Web proxy

The web proxy is a server that sits between the LAN PCs and Internet sites. Clients make requests to the proxy which communicates with external sites, then send the response back to the client.

The advantages of a web proxy are:

  • ability to filter content
  • reduce bandwidth usage by caching the pages you visit

The proxy can be enabled only on green and blue zones. Supported modes are:

  • Manual: all clients must be configured manually
  • Authenticated users must enter a user name and password in order to navigate
  • Transparent: all clients are automatically forced to use the proxy for HTTP connections
  • Transparent SSL: all clients are automatically forced to use the proxy for HTTP and HTTPS connections

Note

Please make sure to have Users module installed (nethserver-directory package), if you plan to use authenticate mode.

Client configuration

The proxy is always listening on port 3128. When using manual or authenticated modes, all clients must be explicitly configured to use the proxy. The configuration panel is accessible from the browser settings. By the way, most clients will be automatically configured using WPAD protocol. In this case it is useful to enable Block HTTP and HTTPS ports option to avoid proxy bypass.

If the proxy is installed in transparent mode, all web traffic coming from clients is diverted through the proxy. No configuration is required on individual clients.

Certificate file is saved inside /etc/pki/tls/certs/NSRV.crt file, it can be downloaded from client at http://<ip_server>/proxy.crt address.

Note

To make the WPAD file accessible from guest network, add the address of blue network inside the Allow hosts field for httpd service from the Network services page.

SSL Proxy

Warning

Decrypting HTTPS connection without user consent is illegal in many countries.

In transparent SSL mode, server is able to also filter encrypted HTTPS traffic. The proxy establishes the SSL connection with remote sites, it checks the validity of certificates and it decrypts the traffic. Finally, it generates a new certificate signed by the Certification Authority (CA) server itself.

The traffic between client and proxy is always encrypted, but you will need to install on every client (browser) the CA certificate of the server.

The server certificate is located in /etc/pki/tls/certs/NSRV.crt. It is advisable to transfer the file using an SSH client (eg FileZilla).

Bypass

In some cases it may be necessary to ensure that traffic originating from specific IP or destined to some sites it’s not routed through the HTTP/HTTPS proxy.

The proxy allows you to create:

  • bypass by source, configurable from Hosts without proxy section
  • bypass by destination, configurable from Sites without proxy section

Bypass rules are also configured inside the WPAD file.

Report

Install nethserver-lightsquid package to generate web navigation reports.

LightSquid is a lite and fast log analyzer for Squid proxy, it parses logs and generates new HTML report every day, summarizing browsing habits of the proxy’s users. Link to web interface can be found at the Applications tab inside the Dashboard.

Cache

Under tab Cache there is a form to configure cache parameters:

  • The cache can be enabled or disabled (disabled by default)
  • Disk cache size: maximum value of squid cache on disk (in MB)
  • Min object size: can be left at 0 to cache everything, but may be raised if small objects are not desired in the cache (in kB)
  • Max object size: objects larger than this setting will not be saved on disk. If speed is more desirable than saving bandwidth, this should be set to a low value (in kB)

The button Empty cache also works if squid is disabled, it might be useful to clear space on disk.

Sites without cache

Sometime the proxy can’t correctly handle some bad crafted sites. To exclude one or more domain from the cache, use the NoCache property.

Example:

config setprop squid NoCache www.nethserver.org,www.google.com
signal-event nethserver-squid-save

Safe ports

Safe ports are a list of ports accessible using the proxy. If a port is not inside the safe port list, the proxy will refuse to contact the server. For example, given a HTTP service running on port 1234, the server can’t be accessed using the proxy.

The SafePorts property is a comma-separated list of ports. Listed ports will be added to the default list of safe ports.

Eg. Access extra ports 446 and 1234:

config setprop squid SafePorts 446,1234
signal-event nethserver-squid-save