You are on page 1of 150

Total Access Control

Total Content Control

Granular Scalable Manageable

2008 Office Efficiencies (India) Pvt. Ltd.

Table of Contents
Part I User Manual
1 Who should use this guide ...................................................................................................................................

1
1

Part II Implementation Part III System Requirements Part IV Installing SafeSquid Part V Test Your Installation Part VI SafeSquid Logs Part VII SafeSquid Interface
1 Active Connections ................................................................................................................................... 2 Statistics................................................................................................................................... 3 DNS Cache ................................................................................................................................... 4 Show Headers ................................................................................................................................... 5 View Cache Entries ................................................................................................................................... 6 Connection Pool ................................................................................................................................... 7 Prefetch Queue ................................................................................................................................... 8 URL Blacklist ................................................................................................................................... 9 View Log................................................................................................................................... Entries 10 Save Settings ................................................................................................................................... 11 Load Settings ................................................................................................................................... 12 Config Section ...................................................................................................................................
Basic Behaviour URL Blacklist Access Control Profiles cProfiles FTP proxy Templates DNS Blacklists URL Filtering URL redirect Mime Filtering

2 4 8 10 12 16
18 20 24 26 28 31 32 34 35 36 37 39

.......................................................................................................................................................... 40 .......................................................................................................................................................... 45 .......................................................................................................................................................... 48 .......................................................................................................................................................... 54 .......................................................................................................................................................... 59 .......................................................................................................................................................... 67 .......................................................................................................................................................... 69 .......................................................................................................................................................... 75 .......................................................................................................................................................... 77 .......................................................................................................................................................... 81 .......................................................................................................................................................... 84

Define user limits .......................................................................................................................................................... 64

2008 Office Efficiencies (India) Pvt. Ltd.

Contents
Header Filtering Cookie Control Word Filtering

II

.......................................................................................................................................................... 87 .......................................................................................................................................................... 90 .......................................................................................................................................................... 94

Content Re-Write .......................................................................................................................................................... 96 Content Caching .......................................................................................................................................................... 100 Request Forwarding .......................................................................................................................................................... 105 Internet Content Adaptation Protocol (ICAP) .......................................................................................................................................................... 109 External Parser .......................................................................................................................................................... 114 Prefetching Embedded Objects .......................................................................................................................................................... 117 Pornographic Image Filter .......................................................................................................................................................... 120

Part VIII URL commands Part IX Multiple Proxy Configuration Part X Reverse Proxying Part XI Chain Squid with SafeSquid Part XII Multi-ISP networks Part XIII Using Profiles for granular Access Policies Part XIV Using Authentication for Security and Creating User Profiles Part XV Configuring PAM Index

122 125 128 130 132 133 139 142 0

2008 Office Efficiencies (India) Pvt. Ltd.

II

User Manual
SafeSquid Administrator's Guide Version: 2.0 Produced on: Tuesday, October 14, 2008 :: 5:08:32 PM SafeSquid: Content Filtering Internet Proxy, helps you to distribute Internet Access across your enterprise network. It's vast array of features, when used wisely by a system administrator, can deliver Total Content Control and Total Access control. SafeSquid's features have been built, to serve maximum benefits when the key demands are scalability, security, and granularity. SafeSquid is offered in various Commercial editions, besides the Free Edition. This manual is not limited to users of any specific edition of SafeSquid. This manual should help you to use the feature on your installed edition, provided your edition supports the said feature.

1.1

Who should use this guide


This Guide is intended, for the users who have already installed, or would like to install, SafeSquid . It will help the users - to set-up the Proxy Server with the desired Edition, and to configure the features of SafeSquid to make its optimum use. This guide takes you onto the journey of knowledge, of setting up a secure Internet Proxy. This guide intends to reduce your efforts, and helps to optimize the use of Internet Facility. This guide illustrates all the features of SafeSquid and their behavioral basics. This guide should improve your understanding of - the underlying problems, your requirements, and to construct your corporate policies in order to avail the optimum out of the available resources. To mention a few of these: Multi Proxy Setup, Profile Management, User Access Restrictions, URL Blacklists, URL Filter, DNS blacklists, Document Rewrite, Header Filtering, Caching, Cookie Filtering, Virus Scanning, Image Filtering, Mime Filtering, Log analyzers, Keyword Filtering etc. This guide will acquaint you with the Browser based User Interface. You will use it to configure and administer the features of SafeSquid. Hopefully, this guide is simple & understandable, and serves the purpose of those, wishing to gain knowledge for the optimum use of SafeSquid. It intends to be useful, to nave as well as experienced technicians. The readers of this guide are requested to report any errors and suggestions for improvement. The readers can post their views, on the SafeSquid forum available on the SafeSquid website http://www.safesquid.com/

