weekday range this entry applies to.
Expiry hour range
The cookie expiry hour range this entry applies to.
Expiry minute range
The cookie expiry minute range this entry applies to.
Domain
A regular expression matching the cookie's domain attribute this entry applies to.
Path
A regular expression matching the cookie's path attribute this entry applies to.
Direction
The direction of the cookie this entry applies to; can be either in (Set-Cookie sent by the website), out (Cookie sent by the browser), or both.
Time match mode
The time match mode option allows you to specify how a time is matched, if you specify multiple ranges.
Value: Absolute - If the Weekday range specified is Monday to Friday and Hour range 9 to 17, then selecting 'Absolute' Time Match Mode will match any time starting Monday, 9AM and ending Friday, 5PM.
All ranges - If the Weekday range specified is Monday to Friday and Hour range 9 to 17, then selecting 'All ranges' Time Match Mode will match any time between 9AM and 5PM, on all weekdays from Monday to Friday.
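The Absolute versus All ranges distinction, as an added Python example that is not SafeSquid's own code; it serves both the Limits section's Time match mode and this section's, where the same test is applied to a cookie's expiry time instead of the current time. The inclusive end-of-range convention and the handling of ranges that wrap past Sunday or midnight are this example's assumptions.

```python
from datetime import datetime
from typing import Tuple

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]
MINUTES_PER_DAY = 24 * 60


def _key(weekday: int, hour: int, minute: int = 0) -> int:
    """Position of a moment within the week, in minutes since Monday 00:00."""
    return weekday * MINUTES_PER_DAY + hour * 60 + minute


def _between(start: int, end: int, value: int) -> bool:
    """Inclusive range test that also handles ranges wrapping past the end of the week or day."""
    if start <= end:
        return start <= value <= end
    return value >= start or value <= end


def time_matches(when: datetime, weekday_range: Tuple[str, str],
                 hour_range: Tuple[int, int], mode: str) -> bool:
    """Decide whether `when` falls inside the rule's ranges under the given Time match mode.

    Absolute:   one continuous window from the first weekday at the start hour to the
                last weekday at the end hour (Monday 9:00 through Friday 17:00).
    All ranges: every range is checked on its own and all must hold (Monday to Friday,
                and 9:00 through 17:00 on each of those days).
    Boundary convention assumed here: the end hour matches at its first minute only,
    so 17:00 matches and 17:01 does not, in both modes.
    """
    wd_start = WEEKDAYS.index(weekday_range[0])
    wd_end = WEEKDAYS.index(weekday_range[1])
    h_start, h_end = hour_range
    if mode == "Absolute":
        return _between(_key(wd_start, h_start), _key(wd_end, h_end),
                        _key(when.weekday(), when.hour, when.minute))
    if mode == "All ranges":
        return (_between(wd_start, wd_end, when.weekday())
                and _between(h_start * 60, h_end * 60, when.hour * 60 + when.minute))
    raise ValueError(f"unknown time match mode: {mode}")


if __name__ == "__main__":
    office = (("Monday", "Friday"), (9, 17))
    # Wednesday 03:00 is inside the Absolute window but outside the All ranges window.
    print(time_matches(datetime(2008, 1, 9, 3, 0), *office, "Absolute"))    # True
    print(time_matches(datetime(2008, 1, 9, 3, 0), *office, "All ranges"))  # False
    # Cookie control applies the same test to the cookie's expiry time instead of "now".
    expires = datetime(2008, 1, 12, 10, 0)   # a Saturday
    print(time_matches(expires, *office, "All ranges"))                      # False
```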
7.12.15 Word Filtering
Keyword Filtering allows you to block pages which may contain inappropriate content, using a weighted keyword scoring system. When the host, file, mime-type, and keyword in an entry match, its score is added to the total score; when that total score exceeds the threshold, the page is deemed inappropriate and blocked.
This is a very intelligent method of blocking websites belonging to a specific category, like porn, without depending on any databases like URL Blacklist. For details, see Identifying and blocking Pornography web-sites.
Although SafeSquid is bundled with Keyword Filtering rules to block porn websites, you can also download the rule snippet from the Downloads page.
keywords-filtering section
Option Value
Enabled: Yes (selected) / No
Threshold:
Template:
keyword: Add
'Add' under keyword Subsection
Option Value
Enabled: Yes (selected) / No
Comment:
Profiles:
Mime type:
Keyword:
Score:
keywords-filtering section
Enabled
This option allows you to enable, or completely disable, the keyword filter Section, irrespective of the rules defined in the section
Value: Yes - Enable keyword filter Section; No - Disable keyword filter Section
Threshold
The number which the total score must equal or exceed for the page to be blocked.
Template
The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.
'Add' under keyword subsection
Enabled
This option allows you to enable or disable a rule.
Value: Yes - Enable this rule; No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Mime type
A regular expression matching the mime-types this entry applies to, e.g. text, html, javascript. It is highly advisable that you set this to some mime-type, otherwise all files will be checked. If you're unsure, set this to "text/".
Keyword
A regular expression matching words or expressions in the body of the document that are considered inappropriate, e.g. (sex|sexy|porn|pornography).
Score
The score allotted to this entry. When the defined keyword matches, this score is added to the total score. This can be a positive or a negative integer.
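The scoring described above, as an added example written for this manual page (not SafeSquid's own code): each enabled entry whose mime-type and keyword regexes both match adds its score once, negative scores pull the total down, and the page is blocked when the total reaches the section Threshold. Case-insensitive matching and the sample rules and pages are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeywordRule:
    """One entry of the 'keyword' subsection: Mime type, Keyword, Score, Profiles."""
    mime_type: str        # regex tested against the response mime-type, e.g. "text/"
    keyword: str          # regex tested against the document body
    score: int            # added to the running total when both regexes match
    profiles: str = ""    # comma-separated Profiles; blank means the rule applies to everything
    enabled: bool = True


def rule_applies(rule: KeywordRule, request_profiles: List[str]) -> bool:
    """A blank Profiles field applies to every request; otherwise one listed profile must be present."""
    wanted = {p.strip() for p in rule.profiles.split(",") if p.strip()}
    return not wanted or bool(wanted & set(request_profiles))


def keyword_score(body: str, mime_type: str, rules: List[KeywordRule],
                  request_profiles: Optional[List[str]] = None) -> int:
    """Total score for one page: each enabled entry whose mime-type AND keyword
    regexes match contributes its score once (positive or negative).
    Case-insensitive matching is an assumption of this example."""
    total = 0
    for rule in rules:
        if not rule.enabled or not rule_applies(rule, request_profiles or []):
            continue
        if not re.search(rule.mime_type, mime_type, re.IGNORECASE):
            continue
        if re.search(rule.keyword, body, re.IGNORECASE):
            total += rule.score
    return total


def is_blocked(body: str, mime_type: str, rules: List[KeywordRule], threshold: int,
               request_profiles: Optional[List[str]] = None) -> bool:
    """The page is blocked when the total equals or exceeds the section Threshold."""
    return keyword_score(body, mime_type, rules, request_profiles) >= threshold


# Constructed rule set. The first entry mirrors the manual's (sex|sexy|porn|pornography)
# example; the negative entry lowers the score for pages in an educational or medical context.
SAMPLE_RULES = [
    KeywordRule(mime_type="text/", keyword=r"\b(sex|sexy|porn|pornography)\b", score=50),
    KeywordRule(mime_type="text/", keyword=r"\b(health|clinic|education|anatomy)\b", score=-40),
]
THRESHOLD = 50

# Constructed sample bodies, not real pages.
ADULT_PAGE = "<html><body><h1>Free porn and sexy pics</h1></body></html>"
HEALTH_PAGE = "<html><body><h1>Sex education for teens</h1><p>School health clinic</p></body></html>"
```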
7.12.16 Content Re-Write
Content Re-Write (Rewrite document) is a very powerful feature that must be used with extreme care. This feature allows you to use regular expressions to modify the contents of web pages, files, the client header and the server header in real time. It can be used to remove content like ActiveX, JavaScript, etc. from non-trusted websites before serving the page to users.
rewrite section
Option       Value
Enabled      Yes (selected) / No
[Submit]
Rewrite subsection  [Add]

'Add' under Rewrite subsection
Option       Value
Enabled      Yes (selected) / No
Comment
Profiles
MIME type
Pattern
Replace
Applies to   Client header [ ]   Server header [ ]   Body [x]   POST data [ ]
[Submit]
rewrite section
Enabled
This option allows you to enable, or completely disable, the Rewrite document Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Rewrite document Section
No - Disable Rewrite document Section
'Add' under Rewrite subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
MIME type
A regular expression matching the MIME-type this entry applies to. This must be filled with some MIME-type, otherwise the rewrite rule will be applied to every downloaded file, which is almost certainly not what you want. To have it applied to web pages, fill this field with "text/html".
Pattern
A regular expression pattern matching the area of text inside the file to modify. If this field is left blank, and the host, file or mime-type options aren't, this will be the last entry matched for sites matching the host, file and mime-type. The pattern may be trailed with a / followed by flag characters, as in Perl, to modify the options used to compile the regular expression, and must be if a / is used anywhere else in the regular expression.
Replace
The replacement text to use in place of the area of text matching the pattern; it may contain back references to strings captured using parentheses in the pattern. A back reference to a captured string is in the form "$#", where # is a number from 1-9; "$0" will be replaced with the entire area of text matching the regular expression. Escape sequences may be used to represent unprintable characters; they are "\n" (newline), "\r" (carriage return) and "\t" (tab). To use a backslash as part of the replacement text, precede it with another backslash.
Applies to
This option is to select what the rewrite rule applies to; the options are:
Client header - Rewrite the client header; this happens before SafeSquid parses it, so be careful not to remove any headers needed to handle the request properly. The MIME-type option serves no purpose for this.
Server header - Rewrite the header from the remote web server; the same conditions as for the client header apply.
Body - Rewrite the body of the webpage or file.
POST data - Rewrite POST/PUT data sent when submitting a form or uploading a file.
Example:
The following example is for blocking ActiveX code from specific websites.
Create the following rule in the Profiles section:
Profiles Section
Option           Value
Enabled          true
Comment          This profile is used in the Rewrite document section to block ActiveX from specified sites.
Host             (firstsite.com|secondsite.net|thirdsite.org)
Time match mode  absolutetime
Added profiles   Block-ActiveX
Next, go to the Rewrite document section and add the following rule:
Rewrite document section
Option           Value
Enabled          true
Comment          This rule will replace ActiveX code in web pages from the hosts specified in the Block-ActiveX profile, in the Profiles section
Profiles         Block-ActiveX
MIME type        text/html
Pattern          <object[^>]*>(.*)</object>
Replace          <b><font color="blue" > SafeSquid </font> restricting <font color="red" > Active X </font> download</b>
Applies to       body
This will match ActiveX code in web pages from the specified hosts and replace it with the following:
SafeSquid restricting Active X download
You can also do the reverse, by allowing ActiveX only from specific web sites while blocking it from the rest. To do that, create a profile, e.g. 'Trusted-Websites', in the Profiles section and specify the web sites in the 'Host' field. Next, in the Rewrite document section, instead of entering 'Block-ActiveX' in the 'Profiles' field, enter '!Trusted-Websites'. The '!' here means 'NOT'. Effectively, the Rewrite document rule will apply to all web sites EXCEPT the ones specified in the 'Trusted-Websites' profile.
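The Pattern, Replace and Profiles semantics of this section, applied to the manual's ActiveX rule, as an added example written for this page (not SafeSquid's code): the trailing "/flags" split, the "$0".."$9" and "\n", "\r", "\t", "\\" replacement syntax, the blank-means-everything and "!" negation of the Profiles field, and a body rewrite. The flag-letter mapping, the OR across several Profiles entries, the heuristic that a trailing "/" part counts as flags only if it consists solely of flag letters, and the sample page are assumptions of the example.

```python
import re
from typing import Dict, List

# Perl-style flag letters accepted after the trailing '/' of a Pattern. The manual
# only says "like in Perl"; mapping exactly these four is an assumption of this example.
PERL_FLAGS: Dict[str, int] = {"i": re.IGNORECASE, "s": re.DOTALL,
                              "m": re.MULTILINE, "x": re.VERBOSE}


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile a Pattern field. The text after the LAST '/' is taken as the flag
    list only when it consists solely of flag letters, so the manual's own
    '<object[^>]*>(.*)</object>' still compiles as one plain regex."""
    flags = 0
    if "/" in pattern:
        head, tail = pattern.rsplit("/", 1)
        if all(ch in PERL_FLAGS for ch in tail):
            pattern = head
            for ch in tail:
                flags |= PERL_FLAGS[ch]
    return re.compile(pattern, flags)


_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}


def expand_replacement(template: str, m: "re.Match[str]") -> str:
    """Expand the Replace syntax: $1..$9 captured groups, $0 the whole match,
    \\n \\r \\t control characters and \\\\ for a literal backslash."""
    out: List[str] = []
    i = 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "$" and nxt.isdigit():
            n = int(nxt)
            if n <= m.re.groups:          # a reference to a missing group expands to nothing
                out.append(m.group(n) or "")
            i += 2
        elif ch == "\\" and nxt in _ESCAPES:
            out.append(_ESCAPES[nxt])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def profiles_match(rule_profiles: str, request_profiles: List[str]) -> bool:
    """Blank means every request. A leading '!' negates an entry: '!Trusted-Websites'
    applies to every request EXCEPT those carrying that profile. With several
    comma-separated entries, any one matching entry is enough (assumption)."""
    entries = [p.strip() for p in rule_profiles.split(",") if p.strip()]
    if not entries:
        return True
    have = set(request_profiles)
    return any((e[1:] not in have) if e.startswith("!") else (e in have) for e in entries)


def rewrite_body(body: str, mime_type: str, rule: Dict[str, str],
                 request_profiles: List[str]) -> str:
    """Apply one Rewrite rule whose 'Applies to' is Body to a response body."""
    if rule["enabled"] != "true" or not profiles_match(rule["profiles"], request_profiles):
        return body
    if not re.search(rule["mime_type"], mime_type):
        return body
    rx = compile_pattern(rule["pattern"])
    return rx.sub(lambda m: expand_replacement(rule["replace"], m), body)


# The ActiveX rule from the manual, as a dict of its form fields.
BLOCK_ACTIVEX_RULE = {
    "enabled": "true",
    "profiles": "Block-ActiveX",
    "mime_type": "text/html",
    "pattern": r"<object[^>]*>(.*)</object>",
    "replace": '<b><font color="blue" > SafeSquid </font> restricting '
               '<font color="red" > Active X </font> download</b>',
}

# Constructed sample page (the classid value is a placeholder, not a real control).
SAMPLE_PAGE = ('<html><body><p>Welcome</p>'
               '<object classid="clsid:PLACEHOLDER" width="300" height="120">'
               '<param name="movie" value="demo.cab"></object>'
               '<p>Trailing text</p></body></html>')
```

Note that the manual's `(.*)` is greedy: two `<object>` elements on one line are matched and replaced as a single span, including the markup between them.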
7.12.17 Content Caching
Content Caching improves bandwidth efficiency. A page or file, when requested by a user, is served to the user and a copy of it is also maintained locally in the cache. So, when a request is made to fetch the same page or file, it is served from the local copy instead of 'a fresh fetch'. SafeSquid has a very neat, efficient and manageable Content Caching system.
cache section
Option                     Value
Enabled                    Yes (selected) / No
Violate RFC                Yes / No (selected)
Memory cache size          50M
Memory free extra          200M
Minimum file size          0
Maximum file size          1M
Prefetch window            30
ICP port                   0
ICP timeout                1000
Store balance method       Fill size / Fill percent (selected)
journal size               128
Clean Interval             30
[Submit]

Store subsection  [Add]
Option                     Value
Enabled                    false
Comment                    This is the default path of cache directory
Path                       /var/cache/safesquid
Maximum disk size          1G
Disk free extra            250M
MD5 integrity check        false
[Edit] [Delete] [Clone] [Up] [Down] [Top] [Bottom]

Refresh subsection  [Add]
Option                     Value
Enabled                    true
Cachable                   true
Minimum age                1800
Maximum age                2592000
Revalidate age             1259000
Last-Modified time factor  10
[Edit] [Delete] [Clone] [Up] [Down] [Top] [Bottom]

'Add' under Store subsection
Option                     Value
Enabled                    Yes (selected) / No
Comment
Profiles
Path
Maximum disk size          0
Disk free extra            0
MD5 integrity check        Yes / No (selected)
[Submit]

'Add' under Refresh subsection
Option                     Value
Enabled                    Yes (selected) / No
Comment
Profiles
Cachable                   Yes (selected) / No
Minimum age                0
Maximum age                0
Revalidate age             0
Last-Modified time factor  0
[Submit]
cache section
Enabled
This option allows you to enable, or completely disable, the Caching Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Caching Section
No - Disable Caching Section
Violate RFC
This option will cause the proxy server to violate some rules in the HTTP RFC to help improve cache performance. Specifically, when a website requests that the file not be cached with the "No-Cache" directive in the Cache-Control header, the proxy will cache it anyway but always validate it with an If-Modified-Since conditional request.
Memory cache size
The maximum size in bytes of the memory cache.
Memory free extra
The number of additional bytes to free up when the memory is cleaned.
Minimum file size
The minimum file size in bytes of any cached file.
Maximum file size
The maximum file size in bytes of any cached file; if set to 0, no maximum file size is imposed.
Prefetch window
This option can be used to specify the time period after a file is pre-fetched in which it will be exempt from any refresh or expiry rules.
ICP port
The UDP port to listen for ICP packets on. You can change this to suit your configuration.
ICP timeout
The timeout in milliseconds for response ICP packets.
Store balance method
This option controls which storage directory a file goes into when you define multiple storage volumes.
Fill size - will select the storage directory with the least total bytes used.
Fill percent - will select the storage directory with the lowest percentage of space used.
journal size
The maximum size in bytes of the journal
Clean Interval
Interval in seconds after which the content in the Memory Cache is dumped into the disk storage.
'Add' under Store subsection
You can add one or more locations under "Store" that would be used for physically storing the content for caching.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Path
The directory where cached files are stored.
Maximum disk size
The amount of space that should be used to store cached files in this directory.
Disk free extra
When the cache is cleaned, this additional amount will be freed as well. This option can be useful to prevent the cache from getting evicted too often, which can hurt performance.
MD5 integrity check
Performs an MD5 check on cache files when saving them to and loading them from disk. This ensures that corrupted cache files don't get used.
'Add' under Refresh subsection
You can add or modify the rules under "Refresh" that enforce your policies for renewing or refreshing the contents in the cache, to ensure that users are served with content that is 'fresh enough'. This effectively allows you to intelligently and creatively manage the bandwidth usage.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Cachable
Whether or not requests matching this entry are cached.
Minimum age
The minimum age a file must have, according to its Last-Modified header, before it is cached.
Maximum age
The maximum age of any cached file before it must be revalidated. This overrides any given expiry time.
Revalidate age
The maximum age of any cached file that didn't include any headers indicating when it should expire, before it must be revalidated. If set to 0, all cached files whose expiry time is uncertain will be verified. If no "Last-Modified" header is received to calculate the percentage-of-age freshness, the cached file is always revalidated.
Last-Modified time factor
The percentage of the time between the date given in the Last-Modified header and the time of download for which a cached file is considered fresh after downloading.
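How the four Refresh fields combine for one cached object, as an added example written for this page (not SafeSquid's own cache code), using the values of the default Refresh entry shown above (1800 / 2592000 / 1259000 / 10). The order of the checks (Maximum age first, then the origin's own expiry, then Revalidate age and the Last-Modified factor) is one reading of the descriptions above; skipping the minimum-age test when no Last-Modified header exists, the fixed clock and the sample headers are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional


@dataclass
class RefreshRule:
    """One entry of the Refresh subsection; values are seconds except the factor (percent)."""
    cachable: bool = True
    minimum_age: int = 0
    maximum_age: int = 0           # 0 = no hard ceiling
    revalidate_age: int = 0        # 0 = always revalidate objects with uncertain expiry
    last_modified_factor: int = 0  # percent of (fetch time - Last-Modified) kept fresh


# The values shown in the manual's screenshot of the default Refresh entry.
DEFAULT_RULE = RefreshRule(True, 1800, 2592000, 1259000, 10)

NOW = datetime(2008, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the example


def at(days: int = 0, hours: int = 0, minutes: int = 0) -> datetime:
    """NOW shifted by the given offsets (negative values lie in the past)."""
    return NOW + timedelta(days=days, hours=hours, minutes=minutes)


def http_date(dt: datetime) -> str:
    """Format a datetime as an HTTP-date header value."""
    return format_datetime(dt, usegmt=True)


def _http_date(value: Optional[str]) -> Optional[datetime]:
    if not value:
        return None
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def _explicit_expiry(headers: Dict[str, str], fetched_at: datetime) -> Optional[datetime]:
    """Expiry the origin declared: Cache-Control max-age wins over Expires."""
    m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    if m:
        return fetched_at + timedelta(seconds=int(m.group(1)))
    return _http_date(headers.get("Expires"))


def should_cache(rule: RefreshRule, headers: Dict[str, str], now: datetime) -> bool:
    """Cachable, and the object is at least Minimum age old by its Last-Modified header.
    Assumption: without Last-Modified the minimum-age test cannot apply and is skipped."""
    if not rule.cachable:
        return False
    lm = _http_date(headers.get("Last-Modified"))
    return lm is None or (now - lm).total_seconds() >= rule.minimum_age


def freshness(rule: RefreshRule, headers: Dict[str, str],
              fetched_at: datetime, now: datetime) -> str:
    """Return 'fresh' (serve from cache) or 'revalidate' (conditional request first)."""
    age = (now - fetched_at).total_seconds()
    if rule.maximum_age and age >= rule.maximum_age:
        return "revalidate"                 # Maximum age overrides any given expiry time
    expiry = _explicit_expiry(headers, fetched_at)
    if expiry is not None:
        return "fresh" if now < expiry else "revalidate"
    # No expiry information: Revalidate age caps how long the heuristic may be trusted
    if rule.revalidate_age == 0 or age >= rule.revalidate_age:
        return "revalidate"
    lm = _http_date(headers.get("Last-Modified"))
    if lm is None:
        return "revalidate"                 # no Last-Modified: always revalidate
    window = (fetched_at - lm).total_seconds() * rule.last_modified_factor / 100.0
    return "fresh" if age < window else "revalidate"
```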
7.12.18 Request Forwarding
The Forwarding section allows you to selectively forward requests through another proxy, or through SOCKS4 or SOCKS5 firewalls.
SafeSquid also supports CARP & ICP Protocols.
CARP (Cache Array Routing Protocol): The Cache Array Routing Protocol (CARP) is used in load-balancing HTTP requests across multiple proxy cache servers. It works by generating a hash for each URL requested. A different hash is generated for each URL and, by splitting the hash namespace into equal parts (or unequal parts, if uneven load is intended), the overall number of requests can be distributed to multiple servers.
ICP (Internet Cache Protocol): The Internet Cache Protocol (ICP) is a protocol used for coordinating web caches. Its purpose is to find out the most appropriate location to retrieve a requested object from, in the situation where multiple caches are in use at a single site. The goal is to use the caches as efficiently as possible, and to minimize the number of remote requests to the originating server. Hierarchically, a queried cache can either be a parent, a child or a sibling.
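The hash-namespace splitting that the CARP paragraph describes, as an added example written for this page (not SafeSquid's or the CARP specification's code): each peer owns a contiguous part of a 32-bit namespace proportional to its weight, and a URL goes to the peer whose part its hash falls in, so two peers of weight 1 and 2 receive one third and two thirds of the requests. The hash function (the first four bytes of MD5), the peer names and the sample URLs are assumptions of the example.

```python
import hashlib
from typing import Dict, List, Tuple

SPACE = 2 ** 32  # size of the hash namespace being split


def url_hash(url: str) -> int:
    """32-bit hash of the request URL. The manual does not name the function; this
    example uses the first four bytes of MD5 (an assumption), which spreads URLs evenly."""
    return int.from_bytes(hashlib.md5(url.encode("utf-8")).digest()[:4], "big")


def build_ranges(peers: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Split [0, SPACE) into contiguous half-open parts proportional to each peer's weight.
    Equal weights give equal parts; unequal weights direct more of the namespace to one peer."""
    total = sum(peers.values())
    ranges: List[Tuple[str, int, int]] = []
    start = 0
    items = sorted(peers.items())
    for index, (name, weight) in enumerate(items):
        end = SPACE if index == len(items) - 1 else start + (SPACE * weight) // total
        ranges.append((name, start, end))
        start = end
    return ranges


def select_peer(url: str, ranges: List[Tuple[str, int, int]]) -> str:
    """Route a URL to the peer owning the part of the namespace its hash falls in."""
    h = url_hash(url)
    for name, low, high in ranges:
        if low <= h < high:
            return name
    raise ValueError("ranges do not cover the namespace")


def distribution(urls: List[str], ranges: List[Tuple[str, int, int]]) -> Dict[str, int]:
    """Count how many of the given URLs each peer would receive."""
    counts = {name: 0 for name, _, _ in ranges}
    for url in urls:
        counts[select_peer(url, ranges)] += 1
    return counts


# Constructed peer set: cache2 is weighted twice as heavily and gets two thirds of the space.
PEERS = {"cache1.example.local": 1, "cache2.example.local": 2}
SAMPLE_URLS = [f"http://www.example.com/page/{i}.html" for i in range(3000)]
```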
forward section
Option           Value
Enabled          Yes (selected) / No
Enable CARP      Yes / No (selected)
CARP hash size
[Submit]

Forward subsection  [Add]
Option           Value
Enabled          true
Comment          sample rule for forwarding
Proxy            parent_proxy
Port             3128
ICP peer type    none
ICP port         0
Type             HTTP
Applies to       HTTP,FTP,CONNECT
[Edit] [Delete] [Clone] [Up] [Down] [Top] [Bottom]

'Add' under Forward subsection
Option           Value
Enabled          Yes (selected) / No
Comment
Profiles
Proxy
User name
Password
Domain
Port             0
ICP peer type    None (selected) / Parent / Sibling
ICP port
Type             HTTP (selected) / SOCKS4 / SOCKS5 / Connect
Applies to       HTTP requests [ ]   FTP requests [ ]   CONNECT requests [ ]
[Submit]
forward section
Enabled
This option allows you to enable, or completely disable, the Forwarding Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Forwarding Section
No - Disable Forwarding Section
Enable CARP
This option allows you to enable or disable the use of CARP.
Value:
Yes - Enable CARP
No - Disable CARP
CARP hash size
The maximum value of the CARP hash set on the peer proxies. Otherwise, decrease this value for greater redundancy of cached files. If the peer is Squid, set this value to 0.
'Add' under Forward subsection
You can add unique rules to deal with different proxies, profiles and requests in this subsection.
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Proxy
The hostname or IP address of the proxy to forward through. If this is left blank, and the host or file options aren't, no action will be taken for requests matching the host and file. If the Proxy is the same as the server's own hostname, the entry is ignored. This makes it easier to have a configuration file shared between several proxy servers.
User name
The user name to use if the proxy requires authentication.
Password
The password for the User name used
Domain
The NT domain when using the NTLM authentication protocol.
Port
The port number of the proxy to forward through.
ICP peer type
The peering relationship of this proxy.
None - The ICP protocol will not be used with this proxy
Parent - This proxy is a Parent. When no peer has the cached file, it will still be requested from a parent, so that it is cached for other peer proxy servers.
Sibling - This proxy is a Sibling. Files are requested from it only when it has a cached copy.
ICP port
The UDP port ICP packets are sent on to this proxy.
Type
The type of proxy the requests are being forwarded to:
HTTP: This is a HTTP proxy.
SOCKS4: This is a SOCKS4 firewall.
SOCKS5: This is a SOCKS5 firewall.
Connect: The connect method will be used through the HTTP proxy.
Applies to
What type of requests should be forwarded:
HTTP requests: Forward HTTP requests
FTP requests: Forward FTP requests
CONNECT requests: Forward CONNECT requests
7.12.19 Internet Content Adaptation Protocol (ICAP)
ICAP is a protocol designed to off-load specific Internet-based content to dedicated servers, thereby freeing up resources and standardizing the way in which features are implemented. For example, a server that handles only language translation is inherently more efficient than any standard Web server performing many additional tasks.
ICAP concentrates on leveraging edge-based devices (proxies and caches) to help deliver value-added services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP Web servers. These ICAP servers are focused on a specific function, for example ad insertion, virus scanning, content translation, language translation or content filtering. Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput, versus having to handle these extra tasks.
ICAP in its most basic form is a "lightweight" HTTP-based remote procedure call protocol. In other words, ICAP allows its clients to pass HTTP-based (HTML) messages (content) to ICAP servers for adaptation. Adaptation refers to performing the particular value-added service (content manipulation) for the associated client request/response.
How does ICAP work in SafeSquid?
The ICAP feature enables the proxy server to use an ICAP server to perform request modification, request satisfaction or response modification on any request or response. When enabled, what basically happens is this:
For request modification:
- client sends request to proxy server.
- proxy server forwards request to the ICAP server; ICAP server will respond with a possibly modified request header.
- proxy server will use that modified request header to process the request.
This allows the ICAP server to do things like redirection, header filtering, etc.
For request satisfaction:
- client sends request to proxy server.
- proxy server forwards request to ICAP server; ICAP server will respond with a _response_ header and possibly a response body.
- proxy server will pass that response header and body on to the client; the request will not be further processed.
This allows the ICAP server to do things like URL blocking, etc.
For response modification:
- client sends request to proxy server.
- proxy requests file from web server (or uses cached response).
- proxy server forwards response header and body to ICAP server; ICAP server will respond with a possibly modified response header and body.
- proxy server will then send the possibly modified response header and body to the client.
This allows the ICAP server to do things like virus scanning, content modification, blocking inappropriate content, etc.
When an ICAP server is installed with a caching system, every transaction is piped through the ICAP server, allowing the server to modify or redirect Web requests or responses. When an ICAP server is installed in an FTP system, every transaction is piped through the ICAP server, allowing virus and content filtering software to operate on the content.
ICAP section
Option       Value
Enabled      Yes (selected) / No
[Submit]
ICAP subsection  [Add]

'Add' under ICAP subsection
Option       Value
Enabled      Yes (selected) / No
Comment
Profiles
Host
File
Port
Applies to   Requests [ ]   Responses [ ]
[Submit]
ICAP section
Enabled
This option allows you to enable or completely disable the ICAP Section, irrespective of therules defined in the section
Value:Yes - Enable ICAP SectionNo - Disable ICAP Section
'Add' under ICAP subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Host
The Host name or IP address of the ICAP Server.
File
The file to request from the ICAP server.
Port
The port of the ICAP server
Applies to
Which part of the HTTP request this entry applies to:
Requests: The ICAP server will be used to modify or satisfy requests.
Responses: The ICAP server will be used to modify responses.
Examples:
In all the examples below, it is presumed that the IP of the ICAP server is 192.168.0.175 and that it is listening on port 1344. The profile 'virus_scan' is used in all examples, to ensure that only the files that require virus scanning are sent to the ICAP server. This profile is created in the 'Profiles' section. The sample rule is as follows:
Profiles Section
Option           Value
Enabled          true
Comment          The following file types will be scanned for viruses
File             (386|ADE|ADP|ADT|APP|ASP|BAS|BAT|BIN|BTM|CBT|CHM|CLA|CLASS|CMD|COM|CPL|CRT|CSC|CSS|DLL|DOC|DOT|DRV|EML|EMAIL|EXE|FON|HLP|HTA|HTM|HTML|INF|INI|INS|ISP|JS|JSE|LIB|LNK|MDB|MDE|MHT|MHTM|MHTML|MP3|MSO|MSC|MSI|MSP|MST|OBJ|OCX|OV\?|PCD|PGM|PIF|PPT|PRC|REG|RTF|SCR|SCT|SHB|SHS|SMM|SYS|URL|VB|VBE|VBS|VXD|WSC|WSF|ZIP|GZ|RAR|WSH|XL\?)
Time match mode  absolutetime
Added profiles   virus_scan
1. Using Dr. Web's ICAP Server for virus-scan of incoming content
Option      Value
Enabled     true
Comment     Configuration for using Dr. Web ICAP server
Profiles    virus_scan
Host        192.168.0.175
File        /respmod
Port        1344
Applies to  responses

2. Using Kaspersky ICAP Server for virus-scan of incoming and outgoing content
Rule for scanning incoming content
Option      Value
Enabled     true
Comment     Configuration for using Kaspersky ICAP to virus-scan incoming content
Profiles    virus_scan
Host        192.168.0.175
File        /respmod
Port        1344
Applies to  responses

Rule for scanning outgoing content - GET / POST
Option      Value
Enabled     true
Comment     Configuration for using Kaspersky ICAP to virus-scan outgoing content
Profiles    virus_scan
Host        192.168.0.175
File        //av/reqmod
Port        1344
Applies to  requests

3. Using Symantec ICAP Server for virus-scan of incoming and outgoing content
Option      Value
Enabled     true
Comment     Configuration for using Symantec ICAP to virus-scan incoming & outgoing content
Profiles    virus_scan
Host        192.168.0.175
File        /respmod
Port        1344
Applies to  responses
7.12.20 External Parser
External Parsers allow you to use any program or script to parse the contents of a file. The external parser must send a complete HTTP request or response header, which will override the one sent by the browser or Web server. If no body is sent after the header, the original body with the modified headers is used.
external section
Option                Value
Enabled               Yes (selected) / No
[Submit]
External subsection   [Add]

'Add' under External subsection
Option                Value
Enabled               Yes (selected) / No
Comment
Profiles
Executable
Type                  Pipe (selected) / File
Applies to            Requests [ ]   Responses [ ]
Run once per session  Yes (selected) / No
Send header           Request header [ ]   Response header [ ]
[Submit]
external section
Enabled
This option allows you to enable, or completely disable, the External parsers Section, irrespective of the rules defined in the section.
Value:
Yes - Enable External parsers Section
No - Disable External parsers Section
'Add' under External subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Executable
The path to the executable. If no absolute path is specified, the path as given in the PATH environment variable is searched. You have to specify the path in this option, e.g. /opt/safesquid/script/external.sh.
Any number of arguments can be passed by separating them with spaces. If you're using a temporary file as the method to pass the contents of the file, its path will be the last argument. When the program is executed, several environment variables are set to reflect the properties of the file being handled; they are:
VERSION The proxy server version
HTTP_METHOD Method used to request the file
HTTP_HOST Host HTTP request was made to
HTTP_FILE File HTTP request was made for
HTTP_PORT Port HTTP request was made to
IP IP address of client making request
INTERFACE IP address of the interface the client connected to
PORT Port the client connected to
Additionally, for every header received from the remote website and sent by a client, an environment variable is set. All the environment variables for the server's headers start with SERVER_, and the client's start with CLIENT_. All '-' (dashes) in the header type are converted to '_' (underscores), and all characters are in uppercase. If an executable returns with a non-zero status code, the original content is returned.
Type
The method to be used to pass the content to the external program. The options are:
Pipe: Content is piped to the program's STDIN.
File: Content is stored in a temporary file and its path is passed as the last argument.
Applies to
Select whether the external parser is used on request header or response header or both.
Requests - Use on request headers.
Responses - Use on response headers.
When both options are selected, it uses on both, request and response headers.
Run once per session
Run external parser for every request in a session until it returns a non-zero status code.This is useful for performing authentication through an external program.
Send header
Which header(s), if any, to send to the external program before sending the body. The options are:
Request headers: Send request headers
Response headers: Send response headers
The response header option only applies to external programs that process the response. If both headers are selected, the request header is sent first.
Example:
See article Use External Parsers To Authenticate Only Specific Web Sites for a complete example.
7.12.21 Prefetching Embedded Objects
The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML, not just images, to be pre-fetched and cached. Prefetching is a good way to improve retrieval time: it reduces resource retrievals and improves retrieval time. Its target range is wider than that of both mirroring and caching.
prefetch section
Option              Value
Enabled             Yes (selected) / No
Threads
Queue size
Host limit
[Submit]
Prefetch subsection  [Add]

'Add' under Prefetch subsection
Option              Value
Enabled             Yes (selected) / No
Comment
Profiles
Tag name
Tag attribute
Attribute pattern
Maximum file size   0
Recursion level     1
[Submit]
prefetch section
Enabled
This option allows you to enable, or completely disable, the Prefetching Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Prefetching Section
No - Disable Prefetching Section
Threads
The number of threads to run in the background for prefetching files. SafeSquid needs to be restarted for this setting to take effect.
Queue size
The size of the prefetch queue.
Host limit
The maximum number of queued prefetches per host.
'Add' under Prefetch subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Tag name
The HTML tag the attribute is in.
Tag attribute
The HTML tag attribute holding the URL to be prefetched.
Attribute pattern
A regular expression matching the attribute value this entry applies to.
Maximum file size
The maximum size of the prefetched file, set to 0 for unlimited.
Recursion level
If the URL leads to another HTML page, this is the depth to which links will be followed. Setting it to 0 causes links to be followed indefinitely.
Example:
An example for those unfamiliar with HTML: images and embedded objects are inserted into the Webpage using HTML tags. An HTML tag may look something like this:
<IMG SRC="cool.jpg">
The 'IMG' part is the TAG name, the 'SRC' part is an attribute, and the "cool.jpg" part is an attribute value.
SafeSquid can parse HTML code and extract URLs from given tags and attributes.
Example: you wish to prefetch any embedded Shockwave Flash files. After quickly looking at the HTML of a Webpage that has embedded flash animations, you discover it typically uses the following HTML code:
<embed src="/ani.swf" wmode="opaque" name="newsticker" quality="high" scale="exactfit" bgcolor="#293381" width="770" height="25" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"></embed>
So the HTML tag is 'embed', and the tag attribute is 'src'
Wait though... there's a problem! How can SafeSquid know this is an embedded Shockwave Flash animation and not something else? There is the 'type' attribute as well, but SafeSquid can only match one attribute per tag.
What we can do is use the Attribute Pattern option in the entry to narrow this down a bit. Shockwave Flash files have a .swf extension, as seen in the src attribute value "/ani.swf", so we can fill in the attribute pattern option with a regular expression matching only files with a .swf extension, like "\.swf$".
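The Tag name / Tag attribute / Attribute pattern matching worked through on the manual's embed tag, as an added example written for this page (not SafeSquid's HTML parser): it extracts the attribute values of matching tags, filters them with the Attribute pattern regex, resolves them against the page URL and applies the section's Host limit. The page URL, the extra tags around the manual's embed and case-insensitive pattern matching are assumptions of the example.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class PrefetchRule:
    """One entry of the Prefetch subsection."""
    tag_name: str           # HTML tag the attribute is in, e.g. "embed"
    tag_attribute: str      # attribute holding the URL, e.g. "src"
    attribute_pattern: str  # regex the attribute value must match, e.g. r"\.swf$"
    max_file_size: int = 0  # 0 = unlimited (only checkable once the fetch starts)
    recursion_level: int = 1


class _Extractor(HTMLParser):
    """Collects attribute values from tags named by the rules; HTMLParser lower-cases
    tag and attribute names, so 'IMG SRC' and 'img src' are treated alike."""

    def __init__(self, rules: List[PrefetchRule]) -> None:
        super().__init__()
        self.rules = rules
        self.hits: List[Tuple[PrefetchRule, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        values = {name.lower(): (value or "") for name, value in attrs}
        for rule in self.rules:
            if tag != rule.tag_name.lower():
                continue
            value = values.get(rule.tag_attribute.lower())
            if value is not None and re.search(rule.attribute_pattern, value, re.IGNORECASE):
                self.hits.append((rule, value))


def prefetch_candidates(page_url: str, html: str, rules: List[PrefetchRule],
                        host_limit: Optional[int] = None) -> List[str]:
    """URLs the proxy would queue for the given page, in document order, resolved
    against the page URL, de-duplicated and capped at host_limit per host."""
    parser = _Extractor(rules)
    parser.feed(html)
    seen, per_host, result = set(), {}, []   # type: set, Dict[str, int], List[str]
    for _rule, value in parser.hits:
        url = urljoin(page_url, value)
        host = urlsplit(url).netloc
        if url in seen:
            continue
        if host_limit is not None and per_host.get(host, 0) >= host_limit:
            continue
        seen.add(url)
        per_host[host] = per_host.get(host, 0) + 1
        result.append(url)
    return result


# Constructed page URL; the embed tag is the manual's example, the other tags were added here.
PAGE_URL = "http://www.example.com/news/index.html"
SAMPLE_HTML = '''<html><body>
<IMG SRC="cool.jpg">
<embed src="/ani.swf" wmode="opaque" name="newsticker" quality="high" scale="exactfit"
 bgcolor="#293381" width="770" height="25" type="application/x-shockwave-flash"
 pluginspage="http://www.macromedia.com/go/getflashplayer"></embed>
<embed src="/intro.mp3" type="audio/mpeg"></embed>
<img src="http://static.example.net/logo.gif">
</body></html>'''

SWF_RULE = PrefetchRule("embed", "src", r"\.swf$")
IMG_RULE = PrefetchRule("img", "src", r"\.(jpg|gif|png)$")
```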
7.12.22 Pornographic Image Filter
Image filter allows you to block pornographic images from websites and webmails by analyzing the graphical content of an image in real time and blocking all suspicious images, so that a blank box is displayed in place of the blocked image. Although it is only about 80%-90% accurate, it acts as a good deterrent.
This is a commercially distributed add-on plug-in and works with SafeSquid Advanced Edition and all Composite Editions, including the FREE Composite Edition 20. This is a closed binary add-on module.
The Trial version of Pornographic Image Filter can be downloaded from the Downloads page.
The details for installing Pornographic Image Filter have been described in THIS TOPIC.
imgfilter section
Option            Value
Enabled           Yes (selected) / No
Library path      /opt/safesquid/modules/imgfilter/imgfilter
Default template
[Submit]
Image filters subsection  [Add]

'Add' under Image filters subsection
Option            Value
Enabled           Yes (selected) / No
Comment
Profiles
Threshold
Template
[Submit]
Imgfilter section
Enabled
This option allows you to enable, or completely disable, the Image filter Section, irrespective of the rules defined in the section.
Value:
Yes - Enable Image filter Section
No - Disable Image filter Section
Library path
The path where the Image Filter Libraries are stored
Default template
The template to display for blocked images when a template is not defined in a rule under the 'Image filters' subsection. If left blank, the default template is used.
'Add' under Image filters subsection
Enabled
This option allows you to enable or disable a rule.
Value:
Yes - Enable this rule
No - Disable this rule
Comment
A comment for future reference explaining what this rule does.
Profiles
A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.
Threshold
Image filter allocates a score to the images that it analyzes. -10.0 is unlikely to be porn, whereas 0.0 is very likely. You can fine tune the filter by defining the threshold score limit here. You can create multiple rules with different threshold limits for different profiles.
Template
Template to display when an image is blocked. If left blank, the Template defined under the imgfilter section is used.
8 URL commands
SafeSquid has powerful remote management features. The Browser-based GUI lets you configure the way the Internet is used in your network. URL Commands allow you to test the functionalities and verify your configurations - REMOTELY.
URL commands can be used to show information about a webpage and to bypass certain features. For proxy requests, URL commands are prefixed onto the hostname of the website. For example, 'http://xx--bypass.www.somesite.com' would bypass all the filters that might be applying on www.somesite.com. Bypassing is useful to work around sites that are having problems with some types of filtering. You can grant or remove the right to use URL commands to a user in the 'Access Restrictions' section. See Access Control for details.
The other URL commands are:
Command Description
xx--fresh Fetch a fresh copy of the file from the website, instead of using the cache. Sometimes the cache refresh logic gets things wrong.
xx--raw Show the raw file (HTML); on FTP directory lists it'll show the raw listing.
xx--cookies Display cookies sent to and received from the website.
xx--mime Show the matching mime entry for the requested URL.
xx--headers Show headers sent by the browser and received from the website.
xx--score Show the score for the page when doing keyword filtering.
xx--diff Show a diff-like output of the changes made by the rewrite feature to a website; useful for debugging regular expression patterns.
xx--htmltree Debug the HTML parser when prefetching. It'll show a parsed HTML tree. Useful for people wanting to debug their HTML.
xx--process Bypass the maxbuffer setting and buffer/process the file anyway, so if someone wants to scan a large file for viruses they can use this.
xx--offline Browse in offline mode: only cached files can be viewed, and cached files won't be validated if they're stale.
xx--filter Display any matching filter entry for the requested URL.
xx--cache Display information about a cached file.
xx--profiles Display a list of enabled profiles.
xx--https Make an HTTPS SSL request from a non-SSL client; can also be used to process HTTPS content (remove banners, scan viruses). For example, http://xx--https.www.cibc.com would be the same as https://www.cibc.com. These two features are designed to work together:
xx--prefetch Pre-fetch a file in the background without downloading it to the client.
xx--template Display a template instead of the requested file.
xx--proxytest This one is neat when forwarding to another proxy: it makes the proxy connect back to SafeSquid, and SafeSquid will display the headers that would have been passed on to the website. The purpose is to serve someone who wishes to surf anonymously through open proxies; they can see if the website can still identify them.
The xx--bypass command can be used with additional options to selectively bypass (or unbypass) most features.
xx--bypass[OPTIONS]
OPTIONS is a string of letters representing the features.
Here are the available options:
Option Description
f url filtering
h header filtering (both client and server)
m mime filtering
r URL redirection
c cookie filtering
w rewriting
e external parser (both request and response)
p forwarding
k keyword filtering
d dns blacklist
a antivirus scanning
i ICAP
A + or - symbol can be used to change between bypassing and un-bypassing, if the feature was bypassed in the Access Restrictions section entry.
Some examples:
http://xx--bypass[fh].www.slashdot.org <-- bypasses URL and header filtering
http://xx--bypass[e-i].www.safesquid.com <-- bypass external programs and UN-bypass ICAP
http://xx--bypass.www.exn.ca <-- bypass everything
For regular HTTP requests (such as when the proxy is being used to redirect HTTP requests), an extra path element is added to the front of the requested file with the URL command inside; for example, "http://xx--proxyip:port/bypass./somefile". URL commands are not only taken from the request URL, but also from the Referer header sent by your browser; this allows them to work for images and files loaded from a website a URL command was used on. Additionally, URL commands are automatically prefixed to the Location: header sent back when a 302 redirect is received or when a redirect rule that sends a 302 redirect matches. The table above lists all available URL commands and describes what they do.
There are a few other things to note:
· when a URL command is used on a site that sends back a 302 redirect, the URL command is added to the URL in the Location header, so that the URL command still applies when the browser follows the redirect.
· when a request is made that has a URL command in the Referer header but not in the URL (like when someone clicks a link on a page they used a URL command on), the proxy will send a 302 redirect to the same URL but with URL commands. This makes it possible to continuously browse with features bypassed.
· URL commands are also extracted from the Host header, so they work when the proxy server is transparent.
· URL commands are also prefixed to URLs sent by the Redirect feature, except if 'bypass' or 'bypass[r]' is used, since the redirect feature would then be bypassed.
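The parsing rules described in this section (xx-- labels in front of the hostname, bypass option strings with + and -, extraction from URL, Host and Referer, and re-prefixing onto a 302 Location header), as an added Python illustration that is not SafeSquid's own code; the request dictionaries and the per-user permission flag are constructed for the example.

```python
"""Parse SafeSquid-style URL commands (xx-- labels in front of the hostname)
the way the section above describes them. Added illustration, not SafeSquid's
own code: the request dictionaries, helper names and the per-user permission
flag are constructed for the example."""
import re

# Feature letters accepted inside xx--bypass[...] (the option table above).
BYPASS_FEATURES = {
    "f": "url filtering", "h": "header filtering", "m": "mime filtering",
    "r": "URL redirection", "c": "cookie filtering", "w": "rewriting",
    "e": "external parser", "p": "forwarding", "k": "keyword filtering",
    "d": "dns blacklist", "a": "antivirus scanning", "i": "ICAP",
}

# One command label: xx--fresh, xx--bypass, xx--bypass[fh], xx--bypass[e-i]
_CMD_LABEL = re.compile(r"^xx--([a-z]+)(?:\[([a-z+\-]*)\])?$")


def host_of(url_or_host):
    """Hostname of an absolute URL or of a Host header value (port dropped).

    Done by hand: urllib would treat the '[' in xx--bypass[fh] as an IPv6
    literal. IPv6 literal hosts are not handled by this helper."""
    rest = url_or_host.split("://", 1)[1] if "://" in url_or_host else url_or_host
    netloc = rest.split("/", 1)[0]
    return netloc.rsplit(":", 1)[0] if ":" in netloc else netloc


def split_host(host):
    """Strip leading xx-- labels. Returns (commands, origin_host) where
    commands is a list of (name, option_string_or_None) tuples."""
    labels = host.split(".")
    commands = []
    while labels:
        m = _CMD_LABEL.match(labels[0])
        if not m:
            break
        commands.append((m.group(1), m.group(2)))
        labels.pop(0)
    return commands, ".".join(labels)


def parse_bypass(options):
    """Option string -> (bypassed, unbypassed) feature-letter sets.

    No options means every feature is bypassed. '-' switches the following
    letters to un-bypass, '+' switches back to bypass."""
    if not options:
        return set(BYPASS_FEATURES), set()
    bypassed, unbypassed = set(), set()
    sign = "+"
    for ch in options:
        if ch in "+-":
            sign = ch
        elif ch in BYPASS_FEATURES:
            (bypassed if sign == "+" else unbypassed).add(ch)
        else:
            raise ValueError("unknown bypass feature %r" % ch)
    return bypassed, unbypassed


def extract_commands(request):
    """Collect commands from the request URL, the Host header and the Referer
    header (the three sources named above), in that order."""
    found = []
    for source in ("url", "host", "referer"):
        value = request.get(source)
        if value:
            found.extend(split_host(host_of(value))[0])
    return found


def format_command(name, options):
    return "xx--%s%s" % (name, "[%s]" % options if options else "")


def rewrite_location(location, commands):
    """Prefix the commands back onto a 302 Location value so the browser's
    next request still carries them. Relative locations are left alone."""
    scheme, sep, rest = location.partition("://")
    if not sep:
        return location
    prefix = "".join(format_command(n, o) + "." for n, o in commands)
    return scheme + "://" + prefix + rest


def effective_bypass(request, user_may_use_commands):
    """Feature letters bypassed for this request. A user without the URL
    command right (granted in Access Restrictions) gets no bypass at all."""
    if not user_may_use_commands:
        return set()
    active = set()
    for name, options in extract_commands(request):
        if name == "bypass":
            on, off = parse_bypass(options)
            active |= on
            active -= off
    return active
```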
9 Multiple Proxy Configuration
SafeSquid has a unique Multi Proxy, or Master-Slave, configuration. If your enterprise requires multiple proxies across its global networks, you can enjoy the convenience of SafeSquid's unique Master-Slave deployment architecture. You just have to set policies on the Master, and all the slaves will automatically synchronize themselves to your policies on the master. You can even create unique policies for any of the slave proxies. Master-Slave configuration can be used both in a single Gateway scenario, to forward all requests to the Master server, and in a distributed scenario, with independent Internet connections.
Master-Slave in Single Gateway scenario
Master-Slave in distributed network scenario
Config synchronization allows a 'slave' proxy to match its configuration to a 'master' proxy, and to update its configuration automatically when it detects changes made to the master.
Using config synchronization in Safesquid is surprisingly easy.
A Master server can be set up in the normal way you would set up a stand alone server; the only additional step that needs to be taken is to ensure every slave proxy is covered by an access rule which allows it to access the Web interface.
Now, for every slave proxy, while installing SafeSquid, just mention the IP:PORT or FQDN:PORT of the Master server in the "MASTER =" parameter (option 16/28 in version 4.1.1). This automatically configures the server to 'pull' configuration parameters from the Master server. The synchronization interval can be specified in the SYNCTIME parameter. If this parameter is not modified, or if left blank, SafeSquid selects the default SYNCTIME of 60 seconds.
You can also edit the startup.conf file (found in the /opt/safesquid/safesquid/init.d/ directory) of an existing server, and modify the MASTER and SYNCTIME parameters.
There are some additional command line options which you may need to use:
-H - specify the proxy's own hostname, instead of using the one in the configuration file. The reason should be obvious: you don't want every proxy having the same hostname, especially when using CARP.
-I - the interval, in seconds, between synchronization attempts with the master.
-L - specify the interface and port to listen for connections on; this is used in addition to the configuration gathered from the master.
-S - a comma-separated list of section names which are synchronized; when used, other sections won't be synchronized.
-E - a comma-separated list of section names which aren't synchronized; when used, other sections will be synchronized.
When using config synchronization, you may also specify a configuration file in the command line which is loaded before config synchronization is performed. This is useful if you wish to exclude some sections from being synchronized and load them from a file instead.
The 'Proxy host' option in Profile entries can be used to have separate configuration options for specific slaves.
10 Reverse Proxying
A Reverse proxy is a proxy server which sits between a Web server and the rest of the internet, filtering content provided by your Web server for clients. SafeSquid can work in this manner by using transparent proxying and redirecting.
The advantage of using SafeSquid as a reverse proxy is its content filtering features. Just as you can use SafeSquid to control user access to the internet, in reverse proxy mode you can use it to control who can access what on your web server from the outside world, and thus secure your web server.
A few examples -
· Allow only authenticated access to specific content
· Create groups of users and allow different access rights
· Enhance security by accepting requests only from specific browsers, like IE & Firefox
· Virus scan content being uploaded to the web server
· Use as a Load Balancer by redirecting requests to multiple web servers
· Easily redirect requests to another server, when the original server requires maintenance down-time
· Dynamically generate or modify content in real-time
· Easily manage rules with the browser-based GUI
To set up a reverse proxy, simply have SafeSquid listen on the interface and port in place of your Web server. Configure the Web server to listen on a different port, and redirect all requests made to the proxy server to the Web server using a redirect entry.
For a simple example, create the following rule in the 'URL Redirecting' section, to redirect requests to your web server (for a detailed description about URL Redirecting, see URL Redirect):
Option Value
Enabled Yes (selected) / No
Comment
Profiles
URL .*
Redirect http://webserver/$1
Port 80
302 redirect Yes / No (selected)
Options Encode URL; Decode URL before; Decode URL after (check-boxes, all left unchecked)
Applies to Location header (selected) / URL / Both
You will also need to ensure there is an access entry that matches all clients that will be connecting to your Web server, and you should also restrict access to the bare minimum (HTTP requests and Transparent requests).
Reverse proxying can be combined with other features to perform many other tricks, such as creating a gateway between an intranet and the internet by using URL redirection, and rewriting to make URLs valid outside the intranet.
11 Chain Squid with SafeSquid
For various reasons, it may be desirable to use Safesquid in conjunction with Squid.
This can be accomplished in two ways: (1) you may either have SafeSquid forward requests to Squid, or (2) have Squid forward requests to SafeSquid. Although it shouldn't matter, historically it has always worked better to have SafeSquid forward to Squid.
Case 1:
If you wish to forward requests from SafeSquid to Squid, create a new forward entry with the Proxy and Port options filled with the hostname and port of Squid. Remember that SafeSquid won't forward to its own host, so you will need to use your IP instead of localhost if Squid is running locally and you're using the default configuration.
Suppose Squid is listening on 192.168.0.175 Port 3128. Create the following rule under the 'Forwarding' section:
Option Value
Enabled true
Comment This rule forwards request to Squid
Proxy 192.168.0.175
Port 3128
ICP peer type None
ICP port 0
Type HTTP
Applies to HTTP,FTP,CONNECT
Now, if you would also like to use ICP to share cache content with Squid, you could also include the ICP entry in the same rule, like this -
Option Value
Enabled true
Comment This rule forwards request to Squid
Proxy 192.168.0.175
Port 3128
ICP peer type Parent
ICP port 3130
Type HTTP
Applies to HTTP,FTP,CONNECT
Case 2:
To have Squid forward requests to SafeSquid, which is listening on 192.168.0.170 Port 8080, edit the squid.conf file and add the following line to it:
cache_peer 192.168.0.170 parent 8080 0
12 Multi-ISP networks
SafeSquid has an option in 'Network Settings' to add a new interface for outgoing connections. This is useful in networks where you need to split the load between different ISPs. It can also be useful to switch between different ISPs due to a slow net connection or discontinuity. This can be accomplished in the following way:
You wish to -
1. Forward outgoing requests of the user groups 'Accounts' and 'Finance' to the ISP whose connection is on the interface with IP 192.168.0.175
2. Forward outgoing requests of the user groups IT and System to the ISP whose connection is on the interface with IP 192.168.0.180
Then, in 'Network Settings' section, add the following rules under the 'Interface' subsection -
Option Value
Enabled true
Comment This rule forwards request to IP 192.168.0.175
Profile Accounts,Finance
IP 192.168.0.175
Option Value
Enabled true
Comment This rule forwards request to IP 192.168.0.180
Profile IT,System
IP 192.168.0.180
Save settings after creating these rules by clicking on 'Save settings' in the top menu, and also restart the SafeSquid service by giving the command:
/etc/init.d/safesquid restart
Note: Profiles like 'Accounts', 'Finance' etc. are defined in the 'Access Restrictions' section. Check Access Control for a detailed explanation.
13 Using Profiles for granular Access Policies
SafeSquid is generally hosted in large enterprises or environments, to exploit its various filtering capabilities, besides simply providing a reliable mechanism of access to the WWW. In such enterprises, it is very natural that people would be expected to access the web for reasons that are partly similar, and for some reasons that are entirely unique to certain users or groups of users. It is impossible to think of a world that would be governed by the same set of logic that decides what's acceptable and what's not. SafeSquid's Content Filtering and Access Control system derives its reputation from its configuration schema, which provides unlimited possibilities for re-configurable logic. This re-configurable logic allows enterprises to build their Internet Access Policies, unmindful of the way filtering technologies are actually implemented.
SafeSquid's configuration allows you to very precisely define situations. Each situation thus defined is referred to as a Profile. Each Profile can be defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the various filtering sections in SafeSquid. You can thus ensure that filtering action happens exactly as required.
SafeSquid's Profiles feature allows you to accommodate the demands of extremely granular rules for Internet Access privileges and restrictions. Rest assured, you will be able to deal with the most complex situation, as long as you can accurately define a situation, and thus properly Profile a situation.
When you access the SafeSquid Web-GUI, notice the "Added Profiles" text-box in the Access Restriction Section and the Profiles Section. Profiles are created by specifying them (as a comma separated list) as "Added Profiles" in rules, in either of these sections. Both of these sections allow you to apply the profile as a result of matching the various entries (conditional parameters) specified in each rule. The general rule is: if an entry is left blank, then it is translated as "not considered", or "anything", or "immaterial".
In our discussions about setting up user authentication, I showed you how we could use the "Added Profiles" in the Access Restrictions Section to create profiles that denote common and/or unique attributes for people, and how we could then use these as Profiles in the various filtering rules. We can similarly create Profiles in the Profiles Section.
The Access Restrictions Section allows you to apply (add) Profiles based on the user's identity (username/password; I.P. Address). Obviously the applied Profiles would not change unless the same user re-authenticated using a new identity.
A situation may not always be completely defined by who is making the request, or the source of the request. The rules in the Profiles Section help you to apply (add or remove) profiles based on conditional parameters like the source of the content or target, the nature of the content, the time of the day etc. A profile applied by any previous rule can also be used as a conditional parameter! To do so, simply list them in the "Profiles" text-box. Each of the rules in the Profiles Section is matched against a request, and if the conditional parameters set in the rule's various entered parameters (entries) match, the profiles specified in the "Added Profiles" entry are applied. Profiles specified in the "Removed Profiles" text-box entry would be removed, if any previously applied rule had set them.
Understanding the creation and application of "Profiles" is the most essential part of SafeSquid's overall filtering configuration. Understanding how the Profiles work internally could be quite useful. Each request is matched against the various rules in the Access Restrictions and Profiles Sections. If all the specified conditional parameters (entries) of a rule match the request, then the list of profiles specified in the Added Profiles text-box is included in the Profiles List (array) for that request. Similarly, if a rule in the Profiles Section has a list of profiles specified in the Removed Profiles text-box, then these profiles are deleted from the array. SafeSquid thus builds an internal Profiles Array for each connection. SafeSquid ensures that a profile name is uniquely listed in the array. Each of the filters uniquely processes a connection, based on the conditional parameters specified as entries in the various rules in the filters. Almost all Filters have Profiles as a conditional parameter. Thus by appropriately creating a profile and then specifying it as a conditional parameter in any rule of any Filtering Section, you can either subject the connection to, or immunize it from, a Filtering Rule.
In the rest of the discussion, unless I specifically mention the Profiles Section, you may presume that I am referring to Profiles as an entity created by making an appropriate entry in the "Added Profiles" text-box, or deleted by specifying it in the "Removed Profiles" text-box. You may therefore very safely think of Profiles as "quite like tickets, labels or tokens" that can be given or taken away, and of filters as inspectors that process requests depending upon the profiles applied to, or carried by, that connection.
I very strongly suggest that you review the list of conditional parameters available to create a profile and thus define a situation. To do so, access SafeSquid's WebGUI, click the "Config" link on the top menu, and select the "Profiles" option in the drop-down menu. SafeSquid is generally shipped with a set of sample rules in the Profiles Section; click on the edit menu to view the list of entries that have been specified or left blank. Pass your mouse lazily over the names beside each of the configuration text-boxes, check-boxes etc. A tool-tip should now present you with contextual information about that entry, which may be used as a conditional parameter.
Did you notice that the list of conditional parameters is pretty huge (monstrous?). But don't let that overwhelm you, because you can simply leave options blank if they do not seem to be a conditional parameter that distinguishes the situation you desire to Profile. I will try to help you understand with a few practical examples, and to keep things lucid, I will omit the entries in any rule that are supposed to be left blank. I will also try to focus on the logic, but avoid discussing the reasons why one would want to create such rules.
I guess an example would help here.
Example #1
In an enterprise:
Joseph, Ali, Radha and Sam are employed in the Marketing department.
John, Shyam, Bill and Sagar are employed in the Finance department.
The corporate policy stated that:
The Marketing people may access web-sites using any Internet Client or browser of their choice.
The Finance people were restricted to use only FireFox.
So, let's see how we would enter the rules into the various sections, to derive the necessary configuration:
Rules in Access Restriction Section:
Option Value
Enabled true
Comment This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM true
User name (Joseph|Ali|Radha|Sam)
Added profiles Marketing
Option Value
Enabled true
Comment This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Finance"
PAM true
User name (John|Shyam|Bill|Sagar)
Added profiles Finance
Rules in Profiles Section:
Option Value
Enabled true
Comment This rule creates and applies the Profile "Unacceptable_Client" to everybody
Added profiles Unacceptable_Client
Option Value
Enabled true
Comment This rule removes the Profile Unacceptable_Client for "Finance" users, but only when they use FireFox
Profiles Finance
Request header pattern .*FireFox.*
Removed profiles Unacceptable_Client
Option Value
Enabled true
Comment This rule removes the Profile "Unacceptable_Client" for "Marketing" users.
Profiles Marketing
Removed profiles Unacceptable_Client
Rules in URL Filter Section: (The Global Policy Set to Allow, and the following rule created in the Deny Sub-section)
Option Value
Enabled true
Comment This rule Blocks / denies Internet access to all "Unacceptable_Client"
Profiles Unacceptable_Client
In the above set of rules, I actually made use of the Comment fields to explain the logic of creating the rules. The profiles by themselves do not dictate any denial of access; the denial of access or blocking is an activity executed by the various filters. We had to eventually instruct the URL Filter to deny access to "unacceptable internet clients". In the above example, the policy was about the nature of Internet Clients being used by people. So we logically profiled what constitutes or precisely defines the "Unacceptable_Client", and then we created a single rule in the URL Filter to deny access to all "Unacceptable_Client". I hope that you noticed that we identified the use of FireFox by using the entry for Request Header Pattern as a conditional parameter, and removed the profile "Unacceptable_Client" when it matched the PCRE (Perl Compatible Regular Expression) ".*FireFox.*". The creation of PCRE is a little off-topic, and we will discuss it within another topic.
Did you notice that in the above configuration, the third and last rule in the Profiles Section explicitly removes the profile "Unacceptable_Client" for the "Marketing" users? So what would happen in case we added more rules in the Access Restriction Section, to profile users from other functional business groups? And what if the policies needed an alteration in future, to ensure that the Internet Clients used by even the "Marketing" users need some regulation? I suppose you also appreciate the fact that verification of this conditional parameter is possible only because the browser (FireFox) used as the Internet Client includes User-Agent parameters in its request headers. There are a host of applications available that allow you to spoof this. For example, I could modify the "User-Agent" string of Internet Explorer to include the word FireFox! From the security perspective, it now seems so obvious that we have left gaping holes! But I am pretty sure that you should be able to modify the above rule-set to plug any such holes. Remember, rules can always be written or modified to precisely deliver the results demanded by the policies. Much of the frustration faced by firewall rule makers, like you & I, would be because of situations left uncovered, or ambiguities contained in the policies. The best way to deal with things therefore is to note down the policies on a piece of paper, and logically dissect them with an open mind (stimulated by a cup of coffee!). The other primary reason for frustration would be inadequate information about the overall benefits desired by any policy.
The Profiles can be built to very precisely define situations, by subjecting them to a variety of conditional parameters. And then, by applying the profile in one or more rules in an appropriate filter, we can always define the restrictions or relaxations. Selecting the filter requires a little creativity and understanding of web-technologies.
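The Profiles array logic described above, run over the Example #1 rules, as an added Python simulation that is not SafeSquid's code; the field names follow the tables, the evaluation order (Access Restrictions first match, then every matching Profiles Section rule, then the URL Filter) follows the text, and the requests are constructed.

```python
"""Simulate how SafeSquid builds a request's Profiles array and how a filter
then acts on it, using the Example #1 rules above. Added illustration, not
SafeSquid's code: rule field names follow the tables, the request
dictionaries are constructed."""
import re


def rule_matches(rule, request, profiles):
    """A rule matches when every entry it sets agrees with the request.
    Blank entries are 'immaterial'; text entries are PCRE-style patterns
    (search semantics, as PCRE uses by default)."""
    for field, value in rule.items():
        if field in ("comment", "added", "removed") or not value:
            continue
        if field == "profiles":
            # Profiles applied by earlier rules, used as a condition here.
            if not set(value.split(",")).issubset(profiles):
                return False
        elif not re.search(value, request.get(field, "")):
            return False
    return True


def _add(profiles, spec):
    for p in spec.split(","):
        if p and p not in profiles:        # a name is listed only once
            profiles.append(p)


def build_profiles(access_rules, profile_rules, request):
    """Ordered Profiles array for a request, or None when no Access
    Restriction entry matches (global policy Deny)."""
    profiles = []
    for rule in access_rules:              # top-down, first match applies
        if rule_matches(rule, request, profiles):
            _add(profiles, rule.get("added", ""))
            break
    else:
        return None
    for rule in profile_rules:             # every matching rule applies, in order
        if rule_matches(rule, request, profiles):
            _add(profiles, rule.get("added", ""))
            for p in rule.get("removed", "").split(","):
                if p in profiles:
                    profiles.remove(p)
    return profiles


# Example #1, transcribed from the tables above. The user-name patterns are
# anchored here: the bare alternation in the table, under search semantics,
# would also match a user called "Johnny".
ACCESS_RULES = [
    {"comment": "Marketing", "user_name": "^(Joseph|Ali|Radha|Sam)$", "added": "Marketing"},
    {"comment": "Finance", "user_name": "^(John|Shyam|Bill|Sagar)$", "added": "Finance"},
]
PROFILE_RULES = [
    {"comment": "everybody starts as Unacceptable_Client", "added": "Unacceptable_Client"},
    # The manual's pattern is case-sensitive: a real "Firefox/3.0" string
    # would not match it, only one spelled "FireFox".
    {"comment": "Finance on FireFox is acceptable", "profiles": "Finance",
     "request_header": ".*FireFox.*", "removed": "Unacceptable_Client"},
    {"comment": "Marketing may use any client", "profiles": "Marketing",
     "removed": "Unacceptable_Client"},
]
# URL Filter: global policy Allow, one rule in the Deny sub-section.
URL_DENY_RULES = [{"comment": "deny all Unacceptable_Client", "profiles": "Unacceptable_Client"}]


def url_filter_allows(profiles):
    return not any(set(r["profiles"].split(",")).issubset(profiles) for r in URL_DENY_RULES)


def decide(user, user_agent):
    """Outcome for a user whose browser sends the given User-Agent value."""
    request = {"user_name": user, "request_header": "User-Agent: " + user_agent}
    profiles = build_profiles(ACCESS_RULES, PROFILE_RULES, request)
    if profiles is None:
        return "denied: no Access Restriction entry"
    if not url_filter_allows(profiles):
        return "denied: Unacceptable_Client"
    return "allowed"
```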
Example #2
One of the most popular situations that people request rules for is blocking access to personal email services like yahoo, hotmail, gmail etc. However, the request is always suffixed with a few clauses: that people should be able to access the basic search engine services offered by these web-sites; that queries based on certain kinds of words should be prevented; that some of these queries should be universally prevented, while some queries should be permitted to only certain people; etc., etc.
We can use PCRE to denote all hosts belonging to a group of web-sites, including their various sub-domains or genuinely child web-sites. Carefully look at the use of site1 and site2 in this expression:
(.*\.|^)(site1|site2)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
This expression matches all of the following sites:
site1.com, site1.co.uk, site1.info, www.site1.com, child.site1.com, site2.com, site2.co.uk, site2.info, www.site2.com, child.site2.com
In fact it covers all possible combinations, to cover a layman's reference to "site1" or "site2". Moreover, you could expand the list of sites covered by simply modifying the above expression. So, the following PCRE covers all web-sites of yahoo, hotmail and gmail:
(.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
(For the moment, do not stress too much to understand the use of characters like ".", "$" and "^" in the expression.)
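The host expression above, and the yahoo/hotmail/gmail variant, exercised against the hosts the manual lists and against look-alike hosts that must stay outside it, as an added Python example that is not from the manual; the negative samples and the gap cases are constructed.

```python
"""Exercise the manual's host expression against the hosts it lists and
against constructed look-alikes. Added example, not from the manual.
Matching uses search semantics, as PCRE does by default."""
import re

_SHAPE = r"(.*\.|^)(%s)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$"


def site_pattern(*names):
    """Build the manual's expression for any list of site names."""
    return re.compile(_SHAPE % "|".join(re.escape(n) for n in names))


def is_covered(pattern, host):
    return pattern.search(host.lower()) is not None


def coverage_report(pattern, hosts):
    """Map each host to True/False so gaps in a pattern are easy to see."""
    return {h: is_covered(pattern, h) for h in hosts}


SITE12 = site_pattern("site1", "site2")
PERSONAL_EMAILS = site_pattern("yahoo", "hotmail", "gmail")

# Hosts the manual says are matched.
LISTED = ["site1.com", "site1.co.uk", "site1.info", "www.site1.com", "child.site1.com",
          "site2.com", "site2.co.uk", "site2.info", "www.site2.com", "child.site2.com"]
# Constructed look-alikes: the trailing $ anchor and the label shape keep these out.
LOOKALIKES = ["notsite1.com", "site1.evil.com", "site1.com.attacker.net", "site1x.com"]
# Constructed hosts the expression does NOT cover, which a rule writer should
# know about: a bare two-letter TLD, and Gmail's actual mail host under google.com.
GAPS = ["site1.de", "mail.google.com"]
```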
I could now create a profile called Personal_Emails like this:
Rules in Profiles Section:
Option Value
Enabled true
Comment This rule applies the "Personal_Emails" profile to all web-sites of yahoo, hotmail and gmail
Host (.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
Added profiles Personal_Emails
Rules in Cookie Filter Section: (The Global Policy Set to Allow, and the following rule created in the Deny Sub-section)
Option Value
Enabled true
Comment This rule blocks cookie exchanges with "Personal_Emails"
Profiles Personal_Emails
Direction Both
This time I chose the Cookie Filter, because I know that you cannot log into http web-sites if your cookies are disabled! And who would want to visit personal email sites, but not log in!! But then, since the web-site is not entirely blocked, the users can very conveniently use the other services that do not require any identification or authentication, like logins.
From a security perspective, I would use making rules (like we just made above) to create a privacy blanket for my users. For example, I could create a profile for all web-sites belonging to doubleclick and block all cookies travelling between my users and these sites.
But then I suppose you are now quite conversant with Profiles, and should be able to translate any of your corporate policies. The only problem (probably) would be PCRE.
14 Using Authentication for Security and Creating User Profiles
Authentication is the key to web-security. Typically you might consider authentication as the very first layer of your security. Authenticating the internet access prevents spy-ware, malware and adware from exploiting your Internet Gateway.
It also ensures that the "names" of the users show up in the logs, instead of just IP-addresses, which can be so conveniently spoofed. And that can make reviewing the log reports so much more convenient!
But most importantly, SafeSquid's Authentication mechanism sets the Access Restrictions, and creates the access profiles of the various users. Groups of users whose Internet Access can be broadly considered identical can be given a common profile.
You can start to configure SafeSquid's authentication system by making appropriate configurations in the Access Restriction Section.
The Access Restriction Section has three subsections:
* The Global Allow / Deny Policy setting;
* Allow Sub-Section set of entries;
* Deny Sub-Section set of entries.
As you would expect in a typical FireWall:
* Setting global policy to Allow means you would consider all request sources to be acceptable, while you would specifically define the unacceptable sources in the "Deny" Sub-Section.
* Setting global policy to Deny means you would consider all request sources to be unacceptable, while you would specifically define the acceptable sources in the "Allow" Sub-Section.
The rules are followed in a top-down hierarchy, and the first rule that matches a request's parameters gets applied.
As a thumb-rule, start by setting the Global Policy to Deny. Don't worry, you can still (and very easily) allow all or specific sources of requests to be acceptable.
Now consider adding a rule. Since we have set the global policy to Deny, very obviously the rules created in the "Allow" Sub-Section will be relevant and applicable. Clicking on the Add link in the Allow Sub-Section will present you with a Dialog, where you can now define the parameters that would identify a request that should be allowed. The important things to notice here are:
* When you lazily move the mouse over the various things printed on the dialog box, little Tool-Tips appear that tell you about the significance of each option and settable element.
* Text boxes for I.P. Addresses, User name, Password, Added Profiles. (There's also a text-box named "Profile", but just ignore it.)
* Radio-Button to enable / disable PAM
* And a whole lot of check-boxes. Just move the mouse over the names that identify each of these check-boxes, and a relevant "ToolTip" will appear to tell you more about that check-box. For the sake of lucidity and flow of the present discussion, let's just ignore these check-boxes.
The Text boxes that we mentioned above are very important in our discussion here, besides the radio-buttons for PAM. The parameters that identify a request are constituted by what you set in the Text boxes for I.P. Addresses, User name and Password.
The logic is simple - leaving any option blank is equivalent to making it "irrelevant".
Let me help you with some examples here:
Set the radio-button for PAM to "NO", leave I.P. Address blank, set User name to "test" and password to "zebra".
This instructs SafeSquid to send an authentication challenge to every user irrespective of the source I.P. address. And ONLY if this challenge is responded to with username "test" and password "zebra" is the request considered "allowed" or "acceptable".
Now, if you wished to further narrow the scope of this acceptability by narrowing it down to an I.P. address, repeat the steps in the above example, but this time, instead of leaving the I.P. address blank, set it to an I.P. address.
I guess now, if you wished to distinguish an "acceptable" request as a combination of I.P. address 192.168.0.1, username "test" and password "zebra", you shouldn't have a problem, right?
Broadening the scope to a range of I.P. addresses is also easily done. Suppose you wished to allow requests coming from an array of I.P. Addresses like 192.168.0.1, 192.168.0.3, and all between 192.168.0.110 and 192.168.0.160; fill in the I.P. Address text-box as: 192.168.0.1,192.168.0.3,192.168.0.110-192.168.0.160. Simple, isn't it?
Ok, so now you are ready to understand the relevance of the fourth text-box, "Added Profiles" (continue to ignore the other text box called "Profiles"). Notice that "Added Profiles" is at the very last in the dialog. You can enter a comma separated list of tags in the "Added Profiles" text box. These tags can be just about any logical words that commonly identify one or more rules. These could be user groups or work-functions of people. Let me try to help you understand this with an example.
Ramesh, Joseph and John belong to Accounts department, and are supposed to make internetaccess only from their respective workstations, that have I.P. address 192.168.0.1, 192.168.0.2,& 192.168.0.3. We would like to create common filtering and other rules that can be set in thevarious other sections of SafeSquid.
So we will now create three rules as follows:
Option          Value
Enabled         true
Comment         This rule creates the Access Profile of Ramesh
IP Address      192.168.0.1
User name       Ramesh
Password        apple
Added profiles  Accounts

Option          Value
Enabled         true
Comment         This rule creates the Access Profile of Joseph
IP Address      192.168.0.2
User name       Joseph
Password        mango
Added profiles  Accounts

Option          Value
Enabled         true
Comment         This rule creates the Access Profile of John
IP Address      192.168.0.3
User name       John
Password        banana
Added profiles  Accounts
Notice that in the above example we kept "Added Profiles: Accounts" as the common factor. This instructs SafeSquid to "profile" all internet requests made by Ramesh, Joseph and John as "Accounts". Now, in any other section of SafeSquid, if you wished a filter-rule to affect John, Ramesh or Joseph, simply enter "Accounts" in the text-box named Profiles in that section (not in Access Restriction).
In this discussion I have consciously held back on discussing the effects of setting PAM to YES. Setting PAM to YES makes SafeSquid talk to the PAM sub-system to validate the user's identity. To put things simply:
you would set PAM to YES if you do not wish to maintain huge lists of passwords within the SafeSquid configuration system.
That is generally the way to live when you have a large number of individuals in an enterprise that must be served by SafeSquid. But then, of course, you must first set up the PAM configuration for SafeSquid.
15 Configuring PAM
Identity management begins with authenticating a user's username and password. In a large enterprise you would already have established an identity management system. PAM (Pluggable Authenticating Mechanism) is a very popular UNIX-based technology, and a standard sub-system of the commonly used Linux distributions. PAM by itself is quite a sizeable subject, and a very mature technology. It serves various needs, and applications are built to meet a variety of permutations and combinations. To maintain the lucidity of our discussion here, I will restrict it to only the relevant areas.
PAM allows any service to communicate easily with a variety of Identity Management systems. The benefits of this are enormous. The most important benefit is that username/password storage does not have to be done within each of the applications that the users are permitted to use. To keep our discussion contextual, from here on we will refer to an Identity Management System as an Authentication Service. An Authentication Service could typically be a Microsoft Windows SMB / AD service, or any other form of LDAP such as OpenLDAP. It could also be a RADIUS server or an SQL database.
SafeSquid is intrinsically "PAM-aware". The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, you are free to choose how SafeSquid will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration for each PAM-aware service can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf.
Linux-PAM separates the tasks of authentication into four independent management groups: account management, authentication management, password management and session management. The configuration file lists the tasks in an appropriate sequence, together with the name of the PAM library that will be called to accomplish each task. SafeSquid requires only authentication and account to be configured.
From the point of view of the SafeSquid application, it is not of primary importance to understand the internal behaviour of the Linux-PAM library. These libraries are popularly referred to as modules. The important point to recognize is that the configuration file(s) define the connection between applications (services like SafeSquid) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks.
PAM modules are readily available to verify username/password combinations against various authenticating services. A variety of PAM modules are freely distributed, so you can judiciously decide on the suitable module, depending upon the Authenticating Service that you intend to use. To prevent configuration errors, please do check whether your chosen PAM module performs the Authenticate (auth) and/or Account tasks, and the correct usage for each of those tasks. Some PAM modules are very simple and straightforward to use. But there are some that require a lot of elaborate configuration, involving additional configuration files and/or system configuration.
SafeSquid 4.1.x and higher allow you to specify the name of the file in the /etc/pam.d directory that must be used. This setting can be made only as an option on the command-line when SafeSquid is started. In earlier versions it was fixed as "safesquid". To keep this discussion relevant for users of older versions of SafeSquid, I will refer to /etc/pam.d/safesquid as the pam-configuration file. So when you want your users' username/password combinations to be verified by an Authenticating System, you would begin by appropriately configuring the /etc/pam.d/safesquid file. Look at the contents of a typical pam-configuration file:
############ CONFIGURATION EXAMPLE1 /etc/pam.d/safesquid ############
#%PAM-1.0
# This enables authentication of users created in the local system
auth required pam_unix.so shadow
## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so
############ END OF FILE ############
Notice that we can enter comments to record the purpose of each directive, for posterity. The pam_unix module allows verification of the username/password of any user account created on a Linux / Unix server. pam_permit.so is a positive dummy, i.e. it simply responds with "success" for anything. It is therefore quite obvious that the above PAM configuration file was created to very simply validate whether a username/password was appropriate.
This configuration file would be interpreted as follows:
Authenticate (auth) the username/password using the pam_unix PAM module. This authentication is compulsorily required, and its failure is considered a failure of the Authenticate task. The pam_unix PAM module is used with an additional argument, "shadow".
Validate that the user has a valid account using the pam_permit PAM module. This validation is considered sufficient for the success of the Account task.
Note - Both the tasks, Authenticate and Account, must be successfully accomplished for a username/password. Failure of either is enough for SafeSquid to refuse access. PAM has another interesting benefit to offer - Module Stacking. This allows you to extract some excellent benefits for enhanced security. Suppose you wished to allow access to any user whose username/password is stored on a Windows Domain Controller, or a RADIUS server, or on the local Linux host. The pam-configuration file would look quite like this:
############ CONFIGURATION EXAMPLE2 /etc/pam.d/safesquid ############
#%PAM-1.0
# This enables authentication of users created in the local system
auth sufficient pam_unix.so shadow
auth sufficient pam_smb_auth.so
auth sufficient pam_radius.so
## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so
############ END OF FILE ############
Notice that in the above example we are using "auth sufficient" instead of the "auth required" that was used in the previous example. This configuration file would be interpreted as follows:
First authenticate the username/password with the pam_unix PAM module. If this succeeds, consider it sufficient, and do not bother to check the username/password against the remaining PAM modules listed for auth. If the validation with the pam_unix PAM module fails, for any reason, including an inappropriate username/password, attempt to validate using the pam_smb_auth PAM module. If this succeeds, simply skip any further validation in the "auth" list; otherwise attempt to validate using the pam_radius PAM module.
This effectively ensures that if the username/password is deemed valid by any one of the authenticating services - the local host, the Windows Domain Controller or the RADIUS server - then the "auth" task is successfully accomplished.
Of course, the "account" list additionally needs to be validated successfully. But then, as I mentioned earlier, the pam_permit PAM module is a dummy positive, so it is effectively unimportant.
You could surely use a more potent PAM module instead of the pam_permit that I have used in the above examples, to strengthen security, so that the tasks listed in the "account" list are more than trivia.
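As an added example (not part of the manual or of Linux-PAM itself), the following simulator traces the required/sufficient control flags over the two configuration files above, so you can see why CONFIGURATION EXAMPLE2 grants access when only the RADIUS server recognises the password, and why a failed "required" entry cannot be rescued by a later "sufficient" one. Module verdicts are supplied as a constructed dictionary, and the simplified semantics are stated in the docstring.

```python
# Constructed copies of the two pam-configuration files discussed above.
EXAMPLE1 = """\
#%PAM-1.0
auth    required   pam_unix.so shadow
account sufficient pam_permit.so
"""
EXAMPLE2 = """\
#%PAM-1.0
auth    sufficient pam_unix.so shadow
auth    sufficient pam_smb_auth.so
auth    sufficient pam_radius.so
account sufficient pam_permit.so
"""

def parse_stack(text):
    """Return {task: [(control, module, args), ...]} from pam.d-style lines."""
    stack = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            task, control, module, *args = line.split()
            stack.setdefault(task, []).append((control, module, args))
    return stack

def run_task(entries, verdicts):
    """Evaluate one task list with simplified Linux-PAM control semantics.
    'verdicts' maps a module name to the True/False answer it would give
    (unlisted modules fail; pam_permit.so always succeeds).
    required:   a failure makes the whole task fail, but later entries still run;
    sufficient: a success ends the task with success, unless a 'required'
                entry already failed; a failure is simply ignored.
    A task in which nothing succeeded (or that is missing) fails."""
    required_failed = succeeded = False
    for control, module, _args in entries:
        ok = module == "pam_permit.so" or verdicts.get(module, False)
        if control == "required":
            succeeded, required_failed = succeeded or ok, required_failed or not ok
        elif control == "sufficient" and ok and not required_failed:
            return True
    return succeeded and not required_failed

def pam_decide(config, verdicts):
    """SafeSquid grants access only if both the auth and account tasks succeed."""
    stack = parse_stack(config)
    return all(run_task(stack.get(t, []), verdicts) for t in ("auth", "account"))
```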
I guess that, having read so much of the above, you are more keen to learn how it would help you as an Application Manager for SafeSquid. So let me immediately take the discussion in that direction, by analysing a situation and working out the solution with you.
Suppose Joseph, Ali, Radha and Sam belong to the "Marketing" department in an enterprise. We would like to create a common profile for all of them, and then apply various filters and rules just to that one profile, so that it effectively applies to all four people. In a previous discussion I explained how we could create a common profile for a number of people by creating rules in the Access Restriction section of SafeSquid's WebGUI. In that example we had consistently set PAM to NO. But now let me show you how setting PAM to YES reduces your work.
As in those examples in Access Restriction, we set the Global Policy to Deny, and add a rule in the Allow sub-section as follows:
Option          Value
Enabled         true
Comment         This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM             true
User name       (Joseph|Ali|Radha|Sam)
Added profiles  Marketing
Note that we merely listed the names of these four users in a (rather peculiar looking) PCRE format, and left the text-box meant for Passwords blank. Since it is quite topical, and a reader new to PCRE might be a little upset, I will explain the PCRE (Perl Compatible Regular Expression) formatted list that we have used here.
(Joseph|Ali|Radha|Sam) simply translates to: match if it is Joseph or Ali or Radha or Sam. You could simply add to this list as many usernames as you wish, separated by pipes - '|'.
You could even create more such rules for people belonging to other job functions like Finance, HR, etc. You could even create more than one rule to profile people belonging to the same department. You would want to do that when there are too many people in a department, and accommodating all of them within the same list would look rather unreadable or inelegant. You could even translate functional hierarchies into web-access profiles that are partially common, while providing additional privileges or constraints. Yes, you would use the property of applying multiple profiles to people. Let me help you here with an example set of rules, created within the same configuration:
Option          Value
Enabled         true
Comment         This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM             true
User name       (Joseph|Ali|Radha|Sam)
Added profiles  Marketing

Option          Value
Enabled         true
Comment         This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Marketing"
PAM             true
User name       (John|Shyam|Bill|Sagar)
Added profiles  Marketing,Night_staff,Instant_Messengers_Disallowed
Did you notice that the rules created above covered eight people from the Marketing department? They applied the profile "Marketing" to all eight people, and also applied the additional profiles "Night_staff" and "Instant_Messengers_Disallowed" to John, Shyam, Bill and Sagar.
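To make the rule-matching logic of the Accounts example and the Marketing example concrete, here is an added example (not SafeSquid code) that simulates how Allow rules are evaluated: a blank text-box is irrelevant, the I.P. Address box accepts addresses and dash ranges, the User name box holds a PCRE pattern, PAM = YES hands the credentials to the PAM stack (simulated here by a constructed user table), and every matching rule contributes its Added profiles. The user table, the password values and whole-name matching of the User name pattern are assumptions of this example.

```python
import ipaddress
import re
# Constructed stand-in for the PAM stack (/etc/pam.d/safesquid): user -> password.
PAM_USERS = {"Joseph": "s3cret", "Ali": "pw-ali", "John": "pw-john"}

def pam_authenticate(user, password):
    # Simulated PAM verdict; a request that sent no credentials never passes.
    return user is not None and PAM_USERS.get(user) == password

def parse_ip_list(text):
    """I.P. Address text-box: comma-separated addresses and dash ranges."""
    ranges = []
    for item in text.split(","):
        if item.strip():
            lo, _, hi = item.partition("-")
            lo = ipaddress.ip_address(lo.strip())
            ranges.append((lo, ipaddress.ip_address(hi.strip()) if hi else lo))
    return ranges

def rule_matches(rule, ip, user, password):
    """A blank text-box is 'irrelevant'; every filled-in one must match."""
    if rule.get("ip"):
        addr = ipaddress.ip_address(ip)
        if not any(lo <= addr <= hi for lo, hi in parse_ip_list(rule["ip"])):
            return False
    if rule.get("user"):
        # User name is a PCRE pattern such as (Joseph|Ali|Radha|Sam), assumed
        # here to be matched against the whole name.
        if user is None or not re.fullmatch(rule["user"], user):
            return False
    if rule.get("pam"):                      # PAM = YES: the PAM stack decides
        return pam_authenticate(user, password)
    if rule.get("password"):                 # PAM = NO: password from the rule
        return password == rule["password"]
    return True

def profiles_for(rules, ip, user=None, password=None):
    """Union of 'Added profiles' over matching rules; None = Global Policy (Deny)."""
    profiles = set()
    for rule in rules:
        if rule.get("enabled", True) and rule_matches(rule, ip, user, password):
            profiles.update(p.strip() for p in rule["profiles"].split(","))
    return sorted(profiles) or None

RULES = [
    {"ip": "192.168.0.1", "user": "Ramesh", "password": "apple", "profiles": "Accounts"},
    {"pam": True, "user": "(Joseph|Ali|Radha|Sam)", "profiles": "Marketing"},
    {"pam": True, "user": "(John|Shyam|Bill|Sagar)",
     "profiles": "Marketing,Night_staff,Instant_Messengers_Disallowed"},
]
```

RULES holds the Accounts rule for Ramesh and the two Marketing rules from the tables above; profiles_for(RULES, ip, user, password) returns the profiles SafeSquid would attach to that request, or None when no Allow rule matches.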
So far, so good. Using your preferred authentication service shouldn't be much of a task for you now, right? NO!! The real challenge with PAM actually begins here!
As I mentioned above, there are various PAM modules available for a variety of Authenticating Services. But each of these modules may require anything from simple to very intricate additional configuration. This configuration could be as simple as providing an argument like "shadow" to pam_unix, as in the above example. But it could also be considerably more complex, involving other configuration files specific to the PAM module, or maybe even additional services installed on the system.