Web proxy

The web proxy is a server that sits between the LAN PCs and Internet sites. Clients send their requests to the proxy, which communicates with the external sites and then returns the response to the client.

The advantages of a web proxy are:

  • the ability to filter content

  • reduced bandwidth usage, by caching the pages that are visited

The proxy can only be enabled on green and blue zones. The supported modes are:

  • Manual: all clients must be configured manually

  • Authenticated: users must enter a username and a password in order to browse

  • Transparent: all clients are automatically forced to use the proxy for HTTP connections

  • Transparent SSL: all clients are automatically forced to use the proxy for HTTP and HTTPS connections

Authenticated mode

Before enabling the web proxy in authenticated mode, please make sure to configure a local or remote account provider.

When Samba Active Directory is installed, or the server is joined to a remote Active Directory, Windows machines can use integrated authentication with Kerberos. All Windows clients must access the proxy server using the FQDN.

All other clients can use the basic authentication mechanism.

Note

NTLM authentication is deprecated and not supported.

Client configuration

The proxy always listens on port 3128. When the manual or authenticated mode is used, every client must be explicitly configured to use the proxy. The configuration panel is reachable from the browser settings. Most clients, however, can be configured automatically using the WPAD protocol. In this case it is useful to enable the Block HTTP and HTTPS ports option, so that clients cannot bypass the proxy.

If the proxy is installed in transparent mode, all web traffic coming from the clients is diverted through the proxy. No configuration is required on the individual clients.

Note

To make the WPAD file accessible from the guest network, add the address of the blue network to the Allow hosts field of the httpd service, from the Network services page.

SSL proxy

In transparent SSL mode, the proxy implements the so-called «peek and splice» behavior: it establishes the SSL connection with the remote site and checks the validity of its certificate without decrypting the traffic. The server can then filter the requested URLs using the web filter and return the response to the client.

Note

There is no need to install any certificate into the clients, just enabling the SSL proxy is enough.

Note

If the web proxy is enabled on the blue network, blue clients can reach green devices via the HTTP or HTTPS protocols. If you want to avoid this behavior, simply create a bypass by destination by entering the CIDR of the green network, as explained below.

Bypass

In some cases it may be necessary to ensure that traffic coming from a specific IP address, or destined for certain sites, is not routed through the HTTP/HTTPS proxy.

The proxy lets you create:

  • bypass by domains

  • bypass by source

  • bypass by destination

Bypass by domains

Bypass by domains can be configured from the Domains without proxy section. All domains listed on this page can be accessed directly by LAN clients. No antivirus or content filtering is applied to these domains.

Every listed domain also covers its own sub-domains. For example, adding nethserver.org also bypasses www.nethserver.org, mirror.nethserver.org, etc.

Note

All LAN clients must use the server itself as DNS, either directly or as a forwarder.

Bypass by source and destination

A source bypass allows direct access to any HTTP/HTTPS site from selected hosts, host groups, IP ranges and network CIDRs. Source bypasses are configurable from the Hosts without proxy section.

A destination bypass allows direct access from any LAN client to HTTP/HTTPS sites hosted on specific hosts, host groups or network CIDRs. Destination bypasses are configurable from the Sites without proxy section.

These bypass rules are also configured inside the WPAD file.
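The following PAC file (the format served via WPAD) shows how the bypass rules above translate into client-side logic. It is an added example, not the wpad.dat generated by NethServer; the proxy FQDN proxy.example.lan, the green network 192.168.1.0/24 and the DNS table are constructed values.

```javascript
// Proxy Auto-Config (PAC) file mirroring the bypass rules described on the page.
// Constructed values: proxy FQDN, green network; port 3128 is the one the proxy uses.
var PROXY = "PROXY proxy.example.lan:3128";
var DIRECT = "DIRECT";

// Stand-ins for what the server would fill in from its own bypass settings.
var BYPASS_DOMAINS = ["nethserver.org"];                    // "Domains without proxy"
var BYPASS_DEST_NETS = [["192.168.1.0", "255.255.255.0"]];  // "Sites without proxy" (green CIDR)

// Bypass by domain: the domain itself and its sub-domains, but nothing that merely
// ends with the same letters (notnethserver.org must still go through the proxy
// and its content filter), hence the explicit "." boundary.
function isBypassDomain(host, domain) {
  return host === domain || dnsDomainIs(host, "." + domain);
}

function FindProxyForURL(url, host) {
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (isBypassDomain(host, BYPASS_DOMAINS[i])) return DIRECT;
  }
  // Bypass by destination: resolve the name and compare it against each listed
  // network, e.g. the green LAN, so blue clients do not reach it via the proxy.
  var ip = dnsResolve(host);
  if (ip) {
    for (var j = 0; j < BYPASS_DEST_NETS.length; j++) {
      if (isInNet(ip, BYPASS_DEST_NETS[j][0], BYPASS_DEST_NETS[j][1])) return DIRECT;
    }
  }
  return PROXY;
}

// Shims for the PAC built-ins so the file also runs under Node for testing.
// Browsers provide these natively; dnsResolve here uses a constructed table.
var FAKE_DNS = { "intranet.example.lan": "192.168.1.10", "www.example.com": "198.51.100.7" };
function dnsResolve(host) { return FAKE_DNS[host] || null; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return (n << 8) + parseInt(o, 10); }, 0) >>> 0;
}
function isInNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
```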

Priority and divert rules

Firewall rules that route traffic to a specific provider, or that decrease/increase its priority, are applied only to network traffic that traverses the gateway. They do not apply to traffic that goes through the proxy, because that traffic is generated by the gateway itself.

In a scenario where the web proxy is enabled in transparent mode and the firewall contains a rule to lower the priority for a given host, the rule applies only to non-HTTP services like SSH.

The Rules tab also allows priority and divert rules to be created for the traffic intercepted by the proxy.

The web interface allows the creation of rules for HTTP/S traffic to:

  • raise the priority of a host or network

  • lower the priority of a host or network

  • divert the source to a specific provider, with automatic failover if the provider fails

  • force the source to a specific provider, without automatic failover

Content filter

The content filter analyzes all web traffic and blocks selected websites or sites containing viruses. Forbidden sites are selected from a list of categories, which in turn must be downloaded from external sources and stored on the system.

The system allows you to create an unlimited number of profiles. A profile is composed of three parts:

  • Who: the client associated with the profile. It can be a user, a group of users, a host, a group of hosts, a zone or an interface role (such as green, blue, etc.).

  • What: which sites can be browsed by the profiled client. It is a filter created in the Filters section.

  • When: the filter can be always enabled, or valid only during certain periods of time. Time frames can be created in the Times section.

This is the recommended order for content filter configuration:

  1. Select a list of categories from Blacklists page and start the download

  2. Create one or more time conditions (optional)

  3. Create custom categories (optional)

  4. Create a new filter or modify the default one

  5. Create a new profile associated with a user or host, then select a filter and a time frame (if enabled)

If no profile matches, the system provides a default profile that is applied to all clients.

Filters

A filter can:

  • block access to categories of sites

  • block access to sites accessed using IP address (recommended)

  • filter URLs with regular expressions

  • block files with specific extensions

  • enable global blacklist and whitelist

A filter can operate in two different modes:

  • Allow all: allow access to all sites, except those explicitly blocked

  • Block all: blocks access to all sites, except those explicitly permitted

Note

The category list is displayed only after the list selected from the Blacklists page has been downloaded.

Reports

Install nethserver-lightsquid package to generate web proxy stats.

LightSquid is a lightweight and fast log analyzer for the Squid proxy: it parses the logs and generates a new HTML report every day, summarizing the browsing habits of the proxy's users. The LightSquid web interface can be found in the Applications tab of the Dashboard.

Cleanup old reports

LightSquid reports are saved as directories of text files inside /var/lightsquid/. Since all reports are kept forever, the directory can grow considerably over the years.

To clean up all reports older than 1 year, execute the following:

find /var/lightsquid/  -maxdepth 1 -mindepth 1 -type d -name '????????' -mtime +360 -exec rm -rf {} \;

Cache

The Cache tab has a form to configure the cache parameters:

  • The cache can be enabled or disabled (disabled by default)

  • Disk cache size: maximum size of the squid cache on disk (in MB)

  • Minimum object size: can be left at 0 to cache everything, but may be raised if small objects are not wanted in the cache (in kB)

  • Maximum object size: objects larger than this value will not be saved on disk. If speed is more desirable than saving bandwidth, this should be set to a low value (in kB)

The Empty cache button also works if squid is disabled; it can be useful to free space on disk.

Sites without cache

Sometimes the proxy cannot correctly handle some badly designed sites. To exclude one or more domains from the cache, use the NoCache property.

Example:

config setprop squid NoCache www.nethserver.org,www.google.com
signal-event nethserver-squid-save

Safe ports

Safe ports are a list of ports that can be reached through the proxy. If a port is not in the safe ports list, the proxy refuses to contact the server. For example, given an HTTP service running on port 1234, that server cannot be accessed through the proxy.

The SafePorts property is a comma-separated list of ports. The listed ports are added to the default list of safe ports.

E.g. to allow access to the additional ports 446 and 1234:

config setprop squid SafePorts 446,1234
signal-event nethserver-squid-save

Logs

Squid logs are kept for 5 weeks in compressed format, to control disk space usage. Web proxy logs are verbose to help troubleshoot problems. Web browsing activities are logged in aggregate and readable format by Lightsquid.

In environments where logs need to be preserved for more than 5 weeks, you can manually edit the logrotate configuration /etc/logrotate.d/squid. Finally, remember to add /etc/logrotate.d/squid to the configuration backup using the custom include:

echo '/etc/logrotate.d/squid' >> /etc/backup-config.d/custom.include