2008 Office Efficiencies (India) Pvt. Ltd.

User Manual

Implementation
The key to successful implementation of any software lies in pre-defining its use, and anticipating the results. With Software like SafeSquid that has so many possibilities, it is just too easy to get lost in the myriad of options. Ideally the implementation should begin on a piece of paper where we should decide our expectations and (if possible) how we intend to verify the effectiveness of the configuration settings in meeting our REAL objectives. As they say well-planned is half accomplished! Sample Plan How many proxies will be implemented in the enterprise? Number The Corporate Internet Use Policy needs to be defined / modified only on the Master, all the slave installations will automatically synchronize their configuration from the Master. Which will be the Master Proxy? The I.P. & hostname of the Master Proxy to be used for Browser-based administrative access administrative access. Is the proxy server multi homed? Should the Proxy listen for requests on multiple IPs & Ports? Web-Sites require an application layer security, therefore reverse proxying is used to ensure the Application Layer Security. Should SafeSquid act as a Reverse Proxy for our web-server? What are the web-sites it should reverse-proxy? Shall we change the DNS records of the web-sites? Shall we just change the IP / Port configuration of the web Port configuration of the web-server? The enterprise uses a variety of Internet Connection Service Providers, and each connection is judiciously used for a specific set of users or application. Shall we use the same Internet Connection for all kinds of Internet Access? Or shall we configure SafeSquid to use different Internet Connections based on user, or nature of access? Will SafeSquid forward the requests to another proxy, web-cache or firewall? Does the request forwarding require any Authentication? Virus Defence begins at the Internet Gateway. What Virus Scanner should we use? What Anti-Virus Software will be used to scan all the Internet Traffic? F-ProtAV / KasperskyAV / McAfee AV offer SafeSquid compatible Daemons that can be connected ONLY via Unix Sockets. So if we use any of these AV, they must Necessarily co-habit the Proxy Server.

2008 Office Efficiencies (India) Pvt. Ltd.

Sophos AV / ClamAV / Avast AV offer SafeSquid compatible Daemons that can be connected via Unix Sockets OR TCP/IP Sockets. So if we use any of these AV, we have the option of installing them on a separate box on a LAN Server OR co-habit them with the Proxy Server. To negate the latency effects in case of heavy traffic, it may be useful to set the LAN connection on a 100 Mbps or higher speed. Symantec ICAP / Trend Micro ICAP / Dr. Web ICAP offer ICAP based Scan Engines, that are fully compatible to SafeSquid's ICAP client. These Engines however require, good System Resources and are designed to deliver optimum performance if located on a remote server. So if we use any of these AV, we must PREFERABLY install them on the a separate server. Since SafeSquid can be configured to use one or more of the Anti Virus Software simultaneously, we may explore the option of scanning the entire Internet traffic via more than one Anti Virus Software. Alternatively should we do this multi-AV scanning only for a few chosen Applications, or people? Or shall we just do the "battle-ready implementation" that allows us to switch to any of the above Anti-Virus software, in times of emergency. Policy settings to prevent Financial & Productivity Losses due to indiscriminate use of Internet Shall we allow people to visit only a "white-list" of trusted web-sites & URLs? Shall we allow people to visit any web-site that is not explicitly "black-listed"? How are we going to review / modify our "white-lists" / "black-lists" What are our high priority business-application web-sites? What are the security relaxations that we may permit when our users acess these web-sites? o Pop-ups, KeyWords, Banners, Activex Controls, Cookies, Header Content. What will be our bandwidth conservation policy to access these sites? o MiMe / File types that will be permitted to be uploaded / downloaded. o Speed / Volume of Uploads, Downloads. o Browsers or other web-clients that will be allowed to access the Internet. What will be our bandwidth conservation policy to access non-business-application web sites? Do we have to make any granular policy modification to accommodate Profiles of some VIP users / Applications / Time of Access? o Should we enable pre-fetching fetching of certain or all objects for one or more profiles? What kinds of Log Reports need to be generated? o How frequently should the log reports be generated? o How should the log reports be viewed and accessed? How are we going to bench-mark the performance of the hardware / software and the Internet Connection? o What will be the maximum bandwith we will utilise to accomplish each test.

2008 Office Efficiencies (India) Pvt. Ltd.

Implementation

System Requirements
SafeSquid - System Requirements! Windows: SafeSquid for Windows depends upon library based functions provided by Native Windows ports of the technologies that SafeSquid for Linux uses. These are fulfilled by a few dll files, detailed below, that are included in the installation package. Linux: SafeSquid (version 4.1.1 and higher) for Linux requires an Intel Architecture Hardware with Linux Kernel 2.6 or higher, based operating system, properly installed with preferably latest updates and patches. The Minimum required hardware to get SafeSquid up and running, would be an i386 based computer with Pentium III CPU and at least 128 MB of RAM and about 40G Hard Disk. But that would really serve only academic interests! For reliable production class environments, it would be advisable to use a server class hardware. SafeSquid now has NPTL compatible design, to generate thousands of threads, to meet as many concurrent requests. In event of un-forecasted bursts of concurrent requests, SafeSquid would have to open enough number of threads, and that may require a fast CPU. To successfully accomplish the various content filtering, caching and communication related activities, it must have enough Memory. It is ideally recommended to provide about 7 to 10 Mb of RAM per user for small networks. But for environments having more than 100 users, even 5 to 7 Mb per user should be sufficient, if we can compensate by using a faster CPU. A PIII / PIV based computer with 512Mb RAM this should be adequate for a typical 20 User network, increasing the RAM to about 1G should make it serve upto 100 users. But if you are planning to use URL Blacklists, Antivirus Software, Log Analyzers also, very naturally you must compensate with adequate RAM. SafeSquid by itself has a very small memory foot-print, but you will always want to use one or more of add-ons, compatible software, etc. So it will be much better, to use systems with 1G RAM or more. Recommendations for Standard Installations SafeSquid has a very low Total Cost of Owner-ship, and a very good ROI. In the long term most users prefer to extract more out of the fixed costs, by increasing the derived results. It is therefore recommended to use Hardware that can be scaled for RAM / CPU / NICs. Choose H/W that can scale for RAM / CPU, so that you may accommodate more users, over a period of time. Use Hard Disks with good seek/read/write speed, to reduce latency in case you plan to use large content disk-caches. If you expect a large traffic to be handled, it would be a good idea to use a GigaBit NIC. To increase security, or to cater to multiple networks it would be advisable to use 2 NICs or more. System Configurations that have easily accessible Hardware drivers for Linux are absolutely preferable, and would be useful, if you plan to increase redundancy by using Clusters.

