© 2008 Office Efficiencies (India) Pvt. Ltd.

Total Access Control. Total Content Control.
Granular. Scalable. Manageable.

User Manual v2




Table of Contents

Part I User Manual ..... 1
    1 Who should use this guide ..... 1
Part II Implementation ..... 2
Part III System Requirements ..... 4
Part IV Installing SafeSquid ..... 8
Part V Test Your Installation ..... 10
Part VI SafeSquid Logs ..... 12
Part VII SafeSquid Interface ..... 16
    1 Active Connections ..... 18
    2 Statistics ..... 20
    3 DNS Cache ..... 24
    4 Show Headers ..... 26
    5 View Cache Entries ..... 28
    6 Connection Pool ..... 31
    7 Prefetch Queue ..... 32
    8 URL Blacklist ..... 34
    9 View Log Entries ..... 35
    10 Save Settings ..... 36
    11 Load Settings ..... 37
    12 Config Section ..... 39
        Basic Behaviour ..... 40
        URL Blacklist ..... 45
        Access Control ..... 48
        Profiles ..... 54
        cProfiles ..... 59
        Define user limits ..... 64
        FTP proxy ..... 67
        Templates ..... 69
        DNS Blacklists ..... 75
        URL Filtering ..... 77
        URL redirect ..... 81
        Mime Filtering ..... 84
        Header Filtering ..... 87
        Cookie Control ..... 90
        Word Filtering ..... 94
        Content Re-Write ..... 96
        Content Caching ..... 100
        Request Forwarding ..... 105
        Internet Content Adaptation Protocol (ICAP) ..... 109
        External Parser ..... 114
        Prefetching Embedded Objects ..... 117
        Pornographic Image Filter ..... 120
Part VIII URL commands ..... 122
Part IX Multiple Proxy Configuration ..... 125
Part X Reverse Proxying ..... 128
Part XI Chain Squid with SafeSquid ..... 130
Part XII Multi-ISP networks ..... 132
Part XIII Using Profiles for granular Access Policies ..... 133
Part XIV Using Authentication for Security and Creating User Profiles ..... 139
Part XV Configuring PAM ..... 142
Index ..... 0


1 User Manual

SafeSquid® Administrator's Guide
Version: 2.0
Produced on: Tuesday, October 14, 2008 :: 5:08:32 PM

SafeSquid®, a Content Filtering Internet Proxy, helps you to distribute Internet Access across your enterprise network. Its vast array of features, when used wisely by a system administrator, can deliver Total Content Control and Total Access Control.

SafeSquid®'s features have been built to serve maximum benefit when the key demands are scalability, security, and granularity.

SafeSquid® is offered in various Commercial editions, besides the Free Edition. This manual is not limited to users of any specific edition of SafeSquid®. It should help you to use each feature on your installed edition, provided your edition supports that feature.

1.1 Who should use this guide

This Guide is intended for users who have already installed, or would like to install, SafeSquid®. It will help them to set up the Proxy Server with the desired Edition, and to configure the features of SafeSquid® for optimum use.

This guide takes you on the journey of setting up a secure Internet Proxy. It intends to reduce your effort and helps you to optimize the use of your Internet facility.

This guide illustrates all the features of SafeSquid® and their behavioural basics. It should improve your understanding of the underlying problems and of your requirements, and help you construct corporate policies that get the optimum out of the available resources. To mention a few of these features: Multi Proxy Setup, Profile Management, User Access Restrictions, URL Blacklists, URL Filter, DNS blacklists, Document Rewrite, Header Filtering, Caching, Cookie Filtering, Virus Scanning, Image Filtering, Mime Filtering, Log analyzers, Keyword Filtering etc.

This guide will acquaint you with the browser-based User Interface, which you will use to configure and administer the features of SafeSquid®.

Hopefully, this guide is simple and understandable, and serves the purpose of those wishing to gain knowledge for the optimum use of SafeSquid®. It intends to be useful to novice as well as experienced technicians.

The readers of this guide are requested to report any errors and suggestions for improvement. Readers can post their views on the SafeSquid® forum available on the SafeSquid® website: http://www.safesquid.com/


2 Implementation

The key to the successful implementation of any software lies in pre-defining its use and anticipating the results. With software like SafeSquid®, which has so many possibilities, it is just too easy to get lost in the myriad of options.

Ideally the implementation should begin on a piece of paper, where we decide our expectations and (if possible) how we intend to verify the effectiveness of the configuration settings in meeting our REAL objectives.

As they say well-planned is half accomplished!

Sample Plan

How many proxies will be implemented in the enterprise?

· Number

The Corporate Internet Use Policy needs to be defined / modified only on the Master; all the slave installations will automatically synchronize their configuration from the Master. Which will be the Master Proxy?

· The IP and hostname of the Master Proxy to be used for browser-based administrative access.

· Is the proxy server multi-homed?

· Should the Proxy listen for requests on multiple IPs and Ports?

Web-sites require application layer security, therefore reverse proxying is used to ensure the Application Layer Security. Should SafeSquid act as a Reverse Proxy for our web-server?

· What are the web-sites it should reverse-proxy?

· Shall we change the DNS records of the web-sites?

· Shall we just change the IP / Port configuration of the web-server?

The enterprise uses a variety of Internet Connection Service Providers, and each connection is judiciously used for a specific set of users or applications. Shall we use the same Internet Connection for all kinds of Internet Access?

· Or shall we configure SafeSquid to use different Internet Connections based on user, or nature of access?

· Will SafeSquid forward the requests to another proxy, web-cache or firewall?

· Does the request forwarding require any Authentication?

Virus Defence begins at the Internet Gateway. What Virus Scanner should we use? What Anti-Virus Software will be used to scan all the Internet Traffic?

· F-Prot AV / Kaspersky AV / McAfee AV offer SafeSquid compatible Daemons that can be connected ONLY via Unix Sockets. So if we use any of these AV, they must necessarily co-habit the Proxy Server.


· Sophos AV / ClamAV / Avast AV offer SafeSquid compatible Daemons that can be connected via Unix Sockets OR TCP/IP Sockets. So if we use any of these AV, we have the option of installing them on a separate box on a LAN Server, OR co-habiting them with the Proxy Server. To negate latency effects in case of heavy traffic, it may be useful to set the LAN connection to 100 Mbps or higher.

· Symantec ICAP / Trend Micro ICAP / Dr. Web ICAP offer ICAP based Scan Engines that are fully compatible with SafeSquid's ICAP client. These Engines however require good System Resources, and are designed to deliver optimum performance if located on a remote server. So if we use any of these AV, we must PREFERABLY install them on a separate server.

Since SafeSquid can be configured to use one or more of the Anti Virus Software simultaneously, we may explore the option of scanning the entire Internet traffic via more than one Anti Virus Software.

· Alternatively, should we do this multi-AV scanning only for a few chosen Applications, or people?

· Or shall we just do the "battle-ready implementation" that allows us to switch to any of the above Anti-Virus software in times of emergency?

Policy settings to prevent Financial & Productivity Losses due to indiscriminate use of Internet

· Shall we allow people to visit only a "white-list" of trusted web-sites & URLs?

· Shall we allow people to visit any web-site that is not explicitly "black-listed"?

· How are we going to review / modify our "white-lists" / "black-lists"?

· What are our high priority business-application web-sites?

· What are the security relaxations that we may permit when our users access these web-sites?
  o Pop-ups, KeyWords, Banners, ActiveX Controls, Cookies, Header Content.

· What will be our bandwidth conservation policy to access these sites?
  o MIME / File types that will be permitted to be uploaded / downloaded.
  o Speed / Volume of Uploads, Downloads.
  o Browsers or other web-clients that will be allowed to access the Internet.

· What will be our bandwidth conservation policy to access non-business-application web sites?

· Do we have to make any granular policy modification to accommodate Profiles of some VIP users / Applications / Time of Access?
  o Should we enable pre-fetching of certain or all objects for one or more profiles?

· What kinds of Log Reports need to be generated?
  o How frequently should the log reports be generated?
  o How should the log reports be viewed and accessed?

· How are we going to bench-mark the performance of the hardware / software and the Internet Connection?
  o What will be the maximum bandwidth we will utilise to accomplish each test?


3 System Requirements

SafeSquid - System Requirements!

Windows: SafeSquid for Windows depends upon library-based functions provided by native Windows ports of the technologies that SafeSquid for Linux uses. These are fulfilled by a few DLL files, detailed below, that are included in the installation package.

Linux: SafeSquid (version 4.1.1 and higher) for Linux requires Intel architecture hardware running a Linux Kernel 2.6 or higher based operating system, properly installed with preferably the latest updates and patches.

The minimum hardware required to get SafeSquid up and running would be an i386-based computer with a Pentium III CPU, at least 128 MB of RAM and about 40 GB of hard disk. But that would really serve only academic interests!

For reliable production class environments, it would be advisable to use server class hardware. SafeSquid now has an NPTL compatible design, to generate thousands of threads to meet as many concurrent requests. In the event of un-forecasted bursts of concurrent requests, SafeSquid would have to open enough threads, and that may require a fast CPU. To successfully accomplish the various content filtering, caching and communication related activities, it must have enough memory. It is ideally recommended to provide about 7 to 10 MB of RAM per user for small networks. But for environments having more than 100 users, even 5 to 7 MB per user should be sufficient, if we can compensate by using a faster CPU.

A PIII / PIV based computer with 512 MB RAM should be adequate for a typical 20 user network; increasing the RAM to about 1 GB should make it serve up to 100 users. But if you are also planning to use URL Blacklists, Antivirus Software and Log Analyzers, you must very naturally compensate with adequate RAM.

SafeSquid by itself has a very small memory footprint, but you will always want to use one or more add-ons, compatible software, etc. So it will be much better to use systems with 1 GB RAM or more.

Recommendations for Standard Installations

SafeSquid® has a very low Total Cost of Ownership, and a very good ROI. In the long term most users prefer to extract more out of the fixed costs by increasing the derived results. It is therefore recommended to use hardware that can be scaled for RAM / CPU / NICs.

· Choose H/W that can scale for RAM / CPU, so that you may accommodate more users over a period of time.

· Use Hard Disks with good seek/read/write speed, to reduce latency in case you plan to use large content disk-caches.

· If you expect a large traffic to be handled, it would be a good idea to use a GigaBit NIC. To increase security, or to cater to multiple networks, it would be advisable to use 2 NICs or more.

· System Configurations that have easily accessible Hardware drivers for Linux are absolutely preferable, and would be useful if you plan to increase redundancy by using Clusters.


· Use Linux Distributions that have good support for Web Servers, Perl, PHP, Caching Name Servers, etc., because a variety of Log Analyzers are now available, both closed and open source, that you will surely want to use.

· SafeSquid servers shouldn't require X Windows, so basic hardening should be enough.

· Sooner rather than later you would want to install Antivirus to scan content being transported via SafeSquid. ClamAV is free, so at least install it, unless you are sure you prefer to be secured by a commercial vendor. In that case, choose a vendor that offers an ICAP based solution.

· If you have a Microsoft Network, then sooner or later you will want authentication to work from ADS, and in any case if you are a large network you'll alternatively want user authentication done from LDAP or RADIUS, or something else that's available, so definitely install the PAM libraries. And maybe also Winbind, which joins your SafeSquid server to the Windows Network.

· RPMs are available for most of the software mentioned above, but quite a few are served as raw source code and must be compiled on your server. So it's always a good idea to install GCC & G++ on your SafeSquid Server.


Software Dependencies (Windows)

System Library: Package Description

libeay32.dll: contains encryption functions which allow for coded communications over networks. This file is open source and is used in many open source programs to help with SSL communication.

libssl32.dll: an OpenSSL Shared Library belonging to The OpenSSL Toolkit from The OpenSSL Project, http://www.openssl.org/

nsldap32v50.dll: provides LDAP connectivity to ADS / LDAP servers. It is used by many programs for LDAP authentication.

pthreadVC2.dll: POSIX Threads implementation for the Windows environment. Much software that has a multi-threaded architecture and was originally created for Linux uses this.

zlib.dll: provides the compression / decompression functions for SafeSquid. zlib was written by Jean-loup Gailly (compression) and Mark Adler (decompression).

Software Dependencies (Linux)

System Libraries (Provider Package): Package Description

libbz2.so.1 (bzip2-libs, bzlib): Libraries for applications using bzip2
  Description: Libraries for applications using the bzip2 compression format.

libcom_err.so.2 (e2fsprogs): Utilities for managing the second extended (ext2) filesystem.
  Description: The e2fsprogs package contains a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem, or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters), and most of the other core ext2fs filesystem utilities.

libdl.so.2, libc.so.6, libm.so.6, libpthread.so.0, libresolv.so.1 (glibc): The GNU libc libraries.
  Description: The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function.

libgssapi_krb5.so.2, libk5crypto.so.3, libkrb5.so.3 (krb5-libs): The shared libraries used by Kerberos 5.
  Description: Kerberos is a network authentication system. The krb5-libs package contains the shared libraries needed by Kerberos 5. If you are using Kerberos, you need to install this package.

libgcc_s.so.1 (libgcc): GNU C library
  Description: The libgcc1 package contains GCC shared libraries for gcc 3.4

libgmp.so.3 (libgmp3): A GNU arbitrary precision library.
  Description: The gmp package contains GNU MP, a library for arbitrary precision arithmetic, signed integer operations, rational numbers and floating point numbers. GNU MP is designed for speed, for both small and very large operands. GNU MP is fast because it uses fullwords as the basic arithmetic type, it uses fast algorithms, it carefully optimizes assembly code for many CPUs' most common inner loops, and it generally emphasizes speed over simplicity/elegance in its operations.

libstdc++.so.6 (libstdc++): GNU Standard C++ Library
  Description: The libstdc++ package contains a rewritten standard compliant GCC Standard C++ Library

libcrypto.so.4, libssl.so.4 (openssl097a): The OpenSSL toolkit
  Description: The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.

libpam.so.0 (pam): A security tool which provides authentication for applications
  Description: PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set authentication policy without having to recompile programs that handle authentication.

libz.so.1 (zlib1): The zlib compression and decompression library
  Description: Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs.


4 Installing SafeSquid

Installation Procedure:

Copy the downloaded safesquid.tar.gz into /usr/local/src/

cp safesquid-4.2.0-com20-free.tar.gz /usr/local/src/safesquid.tar.gz

Decompress the tar file using command -

tar -xvzf safesquid-4.2.0-com20-free.tar.gz

This creates a directory safesquid in your current working directory. Change directory to safesquid:

cd safesquid/

The safesquid directory contains the installation script install. Run the script:

./install

The install script asks you to select one of the following 3 options -

Press "F" if we are doing a Fresh install
Press "U" if we want to Update an existing installation
Press "A" if we want to Adjust an existing conf file

Press "F" for a fresh installation. The install script checks for dependencies and displays the status. The output should be similar to -

"Checking Dependencies
/lib/libsafe.so.2 (0xf6ffa000)
libpam.so.0 => /lib/libpam.so.0 (0xf6fea000)
libdl.so.2 => /lib/libdl.so.2 (0xf6fe5000)
libpthread.so.0 => /lib/tls/i686/libpthread.so.0 (0xf6fd4000)
libssl.so.4 => /lib/libssl.so.4 (0xf6fa0000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00bbb000)
libm.so.6 => /lib/tls/i686/libm.so.6 (0xf6f7d000)
libc.so.6 => /lib/tls/i686/libc.so.6 (0xf6e69000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00974000)
/lib/ld-linux.so.2 (0x00b97000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x009e7000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b1e000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x009e2000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00afb000)
libresolv.so.2 => /lib/libresolv.so.2 (0xf6e55000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00a11000)
libz.so.1 => /usr/lib/libz.so.1 (0x00962000)

looks okay
Press any key to continue"

If a missing dependency is reported, you will have to install it before you can continue.


If everything is fine, then press any key to continue

The SafeSquid End-User License Agreement is displayed. The options are as follows -

Press "B" / "F" to move Back / Forward
Press "S" when you have finished reading

Read the License Agreement, or press "S" to skip and continue.

The following options are displayed -

Press Y if you find the End-User License Acceptable
Press A To Read the End-User License Again
Press N if you find the End-User License NOT Acceptable and immediately abort the Installation Process

Press "Y" to continue

Here onwards, the install script will ask for about 28 configuration options. All option pages are self-explanatory, and should not require you to make any changes. To change a default option, press "C". When you have made the necessary changes, press "S" to continue with the installation. You can also press "S" on the first option screen, to install with the default options. (The settings can later be changed by editing the startup.conf file, which you will find in the /opt/safesquid/safesquid/init.d directory. The changes will take effect the next time SafeSquid is restarted.)

The installation starts when you press "S". The installation will pause a few times to display the status, and for confirmation. When the installation is complete, the following message is displayed -

Press "S" if you would like to start your safesquid now
Press any other key to simply exit

Press "S" to start SafeSquid. You should get a message like the following -

1. safesquid started with PID: 9659 ... ssquid is NOT LISTENING on :8080 ...
2. safesquid started with PID: 9659 ... ssquid is LISTENING on 192.168.0.30:8080 ... Process IS RUNNING

So, your SafeSquid is installed and running.

Now, to access the SafeSquid Interface, point the proxy setting in the browser to the SafeSquid Server's IP:PORT, e.g. 192.168.0.30:8080, and access the URL http://safesquid.cfg


5 Test Your Installation

Testing on server side

Command to check that SafeSquid is running on the server

Command:

ps waux | grep safesquid

The output should be similar to:

ssquid 11533 81.2 33.1 1750524 1372096 ? Sl Oct13 973:01 /opt/safesquid/safesquid/safesquid

root 29005 0.0 0.0 2852 704 pts/0 R+ 10:51 0:00 grep safesquid

Command to be sure that SafeSquid is listening on port 8080

Command:

netstat -anp | grep :8080

The output should be similar to:

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11533/safesquid
tcp 0 0 10.0.0.5:8080 192.168.10.152:3238 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.29:1167 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.127:1677 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.50.15:1864 SYN_RECV -
tcp 0 0 10.0.0.5:8080 192.168.10.122:2496 TIME_WAIT -
tcp 0 253 10.0.0.5:8080 192.168.10.18:1192 FIN_WAIT1 -
tcp 0 0 10.0.0.5:8080 192.168.10.132:1342 ESTABLISHED 11533/safesquid
tcp 1 0 10.0.0.5:8080 192.168.50.4:4999 CLOSE_WAIT 11533/safesquid

Command to check how SafeSquid is handling requests

Command:

tail -f /opt/safesquid/safesquid/logs/native/safesquid.log

The output should be similar to:

2008 10 14 10:54:17 [691984] request: GET http://www.ingentaconnect.com:80/css/size14.css
2008 10 14 10:54:17 [692021] network: allowed connect from 192.168.10.10 on port 8080
2008 10 14 10:54:17 [692021] security: PAM authentication succeeded for mlpbs
2008 10 14 10:54:17 [692021] network: binding outgoing connection to 10.0.0.11
2008 10 14 10:54:17 [690705] request: GET http://www.allbusiness.com:80/asset/image/icon/2984516.gif
2008 10 14 10:54:17 [691736] request: GET http://www.contentlinks.asiancerc.com:80/scwm/images/arrow_down.gif
2008 10 14 10:54:17 [692013] network: 192.168.10.122 disconnected after making 2 requests
2008 10 14 10:54:17 [691763] network: binding outgoing connection to 10.0.0.21
2008 10 14 10:54:17 [692022] network: allowed connect from 192.168.10.29 on port 8080
2008 10 14 10:54:17 [692021] request: CONNECT login.yahoo.com:443
2008 10 14 10:54:17 [692005] request: GET http://www3.interscience.wiley.com:80/journal/104086741/abstract?CRETRY=1
2008 10 14 10:54:17 [692005] network: 192.168.50.12 disconnected after making 1 requests
2008 10 14 10:54:17 [692023] network: allowed connect from 192.168.50.12 on port 8080

Command to check how SafeSquid is running on port 8080

Command:

lsof -i :8080

The output should be similar to:

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
safesquid 18934 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
safesquid 18934 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED)
safesquid 18934 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT)
safesquid 18936 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)
safesquid 18936 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED)
safesquid 18936 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT)
safesquid 18937 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)


6 SafeSquid Logs

SafeSquid Logs

SafeSquid produces logs in three distinct formats. We traditionally name them access.log (Access Log Format), extended.log (NCSA / Extended log format) and safesquid.log (Native Log Format). The paths to the log files, and the soft links created during installation, are as follows:

Log File: Path (Soft Link)

access.log: /var/log/safesquid/safesquid/access/ (soft link: /opt/safesquid/safesquid/logs/access/)

safesquid.log: /var/log/safesquid/safesquid/native/ (soft link: /opt/safesquid/safesquid/logs/native/)

extended.log: /var/log/safesquid/safesquid/extended/ (soft link: /opt/safesquid/safesquid/logs/extended/)

Access Log

The access.log has been the traditional favourite, because it can be used by a variety of log analyzers like Calamaris, SARG, Squint, SquidTailD, etc. The reports produced by these log analyzers reveal useful details of the overall usage and the pattern of access of the application.

Access Log fields:
start_time_in_seconds.milliseconds elapsed_time client cachecode/status size method url username peercode/peer mime

Example:
1189403858.675 654 192.168.0.21 TCP_MISS/200 246 GET http://ds.ds3ps.co.uk:80/refer/surebrowse/operator/chat-server.xml?time=1189404101675 sudipta DIRECT/ds.ds3ps.co.uk text/xml

The details of the fields in access.log are as follows:

Field                  Explanation

Time                   UNIX time stamp as Coordinated Universal Time (UTC) seconds with a millisecond resolution.

Elapsed Time           Length of time in milliseconds that the cache was busy with the transaction. The information is logged after the reply has been sent, not during the lifetime of the transaction.

Client                 IP address of the requesting host.

Cachecode/Status       Two entries separated by a slash. Code specifies the result of the transaction: the kind of request, how it was satisfied, or in what way it failed. The second entry contains the HTTP result code.

Bytes                  Amount of data delivered to the client. This does not constitute the net object size, because headers are also counted. Also, failed requests may deliver an error page, the size of which is also logged here.

Method                 Request method to obtain an object, e.g. GET, POST, CONNECT.

URL                    URL requested.

Username               Authenticated username.

Peerstatus/Peerhost    Two entries separated by a slash. The first entry represents a code that explains how the request was handled, for example by forwarding it to a peer, or returning the request to the source. The second entry contains the name of the host from which the object was requested. This host may be the origin site, a parent, or any other peer. Also note that the host name may be numerical.

Mime                   MIME type of the object.
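The field layout above is all a reviewer needs to turn access.log into structured records. The following is an added example, not SafeSquid's own code: it parses lines in this format (the first sample line is the manual's example, the other three are constructed here), then applies a few illustrative triage rules a defender might start with, namely denied or failed requests, CONNECT tunnels to ports other than 443, and transfers above a size threshold, and sums bytes per client IP. The threshold and the rule names are assumptions for the example.

```python
"""Parse SafeSquid access.log lines and flag records worth a closer look."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: the first line is the manual's own example, the remaining
# three are made up here to exercise a cache hit, a denied request and a CONNECT.
SAMPLE_ACCESS_LOG = """\
1189403858.675 654 192.168.0.21 TCP_MISS/200 246 GET http://ds.ds3ps.co.uk:80/refer/surebrowse/operator/chat-server.xml?time=1189404101675 sudipta DIRECT/ds.ds3ps.co.uk text/xml
1189403859.101 12 192.168.0.22 TCP_HIT/200 10240 GET http://example.org/logo.png anonymous NONE/- image/png
1189403860.500 3020 192.168.0.23 TCP_MISS/403 1780 GET http://example.net/blocked.html bob DIRECT/example.net text/html
1189403861.000 20000 192.168.0.23 TCP_MISS/200 5242880 CONNECT example.com:8443 bob DIRECT/example.com -
"""


@dataclass
class AccessRecord:
    time: datetime        # request start, UTC
    elapsed_ms: int
    client: str
    cache_code: str       # e.g. TCP_MISS
    status: int           # HTTP result code
    size: int             # bytes delivered, headers included
    method: str
    url: str
    username: str
    peer_code: str        # e.g. DIRECT
    peer_host: str
    mime: str


def parse_access_line(line: str) -> AccessRecord:
    """Split one line into the ten space-separated fields listed in the manual.

    The URL field never contains a space, so a plain split is safe; the two
    slash-separated pairs are split once more.
    """
    parts = line.split()
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    ts, elapsed, client, code_status, size, method, url, user, peer, mime = parts
    cache_code, status = code_status.split("/", 1)
    peer_code, peer_host = peer.split("/", 1)
    ipaddress.ip_address(client)  # raises ValueError on a malformed address
    return AccessRecord(
        time=datetime.fromtimestamp(float(ts), tz=timezone.utc),
        elapsed_ms=int(elapsed),
        client=client,
        cache_code=cache_code,
        status=int(status),
        size=int(size),
        method=method,
        url=url,
        username=user,
        peer_code=peer_code,
        peer_host=peer_host,
        mime=mime,
    )


def parse_access_log(text: str) -> List[AccessRecord]:
    return [parse_access_line(l) for l in text.splitlines() if l.strip()]


def find_anomalies(records, max_bytes: int = 1_000_000) -> List[Tuple[str, AccessRecord]]:
    """Illustrative triage rules (threshold and rule names are assumptions):
    failed or denied requests, CONNECT tunnels to ports other than 443, and
    unusually large transfers."""
    findings: List[Tuple[str, AccessRecord]] = []
    for r in records:
        if r.status >= 400:
            findings.append(("denied-or-failed", r))
        if r.method == "CONNECT" and r.url.rsplit(":", 1)[-1] != "443":
            findings.append(("connect-nonstandard-port", r))
        if r.size > max_bytes:
            findings.append(("large-transfer", r))
    return findings


def bytes_per_client(records) -> Dict[str, int]:
    """Total bytes delivered per client IP, the figure the Statistics page
    reports per IP address."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        totals[r.client] += r.size
    return dict(totals)


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for reason, r in find_anomalies(recs):
        print(f"{reason:25} {r.client:15} {r.username:10} {r.method} {r.url}")
    print(bytes_per_client(recs))
```

The size counted here includes headers, as the Bytes field description states, so per-client totals are slightly above the net object sizes.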

Extended Log

The extended.log (NCSA / Extended Log Format) records the maximum detail of each request handled by the proxy application. Log analyzers like Sawmill can generate analysis reports using the extended log, and give a lot more information than the ones using access.log.

FORMAT: "UNIQUE_RECORDID" ELAPSED_TIME_IN_MSEC CLIENT_IP "USER_NAME" "CLIENT_CONNECTION_ID" [DATE_TIME_OF_REQUEST] "METHOD URL" "HTTP_STATUS_CODE" BYTES_TRANSFERRED "REFERRER_URL" "USER_AGENT" MIME_TYPE "FILTER_NAME FILTERING_REASON" "COMMA_SEPARATED_LIST_OF_PROFILES_APPLIED" "INTERFACE_IP:INTERFACE_PORT"

Example:

"1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" [05/Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates?run_as=check_updates&protocol=1" 200 750 "-" "FPAV_Update_Monitor/3.16f (Windows;WINNT; 2000 Professional; SP4)" text/plain "- -" "-" "192.168.0.221:8080"

The details of the fields in extended.log are as follows:

Field                                    Explanation

Unique Record ID                         A unique record identifier, to prevent duplication of records when imported into SQL databases, e.g. 1215419711.460.

Elapsed time in milliseconds             Elapsed time of the request, in milliseconds.

Client IP                                The IP address of the requesting client.

User name                                The username (or user ID) used by the client for authentication. If no value is present, "anonymous" is substituted.

Client connection ID                     The internal SafeSquid ID associated with this connection.

Date & time of request                   The date and time stamp of the HTTP request. The fields in the date/time field are [dd/MMM/yyyy:hh:mm:ss +-hhmm], where dd is the day of the month, MMM is the month, yyyy is the year, hh is the hour, mm is the minute and ss is the seconds.

Method URL                               The HTTP request. The request field contains three pieces of information. The main piece is the requested resource. The request field also contains the HTTP method.

HTTP Status Code                         The numeric code indicating the success or failure of the HTTP request.

Bytes Transferred                        A numeric field containing the number of bytes of data transferred as part of the HTTP request, not including the HTTP header, e.g. 750.

Referrer URL                             The referrer is the URL of the HTTP resource that referred the user to the resource requested. "-" is substituted when there is no referrer.

User agent                               An HTTP client that makes HTTP requests. It is customary for an HTTP client, such as a Web browser, to identify itself by name when making an HTTP request. It is not required, but most HTTP clients do identify themselves by name.

Mime type                                MIME type of the requested object, e.g. text/plain.

Filter name & Filtering reason           If the request gets blocked, this field contains the name of the filter, or the reason for which the request was blocked. "- -" is substituted when there are no blocks.

Comma separated list of profiles applied Comma separated list of profiles that were applied to the request. "-" is substituted when no profiles are applied.

Interface IP:Interface port              IP:PORT that received the request. This can be important when SafeSquid is listening on multiple IPs or Ports.
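Because several extended.log fields are quoted and may contain spaces (the user agent, the "METHOD URL" pair, the filter name and reason), a plain split is not enough. The following added example, which is not SafeSquid's own code, tokenises the line with shell-style quoting, merges the bracketed date back together when it carries the "+-hhmm" zone offset described above, maps the "-" and "- -" placeholders to None, and then lists the requests on which a filter acted. The sample records are constructed for the example (the first follows the manual's own example line); the filter name, reason and profile names in them are invented.

```python
"""Parse SafeSquid extended.log records (quoted fields) and summarise blocks."""
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the extended.log format. Record 1 follows the manual's
# example, record 2 is a blocked request, record 3 has a zone offset in the
# date field. Filter names, reasons and profiles are invented for illustration.
SAMPLE_EXTENDED_LOG = """\
"1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" [05/Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates?run_as=check_updates&protocol=1" 200 750 "-" "FPAV_Update_Monitor/3.16f (Windows; WINNT; 2000 Professional; SP4)" text/plain "- -" "-" "192.168.0.221:8080"
"1191586620.010-8-192.168.0.221-8080" 5 192.168.0.151 "alice" "8" [05/Oct/2007:17:47:00] "GET http://example.net/banner.gif" 403 1201 "http://example.net/" "Mozilla/5.0 (constructed)" text/html "URL-filtering blacklist:ads" "staff,default" "192.168.0.221:8080"
"1191586630.000-9-192.168.0.221-8080" 40 192.168.0.152 "bob" "9" [05/Oct/2007:17:47:10 +0530] "POST http://example.org/upload" 200 20480 "http://example.org/form" "Mozilla/5.0 (constructed)" text/html "- -" "default" "192.168.0.221:8080"
"""


@dataclass
class ExtendedRecord:
    record_id: str
    elapsed_ms: int
    client_ip: str
    username: str
    connection_id: str
    timestamp: datetime
    method: str
    url: str
    status: int
    bytes_transferred: int
    referrer: Optional[str]
    user_agent: str
    mime: str
    filter_name: Optional[str]
    filter_reason: Optional[str]
    profiles: List[str]
    interface_ip: str
    interface_port: int


def _dash_to_none(value: str) -> Optional[str]:
    return None if value == "-" else value


def _tokens(line: str) -> List[str]:
    """Shell-style tokenising keeps quoted fields whole. The bracketed date is
    unquoted and, with a zone offset, contains a space, so a token that opens
    with '[' but does not close with ']' is joined to the next one."""
    raw = shlex.split(line)
    out: List[str] = []
    i = 0
    while i < len(raw):
        tok = raw[i]
        if tok.startswith("[") and not tok.endswith("]") and i + 1 < len(raw):
            tok = tok + " " + raw[i + 1]
            i += 1
        out.append(tok)
        i += 1
    return out


def _parse_date(field: str) -> datetime:
    body = field.strip("[]")
    fmt = "%d/%b/%Y:%H:%M:%S %z" if " " in body else "%d/%b/%Y:%H:%M:%S"
    return datetime.strptime(body, fmt)


def parse_extended_line(line: str) -> ExtendedRecord:
    f = _tokens(line)
    if len(f) != 15:
        raise ValueError(f"expected 15 fields, got {len(f)}: {line!r}")
    method, url = f[6].split(" ", 1)
    name, _, reason = f[12].partition(" ")        # "- -" when nothing blocked
    ip, port = f[14].rsplit(":", 1)
    return ExtendedRecord(
        record_id=f[0], elapsed_ms=int(f[1]), client_ip=f[2], username=f[3],
        connection_id=f[4], timestamp=_parse_date(f[5]), method=method, url=url,
        status=int(f[7]), bytes_transferred=int(f[8]), referrer=_dash_to_none(f[9]),
        user_agent=f[10], mime=f[11], filter_name=_dash_to_none(name),
        filter_reason=_dash_to_none(reason or "-"),
        profiles=[] if f[13] == "-" else f[13].split(","),
        interface_ip=ip, interface_port=int(port),
    )


def parse_extended_log(text: str) -> List[ExtendedRecord]:
    return [parse_extended_line(l) for l in text.splitlines() if l.strip()]


def blocked_requests(records) -> List[ExtendedRecord]:
    """Records on which a filter acted, i.e. the filter field was not "- -"."""
    return [r for r in records if r.filter_name is not None]


def blocks_per_user(records) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in blocked_requests(records):
        counts[r.username] = counts.get(r.username, 0) + 1
    return counts


if __name__ == "__main__":
    for r in blocked_requests(parse_extended_log(SAMPLE_EXTENDED_LOG)):
        print(r.timestamp, r.username, r.filter_name, r.filter_reason, r.url)
```

The profiles column is what lets you check that the policy you expect (for example a "staff" profile) was actually applied to a request; records with an empty profile list are the ones no profile matched.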

Native Log

This is SafeSquid's native log format. It records various functional aspects like REQUESTS, SECURITY, REDIRECT etc. that are affected by the various features and their configuration. You can control the verbosity of the Native log by specifying LOGLEVEL, as shown in the table below. The LOGLEVEL parameter affects only SafeSquid's Native log.

Value     Process logged           Value         Process logged

1         Requests                 16384         Forwarding

2         Network                  32768         Config synchronization

4         URL filtering            65536         Antivirus

8         Header filtering         131072        External parsers

16        Mime filtering           262144        ICAP

32        Cookie filtering         524288        DNS blacklist

64        Redirections             1048576       URL blacklist

128       Templates                2097152       URL commands

256       Keyword filtering        4194304       Modules

512       Rewriting                8388608       Security

1024      Limits                   16777216      Warnings

2048      Caching                  33554432      Errors

4096      Prefetching              67108864      Profiles

8192      ICP                      134217728     Debug

So, if you wish to record only the requests, set LOGLEVEL to 1; if you wish to record only caching related activities, set LOGLEVEL to 2048. If you wish to record all three of rewriting, limits and forwarding, you would simply set LOGLEVEL to 512 + 1024 + 16384, i.e. 17920. Similarly, if you wished to view absolutely everything (and run the risk of generating a very huge log file in a very short time!), you could set LOGLEVEL to the total of all the values in the table other than Debug, i.e. 134217727, which is also the default LOGLEVEL if you simply comment out the LOGLEVEL specification. If you wished to produce just debug logs, you should set LOGLEVEL to 134217728. If you wished to record all activities and debug information, you should set LOGLEVEL to 268435455.

NOTE: Adjusting this value requires a restart of SafeSquid service.
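LOGLEVEL is a bitmask, so every value in the table is a power of two and any combination is the sum of the selected rows. The following added example (not SafeSquid's code) composes a LOGLEVEL from process names and decodes a number back into the processes it records, reproducing the figures quoted above; it also refuses values with bits outside the table, which catches a mistyped number in the configuration. The "security monitoring" combination at the end is an illustrative choice for this example, not a recommendation from the manual.

```python
"""Compose and decode SafeSquid LOGLEVEL bitmask values from the manual's table."""
from typing import Dict, List

# Bit values exactly as listed in the LOGLEVEL table, in ascending order.
LOGLEVEL_BITS: Dict[str, int] = {
    "Requests": 1,
    "Network": 2,
    "URL filtering": 4,
    "Header filtering": 8,
    "Mime filtering": 16,
    "Cookie filtering": 32,
    "Redirections": 64,
    "Templates": 128,
    "Keyword filtering": 256,
    "Rewriting": 512,
    "Limits": 1024,
    "Caching": 2048,
    "Prefetching": 4096,
    "ICP": 8192,
    "Forwarding": 16384,
    "Config synchronization": 32768,
    "Antivirus": 65536,
    "External parsers": 131072,
    "ICAP": 262144,
    "DNS blacklist": 524288,
    "URL blacklist": 1048576,
    "URL commands": 2097152,
    "Modules": 4194304,
    "Security": 8388608,
    "Warnings": 16777216,
    "Errors": 33554432,
    "Profiles": 67108864,
    "Debug": 134217728,
}


def loglevel_for(*processes: str) -> int:
    """Return the LOGLEVEL that records exactly the named processes."""
    value = 0
    for name in processes:
        try:
            value |= LOGLEVEL_BITS[name]
        except KeyError:
            raise KeyError(f"unknown process {name!r}") from None
    return value


# The two totals the manual quotes: everything but Debug (the default when the
# LOGLEVEL line is commented out) and everything including Debug.
ALL_BUT_DEBUG = loglevel_for(*(n for n in LOGLEVEL_BITS if n != "Debug"))  # 134217727
EVERYTHING = loglevel_for(*LOGLEVEL_BITS)                                    # 268435455


def processes_for(loglevel: int) -> List[str]:
    """Decode a LOGLEVEL into process names, in table order. Values with bits
    that are not in the table are rejected rather than silently ignored."""
    if loglevel < 0 or loglevel > EVERYTHING:
        raise ValueError(f"LOGLEVEL {loglevel} has bits outside the table")
    return [name for name, bit in LOGLEVEL_BITS.items() if loglevel & bit]


# Illustrative choice for this example: the rows a security reviewer would
# typically want without the volume of per-request logging.
SECURITY_MONITORING = loglevel_for(
    "Security", "Warnings", "Errors", "URL blacklist", "Antivirus"
)  # 59834368


if __name__ == "__main__":
    print("rewriting+limits+forwarding =", loglevel_for("Rewriting", "Limits", "Forwarding"))
    print("17920 records:", processes_for(17920))
    print("default (all but Debug) =", ALL_BUT_DEBUG, "everything =", EVERYTHING)
```

Remember the note above: a changed LOGLEVEL only takes effect after the SafeSquid service is restarted.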

Log rotation

There obviously needs to be a control on log file size. The SafeSquid executable cannot start if the size of any of the log files exceeds 2147483648 bytes (2 GB). The parameter sets the maximum size in bytes for a log file; when it is exceeded, the logrotate script (/etc/init.d/safesquid logrotate) automatically truncates and compresses all three types of log files. The same command can also be run manually to rotate your logs whenever the situation demands it.


7 SafeSquid Interface

SafeSquid® has a browser based User Interface that allows users to configure various features in accordance with their respective Corporate Internet Usage Policies.

To configure or change the configuration, you must have access to the SafeSquid® Management Interface. To access the Interface, you must configure your web browser to use the SafeSquid® proxy server.

For example, if you have set up SafeSquid to listen on IP 192.168.0.130 on port 8080, then you should configure your web browser to use the proxy at 192.168.0.130 on port 8080.

Now you should be able to access the User Management Interface with the URL http://safesquid.cfg

Note: To set the IP and Port in Internet Explorer, open the browser, go to Tools Menu --> Internet Options --> Connections --> LAN Settings --> select the "Use Proxy server" option in the dialogue box, then specify your proxy server's IP in the Address field and the Port (default 8080).

You should now be able to access the URL http://safesquid.cfg to configure various features as well as monitor them from the same window.

Mozilla users should open the browser, go to Tools Menu --> Options --> Connection settings --> select Manual Proxy Configuration --> specify your proxy server's IP in the HTTP Proxy field and the Port (default 8080). You should now be able to access the URL http://safesquid.cfg to configure various features as well as monitor them from the same window.

Most features of SafeSquid® can be set using this SafeSquid® Management Interface. The Top Menu gives you the links and access to the various features & functions, as shown in the image below. This image displays the main page of the browser based SafeSquid® Management Interface.


7.1 Active Connections

'Active connections' displays all the active connections being handled by the SafeSquid® proxy server at a particular instant. The image below shows the page that is displayed when the user clicks on the Active Connections link.

The 'Active connections' page has two sub-sections: Transferring and Client Pool.

The Transferring subsection lists the requests being fulfilled at a particular instant, and the Client Pool subsection shows all the requests that are waiting in the queue at that same instant, i.e. the requests waiting to acquire a physical connection.

'Transferring' & 'Client Pool' sub-sections


Client ID

Client ID is an auto-generated identification number, generated for every request made by a client.

IP

IP is the IP address of the machine in the network that made the request to fetch the desired web page.

Requests

Requests shows the total number of requests made by clients, which can be helpful to identify the load per requested URL/Domain.

Method

The Method field shows HTTP methods like GET, POST, CONNECT etc.

Details

GET: It is basically for just getting (retrieving) data.

POST: POST involves things like storing or updating data, ordering a product, or sending e-mail.

CONNECT: The CONNECT method is often used with a proxy that can change to being a Secure Sockets Layer (SSL) tunnel. CONNECT is used for https requests.

URL

The URL field displays the current URLs that are requested, as well as served.

Idle

Idle is the field that shows the time for which a request has been lying idle in the queue, waiting to be served.


7.2 Statistics

This displays statistics based on real-time data, with reference to various parameters like System, Requests, Network, DNS cache, Cache, Cache refresh, Connection pool, Hosts, Mimes, Users and IP addresses.

Statistics

System

The System subsection displays information on the usage of system resources.

User time: Displays the total amount of CPU time, in seconds, that SafeSquid® has used. User time is CPU time spent executing the user program, rather than in kernel system calls. User time is displayed in HH:MM:SS:ms.

System Time: Total CPU time, in seconds, used in making the kernel / system calls to service SafeSquid®. Units are in HH:MM:SS:ms format.

Note: The resource usage statistics depend on a 1:1 thread model. Due to the limitations of the APIs used to gather this information, using other thread libraries may result in inaccurate statistics.

Memory resident: The amount of memory used by the memory resident processes of SafeSquid®. These are TSRs, i.e. Terminate and Stay Resident processes. For example, URL Blacklist loads the URL blacklists into memory, where they remain until SafeSquid® is shut down. Details: Memory resident means permanently in memory. Normally, a computer does not have enough memory to hold all the programs you use when you want to run a program. Therefore, the operating system is obliged to free some memory by copying data or programs from main memory to a disk. This process is known as swapping. Certain programs, however, can be marked as being memory resident, which means that the operating system is not permitted to swap them out to a storage device; they will always remain in memory.

Memory Shared: The amount of memory occupied by shared libraries like libstdc++, so3, libpam. This may increase or decrease depending upon the add-on modules or other software that we use in conjunction with SafeSquid®. Details: Shared memory refers to a (typically) large block of random access memory that can be accessed by several different central processing units (CPUs) in a multiple-processor computer system.

Minor Page faults: Gives the total number of minor page faults since the startup of the SafeSquid® processes.

Major Page faults: Represents the total number of major page faults since the startup of the SafeSquid® processes. Details: SafeSquid® is a caching proxy. It may have to look inside the cache to serve contents, and also sometimes to serve templates. Similarly, SafeSquid® generates logs. SafeSquid® could also be invoking other applications. So SafeSquid® performs a lot of memory swapping and disk I/O. The Statistics page displays the various aspects of this activity as minor and major page faults, besides any errors if they occur. An interrupt occurs when a program requests data that is not currently in real memory. The interrupt triggers the operating system to fetch the data from virtual memory and load it into RAM. An invalid page fault or page fault error occurs when the operating system cannot find the data in virtual memory. This usually happens when the virtual memory area, or the table that maps virtual addresses to real addresses, becomes corrupt. Minor page faults are the number of hard page faults (i.e. those that required I/O). Major page faults are the number of times a process was swapped out of physical memory.

Requests

The Requests subsection gives information on the total number of HTTP, FTP and CONNECT requests fulfilled since the last startup of the SafeSquid® processes. This quickly tells you about the different protocols being serviced through your proxy server.


Network

For administrators it is very important to know the amount of data that has been put through. The Network subsection gives information on Total Successful connections, Failed connections, DNS failures and Total Bytes transferred in/out of the network, since the latest startup of the SafeSquid® processes. This helps you to set various parameters in SafeSquid® and the system's network settings for improved performance. For example, if you see too many DNS failures, you may need better connectivity to your DNS servers. Similarly, if you see too many failed connections and your logs say that they were genuine requests, then either your network is saturated or you need a better ISP.

DNS Cache

When a request is made, its web server address is resolved from the DNS servers. SafeSquid® has a DNS cache to store these resolved addresses for future use. This can dramatically reduce latency. This section gives the total Hit Ratio and Miss Ratio. A HIT means that the name was found in the DNS cache; a MISS, that it was not found in the DNS cache.

Cache, Cache Refresh & Connection Pool

This section gives the total Hit Ratio and Miss Ratio of the Cache. A HIT means that the requested content was found in the cache; a MISS, that it was not found in the cache.

Cache Refresh

You can configure SafeSquid® to revalidate the cached content after a defined interval. If need be, SafeSquid® refreshes the content and serves the relevant content to the clients, depending on the various parameters you set in the 'Cache' section. Quite often, SafeSquid® could discover that the cached content had become obsolete. This is recorded as a miss in the Cache Refresh subsection.

Connection Pool

Connection Pool shows the number of times a connection was available for a request and the number of times a new connection had to be created for a particular request. The number of times a connection was found in the connection pool is counted as a hit, and the number of times the proxy had to establish a new connection is counted as a miss.

Hosts

This section shows the sites that are most frequently accessed by users, and the number of requests for a particular host along with its usage percentage.

Mimes

The Mimes subsection displays the MIME types being accessed, and the usage percentage of each.

Users

The Users subsection displays users and their respective usage percentage of the proxy services. If authentication is enabled, the Users section displays usernames and the number of requests they have made; otherwise it displays anonymous.


IP Addresses

IP addresses of the machines that have made requests, along with their respective usage percentage.


7.3 DNS Cache

DNS resolution is a very important part of Internet surfing. Whenever a request is made, the proxy has to resolve the address of the web server. This incurs latency. Hence, to reduce this latency, SafeSquid® maintains a DNS cache in which it stores all resolved DNS addresses. When another request is made for the same web site, SafeSquid® can easily get the address from the DNS cache. These entries remain in the DNS cache for 360 seconds and are then refreshed, i.e. after 360 seconds the proxy has to resolve the name again.

DNS Cache

Hostname

The host name of the requested page.

IP Address

The IP address of that host.

Age

The age of the respective entry in the DNS cache, i.e. how long the entry has been residing in the DNS cache.
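The behaviour described here and in the DNS Cache part of the Statistics section (entries live for 360 seconds, each lookup is either a hit or a miss, and the interface shows hostname, address and age) can be modelled in a few lines. The following is an added example, not SafeSquid's implementation: a TTL cache with an injectable resolver and clock, so that expiry after 360 seconds, the age column and the hit ratio can be exercised without touching the network. The hostname and address in the demonstration are constructed.

```python
"""A TTL cache illustrating the DNS Cache page and its hit/miss statistics."""
import time
from typing import Callable, Dict, List, Optional, Tuple

DNS_CACHE_TTL = 360  # seconds, as stated in the manual


class DnsCache:
    """Caches resolved addresses for `ttl` seconds, then re-resolves.

    `resolver` maps a hostname to an address string; `clock` returns the
    current time in seconds and is injectable so expiry can be tested.
    """

    def __init__(self, resolver: Callable[[str], str],
                 ttl: int = DNS_CACHE_TTL,
                 clock: Callable[[], float] = time.time) -> None:
        self._resolver = resolver
        self._ttl = ttl
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # host -> (address, inserted_at)
        self.hits = 0
        self.misses = 0

    def lookup(self, hostname: str) -> str:
        """Return the address, from the cache if the entry is younger than the TTL."""
        now = self._clock()
        entry = self._entries.get(hostname)
        if entry is not None and now - entry[1] < self._ttl:
            self.hits += 1
            return entry[0]
        self.misses += 1                       # absent or expired: resolve again
        address = self._resolver(hostname)
        self._entries[hostname] = (address, now)
        return address

    def age(self, hostname: str) -> Optional[float]:
        """Seconds the entry has been in the cache, or None if not cached."""
        entry = self._entries.get(hostname)
        return None if entry is None else self._clock() - entry[1]

    def table(self) -> List[Tuple[str, str, float]]:
        """Rows as the DNS Cache page shows them: hostname, IP address, age."""
        now = self._clock()
        return [(host, addr, now - inserted) for host, (addr, inserted) in self._entries.items()]

    def hit_ratio(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def demo() -> Tuple[int, int]:
    """Drive the cache with a fake clock: two hits inside the TTL, one expiry.
    Returns (resolver calls, cache hits)."""
    calls: List[str] = []

    def fake_resolver(host: str) -> str:        # constructed, no network access
        calls.append(host)
        return "203.0.113.10"

    now = [1000.0]
    cache = DnsCache(fake_resolver, clock=lambda: now[0])
    cache.lookup("example.com")                  # miss, resolved
    cache.lookup("example.com")                  # hit
    now[0] = 1359.0
    cache.lookup("example.com")                  # hit, age 359 < 360
    now[0] = 1361.0
    cache.lookup("example.com")                  # expired: miss, resolved again
    return len(calls), cache.hits


if __name__ == "__main__":
    print(demo())
```

A low hit ratio on the Statistics page combined with many DNS failures in the Network subsection points at resolver reachability rather than at the cache itself, which only ever holds what was successfully resolved.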


7.4 Show Headers

This section has two subsections, Unfiltered and Filtered. It describes the details of the client (browser) headers. The Unfiltered subsection displays the Type and Value of the unfiltered headers; similarly, the Filtered subsection displays the Type and Value of the filtered headers.

Show Headers

Host

Shows the Host Name.

User-Agent

The Browser that is being used.

Accept

Shows the accepted value of the headers that are unfiltered / filtered.

Accept-Language

Specifies the language that is acceptable, i.e. content on pages should be displayed in the specified Accept-Language. For example, "en-us" specifies that all the pages should be served in US English.

Accept-Encoding

The value of header types for which encoding should be accepted / allowed. For example: safesquid.cfg

Proxy-Connection

The type of connection for the proxy server. For example, the Keep-alive value keeps the connection alive until it is explicitly switched off.

Referer

This is the address or URI (Unique Resource Identifier) of the document (or element within the document) from which the URI in the request was obtained. The referrer allows a server to generate lists of back-links to documents, for interest, logging, etc. It allows bad links to be traced for maintenance.


7.5 View Cache Entries

SafeSquid has a multi-tier cache. This section gives information related to the cache volumes. It displays the list of cache files, and gives users the option to search through them and, if required, selectively delete them using the "Delete Matches" option.

The Cache Information section gives information for the Memory Cache and Disk Cache volumes. It shows the total number of objects, the total size of those objects in bytes, and the percentage of the total cache used. It also displays the path of the various Disk Cache volume(s).

Figure 1


The Regular Expression Match section has a text box where you can enter a regular expression or any word; the corresponding matches are found in the Memory Cache as well as the Disk Cache and displayed. Figure 2 displays the result of the search for 'yimg'. The result displays the URL, the size in bytes and whether the content exists in the Memory and / or Disk Cache.

Figure 2

You can also filter content on the basis of content modification date, accessed date and file size. All the URLs that meet the specified filter criteria are displayed below the regular expression match section.

The "Delete matches" option allows you to delete the resulting matches.

Note: If you want to delete all the cache entries, leave the text box blank, select the "Delete matches" option, and click on the submit button.

The details of the content can be seen by clicking on the URL of a content item, as shown in Figure 3.


Figure 3

Details:

MD5 sums are 32 byte character strings that are the result of running the MD5 sum program against a particular file. Since any difference between two files results in two different strings, MD5 sums can be used to determine that the file or ISO you downloaded is a bit-for-bit copy of the remote file or ISO. If you are running one of the GNU/Linux distributions, you should already have the MD5 program installed.

Epoch is an instant of time selected as a point of reference. In Linux, this time is taken as 1st January 1970. Epoch time is the time represented as the total number of seconds from the instant selected as the point of reference, i.e. the epoch; hence the term Epoch time.


7.6 Connection Pool

This link displays information on the current connection(s) that are being held open in the connection pool and / or awaiting reuse.

The details displayed are Protocol, Host, Port, Username (if authentication is enabled) and the Age in seconds since the connection was opened.


7.7 Prefetch Queue

The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML (not just images) to be pre-fetched and cached. Prefetching is a good way to improve retrieval time: it reduces resource retrievals and improves retrieval time.

This link allows you to add the web page URLs that you would like to prefetch and cache.

These entries are reflected in Active Connections with the IP shown as 0.0.0.0 and the method as "PREFETCH".


7.8 URL Blacklist

The URL Blacklist consists of a list of thousands of domains and URLs, divided into various categories and stored in flat files. This section allows you to search these categories to find out whether a specific Domain, URL or File is present in the URL Blacklist and, if it is, in what category.

You can search for a domain or a file by entering your query (regular expressions are supported) in the corresponding text box and clicking on the 'Submit' button. The result lists the category in which a match was found, the Domains that matched the query and the paths to the matched Domains.

Note: See URL Blacklist under the Config Section for installing and configuring the URL Blacklist.


7.9 View Log Entries

'View log entries' displays a blow-by-blow account of recent activities. It can be used to monitor all transactions, track specific transactions, check events for troubleshooting, and check for errors, warnings and advice.

The 'Regular Expression match' field allows you to search for specific events using regular expressions.

'Log Buffer size' allows you to specify the number of entries from the log that you want to see at a time.

The Clear option lets you clear the whole buffer, or only the entries filtered with the 'Regular Expression match' option.

Image 11.0.


7.10 Save Settings

When SafeSquid starts, it loads the configuration file (config.xml) into the system's memory. When you make any changes to the rules / policies from the SafeSquid interface, these changes are made in the configuration held in memory, and would be lost if the SafeSquid service, or the server, is stopped or restarted. Use the 'Save settings' link to make the changes permanent. It copies / saves the configuration in memory to the location specified in the 'Filename' field. The default path to the configuration file is /opt/safesquid/safesquid/config.xml.

On successfully copying the file to the specified location, you should get a "File saved" message.

Image 12.0

This option can also be used to take a backup of the existing config file before you make any changes to the original file.

For example, before attempting any changes to the existing configuration, you could click on 'Save settings' and back up the original file by specifying the 'Filename' as /opt/safesquid/safesquid/config_org.xml.


7.11 Load Settings

The 'Load settings' option is used either to load and completely overwrite the existing configuration file with another, or to import rule snippets into the current configuration file.

Overwrite configuration

For example, suppose you make changes to the existing configuration from the interface, do not save the recent changes with the 'Save settings' option, and want to revert to the original configuration. To do this, just click on the 'Load settings' option. The default path is displayed in the 'Filename' field. Click on 'Submit' while leaving the 'Overwrite' option set to 'Yes'.

This option can also be used if you have more than one configuration file and would like to change over, in real time, from the one you are currently using to another.

Note: When SafeSquid is started, it by default uses the configuration file specified in the CONFIG_FILE parameter in startup.conf. The default value of this parameter is /opt/safesquid/safesquid/config.xml. If you have multiple configuration files, the configuration file that you want to be loaded on startup should always be the one specified in the CONFIG_FILE parameter in the startup.conf file. The value of CONFIG_FILE can be changed by running /etc/init.d/safesquid adjust.

Import rule snippet

Rule snippets are short, specific rules created to perform specific tasks. For example, safesearch.xml, which is available from the SafeSquid Download page, can be imported into your existing configuration file (config.xml) to enforce Google Safe Search. Similarly, porn_keypwords.xml and anonproxy.xml are rule snippets for Keyword Filtering rules, to block porn and anonymous proxy websites.

To import rule snippets, download the rule snippet file to the SafeSquid server, click on 'Load settings', specify the path of the snippet file in the 'Filename' field, change 'Overwrite' to 'No', and click on 'Submit'. If the file is successfully loaded, you should get the message 'File loaded'. Changing 'Overwrite' to 'No' adds the file being loaded into your current configuration file.

Instead of downloading and copying the snippet file to the server, you can also specify the URL of the file in the 'Filename' field. For example, the URL of the safesearch.xml file is http://downloads.safesquid.net/free/general/sample_rules/safesearch.xml. But since access to this file requires you to authenticate with your SafeSquid Forum ID, you can type this URL in the 'Filename' field:

http://username:password@downloads.safesquid.net/free/general/sample_rules/safesearch.xml

Replace the username:password in the URL with your forum username and password.

Note: The rule snippet gets imported into the configuration loaded in the server's memory, and becomes active in real time. To make the changes permanent, you need to click on 'Save settings' and save the config.xml file. The changes will be lost when the SafeSquid service is restarted if you don't save the file.


Image 13.0


7.12 Config Section

Config opens a drop-down dialog which contains all the configurable features of SafeSquid®. Select any feature you want to view, configure or modify and click the Submit button. When you select a feature, the page displayed shows the entire list of rules and the current settings of that feature, which can be modified as per your requirements. Intuitive tool tips are provided for every option available on the page, to guide you through each and every option.

All the features show various Options and their corresponding Values. 'Search Entries' allows you to search through all the sections for a specific option or value.


7.12.1 Basic Behaviour

The "General" section in the SafeSquid Interface allows you to configure options that affect the overall operation of the proxy server. These options mainly depend on your network infrastructure, like the availability of Internet resources, network resources, network traffic, etc.

'Profiles' allow you to very granularly configure the way various content is processed, depending on the content type, like text, application, embedded, etc.

The options in this section must be set very carefully, as they most comprehensively affect your implementation of SafeSquid.

general section

The global section gives access to configuration options that affect the overall operation of the proxy server.

Option                          Value

Proxy hostname                  localhost

Temporary directory             /tmp

Web interface line length       150

Connection pool size            20

Connection pool timeout         60

General section, Add subsection (one rule per set of profiles)

Option                          Value

Enabled                         true

Profiles                        embedded

Connection timeout              30

Header timeout                  120

Keepalive timeout               120

Maximum download buffer size    1M

Maximum upload buffer size      500K

Buffer wait time                0

CONNECT ports                   80,443

Compress outgoing               true

Compress incoming               true

Add X-Forwarded-For header      true

Add Via header                  true


'Add' in General Section

Option                          Value

Enabled                         Yes / No

Comment

Profiles

Connection timeout              10

Header timeout                  60

Keepalive timeout               120

Maximum download buffer size    10M

Maximum upload buffer size      500K

Buffer wait time

CONNECT ports

Always compress mimetype

Compress outgoing               Yes / No

Compress incoming               Yes / No

Add X-Forwarded-For header      Yes / No

Add Via header                  Yes / No

General section

Proxy hostname

The hostname of this proxy, if not defined in startup.conf. The Proxy Hostname defined during SafeSquid installation, and stored in startup.conf, takes precedence over this value. This needs to be configured properly for CARP (Cache Array Routing Protocol) and Web interface requests through HTTP to work. Give here the hostname of the proxy by which you will be accessing the Web interface. If you want to access the proxy by IP address, you can put the IP address of the SafeSquid proxy server. Give a hostname that is defined in DNS, so that you can access it from any machine in your intranet or on the internet.

Temporary directory

The directory in which temporary files are stored. The default path is /tmp. If you want to change this, create a directory with 777 permissions and specify the path here.

Web interface line length

The maximum length of a string with no spaces before an explicit break is placed in it. This is required since lines without spaces won't wrap in a table, which may cause Web interface table formatting problems. Normally, this parameter does not require any changes.


Connection pool size

The number of keep-alive connections, made to HTTP and FTP servers, to be kept in the connection pool. These connections are shared between threads.

Connection pool timeout

The time in seconds a connection may remain in the connection pool before being closed. This value should be increased if the Internet connection is slow.

Add subsection

You can granularly assign a specific set of values to various content types by creating a different Profile for each content type in the 'Profiles' section. These profiles can then be used in this section to allot them different values.

Enabled

This option allows you to enable or disable a specific rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles to which this rule should apply. The rule applies to everything if this field is left blank.

Connection timeout

The timeout in seconds to wait for a connection to be established before giving up. SafeSquid will wait for the specified duration for the target server to respond. If this value is exceeded, SafeSquid closes the connection and sends a template to the requesting user saying that the connection failed. This value can be increased if the Internet connection is slow.

Header timeout

The timeout in seconds to wait for a client to make the initial HTTP request by sending request headers. SafeSquid tries to get the initial headers during this time. If it fails, SafeSquid sends the 'Connection failed' template to the user. You can increase the time if the network connection is slow.

Keepalive timeout


After an HTTP session is established, data must be exchanged periodically to ensure that the session is still alive. The keepalive timeout defines the time in seconds that the SafeSquid server should wait before closing the session. This is the timeout value for persistent connections: SafeSquid closes keepalive connections if they are idle for this amount of time. The default is 120 seconds and does not need to be changed. SafeSquid, being multi-threaded, allows the use of the same connection for multiple requests. The advantage is that fewer connections need to be opened, for individual users, to the same server.

Maximum download buffer size

The maximum size in bytes of content that is buffered for processing by the Rewrite document, Keyword Filter and external programs like Anti Virus. You can define the value depending on the type of content. If you want to handle large data files, you can increase the value.

Maximum upload buffer size

The maximum size of upload content that is stored in memory for processing. Content larger than the specified value will be sent directly without processing. Having an upload buffer that is too large will cause the browser to time out, since all the data is received by SafeSquid immediately but may take more time to process and transfer to the website.

Buffer wait time

The maximum time a file can be buffered before a message is sent to the client indicating that it is being downloaded and that they should retry.

CONNECT ports

The ports on which outgoing CONNECT requests are allowed to be made. You can disable connections through the proxy to certain ports by not specifying their port numbers here. Each port or port range should be separated by a comma.

Always compress mimetype

A regular expression matching the MIME types which should always be buffered and compressed, even if they would not be buffered otherwise. Specify here the regular expression for the MIME types. This will speed up the proxy process. The regular expression for the MIME type of a binary file (i.e. application/octet-stream) is ^application/octet-stream.

Compress outgoing

Toggle gzip or deflate encoding of outgoing processed content if the client supports it. If the proxy server is running locally, it is recommended to disable this feature.

Compress incoming

This option will make SafeSquid attach an Accept-Encoding header that lets the Web server know that it can accept gzip and deflate content encoding, regardless of whether or not the browser making the request supports it; if the browser doesn't support it, the content will be buffered and decompressed before sending.

Add X-Forwarded-For header

This option will add a header that lets an upstream proxy or Web server know the IP address where the original request came from.

Add Via header

This option will add a header that lets an upstream proxy or Web server know which proxy server the request passed through.


7.12.2 URL Blacklist

This section allows you to use a URL blacklist obtained from www.urlblacklist.com to restrict access to websites based on content category, like porn, adult, webmail, jobsearch, entertainment, etc. The site www.urlblacklist.com maintains a well categorized list of various web-sites and pages. This is an excellent resource for an administrator seeking to granularly enforce a corporate policy that allows or disallows only certain kinds of web-sites to be accessible by specific users, groups or networks.

The Commercial Edition of SafeSquid® and all Composite Editions, including the Free Composite Edition, allow administrators to use urlblacklist very easily and with the desired level of sophistication. You can use this feature by downloading the trial urlblacklist database from urlblacklist.com.

urlblacklist section

This section allows you to use a URL blacklist to restrict access to Websites based on content category.

Option Value

Enabled Yes: (x) No: ( )

Policy Allow: (x) Deny: ( )

Blacklist path /opt/safesquid/urlbl/

Default template

Submit

Allow subsection (no rules defined)

Deny subsection

Option Value
Enabled true
Comment Globally block access to the URL Blacklist categories 'adult' and 'porn'
Categories adult,porn

Option Value
Enabled true
Comment Block access to the URL Blacklist categories 'jobsearch' for everyone except HRD Profile
Profiles !HRD
Categories jobsearch


urlblacklist section

Enabled

This option allows you to enable, or completely disable, the URL Blacklist section, irrespective of the rules defined in the section.

Value:
Yes - Enable URL Blacklist section
No - Disable URL Blacklist section

Policy

Defines the Global Policy for the URL Blacklist Section

Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection

Blacklist path

The path to the urlblacklist database. The default path is /opt/safesquid/urlbl. Untar (unzip) the downloaded urlblacklist database here. Please note that the complete database is loaded into system memory when the SafeSquid service starts. If you plan to use only specific categories, then copy only those category directories to this location. This will help save memory, which would otherwise be used up unnecessarily by unwanted categories.

Default template

The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.

Allow / Deny subsection

You can define rules either under the Allow or the Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to the adult, porn and jobsearch categories.

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does


Profiles

A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.

Categories

A comma separated list of URL Blacklist categories, existing in the Blacklist path, that you want to allow / deny.

Template

Template to display when this specific rule matches. If left blank, the Default template is used.
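The lookup and rule logic described in this section, as an added example that is not SafeSquid's own code: it assumes the urlblacklist.com layout of one directory per category holding a 'domains' file (one domain per line, the 'urls' file is ignored), treats a host as belonging to a category when it or any parent domain is listed, loads only the categories you want (the memory-saving advice above), and evaluates the two Deny rules shown earlier under Policy 'Allow'. The category data is constructed for the example.

```python
"""Toy model of the URL Blacklist section (added example, not SafeSquid code).

Assumptions: category directories hold a 'domains' file with one domain per
line; a host matches a category if it or any parent domain is listed; rules
are checked in order and, with Policy 'Allow', the first matching enabled
Deny rule denies the request. CATEGORY_FILES below is constructed data that
stands in for <Blacklist path>/<category>/domains."""
from __future__ import annotations
from dataclasses import dataclass, field

CATEGORY_FILES = {
    "adult": "example-adult.test\nnsfw.example\n",
    "porn": "badsite.test\n",
    "jobsearch": "jobs.example\ncareers.example\n",
    "entertainment": "movies.example\n",   # an unwanted category: not loaded below
}


def load_blacklist(files: dict[str, str], wanted: set[str]) -> dict[str, set[str]]:
    """Build a domain -> categories index from only the wanted categories."""
    index: dict[str, set[str]] = {}
    for category, text in files.items():
        if category not in wanted:
            continue
        for line in text.splitlines():
            domain = line.strip().lower().rstrip(".")
            if domain and not domain.startswith("#"):
                index.setdefault(domain, set()).add(category)
    return index


def categories_for(index: dict[str, set[str]], host: str) -> set[str]:
    """Check the host and then each parent domain (www.badsite.test hits badsite.test)."""
    labels = host.lower().rstrip(".").split(".")
    found: set[str] = set()
    for i in range(len(labels) - 1):
        found |= index.get(".".join(labels[i:]), set())
    return found


@dataclass
class BlacklistRule:
    comment: str
    categories: set[str]                                       # Categories field
    required_profiles: set[str] = field(default_factory=set)   # Profiles: name
    excluded_profiles: set[str] = field(default_factory=set)   # Profiles: !name
    enabled: bool = True

    def matches(self, host_categories: set[str], carried: set[str]) -> bool:
        if not self.enabled:
            return False
        if self.required_profiles and not self.required_profiles <= carried:
            return False
        if self.excluded_profiles & carried:
            return False
        return bool(self.categories & host_categories)


# The two Deny rules shown in the section above (Policy = Allow).
DENY_RULES = [
    BlacklistRule("Globally block 'adult' and 'porn'", {"adult", "porn"}),
    BlacklistRule("Block 'jobsearch' for everyone except HRD", {"jobsearch"},
                  excluded_profiles={"HRD"}),
]
INDEX = load_blacklist(CATEGORY_FILES, wanted={"adult", "porn", "jobsearch"})


def is_allowed(host: str, carried_profiles: set[str]) -> bool:
    """Policy 'Allow': the request passes unless some Deny rule matches it."""
    cats = categories_for(INDEX, host)
    return not any(r.matches(cats, carried_profiles) for r in DENY_RULES)
```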


7.12.3 Access Control

The 'Access Restrictions' section allows you to control who can access the proxy server, and to what extent. This is where you define who is allowed to access SafeSquid, from where, whether the user should be authenticated, by what method, etc. You also define the profile of a user here, which will then be used in other sections to control his access.

Access Restrictions (access section)

The access feature is used to control who can access the proxy server, and to what extent.

Option Value

Policy Allow: ( ) Deny: (x)

Submit

Allow subsection

Option Value
Enabled true
Comment This default rule allows access to every users of the network with IP address and username field left blank.
PAM authentication false
Access config,proxy,http,transparent,connect,bypass,urlcommand

Deny subsection (no rules defined)


'Add' Sub-Section

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

IP Address

PAM authentication

User name

Password

Access: Web interface [x] Proxy requests [x] HTTP requests [x] Transparent proxying [x] CONNECT requests [x] Allow bypassing [x] URL commands [x]

Bypass: URL filtering [ ] Header filtering [ ] Mime filtering [ ] URL redirecting [ ] Cookie filtering [ ] Document rewriting [ ] External parsers [ ] Forwarding [ ] Keyword filtering [ ] DNS blacklist [ ] Limits [ ] Antivirus [ ] ICAP [ ] URL blacklist [ ]

Interface username

Interface password

Added profiles

Submit


Access Section

Policy

Default action to take when no matching entry is found. Defines the global Policy for the Access section.

Value:
Allow - Allow everyone, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everyone, and allow ONLY the rules under the 'Allow' subsection

'Add' subsection

When Policy is 'Deny', you can add rules under Allow that explicitly allow all, or a specific set of, conditions. This effectively allows you to set up a variety of intelligently and creatively defined Access Control whitelist(s). When Policy is 'Allow', you can add rules under Deny that explicitly block or deny access to all, or a specific set of, conditions. This effectively allows you to set up a variety of intelligently and creatively defined Access Control blacklist(s).

Enabled

This option allows you to enable or disable a specific rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

Profiles cannot be used under the Access Restrictions section. This is a dummy field.

IP Address

A regular expression matching the IP addresses this entry applies to. Leaving this field blank will cause the entry to match all IP addresses. You can enter a single IP (e.g. 192.168.0.25), a comma separated list of IPs (e.g. 192.168.0.25,192.168.0.29) and / or IP ranges (e.g. 192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46). When used in conjunction with username & password, it binds the user to the specified IP(s), i.e. the user is allowed access only from the specified IP(s).

PAM authentication

PAM is an acronym for Pluggable Authentication Modules. PAM is an authentication system that controls access to a Linux system. It allows you to authenticate users against external authenticating mechanisms like Samba, Active Directory, Radius, POP3, a MySQL database, etc.


If this option is selected, clients will be required to authenticate with the proxy, and PAM will be used to authenticate the username and password. This option will work only if the proxy is configured and compiled with PAM support. For details about configuring it, check Working with PAM.

User name

With PAM selected:
If PAM is selected, this field is used to specify a username on the authenticating mechanism. If left blank, it allows any username that exists on the authenticating mechanism. Since this field is a regular expression, you can also specify multiple usernames, separated with a pipe, that exist on the authenticating mechanism. This is useful if you would like to allow only specific users to access SafeSquid, or would like to create a group profile. For example, if you would like to allow only the usernames john, ali & sean, you should enter (john|ali|sean) in this field.

Another thing to note is that if you specify any IP(s) in the 'IP Address' field, the user(s) will be allowed access only from the specified IP(s). If the IP Address field is blank, the user(s) will be allowed access from any IP.

Without PAM selected:
Without PAM, this field can be used to create usernames. To create a username, simply enter the username in this field, and the password in the 'Password' field. Entering a username and password will cause an authentication challenge when a user tries to access SafeSquid. The user will then be allowed access only if he supplies the entered username and password.

Another thing to note is that if you specify any IP(s) in the 'IP Address' field, this user will be allowed access only from the specified IP(s). If the IP Address field is blank, the user will be allowed access from any IP. Leaving this field blank will allow access without authentication.

Password

With PAM selected:
If PAM is selected, this field should be left blank, since the password for the specified user(s) is verified by the authentication mechanism.

Without PAM selected:
Without PAM selected, this is where you specify the password for the user specified in the 'User name' field.

Access

The Access field allows you to select the types of request a user is allowed to make:

Web interface: Allowed access to the SafeSquid Management Interface (http://safesquid.cfg)

Proxy requests: Allowed to make regular proxy requests.


HTTP requests: Allowed to make regular HTTP requests to the proxy (for Web interface and other redirect requests set in the SafeSquid proxy).

Transparent proxying: Allowed to make transparent proxy requests (must be allowed to make HTTP requests as well).

CONNECT requests: Allowed to make CONNECT requests.

Allow bypassing: Allowed to use the special xx--bypass URL command to bypass filters.

URL commands: Allowed to use the special xx-- URL commands. Check Use URL Commands for details.

Bypass

This section allows you to exempt VIP users from the effects of the listed filter sections. This can also be useful in diagnosing a denial event. The filter sections that can be bypassed are:
· URL Filter
· Header Filter
· Mime Filter
· URL Redirecting
· Cookie Filter
· Document Rewrite
· External Parsers
· Forwarding
· Keyword Filter
· DNS Blacklist
· Limits
· Antivirus
· ICAP
· URL blacklist

Interface username

This field, along with Interface password, can be used to secure access to the SafeSquid Interface (http://safesquid.cfg). Users will have to give the specified Interface username and password to get access to the interface.

It can also be used to give a different username and password to each administrator, when more than one administrator manages the proxy.

Interface password

Password for 'Interface username' field.

Added profiles

This is where you 'create' a profile for users, to identify or classify them and give them further access rights.

For example, if you wanted to identify IP addresses 192.168.0.5-192.168.0.15 as the 'accounts' department, you specify the IP range in the 'IP address' field and in 'Added profiles' you should mention 'Accounts'.

With PAM enabled, you can create a group of users by specifying a pipe separated list of usernames existing on the authenticating mechanism, e.g. (john|ali|sean), and specifying the group name, e.g. Accounts, in the Added profiles field.

Without PAM, you will have to create a separate rule for each user, with username and password, and specify the group each belongs to in the Added profiles field.

The value of the Added profiles field is then used in the 'Profiles' and other filter sections, to collectively allow or deny the users access to various content.

Check Profiled Internet Access for details.
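The Access Restrictions evaluation described in this section, as an added example that is not SafeSquid's own code: it models the IP Address field (single IPs, comma separated lists and dash ranges), the User name regular expression, Password, PAM, the Access checklist, Added profiles and the global Policy with its Allow / Deny subsections. Assumptions: the first matching rule decides, the Access keywords are those of the default rule shown above, and the constructed PAM_USERS table stands in for the external authenticating mechanism.

```python
"""Toy model of the Access Restrictions section (added example, not SafeSquid code).

Assumptions: rules are tried in order and the first match decides; with PAM
selected the password is checked against PAM_USERS, a constructed stand-in for
the external authenticating mechanism; without PAM it is checked against the
rule's own Password field. All passwords below are placeholders."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

PAM_USERS = {"john": "john-pw-placeholder", "ali": "ali-pw-placeholder",
             "bob": "bob-pw-placeholder"}


def parse_ip_field(spec: str) -> list[tuple[int, int]]:
    """'192.168.0.25,192.168.0.36-192.168.0.46' -> inclusive integer ranges.
    A blank field yields [] and is treated as 'all addresses'."""
    ranges = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        lo, _, hi = item.partition("-")
        a = int(ipaddress.ip_address(lo))
        b = int(ipaddress.ip_address(hi)) if hi else a
        ranges.append((a, b))
    return ranges


def ip_matches(spec: str, client_ip: str) -> bool:
    ranges = parse_ip_field(spec)
    n = int(ipaddress.ip_address(client_ip))
    return not ranges or any(lo <= n <= hi for lo, hi in ranges)


@dataclass
class AccessRule:
    comment: str
    ip_address: str = ""
    pam: bool = False
    user_name: str = ""                 # regex; blank = no credentials demanded
    password: str = ""                  # used only when pam is False
    access: frozenset[str] = frozenset({"proxy", "http", "transparent", "connect"})
    added_profiles: frozenset[str] = frozenset()
    enabled: bool = True

    def credentials_ok(self, user: str | None, pwd: str | None) -> bool:
        if not self.user_name:
            return True
        if user is None or not re.fullmatch(self.user_name, user):
            return False
        if self.pam:
            return PAM_USERS.get(user) == pwd    # verified by the mechanism
        return pwd == self.password              # verified against this rule

    def matches(self, client_ip: str, user: str | None, pwd: str | None) -> bool:
        # A username combined with an IP list binds that user to those IPs.
        return (self.enabled and ip_matches(self.ip_address, client_ip)
                and self.credentials_ok(user, pwd))


@dataclass
class AccessSection:
    policy: str                                   # "Allow" or "Deny"
    allow: list[AccessRule] = field(default_factory=list)
    deny: list[AccessRule] = field(default_factory=list)

    def evaluate(self, client_ip: str, request_type: str,
                 user: str | None = None, pwd: str | None = None) -> tuple[bool, set[str]]:
        """Return (permitted, profiles the request now carries)."""
        if self.policy == "Deny":              # whitelist: only Allow rules admit
            for r in self.allow:
                if r.matches(client_ip, user, pwd):
                    return request_type in r.access, set(r.added_profiles)
            return False, set()
        for r in self.deny:                     # blacklist: Deny rules reject
            if r.matches(client_ip, user, pwd):
                return False, set()
        return True, set()


ACCESS = AccessSection(policy="Deny", allow=[
    AccessRule("Accounts department workstations", ip_address="192.168.0.5-192.168.0.15",
               added_profiles=frozenset({"Accounts"})),
    AccessRule("PAM group of VIP users, from anywhere", pam=True, user_name="(john|ali|sean)",
               access=frozenset({"proxy", "http", "connect", "bypass", "urlcommand"}),
               added_profiles=frozenset({"VIP"})),
    AccessRule("Web interface only from the admin host", ip_address="192.168.0.2",
               user_name="admin", password="admin-pw-placeholder",
               access=frozenset({"config", "proxy", "http"})),
])
```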


7.12.4 Profiles

SafeSquid's Profiles feature allows you to accommodate the demands of extremely granular rules for Internet access privileges and restrictions. The 'Profiles' section allows you to very precisely define situations. Each situation thus defined is referred to as a Profile. Each Profile can be defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the various filtering sections in SafeSquid. You can thus ensure that filtering action happens exactly as required.

Check Profiled Internet Access, which explains the use of Profiles for granular Internet access.

The parameters that are available for defining a profile are explained below.

Profiles 'Add' subsection

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Protocol

Host

File

Mime type

Port range list

URL Command

Proxy host

Request header pattern

Response header pattern

Month range [ ] active January to January

Day range [ ] active 0 to 0

Weekday range [ ] active Sunday to Sunday

Hour range [ ] active 0 to 0

Minute range [ ] active 0 to 0

Time match mode Absolute: (x) All ranges: ( )

Added profiles

Removed profiles

Submit


'Add' Subsection

The following parameters can be used to define a profile:

Enabled

This option allows you to enable or disable a specific profile.

Value:
Yes - Enable this profile
No - Disable this profile

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of previously created profile(s) (either in the Access Restrictions or in the Profiles section) to which this rule should apply. Applies globally if left blank.

Protocol

A regular expression matching the protocol this entry applies to, e.g. ^ftp$, ^http$, etc. Applies to all protocols if left blank.

Host

A regular expression matching the hosts this entry applies to, e.g. (example.com|mysite.com|yoursite.com). Applies to all hosts if left blank.

File

A regular expression matching the file (the part of a URL that follows the hostname) this entry applies to, e.g. (cgi-bin|\?) will apply to queries in a URL. Applies to everything if left blank.

Mime type

A regular expression matching the MIME type this entry applies to, e.g. "^image/" will match all image files. Applies to all MIME types if left blank. MIME type matching is done after receiving the server header, so it may only be used for certain features; header filtering, cache refresh policy and cache store selection are done before the server header is received.

Port range list

A comma separated list of ports or port ranges this entry applies to, e.g. a value of "80,21-25" means port 80 and the port range from 21 to 25. Applies to all ports if left blank.

URL Command

A comma separated list of URL commands which will activate this entry. Applies to all commands if left blank. Check Use URL Commands for details.

Proxy host

A regular expression matching the proxy hosts this entry applies to. This is useful when sharing a configuration file between several SafeSquid proxy servers or instances in a multi-proxy or multi-instance scenario. Applies to all hosts if left blank.

Request header pattern

A regular expression pattern matching the request headers this entry applies to, e.g. Mozilla/4.0.* MSIE.* matches a request from Internet Explorer. Applies to all patterns if left blank.

Response header pattern

A regular expression pattern matching the response headers this entry applies to. Applies to all patterns if left blank.

Month range

The range of months within which this entry is active, e.g. January to March will keep this profile active from January through March. Applies to all months if left blank.

Day range

The range of days within which this entry is active, e.g. 5 to 15 will keep this profile active from the 5th through the 15th. Applies to all days if left blank.

Weekday range

The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this profile active from Monday through Thursday. Applies to all weekdays if left blank.

Hour range

The range of hours within which this entry is active, e.g. 9 to 12 will keep this profile active from 9 hrs through 12 hrs. Applies to all hours if left blank.

Minute range

The range of minutes within which this entry is active. This can be used in conjunction with Hour range, e.g. if the hour range is 9 to 12 and the minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank.

Time match mode

The time match mode option allows you to specify how a time is matched if you specify multiple ranges.

Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, then selecting the 'Absolute' Time match mode will match any time starting Monday, 9 AM and ending Friday, 5 PM.


All ranges - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, then selecting the 'All ranges' Time match mode will match any time between 9 AM and 5 PM on every weekday from Monday to Friday.

Added profiles

This is where you specify (or create) the profile that should be applied if the specified situation matches. See the examples below.

Removed profiles

This field can be used to remove a profile from a situation, or to exclude a situation from being given a profile. See the examples below.

Example #1

Suppose you wanted to allow access only to a few sites to the 'Accounts' profile (which is created in the Access Restrictions section, see Access Control), while allowing any / all sites to the 'VIP' profile. To match these situations, you will need to add 2 profiles in the Profiles section, like this:

Profile 1

Option Value

Enabled true

Comment This profile specifies the sites allowed to 'Accounts' group

Profiles Accounts

Host (firstsite.com|secondsite.net|thirdsite.org)

Time match mode absolutetime

Added profiles allowed_sites

Profile 2

Option Value

Enabled true

Comment This profile specifies the sites allowed to 'VIP' group

Profiles VIP

Time match mode absolutetime

Added profiles allowed_sites

Please note that the fields not mentioned above are blank. So, the first rule says that, if the request already carries the profile 'Accounts', and the request is for firstsite.com, secondsite.net or thirdsite.org, then give it another profile, 'allowed_sites'.

Similarly, the second rule says that, if the request already carries the profile 'VIP', and the request is for any site (the Host field is blank), then give it another profile, 'allowed_sites'.

Next, go to the 'URL filter' section and select Policy 'Allow'. Since the policy is Allow, you should add a rule under the Deny subsection, like this:

Option Value

Enabled true

Comment Block everything, except 'allowed_sites' profile

Profiles !allowed_sites

The above rule says: deny everything EXCEPT (NOT, '!') the requests that carry the 'allowed_sites' profile. Now, all requests from VIP will carry the profile 'allowed_sites', while requests from 'Accounts' will carry the 'allowed_sites' profile ONLY for firstsite.com, secondsite.net or thirdsite.org. Effectively, 'VIP' will be able to access any site, while 'Accounts' can access only the specified sites.

Example #2

Now suppose you wanted to allow 'Accounts' to access xyz.com, but only during lunch hours from 13 hrs to 14 hrs. To define this situation, you can add another rule under the Profiles section, like this:

Option Value

Enabled true

Comment Time restricted access

Profiles Accounts

Host xyz.com

Hour range 13,14

Time match mode absolutetime

Added profiles allowed_sites

The above rule says that, if the request already carries the profile 'Accounts', AND the request is for xyz.com, AND the time of day is between 13 hrs and 14 hrs, then give the request the 'allowed_sites' profile.

You can similarly define situations, or create profiles, by using one or more parameters like Protocol, File, Mime type, Port range list, URL Command, Proxy host, Request header pattern and Response header pattern.
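Example #1 and Example #2 above, worked through as an added example that is not SafeSquid's own code: an ordered list of Profiles rules is applied to a request that already carries the profile given to it by Access Restrictions, and the URL filter's Deny rule with Profiles '!allowed_sites' is then checked; the same block also shows the Time match mode difference ('Absolute' versus 'All ranges') for the Monday-to-Friday, 9-to-17 case described earlier, and its port list parser covers the 'port,lo-hi' format shared with CONNECT ports in the General section. Assumptions: ranges are inclusive, positive names in a Profiles field must all be present, and the sample times are constructed.

```python
"""Toy evaluator for the Profiles rules explained above (added example, not
SafeSquid's own code). Modelled fields: Profiles ('!name' = must NOT carry name),
Host, Port range list (same 'port,lo-hi' format as CONNECT ports in the General
section), Weekday range, Hour range, Time match mode, Added / Removed profiles.
Assumptions: ranges are inclusive, rules apply in order, positive names in the
Profiles field must all be present; sample times below are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

def split_list(spec: str) -> list[str]:
    return [s.strip() for s in spec.split(",") if s.strip()]

def parse_port_list(spec: str) -> list[tuple[int, int]]:
    """'80,21-25' -> [(80, 80), (21, 25)]; blank -> [] meaning every port."""
    ranges = []
    for item in split_list(spec):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def profiles_field_matches(spec: str, carried: set[str]) -> bool:
    """Blank applies to everything; '!name' rejects requests carrying name."""
    for name in split_list(spec):
        if name.startswith("!"):
            if name[1:] in carried:
                return False
        elif name not in carried:
            return False
    return True

@dataclass
class ProfileRule:
    comment: str
    profiles: str = ""
    host: str = ""                                  # regex; blank = any host
    port_range_list: str = ""
    weekday_range: tuple[str, str] | None = None    # e.g. ("Monday", "Friday")
    hour_range: tuple[int, int] | None = None       # e.g. (9, 17)
    time_match_mode: str = "All ranges"             # or "Absolute"
    added_profiles: str = ""
    removed_profiles: str = ""
    enabled: bool = True

    def time_matches(self, when: datetime) -> bool:
        wd, hr = when.weekday(), when.hour
        if self.time_match_mode == "Absolute" and self.weekday_range and self.hour_range:
            # One continuous window, e.g. Monday 9 h through Friday 17 h.
            start = (WEEKDAYS.index(self.weekday_range[0]), self.hour_range[0])
            end = (WEEKDAYS.index(self.weekday_range[1]), self.hour_range[1])
            return start <= (wd, hr) <= end
        # 'All ranges': every range given must match on its own.
        if self.weekday_range:
            lo, hi = (WEEKDAYS.index(d) for d in self.weekday_range)
            if not lo <= wd <= hi:
                return False
        return not self.hour_range or self.hour_range[0] <= hr <= self.hour_range[1]

    def matches(self, host: str, port: int, carried: set[str], when: datetime) -> bool:
        ports = parse_port_list(self.port_range_list)
        return (self.enabled and profiles_field_matches(self.profiles, carried)
                and (not self.host or re.search(self.host, host) is not None)
                and (not ports or any(lo <= port <= hi for lo, hi in ports))
                and self.time_matches(when))

def apply_profiles(rules, host, port, initial, when) -> set[str]:
    carried = set(initial)          # profiles given by Access Restrictions
    for r in rules:
        if r.matches(host, port, carried, when):
            carried = (carried | set(split_list(r.added_profiles))) - set(split_list(r.removed_profiles))
    return carried

# Example #1 and Example #2 transcribed (the second rule is the one for 'VIP').
RULES = [
    ProfileRule("Sites allowed to Accounts", profiles="Accounts",
                host=r"(firstsite\.com|secondsite\.net|thirdsite\.org)",
                added_profiles="allowed_sites"),
    ProfileRule("VIP may reach any site", profiles="VIP", added_profiles="allowed_sites"),
    ProfileRule("Accounts lunch-hour access", profiles="Accounts", host=r"xyz\.com",
                hour_range=(13, 14), added_profiles="allowed_sites"),
]
URL_FILTER_DENY_PROFILES = "!allowed_sites"   # the Deny rule under URL filter, Policy = Allow

def url_filter_allows(host: str, port: int, initial: set[str], when: datetime) -> bool:
    # The Deny rule fires only when the request does NOT carry allowed_sites.
    carried = apply_profiles(RULES, host, port, initial, when)
    return not profiles_field_matches(URL_FILTER_DENY_PROFILES, carried)

def office_hours_rule(mode: str) -> ProfileRule:
    # Weekday Monday to Friday, Hour 9 to 17, under the given Time match mode.
    return ProfileRule("Office hours", weekday_range=("Monday", "Friday"),
                       hour_range=(9, 17), time_match_mode=mode)

# Constructed sample times: 2024-01-08 is a Monday, 2024-01-10 a Wednesday.
MONDAY_10H, MONDAY_13H30 = datetime(2024, 1, 8, 10), datetime(2024, 1, 8, 13, 30)
WEDNESDAY_3H = datetime(2024, 1, 10, 3)
```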


7.12.5 cProfiles

cProfiles allows you to add / remove Profiles depending upon the potential nature of the content served by the web-site. cProfiles queries SafeSquid's Content Categorization Service (CCS)* to determine if a web-site belongs to one or more categories. The determination is actually a probability score, for example:

· a score of 1 ==> the site definitely does not belong to the queried category,
· a score of 100 ==> the site most definitely belongs to this category.

Based on this determination, you can add / remove Profiles, and thus take the necessary actions via the various filters like URL Filter, Mime-Filter, etc. cProfiles stores the results in a high-speed memory based (volatile) cache, to ensure quick response for often accessed web-sites.

* CCS maintains a categorized database of web-sites. The categorization has been done on the basis of the availability of content of a certain category at the web-site. cProfiles uses the standard DNS protocol to communicate with CCS, so the query results will also be stored (non-volatile) in all the en-route caching nameservers. Thus query results should be quickly accessible to you even across restarts.

cProfiles section

Option Value

Enabled Yes: (x) No: ( )

Cache Size 1000

Enterprise Identity 0101-1408-1b0b-123f-1711-05@ircmpvef

Submit

Entries for processing cProfiles

Option Value

Enabled true

Comment Identify websites belonging to porn category

Categories list porn

Score Range 2-100

Added profiles category-porn


'Add' under 'Entries for processing cProfiles'

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Category List: ads content [ ], adult content [ ], adult_education content [ ], arts content [ ], chat content [ ], drugs content [ ], education content [ ], fileshare content [ ], finance content [ ], gambling content [ ], games content [ ], government content [ ], hacking content [ ], hate content [ ], highrisk content [ ], housekeeping content [ ], instantmessaging content [ ], jobs content [ ], leisure content [ ], mail content [ ], multimedia content [ ]

Score Range 2-100

Added profiles

Removed profiles

Submit

cProfiles section

Enabled

This option allows you to enable, or completely disable, the cProfiles section, irrespective of the rules defined in the section.


Value:
Yes - Enable cProfiles section
No - Disable cProfiles section

Cache Size

Specify the number of query responses that should be cached by cProfiles. cProfiles will create a memory based (volatile) cache of that size, to ensure quick response for often accessed web-sites.

Caution #1: Use a realistic number that approximately equals the number of different web-sites visited by users in your enterprise. A number between 1000 and 10000 should generally serve most enterprise networks.

Caution #2: Changing this value destroys the current cache and re-creates a new one. Therefore, kindly do not make changes here too often.

Enterprise Identity

Specify your Enterprise Identity key here. This key is required to activate cProfiles. The Enterprise Identity key can be obtained by subscribing to the SafeSquid CCS service. The Enterprise Identity is unique and allows CCS to sort the web-sites that were requested by your enterprise. Thus CCS can prioritize the web-sites that must be classified, to serve your enterprise better.

Caution: The Enterprise Identity is a unique key that must never be shared between networks / enterprises, to ensure proper results from CCS.

'Add' under 'Entries for processing cProfiles' section

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles to which this rule should apply. The rule applies to everyone if this field is left blank.

Category List

Comma separated list of categories that must be checked on the CCS. By default, all available categories are listed when you add a new rule. The following categories are currently available: ads, adult, adult_education, arts, chat, drugs, education, fileshare, finance, gambling, games, government, hacking, hate, highrisk, housekeeping, instantmessaging, jobs, leisure, mail, multimedia, news, porn, proxy, searchengines, shopping, social, sports, systemutils, travel, business. You may either create a separate rule for each category that you want to identify, or include a comma separated list of multiple categories in a single rule.

Score Range

Specify the score range for a positive match. cProfiles will query SafeSquid's Content Categorisation Service (CCS) to determine the probability that the nature of the content belongs to the above mentioned categories. The probability is a score between 1 and 100.

· a score of 1 = the site definitely does not belong to the queried category
· a score of 100 = the site most definitely belongs to this category.

So, if you set the score range to 2-100, then the entries created below for Added profiles or Removed profiles will be applied only if the scored value is more than 1.

Added profiles

Comma separated list of profiles that will be added to the connection if the selected categories have a positive match. These profiles can then be used in various filters like URL Filter, Mime-Filter, etc. to take the desired action.

Removed profiles

A comma separated list of profiles to remove when the selected categories have a positive match. If any of these profiles have already been applied to the connection by any other Profile rules, they will be removed.

Example:

Suppose you wanted to globally block the 'porn' category, and restrict the 'Accounts' profile from accessing the 'jobsearch' category. Create the following rules in the cProfiles section:

cProfiles Section

Option Value
Enabled true
Comment Identify websites under 'porn' category
Category List porn
Score Range 2-100
Added profiles blocked-category


Option Value
Enabled true
Comment Identify websites under 'jobsearch' category
Profiles Accounts
Category List jobsearch
Score Range 2-100
Added profiles blocked-category

Next, go to the URL filter section and add the following rule under the Deny subsection (presuming that Policy is Allow).

URL filter - Deny subsection

Option Value

Enabled true

Comment This rule blocks access to 'blocked-category' profile

Profiles blocked-category

The first rule applies the 'blocked-category' profile to all requests for which there is a positive match under the 'porn' category. This rule applies to everybody, since the 'Profiles' field is blank.

The second rule applies the 'blocked-category' profile to all requests for which there is a positive match under the 'jobsearch' category. This rule applies only to the 'Accounts' profile.

The rule defined under the URL filter section blocks all requests carrying the 'blocked-category' profile.
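The two cProfiles rules and the URL filter Deny rule above, worked through in code. This is an added example, not SafeSquid's own code: the CCS scores, host names and user profiles are constructed, and rules are assumed to be evaluated in the order they are listed.

```python
# Constructed CCS scores for a few hosts (1 = definitely not in the category,
# 100 = definitely in it). A real deployment gets these from SafeSquid's
# Content Categorisation Service; these values are made up for the example.
CCS_SCORES = {
    "adult.example": {"porn": 97, "jobsearch": 1},
    "jobs.example": {"porn": 1, "jobsearch": 88},
    "news.example": {"porn": 1, "jobsearch": 1},
}


def parse_score_range(text):
    """'2-100' -> (2, 100); both ends are inclusive."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


# The two cProfiles rules from the example above (field names as in the manual).
CPROFILES_RULES = [
    {"enabled": True, "comment": "Identify websites under 'porn' category",
     "profiles": set(), "categories": ["porn"], "score_range": "2-100",
     "added": {"blocked-category"}, "removed": set()},
    {"enabled": True, "comment": "Identify websites under 'jobsearch' category",
     "profiles": {"Accounts"}, "categories": ["jobsearch"], "score_range": "2-100",
     "added": {"blocked-category"}, "removed": set()},
]

# The URL filter Deny rule from the example (Policy assumed to be Allow).
URL_FILTER_DENY = [
    {"enabled": True, "comment": "This rule blocks access to 'blocked-category' profile",
     "profiles": {"blocked-category"}},
]


def apply_cprofiles(host, profiles, rules=CPROFILES_RULES, scores=CCS_SCORES):
    """Return the profile set of a request after the cProfiles rules have run.
    Rules are evaluated in order, so a profile added by one rule is visible to
    the rules after it (an assumption about evaluation order)."""
    profiles = set(profiles)
    host_scores = scores.get(host, {})
    for rule in rules:
        if not rule["enabled"]:
            continue
        # A blank Profiles field means the rule applies to everybody.
        if rule["profiles"] and not (rule["profiles"] & profiles):
            continue
        lo, hi = parse_score_range(rule["score_range"])
        # Unknown host or category: treat as score 1 ("definitely not").
        positive = any(lo <= host_scores.get(cat, 1) <= hi for cat in rule["categories"])
        if positive:
            profiles |= rule["added"]
            profiles -= rule["removed"]
    return profiles


def url_filter_allows(profiles, deny_rules=URL_FILTER_DENY):
    """Policy Allow: everything passes unless an enabled Deny rule matches a profile."""
    for rule in deny_rules:
        if rule["enabled"] and rule["profiles"] & profiles:
            return False
    return True


def decide(host, user_profiles):
    """(allowed, final profile set) for a request to host by a user holding user_profiles."""
    profiles = apply_cprofiles(host, user_profiles)
    return url_filter_allows(profiles), profiles
```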


7.12.6 Define user limits

The SafeSquid Limits feature allows you to define User Limits for accessing content from the Internet. You can create rules to limit the maximum size of individual files that are fetched from the Internet. These rules can also pre-set the speed limits at which the content may be accessed. Rules that set limits on the nature of content being accessed during specific time periods can also be set.

Limits 'Add' subsection

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Action Allow: (x) Deny: ( )

Template

Month range [ ] active January to January

Day range [ ] active 0 to 0

Weekday range [ ] active Sunday to Sunday

Hour range [ ] active 0 to 0

Minute range [ ] active 0 to 0

Download transfer limit 0

Upload transfer limit 0

Request limit 0

Download rate 0

Time match mode Absolute: (x) All ranges: ( )

Flags [ ] Limit cache transfers [ ] Per-request limit [ ] Group limit

Submit


Limits 'Add' subsection

The following parameters can be used to define rules for setting various user limits:

Enabled

This option allows you to enable or disable a specific rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of previously created profile(s) (either in Access Restriction or in the Profiles section) to which this rule should apply. Applies globally if left blank.

Action

The action to take when this entry matches. If set to Deny, any request falling into the specified time range is blocked; otherwise the request is allowed. Select Allow if you wish to set a limit on the amount of data that can be transferred, or the number of requests that can be made. Further access will be denied once the limit is reached.

Template

The template, or message, that should be displayed on a user's screen when access is denied due to this rule. This template is only sent if the page was blocked due to the time restrictions. The default template is used if this field is left blank. See Customizable Templates for details about templates.

Month range

The range of months within which this entry is active, e.g. January to March will keep this profile active from January through March. Applies to all months if left blank.

Day range

The range of days within which this entry is active, e.g. 5 to 15 will keep this profile active from the 5th through the 15th. Applies to all days if left blank.

Weekday range

The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this profile active from Monday through Thursday. Applies to all weekdays if left blank.

Hour range


The range of hours within which this entry is active, e.g. 9 to 12 will keep this profile active from 9 hrs through 12 hrs. Applies to all hours if left blank.

Minute range

The range of minutes within which this entry is active. This can be used in conjunction with Hour Range, e.g. if the hour range is 9 to 12 and the minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank.

Download transfer limit

The amount of download in bytes that would be allowed during the specified time. No limit if left blank.

Upload transfer limit

The amount of upload in bytes that would be allowed during the specified time. No limit if left blank.

Request limit

The number of requests that would be allowed during the specified time. No limit if left blank.

Download rate

The maximum download transfer rate (speed or QoS) that should be allowed. Maximum available if left blank.

Time match mode

The time match mode option allows you to specify how a time is matched if you specify multiple ranges.

Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour Range is 9 to 17, then selecting 'Absolute' Time Match Mode will match any time starting Monday, 9AM and ending Friday, 5PM.
All ranges - If the Weekday range specified is Monday to Friday and the Hour Range is 9 to 17, then selecting 'All ranges' Time Match Mode will match any time between 9AM and 5PM on all weekdays from Monday to Friday.

Flags

The following flags are used to define, or fine tune, the rule:

· Limit cache transfers: apply the rule even when the content is being served from the cache
· Per-request limit: confine the transfer limit to each single request. E.g. if you set Download transfer limit to 5MB, each and every matching request will be allowed 5MB
· Group limit: share the transfer limit between all matching connections. E.g. if you set Download transfer limit to 5MB, it will be shared between all the matching connections
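The two Time match modes and the Per-request / Group limit flags, modelled in code. This is an added example, not SafeSquid's code; the manual states only the observable behaviour, so the treatment of blank ranges and the byte accounting are assumptions made here.

```python
from datetime import datetime

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _active_parts(weekday_range, hour_range, minute_range, when):
    """Pair each active (non-blank) range with the matching component of `when`,
    in the order weekday, hour, minute. A blank range (None) is left out entirely,
    which is how 'applies to all ... if left blank' is modelled here."""
    parts = []
    if weekday_range is not None:
        lo, hi = WEEKDAYS.index(weekday_range[0]), WEEKDAYS.index(weekday_range[1])
        parts.append((when.weekday(), (lo, hi)))   # datetime.weekday(): Monday == 0
    if hour_range is not None:
        parts.append((when.hour, hour_range))
    if minute_range is not None:
        parts.append((when.minute, minute_range))
    return parts


def time_matches(when, weekday_range=None, hour_range=None, minute_range=None,
                 mode="All ranges"):
    """Does `when` fall inside the rule's time ranges under the given Time match mode?
    Ranges are inclusive pairs: weekday names for weekday_range, ints otherwise."""
    parts = _active_parts(weekday_range, hour_range, minute_range, when)
    if mode == "All ranges":
        # Every range is checked on its own: Mon-Fri AND 9-17 AND ...
        return all(lo <= value <= hi for value, (lo, hi) in parts)
    if mode == "Absolute":
        # The ranges form one continuous window from (first weekday, first hour, ...)
        # to (last weekday, last hour, ...), compared like a clock reading.
        start = tuple(rng[0] for _, rng in parts)
        end = tuple(rng[1] for _, rng in parts)
        now = tuple(value for value, _ in parts)
        return start <= now <= end
    raise ValueError(f"unknown Time match mode: {mode!r}")


class DownloadLimit:
    """Accounting for a 'Download transfer limit' under the Per-request limit and
    Group limit flags. How SafeSquid counts internally is not documented; this
    models the two behaviours the manual describes."""

    def __init__(self, limit_bytes, group_limit=False):
        self.limit = limit_bytes
        self.group_limit = group_limit
        self.per_request = {}   # request id -> bytes used (Per-request limit)
        self.shared = 0         # bytes used by all matching connections (Group limit)

    def allow(self, request_id, nbytes):
        """True if nbytes more may be transferred for request_id; updates the counters."""
        if self.group_limit:
            if self.shared + nbytes > self.limit:
                return False
            self.shared += nbytes
            return True
        used = self.per_request.get(request_id, 0)
        if used + nbytes > self.limit:
            return False
        self.per_request[request_id] = used + nbytes
        return True
```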


7.12.7 FTP proxy

SafeSquid is a very powerful FTP proxy and can very neatly get you the contents of FTP services and directories. The FTP section lets you configure how the FTP connections are established, and how results are displayed.

FTP Section

FTP connection options.

Option Value

Passive mode Yes: (x) No: ( )

Timeout

Anonymous login

Anonymous password

Sort order Ascending: (x) Descending: ( )

Sort field None: ( ) Name: (x) Size: ( ) Date: ( )

Submit

FTP Section

The following parameters are available for configuration in the FTP Section

Passive mode

Use passive mode for FTP transfers; this is useful if you are behind a firewall that prevents the FTP server from opening a connection to you.

Options:
Yes: Select Passive Mode
No: Do not select Passive Mode

Timeout

Time in seconds to wait for a response for commands sent to the FTP server.

Anonymous login

The login name to use when none is explicitly given in the URL.

Anonymous password

The password to use when none is explicitly given in the URL.


Sort order

The order in which FTP directory listings are sorted.

Options:
Ascending: Sort directory listing in ascending order
Descending: Sort directory listing in descending order

Sort field

The field by which FTP directory listings are sorted.

Options:
None: Do not sort by any field
Name: Sort by Name field
Size: Sort by size
Date: Sort by date


7.12.8 Templates

Templates are used throughout SafeSquid as a replacement for pages which can't be displayed due to filtering, error, or other conditions. SafeSquid comes with the following default templates:

Template Condition

blocked Page blocked

nodns DNS lookup failed

badrequest Malformed HTTP header from client

badresponse Malformed HTTP header from server

nofile File not found

nocache Cache file not found when browsing in offline mode

noconnect Connection failed

noaccess Access denied

badprotocol Protocol not implemented

badauth Authorization failed (when forwarding through SOCKS4)

maxbandwidth Bandwidth limit exceeded

maxrequests Request limit exceeded

proxy.pac A script to configure the browser to use the proxy.

interface.css Web interface stylesheet

These templates can be viewed from http://safesquid.cfg/template/blocked (replace 'blocked' with the template name).

You can replace the default templates with your own customized templates (SafeSquid Advanced Edition and all Composite Editions, including the free Composite Edition 20). Customized templates can be really useful when you want the error messages to be displayed in a language other than English. They can also be used to display your company logo, a warning or a message like 'If you feel this site was unnecessarily blocked, please notify the administrator [email protected]'.

A template need not necessarily be HTML, but can be almost anything, like an audio file, flash file or an executable. It can be used to invoke a file for a specific condition. For example, SafeSquid has 3 built-in templates - tinygif (a 1x1 transparent gif image), checkeredgif (a 4x4 gray and transparent checkered pattern), and tinyswf (an empty flash animation). The checkeredgif template is used by default to replace images that are blocked by the Pornographic Image Filter add-on module, which blocks pornographic images in real time. So, when the page is displayed to a user, a block of checkered boxes is displayed instead of the blocked image.

There are several variables that can be used in templates if the parsable option is selected; they will be replaced with information about the request currently being handled. These variables can be used to generate content in real time. The variables are:


Variable Description

@AVSCANNER@ The name of Antivirus Scanner used

@CATEGORY@ The Category of Blacklist used

@HTTP_METHOD@ Method used to request file

@HTTP_HOST@ The Host to which HTTP request was made to

@HTTP_FILE@ File HTTP request was made for

@HTTP_PORT@ Port HTTP request was made to.

@DOWNLOADLIMIT@ The Limit given to Downloading

@UPLOADLIMIT@ The Limit given to Upload a file

@IP@ IP address of client making request

@INTERFACE@ IP address of the interface the client connected to

@IMAGESCORE@ Score for Individual Images

@IMAGETHRESHOLD@ The cut-off value from which an image is decided as good or bad (porn)

@PORT@ PORT the client connected to

@SIZE@ Amount of data to be transferred

@TRANSFERRED@ Amount of data transferred already

@USERNAME@ The username by which the user logs on after authentication

@URL@ The full URL (the same as @HTTP_METHOD@://@HTTP_HOST@:@HTTP_PORT@@HTTP_FILE@)

@VERSION@ The proxy server version

@VIRUSNAME@ The name of the Virus detected

The Template Section in the SafeSquid Interface allows you to configure customized templates.

Customisable Templates

Option Value

Path /opt/safesquid/safesquid/templates

Submit

Template

Add


'Add' Sub Section

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Name

File

Mime type

Response code

Type File: (x) Executable: ( )

Parsable Yes: (x) No: ( )

Submit

Templates section

The following parameters are available for configuration in the Templates Section

Path

The directory path on the server where the template files are located

Add

Add a custom template

'Add' subsection

The following parameters are available for configuration in the 'Add' subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everyone if this field is left blank.

Name

The name by which this template should be referred to in other sections.


File

The name of the file in template directory, to be used with this template

Mime type

The MIME type of the template file. When using an executable, this is sent in the HTTP response header.

Response code

The response code to use when sending the template. Leave blank to use internal default.

Type

Specify the type of template.

Options:
File: The content of the file will be sent as the template.
Executable: The file is executed, and whatever it writes on STDOUT is sent as the template.

Parsable

If this option is selected, all variables in the template will be substituted.

Example:

In this example we will replace the default template displayed when a site is blocked by the URL Filter section. Let us presume that this file is called filter.html, and its content is as below -

filter.html

    <html>
    <head><title>site is blocked</title></head>
    <body style="color: rgb(255, 255, 255); background-color: rgb(255, 0, 0);" link="#000099" alink="#000099" vlink="#990099">
    <div style="text-align: center; font-family: Verdana;">
    <h1>The site @HTTP_HOST@ is blocked </h1>
    </div>
    </body>
    </html>


Now, copy this file to the directory /opt/safesquid/safesquid/template/ on the SafeSquid Server. Next, from the SafeSquid Interface (http://safesquid.cfg) go to Config => Template. Click on 'Add' under the template subsection and add the following rule -


Template 'Add' subsection

Option Value

Enabled Yes: (x) No: ( )

Comment Template for URL Filter Section

Profiles

Name filter

File filter.html

Mime type text/html

Response code 404

Type File: (x) Executable: ( )

Parsable Yes: (x) No: ( )

Submit

Next, go to Config => URL filter, and change the value of 'Default template' to 'filter'.

url-filtering section

This section filters the URLs based on the host name and file path.

Option Value

Enabled Yes: (x) No: ( )

Policy Allow: (x) Deny: ( )

Default template filter

Submit

Now, when you visit a website that is blocked by the URL filter, you will see the new template instead of the default. Remember to save the changed setting by clicking on 'Save setting' from the top menu in the SafeSquid Interface.
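How a parsable template such as filter.html is turned into a response, with @VARIABLE@ substitution as described in the variable table. This is an added example, not SafeSquid's code: the request context is constructed, unknown variables are assumed to be left as-is, and the HTML escaping of substituted values is an extra hardening step, not a SafeSquid option.

```python
import html
import re

# The filter.html from the example above, embedded here as constructed input.
FILTER_HTML = """<html>
<head><title>site is blocked</title></head>
<body style="color: rgb(255, 255, 255); background-color: rgb(255, 0, 0);"
      link="#000099" alink="#000099" vlink="#990099">
<div style="text-align: center; font-family: Verdana;">
<h1>The site @HTTP_HOST@ is blocked </h1>
</div>
</body>
</html>
"""

# The template entry as added in the 'Add' subsection above.
FILTER_TEMPLATE = {"name": "filter", "file": "filter.html", "mime_type": "text/html",
                   "response_code": 404, "type": "File", "parsable": True}

VAR_RE = re.compile(r"@([A-Z_]+)@")


def render_template(body, context, parsable=True, escape_html=True):
    """Substitute @NAME@ variables in body from context.

    Only parsable templates are substituted; a non-parsable one is sent verbatim.
    Unknown variable names are left untouched (an assumption; the manual does not
    say what SafeSquid does with them). escape_html is an added hardening, not a
    SafeSquid option: values such as @HTTP_HOST@ originate in the client request,
    so they are HTML-escaped before being placed into an HTML page."""
    if not parsable:
        return body

    def substitute(match):
        name = match.group(1)
        if name not in context:
            return match.group(0)
        value = str(context[name])
        return html.escape(value, quote=True) if escape_html else value

    return VAR_RE.sub(substitute, body)


def build_response(template, file_contents, context):
    """Assemble (status code, headers, body) for a File-type template entry.
    A blank Response code falls back to 200 here (the manual only says an
    internal default is used)."""
    body = render_template(file_contents, context, parsable=template["parsable"])
    code = template["response_code"] or 200
    headers = {"Content-Type": template["mime_type"],
               "Content-Length": str(len(body.encode("utf-8")))}
    return code, headers, body
```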


7.12.9 DNS Blacklists

The DNS-bl is a co-operative effort by DNS providers across the internet to deny DNS service to known spam domains. in.dnsbl.org allows making nslookup queries to identify if a particular domain has been listed for fraud, spamming, illegal content, malware, etc.

For example, if we had to find out if somesite.example.com has been listed on dnsbl, we simply have to do an nslookup for somesite.example.com.in.dnsbl.org. If this domain is listed, the response would be one of 127.0.0.2-8, depending on the category under which it is listed.

The categories are:

Response Category

127.0.0.2 UCE

127.0.0.3 Fraud

127.0.0.4 Spam Promo

127.0.0.5 Illegal Content

127.0.0.6 Pre-emptive

127.0.0.7 Improper List Practices

127.0.0.8 Botnet Activity / Malware

Check http://dnsbl.org/ for details.

DNS Blacklist Section

dnsbl section

DNS blacklist services use a DNS server to allow people to lookup domains of known abusive servers.

Option Value

Enabled Yes: (x) No: ( )

Template

Domain in.dnsbl.org

Blocked IP addresses 127.0.0.1,127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5

Submit

dnsbl section

The following parameters are available for configuration in the DNS Blacklist Section

Enabled

This option allows you to enable or disable the DNS blacklist section.

Value:
Yes - Enable DNS blacklist section
No - Disable DNS blacklist section

Template

The template to send when a domain is blocked.

Domain

The domain to use for making queries. For example, the domain to use for the services from dnsbl.org is in.dnsbl.org. You can also use any other provider that offers a similar service.

Blocked IP addresses

A comma separated list of IP addresses (or responses - see table above) from in.dnsbl.org that you would like to block access to. For example, if you would like to block access to domains listed under "Fraud" and "Botnet Activity / Malware", type 127.0.0.3,127.0.0.8 here.
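The lookup the DNS Blacklist section performs, as an added example rather than SafeSquid's code: it builds the query name, maps the 127.0.0.x answers to the category table above, and blocks only when an answer is in the configured 'Blocked IP addresses'. The resolver is injectable, and the zone answers used here are constructed so the example runs offline.

```python
import socket

# Response -> category table from the manual.
DNSBL_CATEGORIES = {
    "127.0.0.2": "UCE",
    "127.0.0.3": "Fraud",
    "127.0.0.4": "Spam Promo",
    "127.0.0.5": "Illegal Content",
    "127.0.0.6": "Pre-emptive",
    "127.0.0.7": "Improper List Practices",
    "127.0.0.8": "Botnet Activity / Malware",
}


def dnsbl_query_name(host, zone="in.dnsbl.org"):
    """somesite.example.com -> somesite.example.com.in.dnsbl.org"""
    return f"{host.rstrip('.')}.{zone}"


def parse_blocked_list(text):
    """The 'Blocked IP addresses' field: '127.0.0.3,127.0.0.8' -> {'127.0.0.3', '127.0.0.8'}"""
    return {item.strip() for item in text.split(",") if item.strip()}


def system_resolver(name):
    """Live A-record lookup; an unlisted name does not resolve and yields []."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dnsbl_check(host, blocked_responses, zone="in.dnsbl.org", resolve=system_resolver):
    """Return (blocked, categories) for host.

    blocked is True only when one of the answers is in the configured
    'Blocked IP addresses'; categories names every listing found, so a host that is
    listed under a category you do not block can still be logged for review."""
    answers = resolve(dnsbl_query_name(host, zone))
    categories = [DNSBL_CATEGORIES.get(a, f"unknown response {a}") for a in answers]
    blocked = any(a in blocked_responses for a in answers)
    return blocked, categories


# Constructed answers standing in for the live zone so the example runs offline.
FAKE_ZONE = {
    "somesite.example.com.in.dnsbl.org": ["127.0.0.3"],
    "bot.example.net.in.dnsbl.org": ["127.0.0.2", "127.0.0.8"],
    "promo.example.org.in.dnsbl.org": ["127.0.0.4"],
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])
```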

Page 80: User Manual v2

77

© 2008 Office Efficiencies (India) Pvt. Ltd.

7.12.10 URL Filtering

The URL filter section can be used to block access to URLs based on their host name and / or file path. If the URL is denied, an error page template is sent to the web browser.

The URL filter can not only be used to block access to specific websites, but it can also be used to very effectively and granularly block specific objects like banners and advertisements, search engine queries, URLs containing specific words like 'sex' or 'mail', and access to IMs and Chats like Yahoo Messenger, Google Talk, Rediff Bol, etc.

url-filtering section

This section filters the URLs based on their host name and file path.

Option Value

Enabled Yes: (x) No: ( )

Policy Allow: (x) Deny: ( )

Default template

Submit

Allow

Add

Deny

Add

Option Value

Enabled true

Comment SAMPLE rule to block specific websites

File (rapidshare.de|orkut.com|myspace.com)


Option Value

Enabled true

Comment SAMPLE rule to block specific profiles

Mime type disallowed_query,ad_servers,banners



'Add' under Allow / Deny Subsection

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Host

File

Mime type

Template

Submit

mime-filtering section

Enabled

This option allows you to enable, or completely disable, the URL Filtering Section irrespective of the rules defined in the section.

Value:
Yes - Enable Mime filtering Section
No - Disable Mime filtering Section

Policy

Defines the Global Policy for the URL Filtering Section

Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection

Default template

The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.

'Add' under Allow / Deny subsection

You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content.

Enabled

This option allows you to enable or disable a rule.


Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Host

A regular expression matching the host on which this rule should apply. You can define multiple hosts separated with a pipe, e.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts.

File

You can further fine tune the rule by specifying a regular expression for the file part contained in a URL, to restrict access to only specific files / folders on the hosts mentioned in the Host field (applies to all if the Host field is left blank). E.g. if you would like to restrict access to ads or banners on mysite.com, specify mysite.com in Host and /ad(|s|v|(|_)banner(|s))/ in the File field. This will block access only to mysite.com/ad/ or mysite.com/ads/ or mysite.com/adv/ or mysite.com/banner/ or mysite.com/banners/

IP ranges

A comma separated list of requesting IPs and / or IP ranges to which this rule should apply, e.g. 192.168.0.10-192.168.0.20,192.168.0.25-192.168.0.29,192.168.0.33

Template

This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.

Example:

Suppose you wanted to restrict the 'Accounts' group from accessing some specific web sites. Create the following rule in the Profiles section:

Profiles Section

Option Value

Enabled true

Comment This profile is used in URL filter to restrict 'Accounts' group from accessing the specified sites.


Profiles Accounts

Host (firstsite.com|secondsite.net|thirdsite.org)

Time match mode absolutetime

Added profiles Blocked-Site

Next, go to the URL filter section and add the following rule under the Deny subsection (presuming that Policy is Allow).

URL filter - Deny subsection

Option Value

Enabled true

Comment This rule blocks access to 'Blocked-Site' profile

Profiles Blocked-Site

The first rule defines that when users with the 'Accounts' profile request the sites specified in the Host field, that request is given another profile - Blocked-Site. This rule only defines the situation, and does not do any blocking. The second rule, defined under the URL filter section, blocks all requests with the Blocked-Site profile.


7.12.11 URL redirect

URL Redirect allows you to redirect client requests to defined targets, which may or may not be what the client requested. This feature is very popular and should be used with some imagination and logic to get the best results.

redirect section

The redirect feature allows you to redirect requests.

Option Value

Enabled Yes: (x) No: ( )

Submit

Redirect

Add

'Add' under Redirect Subsection

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

URL

Redirect

Port 0

302 redirect Yes: ( ) No: (x)

Options [ ] Encode URL [ ] Decode URL before [ ] Decode URL after

Applies to Location header: ( ) URL: ( ) Both: (x)

Submit

redirect section

Enabled

This option allows you to enable, or completely disable, the URL Redirect Section irrespective of the rules defined in the section.

Value:
Yes - Enable URL Redirect Section
No - Disable URL Redirect Section

'Add' under Redirect subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

URL

A regular expression matching the URL you wish to redirect. The URL will always be in the form "protocol://host/file" or "/file" for HTTP requests. This may be trailed with a / followed by flag characters, as in Perl, to modify the options used to compile the regular expression, and must be if a / is used anywhere else in the regular expression.

Redirect

The URL to redirect to. It may contain back references to strings captured using parentheses in the URL pattern. This can be in the form "protocol://host/file" or "/file" if you wish to send a relative URL when redirecting a URL in the Location: header. If this option is left blank, no action will be taken against requests matching the URL.

Port

The port to redirect to. If left blank, the same port to which the original request was made is used.

302 redirect

If yes, a 302 redirect is used; otherwise the new host is connected to directly and the new file is requested. A 302 redirect should always be used when possible to ensure relative links and images are correct.

Options

The following options are available to control how the URL should be handled:

Encode URL - Encode the new URL.
Decode URL before - Decode the URL before attempting to match it with the regular expression.
Decode URL after - Decode the new URL after matching.

Applies to

Select whether the redirection applies to requested URLs, the Location header when a remote site sends a 302 redirect, or both.

Example:

SafeSquid automatically produces the auto-configure-script proxy.pac (Proxy Auto Configuration) file, which clients can use to automatically configure the proxy server. This file can also be used by the WPAD (Web Proxy Automatic Discovery) protocol, which allows automatic discovery of proxy servers. The following redirect rule will redirect any client request for the proxy.pac file to the default SafeSquid proxy.pac file.

Option Value

Enabled true

Comment This will send a template when /proxy.pac is requested to configure the browser to use the proxy

URL ^/proxy.pac$

Redirect /safesquid.cfg/template/proxy.pac

302 redirect false

Applies to url
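The redirect rule fields worked through in code: the /pattern/flags form of the URL field, back-references in the Redirect field, the 302 versus direct-fetch choice, the decode/encode options and 'Applies to'. This is an added example and not SafeSquid's implementation; the proxy.pac rule is the one above, MOVE_RULE is constructed, and the \1 back-reference syntax is an assumption (the manual only says "back references").

```python
import re
from urllib.parse import quote, unquote

# Perl-style flag letters accepted after a trailing '/' (only these four are mapped here).
FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def split_pattern(text):
    """'^/proxy.pac$' -> ('^/proxy.pac$', '') ; '/^http://a/(.*)$/i' -> ('^http://a/(.*)$', 'i').
    The manual requires the /pattern/flags form whenever '/' appears in the pattern."""
    if text.startswith("/") and text.count("/") >= 2:
        body, _, flags = text[1:].rpartition("/")
        return body, flags
    return text, ""


def compile_pattern(text):
    body, flags = split_pattern(text)
    options = 0
    for ch in flags:
        options |= FLAG_MAP[ch]       # an unsupported flag letter raises KeyError
    return re.compile(body, options)


def apply_redirect(rule, url, subject="url"):
    """Apply one redirect rule to a requested URL (subject='url') or to the Location
    header of an upstream 302 (subject='location'). Returns None when the rule does not
    apply, else {'action': '302', 'location': ...} or {'action': 'fetch', 'url': ...}."""
    if not rule.get("enabled", True):
        return None
    if rule["applies_to"] not in (subject, "both"):
        return None
    options = rule.get("options", ())
    candidate = unquote(url) if "decode_before" in options else url
    match = compile_pattern(rule["url"]).search(candidate)
    if match is None:
        return None
    if not rule.get("redirect"):
        return None        # blank Redirect: no action is taken (manual)
    # Back-references use \1, \2 ... (assumed; the manual says only "back references").
    target = match.expand(rule["redirect"])
    if "decode_after" in options:
        target = unquote(target)
    if "encode" in options:
        target = quote(target, safe="/:?&=")
    if rule["302_redirect"]:
        result = {"action": "302", "location": target}
    else:
        result = {"action": "fetch", "url": target}   # proxy fetches the new URL itself
    if rule.get("port"):
        result["port"] = rule["port"]   # blank/0: keep the port of the original request
    return result


# The manual's proxy.pac rule. Note the pattern is anchored with ^ and $, which keeps
# a rule from firing on any URL that merely contains the text 'proxy.pac'.
PAC_RULE = {
    "enabled": True,
    "comment": "This will send a template when /proxy.pac is requested to configure the browser to use the proxy",
    "url": "^/proxy.pac$",
    "redirect": "/safesquid.cfg/template/proxy.pac",
    "302_redirect": False,
    "applies_to": "url",
}

# A constructed rule showing flags and a back-reference: old.example.com has moved.
MOVE_RULE = {
    "enabled": True,
    "comment": "Constructed example: old.example.com has moved to new.example.com",
    "url": r"/^http://old\.example\.com/(.*)$/i",
    "redirect": r"http://new.example.com/\1",
    "302_redirect": True,
    "applies_to": "both",
    "options": ("decode_before",),
}
```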


7.12.12 Mime Filtering

The Mime filtering section allows you to filter content based on its Mime type.

mime-filtering section

The mime feature allows you to filter content based on its MIME type.

Option Value

Enabled Yes: (x) No: ( )

Policy Allow: (x) Deny: ( )

Default template

Allow

Add

Deny

Add

Option Value

Enabled true

Comment A SAMPLE rule that blocks downloads of files by file extension.

File \.(exe|mp3|avi|wmv|wma|mpeg|zip|tar|gz)$


Option Value

Enabled true

Comment A SAMPLE rule that blocks downloads of files by mime type.

Mime type (^audio/|^video/)


'Add' under Allow / Deny Subsection


Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Host

File

Mime type

Template

Submit

mime-filtering section

Enabled

This option allows you to enable, or completely disable, the Mime filtering Section irrespective of the rules defined in the section.

Value:
Yes - Enable Mime filtering Section
No - Disable Mime filtering Section

Policy

Defines the Global Policy for the Mime filtering Section

Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection

Default template

The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.

'Add' under Allow / Deny subsection

You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and if Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content.

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Host

A regular expression matching the host on which this rule should apply. You can define multiple hosts separated with a pipe, e.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts.

File

You can further fine tune the rule by specifying a regular expression for the file part contained in a URL. Leave blank to match everything.

Mime Type

A regular expression matching the MIME types this rule applies to, e.g. ^audio/, ^video/, application/octet-stream, etc. Matches all MIME types if left blank.

Template

This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.
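One evaluator for the Policy / Allow / Deny scheme shared by the URL Filtering and Mime Filtering sections above, run over the sample rules from both sections and the 'Blocked-Site' profile rule from the URL filter example. This is an added example, not SafeSquid's code; the sample site list is placed in the Host field here, and the request attributes are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    comment: str
    match: dict = field(default_factory=dict)   # attribute -> regex; blank = match all
    profiles: frozenset = frozenset()           # blank = applies to everything
    enabled: bool = True


def rule_matches(rule, request):
    """A rule matches when it is enabled, one of its Profiles is on the request
    (or it names none), and every non-blank regex finds a match in its attribute."""
    if not rule.enabled:
        return False
    if rule.profiles and not (rule.profiles & request.get("profiles", frozenset())):
        return False
    for attr, pattern in rule.match.items():
        if pattern and re.search(pattern, request.get(attr, "")) is None:
            return False
    return True


def evaluate(policy, allow_rules, deny_rules, request):
    """Global Policy semantics: Allow = allow everything and deny ONLY what a Deny rule
    matches; Deny = deny everything and allow ONLY what an Allow rule matches.
    Returns (allowed, comment of the deciding rule or None)."""
    if policy == "Allow":
        for rule in deny_rules:
            if rule_matches(rule, request):
                return False, rule.comment
        return True, None
    if policy == "Deny":
        for rule in allow_rules:
            if rule_matches(rule, request):
                return True, rule.comment
        return False, None
    raise ValueError(f"unknown policy: {policy!r}")


# URL filter Deny rules built from the manual's samples. The dots in the samples are
# unescaped regex metacharacters and the patterns are unanchored, so 'orkut.com.evil.example'
# matches too; escape and anchor (e.g. ^(rapidshare\.de|orkut\.com|myspace\.com)$) when
# you mean exact hosts.
URL_DENY = [
    Rule("This rule blocks access to 'Blocked-Site' profile",
         profiles=frozenset({"Blocked-Site"})),
    Rule("SAMPLE rule to block specific websites",
         {"host": "(rapidshare.de|orkut.com|myspace.com)"}),
]

# Mime filter Deny rules from the manual's samples.
MIME_DENY = [
    Rule("A SAMPLE rule that blocks downloads of files by file extension",
         {"file": r"\.(exe|mp3|avi|wmv|wma|mpeg|zip|tar|gz)$"}),
    Rule("A SAMPLE rule that blocks downloads of files by mime type",
         {"mime": "(^audio/|^video/)"}),
]


def url_filter(request, policy="Allow"):
    return evaluate(policy, [], URL_DENY, request)


def mime_filter(request, policy="Allow"):
    return evaluate(policy, [], MIME_DENY, request)
```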


7.12.13 Header Filtering

Header filtering allows you to control what headers are passed from your browser to websites. In addition to the allow and deny actions, there is an insert action which will add a new header to the ones sent by your browser. For these entries, the Type and Value options are plain text.

For detailed syntax and semantics of standard HTTP/1.1 header fields, refer to this link

header-filtering section

The header feature allows you to control what headers are passed from your browser to websites. In addition to the allow and deny actions found in some other sections, there is an insert action which will add a new header to the ones sent by your browser; for these entries, the Type and Value options are plain text.

Option Value

Enabled Yes: (x) No: ( )

Policy Allow: (x) Deny: ( )

Submit

Allow

Add

Deny

Add

Insert

Add

'Add' under Allow / Deny / Insert Subsection

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Type

Value

Applies to [ ] Client header [ ] Server header

Submit

header-filtering section


Enabled

This option allows you to enable, or completely disable, the Header filtering Section irrespective of the rules defined in the section.

Value:
Yes - Enable Header filtering Section
No - Disable Header filtering Section

Policy

Defines the Global Policy for the Header filtering Section

Value:
Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection
Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection

'Add' under Allow / Deny / Insert subsection

You can add rules under Deny that would explicitly remove header content from all and / or a specific set of server and / or client requests. This effectively allows you to set a variety of intelligently and creatively defined Privacy Blacklist(s).

You can add rules under Allow that would explicitly allow header content within all and / or a specific set of server and / or client requests. This effectively allows you to set a variety of intelligently and creatively defined Privacy Whitelist(s).

You can also define rules under the 'Insert' subsection, to insert additional information in the headers sent by your browser.

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Type

A regular expression matching the header types this entry applies to; leave blank to match everything (headers are in the form "Type: value").

Value

A regular expression matching the header value this entry applies to; leave blank to match everything.

Applies to

The types of headers that will be affected by this rule. SafeSquid supports header control in both server side and client side headers.
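The Allow / Deny / Insert actions of the header filter applied to a client request and a server response, as an added example rather than SafeSquid's code. The rules (a privacy blacklist that strips headers revealing internal addresses and server banners, plus an inserted DNT header) and both header blocks are constructed for the example.

```python
import re


def parse_headers(block):
    """'Type: value' lines -> list of (type, value) pairs, order preserved."""
    headers = []
    for line in block.splitlines():
        if not line.strip():
            continue
        htype, _, hvalue = line.partition(":")
        headers.append((htype.strip(), hvalue.strip()))
    return headers


def rule_matches(rule, htype, hvalue):
    """Type and Value are regexes; a blank one matches everything."""
    if not rule.get("enabled", True):
        return False
    for pattern, text in ((rule.get("type"), htype), (rule.get("value"), hvalue)):
        if pattern and re.search(pattern, text) is None:
            return False
    return True


def filter_headers(headers, side, policy="Allow", allow=(), deny=(), insert=()):
    """Apply the header filter to one side ('client' or 'server'); only rules whose
    'Applies to' includes that side are considered. Insert rules are plain text."""
    def applicable(rules):
        return [r for r in rules if side in r.get("applies_to", ())]

    kept = []
    for htype, hvalue in headers:
        if policy == "Allow":
            keep = not any(rule_matches(r, htype, hvalue) for r in applicable(deny))
        elif policy == "Deny":
            keep = any(rule_matches(r, htype, hvalue) for r in applicable(allow))
        else:
            raise ValueError(f"unknown policy: {policy!r}")
        if keep:
            kept.append((htype, hvalue))
    for r in applicable(insert):
        if r.get("enabled", True):
            kept.append((r["type"], r["value"]))
    return kept


# Constructed rules. Header names are case-insensitive on the wire, hence (?i).
DENY_RULES = [
    {"comment": "Privacy blacklist: do not reveal the internal client address or proxy chain",
     "type": r"(?i)^(x-forwarded-for|via|forwarded)$", "applies_to": ("client",)},
    {"comment": "Hide server software banners from browsers",
     "type": r"(?i)^(server|x-powered-by)$", "applies_to": ("server",)},
]
INSERT_RULES = [
    {"comment": "Ask sites not to track our users", "type": "DNT", "value": "1",
     "applies_to": ("client",)},
]

# Constructed request and response header blocks.
CLIENT_HEADERS = """Host: www.example.com
User-Agent: Mozilla/5.0
X-Forwarded-For: 10.0.0.23
Accept: text/html
"""
SERVER_HEADERS = """Server: Apache/2.2.3
X-Powered-By: PHP/5.2
Content-Type: text/html
"""
```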


7.12.14 Cookie Control

Cookie Filter allows you to choose which hosts the browsers are allowed to send cookies to and receive cookies from.

Cookies: Persistent Client-State HTTP Cookies are files containing information about visitors to a web site (e.g. user name and preferences). This information is provided by the user during the first visit to a web server. The server records this information in a text file and stores this file on the visitor's hard drive. When the visitor accesses the same web site again, the server looks for the cookie and configures itself based on the information provided.

cookie-filtering section

The cookies feature allows you to choose which hosts your browser is allowed to send and receive cookies to and from.

Option Value

Enabled Yes: (x) No: ( )

Policy Allow: (x) Deny: ( )

Submit

Allow

Add

Deny

Add

'Add' under Allow / Deny Subsection

Option Value

Enabled Yes: (x) No: ( )

Comment

Profiles

Expiry year range [ ] active to

Expiry month range [ ] active January to January

Expiry day range [ ] active to

Expiry weekday range [ ] active Sunday to Sunday

Expiry hour range [ ] active to

Expiry minute range [ ] active to

Domain

Path

Direction In: ( ) Out: ( ) Both: (x)

Time match mode Absolute: (x) All ranges: ( )

Submit


cookie-filtering section

Enabled

This option allows you to enable, or completely disable, the Cookie filtering Section irrespective of the rules defined in the section.

Value:
Yes - Enable Cookie filtering Section
No - Disable Cookie filtering Section

Policy

Defines the Global Policy for the Cookie filtering Section.

Value:
Allow - Allow everything, and deny ONLY what the rules under the 'Deny' subsection match
Deny - Deny everything, and allow ONLY what the rules under the 'Allow' subsection match

'Add' under Allow / Deny subsection

You can add rules under Deny that explicitly block cookie transfer under all, or a specific set of, conditions. This effectively allows you to set up a variety of intelligently and creatively defined Cookie Transfer Blacklist(s). You can add rules under Allow that explicitly accept cookie transfer under all, or a specific set of, conditions. This effectively allows you to set up a variety of intelligently and creatively defined Cookie Transfer Whitelist(s).

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Expiry year range

The cookie expiry year range this entry applies to.

Expiry month range


The cookie expiry month range this entry applies to.

Expiry day range

The cookie expiry day range this entry applies to.

Expiry weekday range

The cookie expiry weekday range this entry applies to.

Expiry hour range

The cookie expiry hour range this entry applies to.

Expiry minute range

The cookie expiry minute range this entry applies to.

Domain

A regular expression matching the cookie's domain attribute this entry applies to.

Path

A regular expression matching the cookie's path attribute this entry applies to.

Direction

The direction of the cookie this entry applies to; can be either in (Set-Cookie sent by the website), out (Cookie sent by the browser), or both.

Time match mode

The time match mode option allows you to specify how a time is matched if you specify multiple ranges.

Value:
Absolute - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, selecting 'Absolute' Time Match Mode will match any time starting Monday, 9AM and ending Friday, 5PM.
All ranges - If the Weekday range specified is Monday to Friday and the Hour range 9 to 17, selecting 'All ranges' Time Match Mode will match any time between 9AM and 5PM on each weekday from Monday to Friday.
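The following is an added illustration of the cookie-filtering section, not SafeSquid's own code: it models the Allow/Deny global policy, the Domain, Path and Direction fields, and the two time match modes (Absolute as one continuous window, All ranges as independent checks). The rule and cookie classes, the tracker domain names and the "session cookies never match an expiry-range rule" behaviour are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical types modelling one rule under the Allow or Deny subsection.
# Only year, weekday and hour ranges are modelled; month/day/minute work the same way.
@dataclass
class Range:
    lo: int
    hi: int                        # inclusive bounds, as entered in the form

@dataclass
class CookieRule:
    enabled: bool = True
    domain: str = ""               # regex against the cookie's Domain attribute; blank = any
    path: str = ""                 # regex against the Path attribute; blank = any
    direction: str = "both"        # "in" (Set-Cookie from site), "out" (Cookie from browser), "both"
    time_mode: str = "all"         # "absolute" or "all" (All ranges)
    year: Optional[Range] = None
    weekday: Optional[Range] = None   # 0 = Sunday ... 6 = Saturday, as in the form
    hour: Optional[Range] = None

@dataclass
class Cookie:
    domain: str
    path: str
    expires: Optional[datetime]    # None for a session cookie


def _active_ranges(rule: CookieRule, when: datetime):
    """Pair each range the rule activates with the matching component of `when`."""
    sunday_based = (when.weekday() + 1) % 7          # Python's Monday=0 -> Sunday=0
    pairs = [(rule.year, when.year), (rule.weekday, sunday_based), (rule.hour, when.hour)]
    return [(r, v) for r, v in pairs if r is not None]


def time_matches(rule: CookieRule, when: datetime) -> bool:
    active = _active_ranges(rule, when)
    if not active:
        return True
    if rule.time_mode == "all":
        # All ranges: every active range must contain its own component.
        return all(r.lo <= v <= r.hi for r, v in active)
    # Absolute: the ranges describe one continuous window, so the components are
    # compared as ordered tuples (weekday 1-5, hour 9-17 = Monday 9:00 .. Friday 17:00).
    start = tuple(r.lo for r, _ in active)
    end = tuple(r.hi for r, _ in active)
    value = tuple(v for _, v in active)
    return start <= value <= end


def rule_matches(rule: CookieRule, cookie: Cookie, direction: str) -> bool:
    if not rule.enabled or rule.direction not in ("both", direction):
        return False
    if rule.domain and not re.search(rule.domain, cookie.domain):
        return False
    if rule.path and not re.search(rule.path, cookie.path):
        return False
    has_ranges = any(r is not None for r in (rule.year, rule.weekday, rule.hour))
    if not has_ranges:
        return True
    if cookie.expires is None:
        return False   # assumption: a session cookie never matches an expiry-range rule
    return time_matches(rule, cookie.expires)


def cookie_allowed(policy: str, allow_rules, deny_rules, cookie: Cookie, direction: str) -> bool:
    """Global policy 'allow': pass everything except what a Deny rule matches.
    Global policy 'deny': block everything except what an Allow rule matches."""
    if policy == "allow":
        return not any(rule_matches(r, cookie, direction) for r in deny_rules)
    return any(rule_matches(r, cookie, direction) for r in allow_rules)


# Constructed sample policy: allow by default, but refuse cookies for two (made-up)
# tracker domains in both directions, and refuse Set-Cookie headers whose expiry
# lies in 2030-2099, i.e. very long-lived cookies.
DENY_RULES = [
    CookieRule(domain=r"(^|\.)(adtracker|clickstats)\.example$"),
    CookieRule(direction="in", year=Range(2030, 2099)),
]
BUSINESS_HOURS_ABSOLUTE = CookieRule(weekday=Range(1, 5), hour=Range(9, 17), time_mode="absolute")
BUSINESS_HOURS_ALL = CookieRule(weekday=Range(1, 5), hour=Range(9, 17), time_mode="all")
```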


7.12.15 Word Filtering

Keyword Filtering allows you to block pages which may contain inappropriate content, using a weighted keyword scoring system. When the host, file, mime-type, and keyword in an entry match, its score is added to the total score; when that total score exceeds the threshold, the page is deemed inappropriate and blocked.

This is a very intelligent method of blocking websites belonging to a specific category, like porn, without depending on any databases like URL Blacklist. For details, see Identifying and blocking Pornography web-sites.

Although SafeSquid is bundled with Keyword Filtering rules to block porn websites, you can also download the rule snippet from the Downloads page.

keywords-filtering section

Option: Value
Enabled: Yes (x) / No ( )
Threshold:
Template:
Submit

keyword
Add

'Add' under keyword Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
Mime type:
Keyword:
Score:
Submit

keywords-filtering section

Enabled


This option allows you to enable, or completely disable, the keyword filter Section, irrespective of the rules defined in the section.

Value:
Yes - Enable keyword filter Section
No - Disable keyword filter Section

Threshold

The number the total score must equal or exceed for the page to be blocked.

Template

The template to display for blocked sites. If left blank, the default template is used. You can design and display custom templates. For details, check Customisable Templates.

'Add' under keyword subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Mime type

A regular expression matching the mime-types this entry applies to, e.g. text, html, javascript. It is highly advisable that you set this to some mime-type, otherwise all files will be checked. If you're unsure, set this to "text/".

Keyword

A regular expression matching words or expressions in the body of the document that are considered inappropriate, e.g. (sex|sexy|porn|pornography).

Score

The score allotted to this entry. When the defined keyword matches, this score is added to the total score. This can be a positive or a negative integer.
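An added example (not SafeSquid's code) of the weighted scoring described above: each enabled entry whose Mime type regex matches the response and whose Keyword regex matches the body contributes its Score, and the page is blocked once the total reaches the Threshold. Assumptions: the rule and page objects are made up for the example, each entry counts once no matter how often its keyword occurs, and keyword matching is case-insensitive.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class KeywordRule:
    """One entry under the keyword subsection (hypothetical structure)."""
    enabled: bool
    mime_type: str   # regex matched against the response Content-Type; blank = all files
    keyword: str     # regex matched against the document body
    score: int       # added to the total on match; may be negative


def score_document(rules: List[KeywordRule], content_type: str, body: str) -> int:
    """Return the total score for one document, summing every matching entry once."""
    total = 0
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.mime_type and not re.search(rule.mime_type, content_type):
            continue
        if re.search(rule.keyword, body, re.IGNORECASE):   # assumption: case-insensitive
            total += rule.score
    return total


def is_blocked(rules: List[KeywordRule], content_type: str, body: str, threshold: int) -> bool:
    """The page is blocked when the total equals or exceeds the section Threshold."""
    return score_document(rules, content_type, body) >= threshold


# Constructed rule set. The negative entry shows how a score below zero lets
# legitimate contexts (health or education material) offset the positive hits.
RULES = [
    KeywordRule(True, "text/", r"(sex|sexy|porn|pornography)", 20),
    KeywordRule(True, "text/", r"(hardcore|xxx)", 15),
    KeywordRule(True, "text/", r"(health|medical|education)", -20),
    KeywordRule(False, "text/", r"adult", 50),           # disabled: never counted
]
THRESHOLD = 30

ADULT_BODY = "<html><body>Free porn and xxx videos</body></html>"          # constructed
EDUCATION_BODY = "<html><body>Sex education: health information</body></html>"  # constructed
```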


7.12.16 Content Re-Write

Content Re-Write (Rewrite document) is a very powerful feature that must be used with extreme care. This feature allows you to use regular expressions to modify the contents of web pages, files, the client header, and the server header in real time. It can be used to remove content like ActiveX, JavaScript, etc., from non-trusted websites, before serving the page to users.

rewrite section

Option: Value
Enabled: Yes (x) / No ( )
Submit

Rewrite
Add

'Add' under Rewrite Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
MIME type:
Pattern:
Replace:
Applies to: Client header [ ]  Server header [ ]  Body [x]  POST data [ ]
Submit

rewrite section

Enabled


This option allows you to enable, or completely disable, the Rewrite document Section, irrespective of the rules defined in the section.

Value:
Yes - Enable Rewrite document Section
No - Disable Rewrite document Section

'Add' under Rewrite subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

MIME type

A regular expression matching the MIME-type this entry applies to. This must be filled with some Mime-type, otherwise the rewrite rule will be applied to every downloaded file, which is almost certainly not what you want. To have it applied to web pages, fill this field with "text/html".

Pattern

A regular expression pattern matching the area of text inside the file to modify. If this field is left blank, and the host, file, or mime-type options aren't, this will be the last entry matched for sites matching the host, file, and mime-type. This may be trailed with a / followed by flag characters, as in Perl, to modify the options used to compile the regular expression, and must be if a / is used anywhere else in the regular expression.

Replace

The replacement text to use in place of the area of text matching the pattern; it may contain back references to strings captured using parentheses in the pattern. A back reference to a captured string is in the form "$#", where # is a number from 1-9; "$0" will be replaced with the entire area of text matching the regular expression. Escape sequences may be used to represent unprintable characters; they are "\n" (newline), "\r" (carriage return), and "\t" (tab). To use a backslash as part of the replacement text, precede it with another backslash.

Applies to


This option is to select what the rewrite rule applies to; the options are:

Client header - Rewrite the client header; this happens before SafeSquid parses it, so be careful not to remove any headers needed to handle the request properly. The Mime-type option serves no purpose for this.

Server header - Rewrite the header from the remote web server; the same conditions as for the client header apply.

Body - Rewrite the body of the webpage or file.

POST data - Rewrite POST/PUT data sent when submitting a form or uploading a file.

Example:

The following example blocks ActiveX objects from specific websites.

Create the following rule in the Profiles section:

Profiles Section

Option: Value
Enabled: true
Comment: This profile is used in the Rewrite document section to block ActiveX from specified sites.
Host: (firstsite.com|secondsite.net|thirdsite.org)
Time match mode: absolutetime
Added profiles: Block-ActiveX

Next, go to the Rewrite document section and add the following rule:

Rewrite document section

Option: Value
Enabled: true
Comment: This rule will replace ActiveX codes in web pages from hosts specified in the Block-ActiveX profile, in the Profiles section
Profiles: Block-ActiveX
MIME type: text/html
Pattern: <object[^>]*>(.*)</object>
Replace: <b><font color="blue" > SafeSquid </font> restricting <font color="red" > Active X </font> download</b>
Applies to: body

This will match ActiveX objects in web pages from the specified hosts and replace them with the following:

SafeSquid restricting Active X download

You can also do the reverse, by allowing ActiveX only from specific web sites while blocking it from the rest. To do that, create a profile, e.g. 'Trusted-Websites', in the Profiles section, and specify the web sites in the 'Host' field. Next, in the Rewrite document section, instead of entering 'Block-ActiveX' in the 'Profiles' field, enter '!Trusted-Websites'. The '!' here means 'NOT'. Effectively, the Rewrite document rule will apply to all web sites EXCEPT the ones specified in the 'Trusted-Websites' profile.
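To make the Pattern, Replace and Profiles semantics above concrete, here is an added example in Python (not SafeSquid's implementation) that applies the ActiveX rule to a constructed page. It implements the "$#" back references, the "\n", "\r", "\t" and "\\" escapes, the trailing "/flags" suffix on the pattern, and the '!' negation in the Profiles field; the rule dictionaries, the sample HTML, the Perl meaning of the flag letters and the way several Profiles entries combine are assumptions of the example.

```python
import re

FLAG_LETTERS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}


def compile_pattern(pattern: str):
    """Compile a Pattern field. A trailing '/flags' sets regex options (assumed to be
    the Perl letters i, s, m, x); a pattern without that suffix is compiled as-is."""
    m = re.fullmatch(r"(.*)/([imsx]*)", pattern, re.DOTALL)
    letters = ""
    if m:
        pattern, letters = m.group(1), m.group(2)
    flags = 0
    for ch in letters:
        flags |= FLAG_LETTERS[ch]
    return re.compile(pattern, flags)


def expand_replacement(template: str, match) -> str:
    """Expand a Replace field: $0-$9 back references, \\n \\r \\t escapes, \\\\ -> \\."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "$" and nxt.isdigit():
            n = int(nxt)
            group = match.group(n) if n <= match.re.groups else None
            out.append(group or "")          # an unmatched group expands to nothing
            i += 2
        elif ch == "\\" and nxt in ESCAPES:
            out.append(ESCAPES[nxt])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def profile_applies(profiles_field: str, active: set) -> bool:
    """Blank = every request; '!Name' = NOT that profile. Assumption for several
    entries: no negated profile may be active, and at least one plain one must be."""
    wanted = [p.strip() for p in profiles_field.split(",") if p.strip()]
    if not wanted:
        return True
    positive = [p for p in wanted if not p.startswith("!")]
    negated = [p[1:] for p in wanted if p.startswith("!")]
    if any(p in active for p in negated):
        return False
    return not positive or any(p in active for p in positive)


def rewrite_body(rule: dict, active_profiles: set, mime_type: str, body: str) -> str:
    """Apply one Rewrite rule (Applies to: body) to a downloaded document."""
    if not rule["enabled"] or not profile_applies(rule["profiles"], active_profiles):
        return body
    if rule["mime_type"] and not re.search(rule["mime_type"], mime_type):
        return body
    regex = compile_pattern(rule["pattern"])
    return regex.sub(lambda m: expand_replacement(rule["replace"], m), body)


# The rule from the manual's example, as a constructed dictionary.
RULE_BLOCK = {
    "enabled": True,
    "profiles": "Block-ActiveX",
    "mime_type": "text/html",
    "pattern": r"<object[^>]*>(.*)</object>",
    "replace": '<b><font color="blue" > SafeSquid </font> restricting '
               '<font color="red" > Active X </font> download</b>',
}
# The reverse variant: apply everywhere except the Trusted-Websites profile.
RULE_EXCEPT_TRUSTED = dict(RULE_BLOCK, profiles="!Trusted-Websites")

SAMPLE_HTML = ('<p>Video: <object classid="clsid:D27CDB6E" width="100">'
               '<param name="movie" value="x.swf"></object> end</p>')   # constructed page
```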


7.12.17 Content Caching

Content Caching improves bandwidth efficiency. A page or file, when requested by a user, is served to the user and a copy of it is also maintained locally in the cache. So, when a request is made to fetch the same page or file, it is served from the local copy instead of 'a fresh fetch'. SafeSquid has a very neat, efficient and manageable Content Caching system.

cache section

Option: Value
Enabled: Yes (x) / No ( )
Violate RFC: Yes ( ) / No (x)
Memory cache size: 50M
Memory free extra: 200M
Minimum file size: 0
Maximum file size: 1M
Prefetch window: 30
ICP port: 0
ICP timeout: 1000
Store balance method: Fill size ( ) / Fill percent (x)
journal size: 128
Clean Interval: 30
Submit

Store
Add

Option: Value
Enabled: false
Comment: This is the default path of cache directory
Path: /var/cache/safesquid
Maximum disk size: 1G
Disk free extra: 250M
MD5 integrity check: false


Refresh

Add


Option: Value
Enabled: true
Cachable: true
Minimum age: 1800
Maximum age: 2592000
Revalidate age: 1259000
Last-Modified time factor: 10


'Add' under Store Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
path:
Maximum disk size: 0
Disk free extra: 0
MD5 integrity check: Yes ( ) / No (x)
Submit

'Add' under Refresh Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
Cachable: Yes (x) / No ( )
Minimum age: 0
Maximum age: 0
Revalidate age: 0
Last-Modified time factor: 0
Submit

cache section

Enabled

This option allows you to enable, or completely disable, the Caching Section, irrespective of the rules defined in the section.

Value:
Yes - Enable Caching Section
No - Disable Caching Section

Violate RFC

This option will cause the proxy server to violate some rules in the HTTP RFC to help improve cache performance. Specifically, when a website requests that the file not be cached with the "No-Cache" directive in the Cache-Control header, the proxy will cache it anyway but always validate it with an If-Modified-Since conditional request.

Memory cache size

The maximum size in bytes of the memory cache.

Memory free extra

The number of additional bytes to free up when the memory is cleaned.

Minimum file size

The minimum file size in bytes of any cached file.

Maximum file size

The maximum file size in bytes of any cached file; if set to 0, no maximum file size is imposed.

Prefetch window

This option can be used to specify the time period after a file is pre-fetched in which it will be exempt from any refresh or expiry rules.

ICP port

The UDP port to listen for ICP packets on. You can change as per your configuration.

ICP timeout

The timeout in milliseconds for response ICP packets.

Store balance method

This option controls which storage directory a file goes into when you define multiple storage volumes.
Fill size - will select the storage directory with the least total bytes used
Fill percent - will select the storage directory with the lowest percentage of space used

journal size

The maximum size in bytes of the journal.

Clean Interval

Interval time in seconds after which the content in the Memory Cache is dumped into the disk storage.


'Add' under Store subsection

You can add one or more locations under "Store" that will be used for physically storing the cached content.

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Path

The directory where cached files are stored.

Maximum disk size

The amount of space that should be used to store cached files in this directory.

Disk free extra

When the cache is cleaned, this additional amount will be freed as well. This option can be useful to prevent the cache from being cleaned too often, which can hurt performance.

MD5 integrity check

Performs an MD5 check on cache files when saving them to and loading them from disk. This ensures that corrupted cache files don't get used.

'Add' under Refresh subsection

You can add or modify the rules under "Refresh" that enforce your policies for renewing or refreshing the contents in the cache, to ensure that users are served content that is 'fresh enough'. This effectively allows you to intelligently and creatively manipulate the bandwidth usage.

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule


Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Cachable

Whether or not requests matching this entry are cached.

Minimum age

The minimum age, according to the Last-Modified header, that any file must have before it is cached.

Maximum age

The maximum age of any cached file before it must be revalidated. This overrides any given expiry time.

Revalidate age

The maximum age of any cached file that didn't include any headers indicating when it should expire, before it must be revalidated. If set to 0, all cached files whose expiry time is uncertain will be verified. If no "Last-Modified" header is received to calculate the percent-of-age freshness, the cached file is always revalidated.

Last-Modified time factor

The percentage of the time between the date given in the Last-Modified header and the current time for which a cached file is considered fresh after downloading.
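The following added example (not SafeSquid's code) works through the Refresh fields above with the default values shown in the section (Minimum age 1800, Maximum age 2592000, Revalidate age 1259000, Last-Modified time factor 10). The rule and entry classes are hypothetical, as are two choices the manual leaves open: a file with no Last-Modified header is not cached when a Minimum age is set, and when the expiry is uncertain the tighter of Revalidate age and the Last-Modified heuristic wins.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400   # seconds

@dataclass
class RefreshRule:
    """One entry under the Refresh subsection; defaults are the section's sample values."""
    cachable: bool = True
    minimum_age: int = 1800        # seconds since Last-Modified before a file is cached
    maximum_age: int = 2592000     # hard ceiling on cached age, overrides server expiry
    revalidate_age: int = 1259000  # ceiling when the server gave no expiry information
    lm_factor: int = 10            # percent of (fetched - Last-Modified) treated as fresh

@dataclass
class CachedEntry:
    fetched_at: int                # unix time the copy was downloaded
    last_modified: Optional[int]   # from the Last-Modified header, or None
    expires: Optional[int]         # from Expires / max-age, or None when uncertain


def should_cache(rule: RefreshRule, now: int, last_modified: Optional[int]) -> bool:
    """Cachable decides whether the response is stored at all; Minimum age then
    demands that the file already be that old according to Last-Modified."""
    if not rule.cachable:
        return False
    if rule.minimum_age:
        if last_modified is None:          # assumption: age unknown -> do not cache
            return False
        if now - last_modified < rule.minimum_age:
            return False
    return True


def needs_revalidation(rule: RefreshRule, entry: CachedEntry, now: int) -> bool:
    """Decide whether a cached copy may be served as-is or must be revalidated."""
    age = now - entry.fetched_at
    if rule.maximum_age and age > rule.maximum_age:
        return True                        # Maximum age overrides any given expiry
    if entry.expires is not None:
        return now >= entry.expires        # the server told us when it expires
    # Expiry uncertain: Revalidate age 0 or a missing Last-Modified header means
    # the copy is always verified; otherwise the Last-Modified heuristic applies.
    if rule.revalidate_age == 0 or entry.last_modified is None:
        return True
    heuristic = (entry.fetched_at - entry.last_modified) * rule.lm_factor // 100
    fresh_for = min(rule.revalidate_age, heuristic)   # assumption: tighter bound wins
    return age > fresh_for


def cache_state(rule: RefreshRule, entry: CachedEntry, now: int) -> str:
    return "revalidate" if needs_revalidation(rule, entry, now) else "fresh"


# Constructed entries: a document last changed 100 days before it was fetched, with no
# expiry information, becomes fresh for 10% of that span, i.e. 10 days (864000 s).
FETCHED = 1_700_000_000
NO_EXPIRY_ENTRY = CachedEntry(FETCHED, FETCHED - 100 * DAY, None)
EXPLICIT_EXPIRY_ENTRY = CachedEntry(FETCHED, FETCHED - 100 * DAY, FETCHED + 3600)
HEADERLESS_ENTRY = CachedEntry(FETCHED, None, None)
DEFAULT_RULE = RefreshRule()
```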


7.12.18 Request Forwarding

The Forwarding section allows you to selectively forward requests through another proxy, or through SOCKS4 or SOCKS5 firewalls.

SafeSquid also supports CARP & ICP Protocols.

CARP (Cache Array Routing Protocol): The Cache Array Routing Protocol (CARP) is used in load-balancing HTTP requests across multiple proxy cache servers. It works by generating a hash for each URL requested. A different hash is generated for each URL, and by splitting the hash namespace into equal parts (or unequal parts, if an uneven load is intended) the overall number of requests can be distributed to multiple servers.

ICP (Internet Caching Protocol): The Internet Cache Protocol (ICP) is a protocol used for coordinating web caches. Its purpose is to find out the most appropriate location to retrieve a requested object from in the situation where multiple caches are in use at a single site. The goal is to use the caches as efficiently as possible, and to minimize the number of remote requests to the originating server. Hierarchically, a queried cache can be a parent, a child, or a sibling.

forward section

Option: Value
Enabled: Yes (x) / No ( )
Enable CARP: Yes ( ) / No (x)
CARP hash size:
Submit

Forward
Add

Option: Value
Enabled: true
Comment: sample rule for forwarding
Proxy: parent_proxy
Port: 3128
ICP peer type: none
ICP port: 0
Type: HTTP
Applies to: HTTP,FTP,CONNECT



'Add' under Forward Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
Proxy:
User name:
Password:
Domain:
Port: 0
ICP peer type: None (x) / Parent ( ) / Sibling ( )
ICP port:
Type: HTTP (x) / SOCKS4 ( ) / SOCKS5 ( ) / Connect ( )
Applies to: HTTP requests [ ]  FTP requests [ ]  CONNECT requests [ ]
Submit

forward section

Enabled

This option allows you to enable or completely disable the Forwarding Section, irrespective of the rules defined in the section.

Value:
Yes - Enable Forwarding Section
No - Disable Forwarding Section

Enable CARP

This option allows you to enable or disable the use of CARP.

Value:
Yes - Enable CARP
No - Disable CARP

CARP hash size

The maximum value of the CARP hash set on the peer proxies. Decrease this value for greater redundancy of cached files. If the peer is Squid, set this value to 0.

'Add' under Forward subsection

You can add unique rules to deal with different proxies, profiles and requests in this subsection.


Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Proxy

The hostname or IP address of the proxy to forward through. If this is left blank, and the host or file options aren't, no action will be taken for requests matching the host and file. If the Proxy is the same as the server's own hostname, the entry is ignored. This makes it easier to have a configuration file shared between several proxy servers.

User name

The user name to use if the proxy requires authentication.

Password

The password for the User name used.

Domain

The NT domain when using the NTLM authentication protocol.

Port

The port number of the proxy to forward through.

ICP peer type

The peering relationship of this proxy.

None - The ICP protocol will not be used with this proxy

Parent - This proxy is a Parent. When no peer has the cached file, it will still be requested from a parent, so that it is cached for other peer proxy servers.

Sibling - This proxy is a Sibling. Files are requested from it only when it has a cached copy.

ICP port

The UDP port ICP packets are sent on to this proxy.


Type

The type of proxy the requests are being forwarded to:

HTTP: This is an HTTP proxy.

SOCKS4: This is a SOCKS4 firewall.

SOCKS5: This is a SOCKS5 firewall.

Connect: The connect method will be used through the HTTP proxy.

Applies to

What type of requests should be forwarded:

HTTP requests: Forward HTTP requests

FTP requests: Forward FTP requests

CONNECT requests: Forward CONNECT requests


7.12.19 Internet Content Adaptation Protocol (ICAP)

ICAP is a protocol designed to off-load specific Internet-based content to dedicated servers, thereby freeing up resources and standardizing the way in which features are implemented. For example, a server that handles only language translation is inherently more efficient than any standard Web server performing many additional tasks.

ICAP concentrates on leveraging edge-based devices (proxies and caches) to help deliver value-added services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP Web servers. These ICAP servers are focused on a specific function, for example ad insertion, virus scanning, content translation, language translation, or content filtering. Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput instead of having to handle these extra tasks.

ICAP in its most basic form is a "lightweight" HTTP based remote procedure call protocol. In other words, ICAP allows its clients to pass HTTP based (HTML) messages (Content) to ICAP servers for adaptation. Adaptation refers to performing the particular value added service (content manipulation) for the associated client request/response.

How does ICAP work in SafeSquid?

The ICAP feature enables the proxy server to use an ICAP server to perform request modification, request satisfaction, or response modification on any request or response. When enabled, what basically happens is this:

For request modification:
- client sends request to proxy server.
- proxy server forwards request to the ICAP server; ICAP server will respond with a possibly modified request header.
- proxy server will use that modified request header to process the request.

This allows the ICAP server to do things like redirection, header filtering, etc.

For request satisfaction:
- client sends request to proxy server.
- proxy server forwards request to ICAP server; ICAP server will respond with a _response_ header and possibly a response body.
- proxy server will pass that response header and body on to the client; the request will not be further processed.

This allows the ICAP server to do things like URL blocking, etc.

For response modification:
- client sends request to proxy server.
- proxy requests file from web server (or uses cached response).
- proxy server forwards response header and body to ICAP server; ICAP server will respond with a possibly modified response header and body.
- proxy server will then send the possibly modified response header and body to the client.

This allows the ICAP server to do things like virus scanning, content modification, blocking inappropriate content, etc.

When an ICAP server is installed with a caching system, every transaction is piped through the ICAP server, allowing the server to modify or redirect Web requests or responses. When an ICAP server is installed in an FTP system, every transaction is piped through the ICAP server, allowing virus and content filtering software to operate on the content.

ICAP section

Option: Value
Enabled: Yes (x) / No ( )
Submit

ICAP
Add

'Add' under ICAP Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
Host:
File:
Port:
Applies to: Requests [ ]  Responses [ ]
Submit

ICAP section

Enabled

This option allows you to enable or completely disable the ICAP Section, irrespective of the rules defined in the section.

Value:
Yes - Enable ICAP Section
No - Disable ICAP Section

'Add' under ICAP subsection

Enabled


This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Host

The Host name or IP address of the ICAP Server.

File

The file to request from the ICAP server.

Port

The port of the ICAP server.

Applies to

Which part of the HTTP request this entry applies to:

Requests: The ICAP server will be used to modify or satisfy requests.

Responses: The ICAP server will be used to modify responses.

Examples:

In all the examples below, it is presumed that the IP of the ICAP server is 192.168.0.175 and that it is listening on port 1344. The profile 'virus_scan' is used in all examples, to ensure that only the files that require virus scanning are sent to the ICAP server. This profile is created in the 'Profiles' section. The sample rule is as follows:


Profiles Section

Option: Value
Enabled: true
Comment: The following file types will be scanned for viruses
File: (386|ADE|ADP|ADT|APP|ASP|BAS|BAT|BIN|BTM|CBT|CHM|CLA|CLASS|CMD|COM|CPL|CRT|CSC|CSS|DLL|DOC|DOT|DRV|EML|EMAIL|EXE|FON|HLP|HTA|HTM|HTML|INF|INI|INS|ISP|JS|JSE|LIB|LNK|MDB|MDE|MHT|MHTM|MHTML|MP3|MSO|MSC|MSI|MSP|MST|OBJ|OCX|OV\?|PCD|PGM|PIF|PPT|PRC|REG|RTF|SCR|SCT|SHB|SHS|SMM|SYS|URL|VB|VBE|VBS|VXD|WSC|WSF|ZIP|GZ|RAR|WSH|XL\?)
Time match mode: absolutetime
Added profiles: virus_scan

1. Using Dr. Web's ICAP Server for virus-scan of incoming content

Option: Value
Enabled: true
Comment: Configurations for using Dr. Web ICAP server
Profiles: virus_scan
Host: 192.168.0.175
File: /respmod
Port: 1344
Applies to: responses

2. Using Kaspersky ICAP Server for virus-scan of incoming and outgoing content

Rule for scanning incoming content

Option: Value
Enabled: true
Comment: Configuration for using Kaspersky ICAP to virus-scan incoming content
Profiles: virus_scan
Host: 192.168.0.175
File: /respmod
Port: 1344
Applies to: responses


Rule for scanning outgoing content - GET / POST

Option: Value
Enabled: true
Comment: Configuration for using Kaspersky ICAP to virus-scan outgoing content
Profiles: virus_scan
Host: 192.168.0.175
File: //av/reqmod
Port: 1344
Applies to: requests

3. Using Symantec ICAP Server for virus-scan of incoming and outgoing content

Option: Value
Enabled: true
Comment: Configurations for using Symantec ICAP to virus-scan incoming & outgoing content
Profiles: virus_scan
Host: 192.168.0.175
File: /respmod
Port: 1344
Applies to: responses


7.12.20 External Parser

External Parsers allow you to use any program or script to parse the contents of a file. The external parser must send a complete HTTP request or response header, which will override the one sent by the browser or Web server. If no body is sent after the header, the original body with the modified headers is used.

external section

Option: Value
Enabled: Yes (x) / No ( )
Submit

External
Add

'Add' under External Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
Executable:
Type: Pipe (x) / File ( )
Applies to: Requests [ ]  Responses [ ]
Run once per session: Yes (x) / No ( )
Send header: Request header [ ]  Response header [ ]
Submit

external section

Enabled

This option allows you to enable, or completely disable, the External parsers Section, irrespective of the rules defined in the section.

Value:
Yes - Enable External parsers Section
No - Disable External parsers Section


'Add' under External subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank.

Executable

The path to the executable. If no absolute path is specified, the directories given in the PATH environment variable are searched. You have to specify the path in this option, e.g. /opt/safesquid/script/external.sh.

Any number of arguments can be passed by separating them with spaces. If you're using a temporary file as the method to pass the contents of the file, its path will be the last argument. When the program is executed, several environment variables are set to reflect the properties of the file being handled; they are:

VERSION - The proxy server version
HTTP_METHOD - Method used to request the file
HTTP_HOST - Host the HTTP request was made to
HTTP_FILE - File the HTTP request was made for
HTTP_PORT - Port the HTTP request was made to
IP - IP address of the client making the request
INTERFACE - IP address of the interface the client connected to
PORT - Port the client connected to

Additionally, for every header received from the remote website and set by a client, an environment variable is set. All the environment variables for the server's headers start with SERVER_, and the client's start with CLIENT_; all '-' (dashes) in the header type are converted to '_' (underscores), and all characters are in uppercase. If an executable returns with a non-zero status code, the original content is returned.

Type

The method to be used to pass the content to the external program. The options are:


Pipe: Content is piped to the program's STDIN.
File: Content is stored in a temporary file and its path is passed as the last argument.

Applies to

Select whether the external parser is used on the request header, the response header, or both.

Requests - Use on request headers.
Responses - Use on response headers.

When both options are selected, it is used on both request and response headers.

Run once per session

Run the external parser for every request in a session until it returns a non-zero status code. This is useful for performing authentication through an external program.

Send header

Which header(s), if any, to send to the external program before sending the body. The options are:

Request headers: Send request headers
Response headers: Send response headers

The response header option only applies to external programs that process the response. If both headers are selected, the request header is sent first.

Example:

See article Use External Parsers To Authenticate Only Specific Web Sites for a complete example.


7.12.21 Prefetching Embedded Objects

The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML to be pre-fetched and cached, not just images. Prefetching is a good way to improve retrieval time: it reduces resource retrievals and improves retrieval time. Its target range is wider than that of both mirroring and caching.

prefetch section

Option: Value
Enabled: Yes (x) / No ( )
Threads:
Queue size:
Host limit:
Submit

Prefetch
Add

'Add' under Prefetch Subsection

Option: Value
Enabled: Yes (x) / No ( )
Comment:
Profiles:
Tag name:
Tag attribute:
Attribute pattern:
Maximum file size: 0
Recursion level: 1
Submit

prefetch section

Enabled

This option allows you to enable, or completely disable, the Prefetching Section, irrespective of the rules defined in the section.

Value:Yes - Enable Prefetching SectionNo - Disable Prefetching Section

Threads


The number of threads to run in the background for prefetching files. SafeSquid needs to be restarted for this setting to take effect.

Queue size

The size of the prefetch queue.

Host limit

The maximum number of queued prefetches per host.

'Add' under Prefetch subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles to which this rule applies. The rule applies to everything if this field is left blank.

Tag name

The HTML tag the attribute is in.

Tag attribute

The HTML tag attribute holding the URL to be prefetched.

Attribute pattern

A regular expression matching the attribute value this entry applies to.

Maximum file size

The maximum size of the prefetched file, set to 0 for unlimited.

Recursion level

If the URL leads to another HTML page, this is the depth to which links will be followed. Setting it to 0 causes links to be followed indefinitely.

Example:


An example for those unfamiliar with HTML: images and embedded objects are inserted into the Webpage using HTML tags. An HTML tag may look something like this:

<IMG SRC="cool.jpg">

The 'IMG' part is the TAG name, the 'SRC' part is an attribute, and the "cool.jpg" part is an attribute value.

SafeSquid can parse HTML code and extract URLs from given tags and attributes.

Example: you wish to prefetch any embedded shockwave flash files. After quickly looking at the HTML of a Webpage that has embedded flash animations, you discover it typically uses the following HTML code:

<embed src="/ani.swf" wmode="opaque" name="newsticker" quality="high" scale="exactfit" bgcolor="#293381" width="770" height="25" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"></embed>

So the HTML tag is 'embed', and the tag attribute is 'src'.

Wait though... there's a problem! How can SafeSquid know this is an embedded shockwave flash animation and not something else? There is the 'type' attribute as well, but SafeSquid can only match one attribute per tag.

What we can do is use the Attribute Pattern option in the entry to narrow this down a bit. Shockwave flash files have a .swf extension, as seen in the src attribute value "/ani.swf", so we can fill in the attribute pattern option with a regular expression matching only files with a .swf extension, like "\.swf$".
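As an added illustration of how a prefetch rule's Tag name, Tag attribute and Attribute pattern select URLs from a page, and how the section's Queue size and Host limit then cap what is queued, here is a small Python model written for this page; it is not SafeSquid's own parser. The HTML snippet and rule values are constructed for the example, the queue behaviour (first come first served, duplicates dropped) is an assumption, and Recursion level is not modelled.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class PrefetchRule:
    """One 'Add' entry under the Prefetch subsection (field names from the manual)."""
    tag_name: str                 # HTML tag the attribute is in, e.g. "embed"
    tag_attribute: str            # attribute holding the URL, e.g. "src"
    attribute_pattern: str = ""   # regex the attribute value must match; "" = any value


class PrefetchExtractor(HTMLParser):
    """Walk the HTML and test every start tag against each rule in turn."""

    def __init__(self, rules, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []
        # Compile once; an empty pattern means "match anything".
        self.rules = [(r, re.compile(r.attribute_pattern) if r.attribute_pattern else None)
                      for r in rules]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)       # html.parser lower-cases tag and attribute names
        for rule, pattern in self.rules:
            if tag != rule.tag_name.lower():
                continue
            value = attrs.get(rule.tag_attribute.lower())
            if value is None:
                continue
            # Only one attribute is matched per tag, so the pattern is the way
            # to narrow e.g. <embed src=...> down to .swf files.
            if pattern is not None and not pattern.search(value):
                continue
            self.urls.append(urljoin(self.base_url, value))


def extract_prefetch_urls(html, base_url, rules):
    parser = PrefetchExtractor(rules, base_url)
    parser.feed(html)
    parser.close()
    return parser.urls


def build_prefetch_queue(urls, queue_size, host_limit):
    """Apply the prefetch section's 'Queue size' and 'Host limit' settings."""
    queue, per_host = [], {}
    for url in urls:
        if len(queue) >= queue_size:
            break
        host = urlsplit(url).hostname or ""
        if url in queue or per_host.get(host, 0) >= host_limit:
            continue
        per_host[host] = per_host.get(host, 0) + 1
        queue.append(url)
    return queue


# Constructed sample page, modelled on the manual's <IMG> and <embed> examples.
SAMPLE_HTML = """<html><body>
<img src="cool.jpg">
<embed src="/ani.swf" wmode="opaque" type="application/x-shockwave-flash"></embed>
<embed src="/clip.mov" type="video/quicktime"></embed>
<a href="page2.html">next</a>
<img src="http://cdn.example.net/banner.gif">
</body></html>"""

SAMPLE_RULES = [
    PrefetchRule(tag_name="IMG", tag_attribute="SRC"),
    PrefetchRule(tag_name="embed", tag_attribute="src", attribute_pattern=r"\.swf$"),
]

if __name__ == "__main__":
    found = extract_prefetch_urls(SAMPLE_HTML, "http://www.example.com/index.html", SAMPLE_RULES)
    for url in found:
        print(url)
    print(build_prefetch_queue(found, queue_size=10, host_limit=1))
```

Running it lists cool.jpg, ani.swf and the CDN banner (clip.mov is skipped by the `\.swf$` pattern); with a host limit of 1 the queue keeps only the first URL per host.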


7.12.22 Pornographic Image Filter

Image filter allows you to block pornographic images from websites and webmails by analyzing the graphical content of an image in real time and blocking all suspicious images, so that a blank box is displayed in place of the blocked image. Although it is only about 80%-90% accurate, it acts as a good deterrent.

This is a commercially distributed add-on plug-in and works with SafeSquid Advanced Edition and all Composite Editions, including the FREE Composite Edition 20. This is a closed binary add-on module.

The Trial version of Pornographic Image Filter can be downloaded from the Downloads page.

The details for installing Pornographic Image Filter are described in THIS TOPIC.

imgfilter section

Option            Value
Enabled           Yes [x]  No [ ]
Library path      /opt/safesquid/modules/imgfilter/imgfilter
Default template
Submit

Image filters
Add

'Add' under Image filters Subsection

Option            Value
Enabled           Yes [x]  No [ ]
Comment
Profiles
Threshold
Template
Submit

Imgfilter section

Enabled

This option allows you to enable, or completely disable, the Image filter section, irrespective of the rules defined in the section.

Value:
Yes - Enable Image filter Section
No - Disable Image filter Section

Library path

The path where the Image Filter Libraries are stored

Default template

The template to display for blocked images when a template is not defined in a rule under the 'Image filters' subsection. If left blank, the default template is used.

'Add' under Image filters subsection

Enabled

This option allows you to enable or disable a rule.

Value:
Yes - Enable this rule
No - Disable this rule

Comment

A comment for future reference explaining what this rule does.

Profiles

A comma separated list of Profiles to which this rule applies. The rule applies to everything if this field is left blank.

Threshold

Image filter allocates a score to the images that it analyzes: -10.0 is unlikely to be porn, whereas 0.0 is very likely. You can fine-tune the filter by defining the threshold score limit here. You can create multiple rules with different threshold limits for different profiles.

Template

Template to display when an image is blocked. If left blank, the Template defined under the imgfilter section is used.


8 URL commands

SafeSquid has powerful remote management features. The Browser-based GUI lets you configure the way the Internet is used in your network. URL Commands allow you to test the functionalities and verify your configurations - REMOTELY.

URL commands can be used to show information about a webpage and to bypass certain features. For proxy requests, URL commands are prefixed onto the hostname of the website. For example, 'http://xx--bypass.www.somesite.com' would bypass all the filters that might be applying on www.somesite.com. Bypassing is useful to work around sites that are having problems with some types of filtering. You can grant or remove the right to use URL commands to a user in the 'Access Restrictions' section. See Access Control for details.

The other URL commands are:

Command        Description
xx--fresh      Fetch a fresh copy of the file from the website, instead of using the cache. Sometimes the cache refresh logic gets things wrong.
xx--raw        Show the raw file (HTML); on FTP directory lists it'll show the raw listing.
xx--cookies    Display cookies sent to and received from the website.
xx--mime       Show the matching mime entry for the requested URL.
xx--headers    Show headers sent by the browser and received from the website.
xx--score      Show the score for the page when doing keyword filtering.
xx--diff       Show diff-like output of the changes made by the rewrite feature to a website; useful for debugging regular expression patterns.
xx--htmltree   Debug the HTML parser when prefetching. It'll show the parsed HTML tree. Useful for people wanting to debug their HTML.
xx--process    Bypass the maxbuffer setting and buffer/process the file anyway, so if someone wants to scan a large file for viruses they can use this.
xx--offline    Browse in offline mode: only cached files can be viewed, and cached files won't be validated if they're stale.
xx--filter     Display any matching filter entry for the requested URL.
xx--cache      Display information about a cached file.
xx--profiles   Display a list of enabled profiles.
xx--https      Make an HTTPS (SSL) request from a non-SSL client; can also be used to process HTTPS content (remove banners, scan viruses), i.e. http://xx--https.www.cibc.com would be the same as https://www.cibc.com. These 2 features are designed to work together:
xx--prefetch   Pre-fetch a file in the background without downloading it to the client.
xx--template   Display a template instead of the requested file.
xx--proxytest  This one is neat when forwarding to another proxy: it makes the proxy connect back to SafeSquid, and SafeSquid displays the headers that would have been passed on to the website. The purpose is to serve someone who wishes to surf anonymously through open proxies; they can see if the website can still identify them.

The xx--bypass command can be used with additional options to selectively bypass (or unbypass)most features.

xx--bypass[OPTIONS]

OPTIONS is a string of letters representing the features.

Here are the available options:

Option Description

f url filtering

h header filtering (both client and server)

m mime filtering

r URL redirection

c cookie filtering

w rewriting

e external parser (both request and response)

p forwarding

k keyword filtering

d dns blacklist

a antivirus scanning

i ICAP

A + or - symbol can be used to change between bypassing and un-bypassing, if the feature was bypassed in the Access Restrictions section entry.

Some examples:
http://xx--bypass[fh].www.slashdot.org <-- bypasses URL and header filtering
http://xx--bypass[e-i].www.safesquid.com <-- bypass external programs and UN-bypass ICAP
http://xx--bypass.www.exn.ca <-- bypass everything

For regular HTTP requests (such as when the proxy is being used to redirect HTTP requests), an extra path element is added to the front of the requested file with the URL command inside; for example, "http://xx--proxyip:port/bypass./somefile". URL commands are not only taken from the request URL, but also from the Referer header sent by your browser; this allows them to work for images and files loaded from a website a URL command was used on. Additionally, URL commands are automatically prefixed to the Location: header sent back when a 302 redirect is received or when a redirect rule that sends a 302 redirect matches. The list above gives all available URL commands and a description of what they do.

There are a few other things to note:
· when a URL command is used on a site that sends back a 302 redirect, the URL command is added to the URL in the Location header, so that the URL command still applies when the browser follows the redirect.
· when a request is made that has a URL command in the Referer header but not in the URL (like when someone clicks a link on a page they used a URL command on), the proxy will send a 302 redirect to the same URL but with URL commands. This makes it possible to continuously browse with features bypassed.
· URL commands are also extracted from the Host header, so they work when the proxy server is transparent.
· URL commands are also prefixed to URLs sent by the Redirect feature, except if 'bypass' or 'bypass[r]' is used, since the redirect feature would be bypassed.
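To make the command syntax concrete from the administrator's side, for instance when auditing access logs for which clients invoked xx--bypass and which filters it switched off, here is an added Python parser written for this page; it is not part of SafeSquid. It reads the xx--<command>[OPTIONS] label from the first hostname label and checks the three places the manual says commands are taken from: the request URL, the Host header and the Referer header. The sample hostnames are the manual's own; the helper names and the header-precedence order are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Feature letters from the manual's xx--bypass option table.
BYPASS_FEATURES = {
    "f": "url filtering", "h": "header filtering", "m": "mime filtering",
    "r": "URL redirection", "c": "cookie filtering", "w": "rewriting",
    "e": "external parser", "p": "forwarding", "k": "keyword filtering",
    "d": "dns blacklist", "a": "antivirus scanning", "i": "ICAP",
}

# A command label is the first hostname label: xx--<name> with optional [OPTIONS].
COMMAND_RE = re.compile(r"^xx--([a-z]+)(?:\[([a-z+\-]*)\])?$", re.IGNORECASE)


@dataclass
class UrlCommand:
    name: str                           # e.g. "bypass", "fresh", "headers"
    target_host: str                    # the real site the request is for
    bypass: frozenset = frozenset()     # feature letters switched off
    unbypass: frozenset = frozenset()   # feature letters switched back on


def parse_bypass_options(options):
    """Turn an OPTIONS string such as 'fh' or 'e-i' into (bypass, unbypass) sets.

    No brackets, or empty brackets, means every feature is bypassed, as in the
    manual's 'http://xx--bypass.www.exn.ca <-- bypass everything' example.
    """
    if not options:
        return frozenset(BYPASS_FEATURES), frozenset()
    bypass, unbypass = set(), set()
    sign = "+"                          # '+' bypass, '-' un-bypass; sticky until changed
    for ch in options.lower():
        if ch in "+-":
            sign = ch
        elif ch in BYPASS_FEATURES:
            (bypass if sign == "+" else unbypass).add(ch)
        else:
            raise ValueError(f"unknown bypass feature letter {ch!r}")
    return frozenset(bypass), frozenset(unbypass)


def parse_host(host):
    """Return the UrlCommand carried in a hostname, or None if there is none."""
    label, _, rest = host.partition(".")
    m = COMMAND_RE.match(label)
    if not m or not rest:
        return None
    name, options = m.group(1).lower(), m.group(2)
    cmd = UrlCommand(name=name, target_host=rest.lower())
    if name == "bypass":
        cmd.bypass, cmd.unbypass = parse_bypass_options(options)
    return cmd


def host_of(url):
    """Hostname of a URL, done by hand because urllib rejects '[' ']' in a host label."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]        # drop user:pass@
    return authority.split(":", 1)[0]               # drop :port


def find_url_command(request_url, headers):
    """Look where the manual says commands are taken from: the request URL,
    the Host header (transparent proxying) and the Referer header."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    candidates = [host_of(request_url)]
    if "host" in hdrs:
        candidates.append(hdrs["host"].split(":", 1)[0])
    if "referer" in hdrs:
        candidates.append(host_of(hdrs["referer"]))
    for host in candidates:
        cmd = parse_host(host.lower())
        if cmd is not None:
            return cmd
    return None


if __name__ == "__main__":
    for h in ["xx--bypass[fh].www.slashdot.org", "xx--bypass[e-i].www.safesquid.com",
              "xx--bypass.www.exn.ca", "www.somesite.com"]:
        print(h, "->", parse_host(h))
```

A log-review script can call find_url_command on each request's URL and headers and report the target_host together with the bypassed feature letters, which is the information the Access Restrictions grant for URL commands is meant to control.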


9 Multiple Proxy Configuration

SafeSquid has a unique Multi Proxy, or Master-Slave, configuration. If your enterprise requires multiple proxies across its global networks, you can enjoy the convenience of SafeSquid's unique Master-Slave deployment architecture. You just have to set policies on the Master, and all the slaves will automatically synchronize themselves to your policies on the master. You can even create unique policies for any of the slave proxies. Master-Slave configuration can be used both in a single Gateway scenario, to forward all requests to the Master server, and in a distributed scenario with independent Internet connections.

Master-Slave in Single Gateway scenario

Master-Slave in distributed network scenario


Config synchronization allows a 'slave' proxy to match its configuration to a 'master' proxy, and to update its configuration automatically when it detects changes made to the master.

Using config synchronization in SafeSquid is surprisingly easy.

A Master server can be set up in the normal way you would set up a stand-alone server; the only additional step that needs to be taken is to ensure every slave proxy is covered by an access rule which allows it to access the Web interface.

Now, for every slave proxy, while installing SafeSquid, just mention the IP:PORT or FQDN:PORT of the Master server in the "MASTER =" parameter (option 16/28 in version 4.1.1). This automatically configures the server to 'pull' configuration parameters from the Master server. The synchronization interval can be specified in the SYNCTIME parameter. If this parameter is not modified, or is left blank, SafeSquid selects the default SYNCTIME of 60 seconds.

You can also edit the startup.conf file (found in the /opt/safesquid/safesquid/init.d/ directory) of an existing server, and modify the MASTER and SYNCTIME parameters.

There are some additional command line options which you may need to use. They are:

-H - specify the proxy's own hostname, instead of using the one in the configuration file. The reason should be obvious: you don't want every proxy having the same hostname, especially when using CARP.
-I - the interval, in seconds, between synchronization attempts with the master.
-L - specify the interface and port to listen for connections on; this is used in addition to the configuration gathered from the master.
-S - a comma-separated list of section names which are synchronized; when used, other sections won't be synchronized.
-E - a comma-separated list of section names which aren't synchronized; when used, other sections will be synchronized.

When using config synchronization, you may also specify a configuration file on the command line which is loaded before config synchronization is performed. This is useful if you wish to exclude some sections from being synchronized and load them from a file instead.

The 'Proxy host' option in Profile entries can be used to have separate configuration options for specific slaves.


10 Reverse Proxying

A Reverse proxy is a proxy server which sits between a Web server and the rest of the internet, filtering content provided by your Web server for clients. SafeSquid can work in this manner by using transparent proxying and redirecting.

The advantage of using SafeSquid as a reverse proxy is its content filtering features. Just as you can use SafeSquid to control user access to the internet, in reverse proxy mode it can be used to control who can access what on your web server from the outside world, and thus secure your web server.

A few examples -
· Allow only authenticated access to specific content
· Create groups of users and allow different access rights
· Enhance security by accepting requests only from specific browsers, like IE & Firefox
· Virus scan content being uploaded to the web server
· Use as a Load Balancer by redirecting requests to multiple web servers
· Easily redirect requests to another server, when the original server requires maintenance down-time
· Dynamically generate or modify content in real-time
· Easily manage rules with browser-based GUI

To set up a reverse proxy, simply have SafeSquid listen on the interface and port in place of your Web server. Configure the Web server to listen on a different port, and redirect all requests made to the proxy server to the Web server using a redirect entry.

For a simple example, create the following rule in the 'URL Redirecting' section to redirect requests to your web server (for a detailed description of URL Redirecting, see URL Redirect):

Option          Value
Enabled         Yes [x]  No [ ]
Comment
Profiles
URL             .*
Redirect        http://webserver/$1
Port            80
302 redirect    Yes [ ]  No [x]
Options         [ ] Encode URL
                [ ] Decode URL before
                [ ] Decode URL after
Applies to      Location header [x]  URL [ ]  Both [ ]
Submit

You will also need to ensure there is an access entry that matches all clients that will be connecting to your Web server, and you should also restrict access to the bare minimum (HTTP requests and Transparent requests).

Reverse proxying can be combined with other features to perform many other tricks, such as creating a gateway between an intranet and the internet by using URL redirection, and rewriting to make URLs valid outside the intranet.


11 Chain Squid with SafeSquid

For various reasons, it may be desirable to use Safesquid in conjunction with Squid.

This can be accomplished in two ways: (1) you may either have SafeSquid forward requests to Squid, or (2) have Squid forward requests to SafeSquid. Although it shouldn't matter, historically it has always worked better to have SafeSquid forward to Squid.

Case 1:

If you wish to forward requests from SafeSquid to Squid, create a new forward entry with the Proxy and Port options filled with the hostname and port of Squid. Remember that SafeSquid won't forward to its own host, so you will need to use your IP instead of localhost if Squid is running locally and you're using the default configuration.

Suppose Squid is listening on 192.168.0.175 Port 3128. Create the following rule under the 'Forwarding' section:

Option          Value
Enabled         true
Comment         This rule forwards request to Squid
Proxy           192.168.0.175
Port            3128
ICP peer type   None
ICP port        0
Type            HTTP
Applies to      HTTP,FTP,CONNECT

Now, if you would also like to use ICP to share cache content with Squid, you could also include the ICP entry in the same rule, like this -

Option          Value
Enabled         true
Comment         This rule forwards request to Squid
Proxy           192.168.0.175
Port            3128
ICP peer type   Parent
ICP port        3130
Type            HTTP
Applies to      HTTP,FTP,CONNECT

Case 2:

To have Squid forward requests to SafeSquid, which is listening on 192.168.0.170 Port 8080, edit the squid.conf file and add the following line to it:

cache_peer 192.168.0.170 parent 8080 0


12 Multi-ISP networks

SafeSquid has an option in 'Network Settings' to add a new interface for outgoing connections. This is useful in networks where you need to split the load between different ISPs. It can also be useful to switch between ISPs due to a slow net connection or discontinuity. This can be accomplished in the following way:

Suppose you wish to -

1. Forward outgoing requests of the user groups 'Accounts' and 'Finance' to the ISP whose connection is on the interface with IP 192.168.0.175

2. Forward outgoing requests of the user groups IT and System to the ISP whose connection is on the interface with IP 192.168.0.180

Then, in the 'Network Settings' section, add the following rules under the 'Interface' subsection -

Option     Value
Enabled    true
Comment    This rule forwards request to IP 192.168.0.175
Profile    Accounts,Finance
IP         192.168.0.175

Option     Value
Enabled    true
Comment    This rule forwards request to IP 192.168.0.180
Profile    IT,System
IP         192.168.0.180

Save the settings after creating these rules by clicking on 'Save settings' in the top menu. Also restart the SafeSquid service with the command:

/etc/init.d/safesquid restart

Note: Profiles like 'Accounts', 'Finance' etc. are defined in the 'Access Restrictions' section. See Access Control for a detailed explanation.


13 Using Profiles for granular Access Policies

SafeSquid is generally hosted in large enterprises or environments to exploit its various filtering capabilities, besides simply providing a reliable mechanism of access to the WWW. In such enterprises, it is very natural that people would be expected to access the web for reasons that are partly similar, and for some reasons that are entirely unique to certain users or groups of users. It is impossible to think of a world that would be governed by the same set of logic that decides what's acceptable and what's not. SafeSquid's Content Filtering and Access Control system derives its reputation from its configuration schema, which provides unlimited possibilities for re-configurable logic. This re-configurable logic allows enterprises to build their Internet Access Policies, unmindful of the way filtering technologies are actually implemented.

SafeSquid's configuration allows you to very precisely define situations. Each situation thus defined is referred to as a Profile. Each Profile can be defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the various filtering sections in SafeSquid. You can thus ensure that filtering action happens exactly as required.

SafeSquid's Profiles feature allows you to accommodate the demands of extremely granular rules for Internet Access privileges and restrictions. Rest assured you will be able to deal with the most complex situation, as long as you can accurately define a situation, and thus properly Profile a situation.

When you access the SafeSquid Web-GUI, notice the "Added Profiles" text-box in the Access Restrictions Section and the Profiles Section. Profiles are created by specifying them (as a comma separated list) as "Added Profiles" in rules in either of these sections. Both of these sections allow you to apply the profile as a result of matching the various entries (conditional parameters) specified in each rule. The general rule is: if an entry is left blank, then it is translated as "not considered", or "anything", or "immaterial".

In our discussions about setting up user authentication, I showed you how we could use the "Added Profiles" in the Access Restrictions Section to create profiles that denote common and/or unique attributes for people. We could then use these as Profiles in the various filtering rules. We could similarly create Profiles in the Profiles Section.

The Access Restrictions Section allows you to apply (add) Profiles based on the user's identity (username/password; I.P. Address). Obviously the applied Profiles would not change unless the same user re-authenticated using a new identity.

A situation may not always be completely defined by who's making the request, or the source of the request. The rules in the Profiles Section help you to apply (add or remove) profiles based on conditional parameters like the source of the content or target, the nature of the content, the time of the day etc. A profile applied by any previous rule can also be used as a conditional parameter! To do so, simply list them in the "Profiles" text-box. Each of the rules in the Profiles Section is matched against a request, and if the conditional parameters set in the rule's various entered parameters (entries) match, the profiles specified in the "Added Profiles" entry are applied. Profiles specified in the "Removed Profiles" text-box entry are removed, if any previously applied rule had set them.

Understanding the creation and application of "Profiles" is the most essential part of SafeSquid's overall filtering configuration. Understanding how the Profiles work internally could be quite useful. Each request is matched against the various rules in the Access Restrictions and Profiles Sections. If all the specified conditional parameters (entries) of a rule match the request, then the list of profiles specified in the Added Profiles text-box is included in the Profiles List (array) for that request. Similarly, if a rule in the Profiles Section has a list of profiles specified in the Removed Profiles text-box, then these profiles are deleted from the array. SafeSquid thus builds an internal Profiles Array for each connection. SafeSquid ensures that a profile name is uniquely listed in the array. Each of the filters uniquely processes a connection, based on the conditional parameters specified as entries in the various rules in the filters. Almost all Filters have Profiles as a conditional parameter. Thus, by appropriately creating a profile and then specifying it as a conditional parameter in any rule of any Filtering Section, you can either subject or immunize the connection from a Filtering Rule.

In the rest of the discussion, unless I specifically mention the Profiles Section, you may presume that I am referring to Profiles as an entity created by making an appropriate entry in the "Added Profiles" text-box, or deleted by specifying it in the "Removed Profiles" text-box. You may therefore very safely think of Profiles as "quite like tickets, labels or tokens" that can be given or taken away, and of filters as inspectors that process requests depending upon the profiles applied to or carried by that connection.

I very strongly suggest that you review the list of conditional parameters available to create a profile and thus define a situation. To do so, access SafeSquid's WebGUI, click the "Config" link on the top menu and select the "Profiles" option in the drop-down menu. SafeSquid is generally shipped with a set of sample rules in the Profiles Section; click on the edit menu to view the list of entries that have been specified or left blank. Pass your mouse lazily over the names beside each of the configuration text-boxes, check-boxes etc. A tool-tip should now present you with contextual information about that entry, which may be used as a conditional parameter.

Did you notice that the list of conditional parameters is pretty huge (monstrous?). But don't let that overwhelm you, because you can simply leave options blank if they do not seem to be a conditional parameter that distinguishes the situation you desire to Profile. I will try to help you understand with a few practical examples, and to keep things lucid, I will omit the entries in any rule that are supposed to be left blank. I will also try to focus on the logic but avoid discussing the reasons why one would want to create such rules.

I guess an example would help here.

Example #1

In an enterprise:

Joseph, Ali, Radha and Sam are employed in the Marketing department.
John, Shyam, Bill and Sagar are employed in the Finance department.

The corporate policy stated that:
The Marketing people may access web-sites using any Internet Client or browser of their choice.
The Finance people were restricted to use only FireFox.

So, let's see how we would enter the rules into the various sections to derive the necessary configuration:


Rules in Access Restriction Section:

Option                  Value
Enabled                 true
Comment                 This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM                     true
User name               (Joseph|Ali|Radha|Sam)
Added profiles          Marketing

Option                  Value
Enabled                 true
Comment                 This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Finance"
PAM                     true
User name               (John|Shyam|Bill|Sagar)
Added profiles          Finance

Rules in Profiles Section:

Option                  Value
Enabled                 true
Comment                 This rule creates and applies the Profile "Unacceptable_Client" to everybody
Added profiles          Unacceptable_Client

Option                  Value
Enabled                 true
Comment                 This rule removes the Profile Unacceptable_Client for "Finance" users, but only when they use FireFox
Profiles                Finance
Request header pattern  .*FireFox.*
Removed profiles        Unacceptable_Client

Option                  Value
Enabled                 true
Comment                 This rule removes the Profile "Unacceptable_Client" for "Marketing" users.
Profiles                Marketing
Removed profiles        Unacceptable_Client

Rules in URL Filter Section (the Global Policy set to Allow, and the following rule created in the Deny sub-section):

Option                  Value
Enabled                 true
Comment                 This rule Blocks / denies Internet access to all "Unacceptable_Client"
Profiles                Unacceptable_Client

In the above set of rules, I actually made use of the Comment fields to explain the logic of creating the rules. The profiles by themselves do not dictate any denial of access; denial of access or blocking is an activity executed by the various filters. We had to eventually instruct the URL Filter to deny access to "unacceptable internet clients". In the above example, the policy was about the nature of the Internet Clients being used by people. So we logically profiled what constitutes or precisely defines the "Unacceptable_Client", and then we created a single rule in the URL Filter to deny access to all "Unacceptable_Client". I hope that you noticed that we identified the use of FireFox by using the entry for Request Header Pattern as a conditional parameter, and removed the profile "Unacceptable_Client" when it matched the PCRE (Perl Compatible Regular Expression) ".*FireFox.*". The creation of PCRE is a little off-topic, and we will discuss it within another topic.

Did you notice that in the above configuration, the third and last rule in the Profiles Section explicitly removes the profile "Unacceptable_Client" for the "Marketing" users? So what would happen in case we added more rules in the Access Restriction Section to profile users from other functional business groups? And what if the policies needed an alteration in future, to ensure that the Internet Clients used by even the "Marketing" users need some regulation? I suppose you also appreciate the fact that verification of this conditional parameter is possible only because the browser (FireFox) used as the Internet Client includes User-Agent parameters in its request headers. There are a host of applications available that allow you to spoof this. For example, I could modify the "User-Agent" string of Internet Explorer to include the word FireFox! From the security perspective, it now seems so obvious that we have left gaping holes! But I am pretty sure that you should be able to modify the above rule-set to plug any such holes. Remember, rules can always be written, or modified, to precisely deliver the results demanded by the policies. Much of the frustration faced by firewall rule makers, like you & I, would be because of situations left uncovered, or ambiguities contained in the policies. The best way to deal with things therefore is to note down the policies on a piece of paper, and logically dissect them with an open mind (stimulated by a cup of coffee!). The other primary reason for frustration would be inadequate information about the overall benefits desired by any policy.

Profiles can be built to very precisely define situations by subjecting them to a variety of conditional parameters. Then, by applying the profile to one or more rules in an appropriate filter, we can always define the restrictions or relaxations. Selecting the filter requires a little creativity and understanding of web technologies.

Example #2

One of the most popular situations that people request rules for is blocking access to personal email services like yahoo, hotmail, gmail etc. However, the request is always suffixed with a few clauses: that people should be able to access the basic search engine services offered by these web-sites; that queries based on certain kinds of words should be prevented; that some of these queries should be universally prevented, while some queries should be permitted to only certain people; etc., etc.

We can use PCRE to denote all hosts belonging to a group of web-sites, including their varioussub-domains, or genuinely child web-sites. Carefully look at the use of site1 and site2 in thisexpression:

(.*\.|^)(site1|site2)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$ This expression matches all of the following sites:

site1.com site1.co.uk site1.info www.site1.com child.site1.com site2.com site2.co.uk site2.info www.site2.com child.site2.com

In fact it covers all possible combinations, to cover a layman's reference to "site1" or "site2" Moreover you could expand the list of sites covered by simply modifying the aboveexpression. So, the following PCRE covers all web-sites of yahoo, hotmail and gmail:

(.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$

(For the moment, do not stress too much over understanding the use of characters like ".", "$" and "^" in the expression.)
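The expression above, checked against the hosts listed earlier and against a few look-alike hosts it must not match. This is an added example using Python's re module (which accepts this PCRE unchanged), not code from the manual or from SafeSquid; the build_host_pattern helper, the lower-casing of the Host value and the sample hosts are my own.

```python
import re

# Suffix half of the manual's expression: "site.xx.yyy" (co.uk) or "site.xxx"/"site.xxxx" (com, info).
_SUFFIX = r"(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$"


def build_host_pattern(sites):
    """Generalise the manual's Host PCRE to any list of site names (my helper, not SafeSquid's).

    Names are escaped so a metacharacter in a name cannot widen the match; for plain
    names like "yahoo" the result is byte-for-byte the expression printed in the manual.
    """
    names = "|".join(re.escape(s) for s in sites)
    return re.compile(r"(.*\.|^)(" + names + ")" + _SUFFIX)


PERSONAL_EMAIL_HOSTS = build_host_pattern(["yahoo", "hotmail", "gmail"])


def is_personal_email_host(host):
    """True when the Host value falls under yahoo/hotmail/gmail per the manual's expression.

    re.search is the right call here (not re.match): the leading group already demands either
    the start of the string or a dot immediately before the site name, and the trailing $ pins
    the public suffix to the end, so "notyahoo.com" and "yahoo.com.attacker.example" both fail.
    Host names are case-insensitive, so the value is lower-cased first (my assumption about
    how the comparison should be normalised; the manual does not discuss case).
    """
    return PERSONAL_EMAIL_HOSTS.search(host.lower()) is not None


if __name__ == "__main__":
    # Constructed sample Host values: the manual's sites plus some that must stay unmatched.
    for host in ["yahoo.com", "mail.yahoo.co.uk", "www.hotmail.info", "GMAIL.COM",
                 "notyahoo.com", "yahoo.com.attacker.example", "gmail.co"]:
        verdict = "Personal_Emails (cookies denied)" if is_personal_email_host(host) else "no profile"
        print(f"{host:28} -> {verdict}")
```

Note that the shorter alternative in the expression demands three or four characters after the last dot, so a bare two-letter top-level domain (gmail.co) is not matched; add an alternative if your policy needs it.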

I could now create a profile called Personal_Emails like this:

Rules in Profiles Section:

Option           Value
Enabled          true
Comment          This rule applies "Personal_Emails" profile to all web-sites of yahoo, hotmail and gmail
Host             (.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$
Added profiles   Personal_Emails

Rules in Cookie Filter Section: (The Global Policy set to Allow, and the following rule created in the Deny Sub-section)

Option           Value
Enabled          true
Comment          This rule blocks cookie exchanges with "Personal_Emails"
Direction        Both

This time I chose the Cookie Filter, because I know that you cannot log into http web-sites if your cookies are disabled! And who would want to visit personal email sites, but not log in!! But then, since the web-site is not entirely blocked, the users can very conveniently use the other services that do not require any identification or authentication, like logins.

From a security perspective, I would use rules like the one we just made to create a privacy blanket for my users. For example, I could create a profile for all web-sites belonging to doubleclick and block all cookies travelling between my users and these sites.

But then I suppose you are now quite conversant with Profiles, and should be able to translate any of your corporate policies. The only problem (probably) would be PCRE.


14 Using Authentication for Security and Creating User Profiles

Authentication is the key to web-security. Typically you might consider authentication as the very first layer of your security. Authenticating Internet access prevents spy-ware, malware and adware from exploiting your Internet Gateway.

It also ensures that the "names" of the users show up in the logs, instead of just IP-addresses, which can be so conveniently spoofed. And that can make reviewing the log reports so much more convenient!

But most importantly, SafeSquid's Authentication mechanism sets the Access Restrictions, and creates the access profiles of the various users. Groups of users whose Internet Access can be broadly considered identical can be given a common profile.

You can start to configure SafeSquid's authentication system by making appropriate configurations in the Access Restriction Section.

The Access Restriction Section has three subsections:

* The Global Allow / Deny Policy setting;
* Allow Sub-Section set of entries;
* Deny Sub-Section set of entries.

As you would expect in a typical FireWall:

* Setting global policy to Allow means you would consider all request sources to be acceptable, while you would specifically define the unacceptable sources in the "Deny" Sub-Section.
* Setting global policy to Deny means you would consider all request sources to be unacceptable, while you would specifically define the acceptable sources in the "Allow" Sub-Section.

The rules are followed in a top-down hierarchy, and the first rule that matches a request's parameters gets applied.

As a thumb-rule, start by setting the Global Policy to Deny. Don't worry, you can still (and very easily) allow all or specific sources of requests to be acceptable.

Now consider adding a rule. Since we have set the global policy to Deny, very obviously the rules created in the "Allow" Sub-Section will be relevant and applicable. Clicking on the Add link in the Allow Sub-Section will present you with a Dialog, where you can now define the parameters that would identify a request that should be allowed. The important things to notice here are:

* When you lazily move the mouse over the various things printed on the dialog box, little Tool-Tips appear that tell you about the significance of each option and settable element.
* Text boxes for I.P. Addresses, User name, Password, Added Profiles. (There's also a text-box named "Profile", but just ignore it.)
* Radio-Button to enable / disable PAM.
* And a whole lot of check-boxes. Just move the mouse over the names that identify each of these check-boxes, and a relevant "ToolTip" will appear to tell you more about that check-box. For the sake of lucidity and flow of the present discussion, let's just ignore these check-boxes.

The Text boxes that we mentioned above, besides the radio-buttons for PAM, are very important in our discussion here. The parameters that identify a request are constituted by what you set in the Text boxes for I.P. Addresses, User name and Password.

The logic is simple - leaving any option blank, is equivalent to making it "irrelevant".

Let me help you with some examples here:

Set the radio-button for PAM to "NO", leave I.P. Address blank, set User name to "test" and Password to "zebra".

This instructs SafeSquid to send an authentication challenge to every user, irrespective of the source I.P. address. And ONLY if this challenge is responded to with username "test" and password "zebra" is the request considered "allowed" or "acceptable".

Now, if you wished to further narrow the scope of this acceptability down to an I.P. address, repeat the steps in the above example, but this time, instead of leaving the I.P. Address blank, set it to an I.P. address.

I guess now, if you wished to distinguish an "acceptable" request as a combination of I.P. address 192.168.0.1, username "test" and password "zebra", you shouldn't have a problem, right?

Broadening the scope to a range of I.P. addresses is also easily done. Suppose you wished to allow requests coming from an array of I.P. Addresses like 192.168.0.1, 192.168.0.3, and all between 192.168.0.110 and 192.168.0.160; fill in the I.P. Address text-box as: 192.168.0.1,192.168.0.3, 192.168.0.110-192.168.0.160. Simple, isn't it?

Ok, so now you are ready to understand the relevance of the fourth text-box, "Added Profiles" (continue to ignore the other text box called "Profiles"). Notice that "Added Profiles" is at the very last in the dialog. You can enter a comma-separated list of tags in the "Added Profiles" Text Box. These tags can be just about any logical words that commonly identify one or more rules. These could be user groups or work-functions of people. Let me try to help you understand this with an example.

Ramesh, Joseph and John belong to the Accounts department, and are supposed to make internet access only from their respective workstations, which have I.P. addresses 192.168.0.1, 192.168.0.2 and 192.168.0.3. We would like to create common filtering and other rules that can be set in the various other sections of SafeSquid.

So we will now create three rules as follows:


Option           Value
Enabled          true
Comment          This rule creates the Access Profile of Ramesh
IP Address       192.168.0.1
User name        Ramesh
Password         apple
Added profiles   Accounts

Option           Value
Enabled          true
Comment          This rule creates the Access Profile of Joseph
IP Address       192.168.0.2
User name        Joseph
Password         mango
Added profiles   Accounts

Option           Value
Enabled          true
Comment          This rule creates the Access Profile of John
IP Address       192.168.0.3
User name        John
Password         banana
Added profiles   Accounts

Notice that in the above example we maintained "Added Profiles: Accounts" as a common factor. This instructs SafeSquid to "profile" all internet requests made by Ramesh, Joseph and John as "Accounts". Now in any other section of SafeSquid, if you wished a filter-rule to affect John, Ramesh or Joseph, simply enter "Accounts" in the text-box named Profiles in those sections (not in the Access Restriction section).

In this discussion I have consciously held back on discussing the effects of setting PAM to YES. Setting PAM to YES makes SafeSquid talk to the PAM sub-system for validating the user's identity. To put things simply: you would set PAM to YES if you do not wish to maintain huge lists of passwords within the SafeSquid configuration system.

That is generally the way to live when you have a large number of individuals in an enterprise that must be served by SafeSquid. But then, of course, you must first set the PAM Configuration for SafeSquid.


15 Configuring PAM

Identity management begins with authenticating a user's username and password. In a large enterprise you would have already established an identity management system. PAM (Pluggable Authenticating Mechanism) is a very popular UNIX-based technology, and a standard sub-system of the common and popularly used Linux distributions. PAM by itself is quite a sizeable subject, and a very mature technology. It serves various needs, and applications are built to meet a variety of permutations and combinations. To maintain the lucidity of our discussion here, I will restrict the discussion to only the relevant areas.

PAM allows any service to easily communicate with a variety of Identity Management systems. The benefits of this are enormous. The most important benefit is that the username/password storage is not required to be done within the various applications that the users are permitted to use. To keep our discussion contextual, from here on we will refer to an Identity Management System as an Authentication Service. An Authentication Service could typically be a Microsoft Windows SMB / AD service, or any other form of LDAP like OpenLDAP. It could also be a RADIUS server or an SQL Database.

SafeSquid is intrinsically "PAM-aware". The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, you are free to choose how SafeSquid will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration for each PAM-aware service can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf.

Linux-PAM separates the tasks of authentication into four independent management groups: account management; authentication management; password management; and session management. The configuration file lists the tasks in an appropriate sequence, and the name of the PAM library that will be called to accomplish each task. SafeSquid requires only authentication and account to be configured.

From the point of view of the SafeSquid application, it is not of primary importance to understand the internal behavior of the Linux-PAM library. These libraries are popularly referred to as modules. The important point to recognize is that the configuration file(s) define the connection between applications (services like SafeSquid) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks.

PAM modules are readily available to verify username-password combinations against various authenticating services. A variety of PAM Modules are freely distributed, so you can judiciously decide on the suitable module depending upon the Authenticating Service that you intend to use. To prevent configuration errors, please do check whether your chosen PAM module performs the Authenticate (auth) and/or Account tasks, and the correct usage for each of the respective tasks. Some PAM modules are very simple and straightforward to use. But there are some that require a lot of elaborate configuration, involving some additional configuration files and/or system configuration.

SafeSquid 4.1.x and higher allow you to specify the name of the file in the /etc/pam.d directory that must be used. This setting can be done only as an option on the command-line when SafeSquid is started. In earlier versions it was fixed as "safesquid". To maintain the relevance of this discussion for users of older versions of SafeSquid, I will refer to /etc/pam.d/safesquid as the pam-configuration file. So when you want your users' username/password combination to be verified by an Authenticating System, you would begin with appropriately configuring the /etc/pam.d/safesquid file. Look at the contents of a typical pam-configuration file:

############ CONFIGURATION EXAMPLE1 /etc/pam.d/safesquid ############

#%PAM-1.0

# This enables authentication of users created in the local system
auth required pam_unix.so shadow

## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so

############ END OF FILE ############

Notice that we could enter comments, to record the purpose of each directive for posterity. The pam_unix module allows verification of the username/password of all user accounts created on a Linux / Unix server. pam_permit.so is a positive dummy, i.e. it simply responds with "success" for anything. Therefore it is quite obvious that the above PAM configuration file was created very simply to validate whether a username/password was appropriate.

This configuration file would be interpreted as follows:

Authenticate (auth) the username/password using the pam_unix PAM module. This authentication is compulsorily required, and its failure is considered a failure of the Authenticate task. The pam_unix PAM module is used with an additional argument, "shadow".

Validate whether the user has a valid account using the pam_permit PAM module. This validation is considered sufficient for the success of the Account task.

Note - Both the tasks, Authenticate and Account, must be successfully accomplished for a username/password. Failure of either is enough for SafeSquid to refuse access. PAM has another interesting benefit to offer - Module Stacking. This allows you to extract some excellent benefits for enhanced security. Suppose you wished to allow access to any of the users whose username/password was stored on a Windows Domain Controller, or a Radius Server, or on the local Linux host. The pam-configuration file would look quite like this:

############ CONFIGURATION EXAMPLE2 /etc/pam.d/safesquid ############

#%PAM-1.0

# This enables authentication of users created in the local system
auth sufficient pam_unix.so shadow
auth sufficient pam_smb_auth.so
auth sufficient pam_radius.so

## This is a pretty standard directive and needs to be changed only in a very few special cases
account sufficient pam_permit.so

############ END OF FILE ############

Notice that in the above example we are using "auth sufficient" instead of the "auth required" that was used in the previous example. This configuration file would be interpreted as follows:

First, authenticate the username/password with the pam_unix PAM module. If this succeeds, consider it sufficient, and do not bother to authenticate the validity of the username/password with the remaining PAM modules listed for auth. If validation with the pam_unix PAM module fails, for any reason including an inappropriate username/password, attempt to validate using the pam_smb_auth PAM module. If this results in success, then simply skip any further validation in the "auth" list, else attempt to validate using the pam_radius PAM module.

This effectively ensures that if the username/password is deemed valid by any one of the authenticating services (the local host, or the Windows Domain Controller, or the RADIUS server), then the "auth" task is successfully accomplished.

Of course, the "account" list needs to be additionally validated successfully. But then, as I mentioned earlier, the pam_permit PAM module is a dummy positive, so effectively unimportant.

You could surely use a more potent PAM module instead of the pam_permit that I have used in the above examples, to strengthen security, so that the tasks listed in the "account" list are more than trivia.
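A small simulation of how Linux-PAM walks the two stacks above, added here as an illustration; it is not part of the manual or of SafeSquid. The module outcomes are supplied as a dictionary standing in for what the real modules would return, and the control-flag rules are the simplified ones for required, requisite and sufficient (the bracketed [value=action] syntax is not modelled).

```python
# The two pam.d files from the text, embedded here as constructed strings.
EXAMPLE1 = """\
#%PAM-1.0
# This enables authentication of users created in the local system
auth     required   pam_unix.so shadow
## This is a pretty standard directive and needs to be changed only in a very few special cases
account  sufficient pam_permit.so
"""

EXAMPLE2 = """\
#%PAM-1.0
auth     sufficient pam_unix.so shadow
auth     sufficient pam_smb_auth.so
auth     sufficient pam_radius.so
account  sufficient pam_permit.so
"""


def parse_pam_config(text):
    """Return the directive lines of a pam.d file as (task, control, module, [args])."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments and blank lines carry no directive
        if not line:
            continue
        task, control, module, *args = line.split()
        stack.append((task.lower(), control.lower(), module, args))
    return stack


def run_task(stack, task, outcomes):
    """Evaluate one management group ("auth" or "account") over the stack.

    outcomes maps a module file name to the True/False result it would return
    for this login attempt; a module not listed is treated as failing.
    """
    required_failed = False
    required_passed = False
    for t, control, module, _args in stack:
        if t != task:
            continue
        ok = outcomes.get(module, False)
        if control == "required":
            # A failure is remembered but the rest of the stack still runs, so the
            # caller cannot tell which module rejected the attempt.
            required_failed |= not ok
            required_passed |= ok
        elif control == "requisite":
            if not ok:
                return False              # a requisite failure ends the stack at once
            required_passed = True
        elif control == "sufficient":
            # Short-circuit to success only when no earlier required module has failed.
            if ok and not required_failed:
                return True
        else:
            raise ValueError(f"control flag {control!r} not modelled here")
    # End of stack: any required failure denies; a stack made only of
    # sufficient modules that all failed also denies.
    return required_passed and not required_failed


def authorise(config_text, outcomes):
    """SafeSquid needs both tasks to succeed: auth (who are you) and account (may you)."""
    stack = parse_pam_config(config_text)
    return run_task(stack, "auth", outcomes) and run_task(stack, "account", outcomes)


if __name__ == "__main__":
    # Local password wrong, but the Windows domain controller accepts it: EXAMPLE2 allows.
    print(authorise(EXAMPLE2, {"pam_unix.so": False, "pam_smb_auth.so": True, "pam_permit.so": True}))
```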

I guess, having read so much of the above, you are more keen to learn how it would help you as an Application Manager for SafeSquid. So let me immediately take the discussion towards that, by analysing a situation and working out the solution with you.

Suppose Joseph, Ali, Radha and Sam belong to the "Marketing" Department in an enterprise. We would like to create a common profile for all of them, and then apply various filters and rules just to that one profile, so that it effectively applies to all these four people. In a previous discussion I had explained how we could create a common profile for a number of people, by creating rules in the Access Restriction section from SafeSquid's WebGUI. In that example we had consistently set PAM to NO. But now let me show you how setting PAM to YES reduces your work.

As in those examples in Access Restriction, we set the Global Policy to Deny, and add a rule in the Allow sub-section as follows:


Option           Value
Enabled          true
Comment          This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM              true
User name        (Joseph|Ali|Radha|Sam)
Added profiles   Marketing

Note that we merely listed the names of these four users in a (rather peculiar looking) PCRE format, and left the text-box meant for Passwords blank. Since it is quite topical, and a novice (to PCRE) reader might be a little upset, I will explain the PCRE (Perl Compatible Regular Expression) formatted list that we have used here.

(Joseph|Ali|Radha|Sam) simply translates to: match if it is Joseph or Ali or Radha or Sam. You could simply add to this list as many usernames as you wish, separated by pipes - '|'.

You could even create more such rules for people belonging to other job functions like Finance, or HR, etc. You could even create more than one rule to profile people belonging to the same department. You would want to do that when there are too many people in a department, and accommodating all of them within the same list would look rather unreadable or inelegant. You could even translate functional hierarchies into web-access profiles that are partially common, while providing additional privileges or constraints. Yes, you would use the property of applying multiple profiles to people. Let me help you here with an example set of rules, created within the same configuration:

Option           Value
Enabled          true
Comment          This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing"
PAM              true
User name        (Joseph|Ali|Radha|Sam)
Added profiles   Marketing

Option           Value
Enabled          true
Comment          This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Marketing"
PAM              true
User name        (John|Shyam|Bill|Sagar)
Added profiles   Marketing,Night_staff,Instant_Messengers_Disallowed

Did you notice that the rules created above covered eight people from the Marketing Department? They applied the profile "Marketing" to all these eight people, and also applied the additional profiles "Night_staff" and "Instant_Messengers_Disallowed" to John, Shyam, Bill and Sagar.
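The two rule sets from the Access Restriction examples (the three "Accounts" rules with PAM set to NO, and the two "Marketing" rules with PAM set to YES), evaluated by a small model of the section's logic: top-down, first match wins, a blank box is irrelevant. This is an added illustration written for this page, not SafeSquid's own code; the whole-string (fullmatch) treatment of the User name PCRE, the pam_verify callback and the simulated PAM user table with its passwords are my assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


def parse_ip_spec(spec):
    """Parse the I.P. Address box: comma-separated addresses and lo-hi ranges,
    e.g. "192.168.0.1,192.168.0.3, 192.168.0.110-192.168.0.160"."""
    ranges = []
    for item in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = item.partition("-")
        lo_ip = ipaddress.ip_address(lo.strip())
        hi_ip = ipaddress.ip_address(hi.strip()) if hi else lo_ip
        ranges.append((lo_ip, hi_ip))
    return ranges


def ip_in_spec(spec, client_ip):
    if not spec.strip():              # blank box: the source address is irrelevant
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(lo <= ip <= hi for lo, hi in parse_ip_spec(spec))


@dataclass
class Rule:                           # one entry of the Allow (or Deny) sub-section
    comment: str
    ip: str = ""                      # blank = irrelevant
    user: str = ""                    # literal name, or a PCRE such as (Joseph|Ali|Radha|Sam)
    password: str = ""                # blank = not checked by SafeSquid itself
    pam: bool = False                 # YES = hand the credentials to the PAM stack instead
    added_profiles: str = ""          # comma-separated tags


def rule_matches(rule, client_ip, user, password, pam_verify):
    if not ip_in_spec(rule.ip, client_ip):
        return False
    # Assumption: the User name box is matched as a whole (fullmatch), so "Billy" is not "Bill".
    if rule.user and (user is None or not re.fullmatch(rule.user, user)):
        return False
    if rule.pam:
        return pam_verify(user, password)
    return not rule.password or password == rule.password


def evaluate(global_policy, rules, client_ip, user=None, password=None,
             pam_verify=lambda u, p: False):
    """Return (allowed, profiles). With global policy Deny, 'rules' is the Allow sub-section
    and the first match grants access plus its Added profiles; with Allow it is the Deny list."""
    for rule in rules:
        if rule_matches(rule, client_ip, user, password, pam_verify):
            allowed = global_policy == "Deny"
            tags = [t.strip() for t in rule.added_profiles.split(",") if t.strip()]
            return allowed, tags if allowed else []
    return global_policy == "Allow", []


# The manual's rules transcribed; both examples run with the global policy set to Deny.
ACCOUNTS = [
    Rule("Access Profile of Ramesh", "192.168.0.1", "Ramesh", "apple", added_profiles="Accounts"),
    Rule("Access Profile of Joseph", "192.168.0.2", "Joseph", "mango", added_profiles="Accounts"),
    Rule("Access Profile of John", "192.168.0.3", "John", "banana", added_profiles="Accounts"),
]
MARKETING = [
    Rule("Marketing", user="(Joseph|Ali|Radha|Sam)", pam=True, added_profiles="Marketing"),
    Rule("Marketing night staff", user="(John|Shyam|Bill|Sagar)", pam=True,
         added_profiles="Marketing,Night_staff,Instant_Messengers_Disallowed"),
]

# Constructed stand-in for the PAM stack: a tiny username -> password table, not a real PAM call.
SIMULATED_PAM_USERS = {"Radha": "lotus", "Bill": "coffee"}


def demo_pam(user, password):
    return user in SIMULATED_PAM_USERS and SIMULATED_PAM_USERS[user] == password
```

Calling evaluate("Deny", MARKETING, "10.0.0.5", "Bill", "coffee", demo_pam) returns the three profiles of the night-staff rule, while the same call with user "Billy" is denied because the PCRE must match the whole name.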

So far, so good. Using your preferred authentication service shouldn't be much of a task for you, right? NO!! The real challenge with PAM actually begins here!

As I mentioned above, there are various PAM modules available to use a variety of Authenticating Services. But each of these modules may require simple to very intricate additional configuration. This configuration could be as simple as providing an argument like "shadow" for pam_unix in the above example. But it could also be fairly more complex, involving other configuration files specifically relevant to the PAM module, or maybe even some other additional services installed on the system.