2008 Office Efficiencies (India) Pvt. Ltd.

Use Linux Distributions that have a good support for Web Servers, Perl, PHP, Caching Name Servers, etc. because a variety of Log Analyzers are now available both as closed and open source, that you will surely want to use. SafeSquid servers shouldn't be requiring x-windows, so basic hardening should be enough. Sooner than later you would want to install Antivirus to scan content being transported via SafeSquid, ClamAV is free, so at least install it, unless you are sure you prefer to be secured by a commercial vendor. In such case, choose a vendor that offers ICAP based solution. If you have a Microsoft Network, then sooner or later you will want authentication to work from ADS, and in any case if you are a large network you'll alternatively want user authentication done from LDAP or RADIUS, or something else, that's available, so definitely install PAM libraries. And maybe also Winbind, that joins your SafeSquid server to Windows Network. RPMS are available for most of the software mentioned above, but quite a few are served as raw source codes, and must be compiled on your server. So it's always a good idea to install GCC & G++ on your SafeSquid Server.

2008 Office Efficiencies (India) Pvt. Ltd.

System Requirements

Software Dependencies (Windows)


System Libraries Package Description libeay32.dll libssl32.dll nsldap32v50.dll pthreadVC2.dll zlib.dll libeay32.dll contains encryption functions which allow for coded communications over networks. This file is open source and is used in many open source programs to help with SSL communication. libssl32.dll is a OpenSSL Shared Library belonging to The OpenSSL Toolkit from The OpenSSL Project, http://www.openssl.org/ nsldap32v50.dll provides the LDAP connectivity to ADS / LDAP servers. It is used by many programs for LDAP authentication. pthreadVC2.dll is Posix Threads Implementation for Windows environment. Many software that have a multi-threaded architecture, and originally created for Linux, use this. zlib.dll provides the compression / decompression functions for safesquid. zlib was written by Jeanloup Gailly (compression) and Mark Adler (decompression).

Software Dependencies (Linux)

System Libraries Provider Package Package Description libbz2.so.1 bzip2-libs bzlib libcom_err.so.2 e2fsprogs Libraries for applications using bzip2 Description : Libraries for applications using the bzip2 compression format. Utilities for managing the second extended (ext2) filesystem. Description : The e2fsprogs package contains a number of utilities for creating, checking, modifying, and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem, or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters), and most of the other core ext2fs filesystem utilities. libdl.so.2 libc.so.6 libm.so.6 libpthread.so.0 libresolv.so.1 glibc The GNU libc libraries. Description : The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. The shared libraries used by Kerberos 5. Description : Kerberos is a network authentication system. The krb5-libs package contains the shared libraries needed by Kerberos 5. If you are using Kerberos, you need to install this package. GNU C library Description : The libgcc1 package contains GCC shared libraries for gcc 3.4

libgssapi_krb5.so.2 krb5-libs libk5crypto.so.3 libkrb5.so.3

libgcc_s.so.1

libgcc

2008 Office Efficiencies (India) Pvt. Ltd.

libgmp.so.3

libgmp3

A GNU arbitrary precision library. Description : The gmp package contains GNU MP, a library for arbitrary precision arithmetic, signed integers operations, rational numbers and floating point numbers. GNU MP is designed for speed, for both small and very large operands. GNU MP is fast because it uses fullwords as the basic arithmetic type, it uses fast algorithms, it carefully optimizes assembly code for many CPUs\' most common inner loops, and it generally emphasizes speed over simplicity/elegance in its operations.

libstdc++.so.6

libstdc++

GNU Standard C++ Library Description : The libstdc++ package contains a rewritten standard compliant GCC Standard C++ Library

libcrypto.so.4 libssl.so.4

openssl097a

The OpenSSL toolkit Description : The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.

libpam.so.0

pam

A security tool which provides authentication for applications Description : PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set authentication policy without having to recompile programs that handle authentication.

libz.so.1

zlib1

The zlib compression and decompression library Description : Zlib is a general-purpose, patent-free, lossless data compression library which is used by many different programs.

2008 Office Efficiencies (India) Pvt. Ltd.

System Requirements

Installing SafeSquid
Installation Procedure: Copy the downloaded safesquid.tar.gz into /usr/local/src/ cp safesquid-4.2.0-com20-free.tar.gz /usr/local/src/safesquid.tar.gz Decompress the tar file using command tar -xvzf safesquid-4.2.0-com20-free.tar.gz Creates a directory safesquid in your current working directory Change directory to SafeSquid cd safesquid/ The safesquid directory contains the installation script install. Run the script ./install The install script asks you to select one of the following 3 options Press "F" if we are doing a Fresh install Press "U" if we want to Update an existing installation Press "A" if we want to Adjust an existing conf file Press "F" for fresh installation The install script checks for dependencies and displays the status The output should be similar to "Checking Dependencies /lib/libsafe.so.2 (0xf6ffa000) libpam.so.0 => /lib/libpam.so.0 (0xf6fea000) libdl.so.2 => /lib/libdl.so.2 (0xf6fe5000) libpthread.so.0 => /lib/tls/i686/libpthread.so.0 (0xf6fd4000) libssl.so.4 => /lib/libssl.so.4 (0xf6fa0000) libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00bbb000) libm.so.6 => /lib/tls/i686/libm.so.6 (0xf6f7d000) libc.so.6 => /lib/tls/i686/libc.so.6 (0xf6e69000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00974000) /lib/ld-linux.so.2 (0x00b97000) libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x009e7000) libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b1e000) libcom_err.so.2 => /lib/libcom_err.so.2 (0x009e2000) libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00afb000) libresolv.so.2 => /lib/libresolv.so.2 (0xf6e55000) libcrypto.so.4 => /lib/libcrypto.so.4 (0x00a11000) libz.so.1 => /usr/lib/libz.so.1 (0x00962000) looks okay Press any key to continue" If a missing dependency is reported, you will have to install it before you can continue.

2008 Office Efficiencies (India) Pvt. Ltd.

9
If everything is fine, then press any key to continue The SafeSquid End-User License Agreement is displayed. The options are as follows Press "B" / "F" to move Back / Forward Press "S" when you have finished reading Read the License Agreement, or press "S" to skip and continue. The following options are displayed Press Y if you find the End-User License Acceptable Press A To Read the End-User License Again Press N if you find the End-User License NOT Acceptable and immediately abort the Installation Process Press "Y" to continue Here onwards, the install script will ask for about 28 configuration option. All option pages are self explanatory, and should not require you to make any changes. To make changes in the default option, press "C" When you have made the necessary changes, press "S" to continue with the installation. You can also press "S" on the first option screen, to install with the default option. (The settings can later be changed by editing the startup.conf file, which you will find in /opt/ safesquid/safesquid/init.d directory. The changes will take effect the next time Safesquid is restarted.) The installation starts when you press "S" The installation will pause a few times to display the status, and for confirmation. When the installation is complete, the following message is displayed Press "S" if you would like to start your safesquid now Press any other key to simply exit Press "S" to start SafeSquid You should get the following message 1. safesquid started with PID: 9659 ... ssquid is NOT LISTENING on :8080 ... 2. safesquid started with PID: 9659 ... ssquid is LISTENING on 192.168.0.30:8080 ... Process IS RUNNING So, your SafeSquid is installed and running. Now, to access the SafeSquid Interface, point the proxy setting in the browser to the SafeSquid Server's IP:PORT, e.g. 192.168.0.30:8080, and access the URL http://safesquid.cfg

2008 Office Efficiencies (India) Pvt. Ltd.

Installing SafeSquid

10

Test Your Installation


Testing on server side Command to check SafeSquid is running on server
Command: ps waux | grep safesquid

output should be quite-like: ssquid 11533 81.2 33.1 1750524 1372096 ? Sl Oct13 973:01 /opt/safesquid/safesquid/safesquid root 29005 0.0 0.0 2852 704 pts/0 R+ 10:51 0:00 grep safesquid

Command to be sure that SafeSquid is listening on port 8080


Command: netstat -anp | grep :8080

The output should be quite-like: tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11533/safesquid tcp 0 0 10.0.0.5:8080 192.168.10.152:3238 SYN_RECV tcp 0 0 10.0.0.5:8080 192.168.10.29:1167 SYN_RECV tcp 0 0 10.0.0.5:8080 192.168.10.127:1677 SYN_RECV tcp 0 0 10.0.0.5:8080 192.168.50.15:1864 SYN_RECV tcp 0 0 10.0.0.5:8080 192.168.10.122:2496 TIME_WAIT tcp 0 253 10.0.0.5:8080 192.168.10.18:1192 FIN_WAIT1 tcp 0 0 10.0.0.5:8080 192.168.10.132:1342 ESTABLISHED11533/safesquid tcp 1 0 10.0.0.5:8080 192.168.50.4:4999 CLOSE_WAIT 11533/safesquid

Command to check how SafeSquid is handling requests


Command: tail -f /opt/safesquid/safesquid/logs/native/safesquid.log

The output should be quite-like: 2008 10 14 10:54:17 [691984] request: GET http://www.ingentaconnect.com:80/css/size14.css 2008 10 14 10:54:17 [692021] network: allowed connect from 192.168.10.10 on port 8080 2008 10 14 10:54:17 [692021] security: PAM authentication succeeded for mlpbs 2008 10 14 10:54:17 [692021] network: binding outgoing connection to 10.0.0.11 2008 10 14 10:54:17 [690705] request: GET http://www.allbusiness.com:80/asset/image/icon/2984516.gif 2008 10 14 10:54:17 [691736] request: GET http://www.contentlinks.asiancerc.com:80/scwm/images/

2008 Office Efficiencies (India) Pvt. Ltd.

11

arrow_down.gif 2008 10 14 10:54:17 [692013] network: 192.168.10.122 disconnected after making 2 requests 2008 10 14 10:54:17 [691763] network: binding outgoing connection to 10.0.0.21 2008 10 14 10:54:17 [692022] network: allowed connect from 192.168.10.29 on port 8080 2008 10 14 10:54:17 [692021] request: CONNECT login.yahoo.com:443 2008 10 14 10:54:17 [692005] request: GET http://www3.interscience.wiley.com:80/journal/104086741/abstract? CRETRY=1 2008 10 14 10:54:17 [692005] network: 192.168.50.12 disconnected after making 1 requests 2008 10 14 10:54:17 [692023] network: allowed connect from 192.168.50.12 on port 8080

Command to check how SafeSquid is running on port 8080


Command: lsof -i :8080

The output should be quite-like: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME safesquid 18934 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN) safesquid 18934 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED) safesquid 18934 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT) safesquid 18936 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN) safesquid 18936 ssquid 8u IPv4 1515549 TCP linux:webcache->unreliable:2075 (ESTABLISHED) safesquid 18936 ssquid 9u IPv4 1515550 TCP linux:2535->nt5.oe2000.com:webcache (CLOSE_WAIT) safesquid 18937 ssquid 5u IPv4 1443628 TCP *:webcache (LISTEN)

2008 Office Efficiencies (India) Pvt. Ltd.

Test Your Installation

12

SafeSquid Logs
SafeSquid Logs SafeSquid produces logs in three distinct formats. We traditionally name them as access.log (Access Log Format), extended.log (NCSA / Extended log format) and safesquid.log (Native Log Format). The path to the log files, and soft link that is created during installation, are as follows:
Log File access.log safesquid.log extended.log Path /var/log/safesquid/safesquid/access/ /var/log/safesquid/safesquid/native/ /var/log/safesquid/safesquid/extended/ Soft Link /opt/safesquid/safesquid/logs/access/ /opt/safesquid/safesquid/logs/native/ /opt/safesquid/safesquid/logs/extended/

Access Log The access.log has been traditional favorite, because it can be used by a variety of log analyzers like Calamaris, SARG, Squint, SquidTailD, etc. The reports produced by these log analyzers reveal useful details of the overall usage and the pattern of access of the application. Access Log fields: start_time_in_seconds.milliseconds elapsed_time client cachecode/status size method url username peercode/peer mime Example: 1189403858.675 654 192.168.0.21 TCP_MISS/200 246 GET http://ds.ds3ps.co.uk:80/ refer/surebrowse/operator/chat-server.xml?time=1189404101675 sudipta DIRECT/ds. ds3ps.co.uk text/xml The details of the fields in access.log are as follows:
Field Time Elapsed Time Client Cachecode/ Status Bytes Explanation UNIX time stamp as Coordinated Universal Time (UTC) seconds with a millisecond resolution. Length of time in milliseconds that the cache was busy with the transaction. The information is logged after the reply has been sent, not during the lifetime of the transaction. IP address of the requesting host. Two entries separated by a slash. Code specifies the result of the transaction: the kind of request, how it was satisfied, or in what way it failed. The second entry contains the HTTP result codes. Amount of data delivered to the client. This does not constitute the net object size,

2008 Office Efficiencies (India) Pvt. Ltd.

13

because headers are also counted. Also, failed requests may deliver an error page, the size of which is also logged here. Method URL Username Request method to obtain an object, e.g. GET, POST, CONNECT. URL requested. Authenticated username Two entries separated by a slash. The first entry represents a code that explains how the request was handled, for example, by forwarding it to a peer, or returning the request to the source. The second entry contains the name of the host from which the object was requested. This host may be the origin site, a parent, or any other peer. Also note that the host name may be numerical. Mime type of the object.

Peerstatus/ Peerhost

Mime

Extended Log The extended.log (NCSA / Extended log format) records maximum details of each request handled by the proxy application. Log Analyzers like Sawmill can generate analysis reports using the extended log, and give lots more information, than the ones using access.log.

FORMAT : "UNIQUE_RECORDID" ELAPSED_TIME_IN_MSEC CLIENT_IP "USER_NAME" "CLIENT_CONNECTION_ID" [DATE_TIME_OF_REQUEST] "METHOD URL" "HTTP_STATUS_CODE" BYTES_TRANSFERRED "REFERRER_URL" "USER_AGENT" MIME_TYPE "FILTER_NAME FILTERING_REASON" "COMMA_SEPARATED_LIST_OF_PROFILES_APPLIED" "INTERFACE_IP:INTERFACE_PORT" Example: "1191586598.504-7-192.168.0.221-8080" 929 192.168.0.150 "anonymous" "7" [05/ Oct/2007:17:46:39] "GET http://updates.f-prot.com:80/cgi-bin/check-updates? run_as=check_updates&protocol=1" 200 750 "-" "FPAV_Update_Monitor/3.16f (Windows; WINNT; 2000 Professional; SP4)" text/plain "- -" "-" "192.168.0.221:8080" The details of the fields in extended.log are as follows:
Field Unique Record ID Elapsed time in milliseconds Client IP User name Client connection ID Date & time of request Explanation A unique record identifier, to prevent duplication of records when imported into SQL databases.Here in e.g. 1215419711.460 Elapsed time of the request, in milliseconds. The IP address of the requesting client. The username, (or user ID) used by the client for authentication. If no value is present, "anonymous" is substituted. The internal SafeSquid ID associated with this connection. The date and time stamp of the HTTP request.The fields in the date/time

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Logs

14

field are [dd/MMM/yyyy:hh:mm:ss +-hhmm], where the fields are defined as follows: dd is the day of the month, MMM is the month, yyyy is the year, hh is the hour, mm is the minute, ss is the seconds. Method URL The HTTP request. The request field contains three pieces of information. The main piece is the requested resource. The request field also contains the HTTP method. The status code is the numeric code indicating the success or failure of the HTTP request. This field is a numeric field containing the number of bytes of data transferred as part of the HTTP request, not including the HTTP header. E.g. 750. The referrer is the URL of the HTTP resource that referred the user to the resource requested. "-" is substituted when there are no referrers. An HTTP client that makes HTTP requests. It is customary for an HTTP client, such as a Web browser, to identify itself by name when making an HTTP request. It is not required, but most HTTP clients do identify themselves by name. MIME-type of the requested object. E.g. text/plain. If the request get blocked, then this field contains the name of the filter, or the reason for which the request was blocked. "- -" is substituted when there are no blocks. Comma separated list of profiles that were applied to the request. "-" is substituted when no profiles are applied. IP:PORT that received the request. This can be important when SafeSquid is listening on multiple IPs or Ports.

HTTP Status Code

Bytes Transferred

Referrer URL

User agent

Mime type Filter name & Filtering reason Comma separated list of profiles applied Interface IP:Interface port

Native Log This is SafeSquid's native log format. It records various functional aspects like REQUESTS, SECURITY, REDIRECT etc. that are effected by the various features and their configuration. You can control the verbosity of the Native log by specifying LOGLEVEL, as shown in the table below. The LOGLEVEL parameter affects only the SafeSquid's Native log.
Value 1 2 4 8 16 32 Process logged Requests Network URL filtering Header filtering Mime filtering Cookie filtering Value 16384 32768 65536 131072 262144 524288 Process logged Forwarding Config synchronization Antivirus External parsers ICAP DNS blacklist

2008 Office Efficiencies (India) Pvt. Ltd.

15

64 128 256 512 1024 2048 4096 8192

Redirections Templates Keyword filtering Rewriting Limits Caching Prefetching ICP

1048576 2097152 4194304 8388608 16777216 33554432 67108864 134217728

URL blacklist URL commands Modules Security Warnings Errors Profiles Debug

So, if you wish to record only the requests set LOGLEVEL to 1, if you wish to record only caching related activities set LOGLEVEL to 2048. If you wish to record all the three activities of rewriting, limits and forwarding, you would simply set LOGLEVEL to 512 + 1024 + 16384 i.e. 17920. Similarly, if you wished to view absolutely everything (and run the risk of generating a very huge log file in a very short time!), you could set LOGLEVEL to a total of all the values in the table, i.e. 134217727 which is also the default LOGLEVEL if you simply comment the LOGLEVEL specification!. If you wished to produce just debug logs you should set the LOGLEVEL to 134217728. If you wished to record all activities and debug information, you should set the LOGLEVEL to 268435455. NOTE: Adjusting this value requires a restart of SafeSquid service.

Log rotation There obviously needs to be a control on log file size. SafeSquid executable cannot start if the size of any of the log files exceeds 2147483648 bytes (2GB).The parameter sets the maximum size in bytes for a log file, exceeding which, the logrotate (/etc/init.d/safesquid logrotate) will automatically truncate and compress all the three types of log files. The same command can be also run manually to rotate your logs in case any situation demands.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Logs

16

SafeSquid Interface
SafeSquid has a Browser based User Interface, that allows users to configure various features in accordance with their respective Corporate Internet Usage Policies. To configure or change configuration, you must have access to the SafeSquid Management Interface. To access the Interface, you must configure your web-browser to use the SafeSquid proxy server. For example - if you have set-up SafeSquid to listen on IP 192.168.0.130 on port 8080, then you should configure your web-browser to use proxy at 192.168.0.130 on port 8080 Now you should be able to access the User management Interface with the URLhttp://safesquid.cfg Note: To set IP and Port, you should open (Internet Explorer) Web Browser, go to Tools Menu --> Internet Options --> Connections --> LAN Settings --> select Use Proxy server option in the dialogue box then Specify your proxy servers I.P. in Address option and Port (Default 8080). You should now be able to access the URL http://safesquid.cfg to configure various Features as well as monitor them from the same window. Mozilla users should open Web Browser, go to Tools Menu--> Options--> Connection settings--> Select Manual Proxy Configuration--> Specify your Proxy servers I.P. in HTTP Proxy option and Port (Default 8080). You should now be able to access the URL http://safesquid.cfg to configure various Features as well as monitor them from the same window. Most features of SafeSquid can be set, using this SafeSquid Management Interface. The Top Menu gives you the links, and access to various features & functions as shown on the image below. This image displays the main page of Browser based SafeSquid Management Interface available with SafeSquid.

2008 Office Efficiencies (India) Pvt. Ltd.

17

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

18

7.1

Active Connections
'Active connections' displays all the active connections being handled by SafeSquid proxy server at a particular instance. The image below shows the page that is displayed when user clicks on Active Connections link.

The 'Active connections' has two sub-sections - Transferring and Client Pool. Transferring subsection illustrates the requests being fulfilled, at a particular instance, and the Client Pool subsection shows all the requests, that are waiting in queue, at the very same instance i.e. these are the requests which are waiting to acquire the physical connection.

'Transferring' & 'Client Pool' sub-section Transferring subsection illustrates the requests being fulfilled, at a particular instance

2008 Office Efficiencies (India) Pvt. Ltd.

19

Client ID Client ID is an auto generated identification number,which is generated for every request made by client. IP IP is the IP address of the machine in the network, that made the request, to fetch the desired web page. Requests Requests illustrate the total number of requests made by clients, which can be helpful to identify the load per requested URL/Domain. Method Method field exhibit HTTP Methods like GET, POST and CONNECT etc. Details GET: It is basically for just getting (retrieving) data. POST: Post involves things like storing or updating data, or ordering a product, or sending E-mail. CONNECT: CONNECT method is often used with a proxy that can change to being an Secure Sockets Layer tunnel. CONNECT is used for https requests. URL URL field displays the current URLs, that are requested, as well as served. Idle Idle is the field that exhibits the time, for which a request has been lying idle in the queue, waiting to get served.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

20

7.2

Statistics
This displays Statistics on the base of the real time data, with reference to various parameters, like System, Requests, Network, DNS cache, Cache, Cache refresh, Connection- pool, Hosts, Mimes, User and IP addresses.

Statistics System System subsection display information, with respect to usage of system resources. User time: Displays the total amount of CPU time, in seconds, that SafeSquid has used. User time is CPU time spent executing the user program, rather than in kernel

2008 Office Efficiencies (India) Pvt. Ltd.

21

system calls.User time is displayed in HH:MM:SS:ms. System Time: Total CPU time, in seconds, that is used in making the kernel / system calls to service SafeSquid. Unit are in HH:MM:SS:ms format. Note: The resource usage statistics depend on a 1:1 thread model. Due to the limitations of the API's used to gather this information, using other thread libraries, may result in inaccurate statistics. Memory resident: The amount of the memory used by memory resident processes of SafeSquid. These are TSRs i.e. Terminate and stay resident processes. For example, URL Blacklist loads URL Blacklists in the memory and remains in the memory till we shut down SafeSquid. Details: Memory resident means Permanently in memory. Normally, a computer does not have enough memory, to hold all the programs you use, when you want to run a program. Therefore, the operating system is obliged to free some memory by copying data or programs from main memory to a disk. This process is known as swapping. Certain programs, however, can be marked as being memory resident, which means that the operating system is not permitted to swap them out to a storage device; they will always remain in memory. Memory Shared: The amount of the memory that is occupied by the shared libraries like libstdc++, so3, libpam. This may increase or decrease depending upon Add-on modules or other software that we use in conjunction with SafeSquid. Details: Shared memory refers to a (typically) large block of Random access memory, that can be accessed by several different central processing units (CPUs) in a multiple-processor computer system. Minor Page fault: Gives the total number of minor page faults, since the startup of the SafeSquid Processes. Major Page faults: Represents the total number of the Major page faults, since the startup of the SafeSquid processes. Details: SafeSquid is a caching proxy. It may have to look inside the cache to serve contents and also some time to serve templates. Similarly, SafeSquid generates logs. SafeSquid also could be invoking other applications.So SafeSquid performs a lot of memory swapping and disk i/o. The Statistics page displays the various aspects of this activity as minor and major page faults, besides any errors if they occur. An interrupt occurs when a program requests data that is not currently in real memory. The interrupt triggers the operating system to fetch the data from a virtual memory and load it into RAM. An invalid page fault or page fault error occurs when the operating system cannot find the data in virtual memory. This usually happens when the virtual memory area, or the table that maps virtual addresses to real addresses, becomes corrupt. Minor Page faults are number of hard page faults (i.e. those required i/o). Major Page Faults are the number of times a process was swapped out of physical memory. Requests Requests subsection gives information on total number of HTTP, FTP and CONNECT requests fulfilled, since the last startup of the SafeSquid processes.This quickly tells you about the different protocols being serviced through your proxy server.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

22

Network For administrators it is very important to know what is the amount of data that has been throughput. Network subsection gives information on Total Successful connections, Failed connections, DNS failures and Total Bytes transferred in/out of the network, since the latest startup of the SafeSquid Processes. This helps you to set various parameters in SafeSquid and System's Network settings to have improved performance. For example if you see too many DNS failures, you may need a better connectivity to your DNS servers. Similarly if you see too many failed connections and your logs say that they were genuine requests then it means that either your network is saturated or you need better ISP. DNS Cache When a request is made, its web server address is resolved from DNS Servers. SafeSquid has a DNS cache to store these resolved addresses for future use. This can dramatically reduce the latency. This section gives total number of Hit Ratio and Miss Ratio. A HIT means that the document was found in the DNS cache. A MISS, that it was not found in the DNS cache. Cache, Cache Refresh & Connection Pool This section gives total number of Hit Ratio and Miss Ratio of the Cache. A HIT means that the requested content was found in the cache. A MISS, that it was not found in the cache. Cache Refresh You can configure SafeSquid to revalidate the cached content after defined interval. If need be, SafeSquid refreshes the content and serves the relevant content to the clients, depending on the various parameters you set in the 'Cache' section. Quite a few times, SafeSquid could discover that the validity of the cached content was obsolete. This is recorded as miss in the Cache Refresh subsection. Connection Pool Connection Pool shows the number of times a connection was available to the request and the number of times it had to create a new connection for a particular request. The number of times it found the connection in the connection pool it is a hit and the number of times proxy had to establish a new connection it is considered as a miss Hosts This section shows the sites that are most frequently accessed by users, and the number of requests for a particular host along with its usage percentage. Mimes Mimes subsection display Mime types being accessed, and the usage percentage of the same. Users Users subsection displays users and their respective usage percentage, of the Proxy Services. If authentication is enabled, the users section would display usernames and the number of requests they have made, otherwise it will display anonymous.

2008 Office Efficiencies (India) Pvt. Ltd.

23

IP Addresses IP Address of the machines that have made requests, along with their respective usage percentage.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

24

7.3

DNS Cache
DNS resolution is a very important part in Internet surfing. Whenever a request is made the proxy has to resolve the address of the web server. This incurs latency. Hence to reduce this latency, SafeSquid maintains DNS cache, wherein it stores all resolved DNS addresses. When another request is made for the same web site, SafeSquid can easily get the address from the DNS cache. These entries remain in the DNS Cache for 360 seconds, and then it is refreshed, i.e. after 360 seconds, Proxy has to resolve DNS again.

DNS Cache Hostname The host name of the requested page IP Address

2008 Office Efficiencies (India) Pvt. Ltd.

25

The IP Address of that host. Age The Age of respective entries in the DNS cache, i.e. how long the entry has been residing in the DNS Cache.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

26

7.4

Show Headers
This section has two subsections viz. Unfiltered and Filtered. It describes the details of the client (browser) headers. Unfiltered subsection display Type and Value of the unfiltered Headers; similarly, Filtered section display Type and Value of Filtered headers.

Show Headers Host Shows the Host Name. User-Agent The Browser that is being used. Accept

2008 Office Efficiencies (India) Pvt. Ltd.

27

Shows the accepted value of the headers that are unfiltered / filtered. Accept-Language Specifies the language that is acceptable, i.e. content on pages should be displayed in specified Accept-Language. For example en-us specifies that all the pages should be specified in US English. Accept Encoding The Value of header types for which encoding should be accepted / allowed. For example: safesquid.cfg Proxy-Connection The type of connection for the Proxy Server. For example, Keep alive value, keeps the connection alive till it is exclusively switched off. Referer This is the address or URI (Unique Resource Identifier) of the document (or element within the document) from which, the URI in the request, was obtained. Referrer allows a server to generate lists of back-links to documents, for interest, logging, etc. It allows bad links to be traced for maintenance.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

28

7.5

View Cache Entries


SafeSquid has a multi-tier cache. This section gives Information related to the Cache volumes. It displays the list of Cache files, and give users the option to search through, and if required, selectively delete them using "Delete Matches" option. The Cache Information section gives information for Memory Cache and Disk Cache Volumes. It shows the total number of objects, the total size of those objects in Bytes, and the percentage of total Cache used. It also displays the path of the various Disk Cache Volume(s).

Figure 1

2008 Office Efficiencies (India) Pvt. Ltd.

29

The Regular Expression Match section has a text box, where you can enter a regular expression or any word, using which, the corresponding matches are found from Memory Cache, as well as Disk Cache, and displayed. Figure 2 displays the result of the search for 'yimg'. The result displays the URL, size in bytes and whether the content exists in the Memory and / or Disk Cache.

Figure 2

You can also filter content on the basis of content modification date, accessed date and file size. On the basis of these filter criterion, all the urls that meet the specified criteria, are displayed below the regular expression match section. The "Delete-matches" option allows you to delete the resulting matches. Note: If you want to delete all the cache entries, leave the text box blank, select the "Delete matches" option, and click on the submit button. The details of the content can be seen by clicking on the URL of a content, as shown in Figure 3.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

30

Figure 3 Details: MD5 Sums are 32 byte character strings that are the result of running the MD5 sum program against a particular file. Since any difference between two files results in two different strings, MD5's can be used to determine that the file or iso you downloaded is a bit-for-bit copy of the remote file or iso. If you are running one of the GNU/Linux distributions, you should already have the MD5 program installed. Epoch is an instant of time selected as a point of reference. In Linux, this time is considered as 1st January 1970. Epoch Time is the time represented in the total number of seconds from an instant of time selected as a point of reference i.e. Epoch. Hence termed as Epoch time.

2008 Office Efficiencies (India) Pvt. Ltd.

31

7.6

Connection Pool
This link displays information of the current connection(s) that are being held open, in the connection pool and / or awaiting reuse. The details that are displayed are - Protocol, Host, Port, Username (if authentication is enabled) and the Age in seconds since the connection was opened.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

32

7.7

Prefetch Queue
The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML to be pre-fetched (not just images) and cached. Prefetching is a good way to improve retrieval time. It reduces resource retrievals and improves retrieval time. This link allows you to add the webpage URLs, that you would like to prefetch and cache.

These entries are reflected in active connections under the IP as 0.0.0.0 and the method as PREFETCH.

2008 Office Efficiencies (India) Pvt. Ltd.

33

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

34

7.8

URL Blacklist
URL Blacklist consists of a list of thousands of domains and URLs, bifurcated in various categories, and stored in flat files. This section allows you to search these categories, to find out whether a specific Domain, URL or File is present in the URL Blacklist, and if it is, then in what category. You can search for a domain or a file, by entering your query (supports regular expression) in the corresponding text box, and clicking on the 'Submit' button. The result lists the category in which a match was found, Domains that matched the query and the paths to the matched Domains. Note: See URL Blacklist under the Config Section, for installing and configuring URL Blacklist.

2008 Office Efficiencies (India) Pvt. Ltd.

35

7.9

View Log Entries


'View log entries' displays a blow-by-blow account of recent activities. It can be used to monitor all transactions, track specific transactions, check events for trouble shooting, and check for errors, warnings and advices. The 'Regular Expression match' field allows you to search for specific events, using regular expressions. 'Log Buffer size' allows you to specify the number of entries from the log, that you would want to see at a time. The Clear option lets you clear the whole buffer, or the entries filtered with the 'Regular Expression match' option.

Image 11.0.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

36

7.10

Save Settings
When SafeSquid starts, it load the configuration file (config.xml) into the systems memory. When you make any changes to the rules / policies from the SafeSquid interface, these changes are made in the configuration file stored in the memory, and would get lost if SafeSquid service, or the server, is stopped or restarted. Use the 'Save settings' link to make the changes permanent. It copies / saves the configuration files in the memory, to the location specified in the 'Filename' field. The default path to the configuration file is /opt/safesquid/safesquid/config.xml. On successfully coping the file to the specified location, you should get a File saved message.

Image 12.0 This option can also be used to take a backup of the existing config file, before you make any changes to the original file. For example, before attempting any changes to the existing configuration, you could click on 'Save settings', and backup the original file, by specifying the 'Filename' as /opt/safesquid/safesquid/config_org.xml.

2008 Office Efficiencies (India) Pvt. Ltd.

37

7.11

Load Settings
The 'Load settings' option is used, either to load and completely overwrite the existing configuration file with another, or to import rule snippets into to current configuration file. Overwrite configuration For example, suppose you make changes to the existing configuration from the interface, do not save the recent changes with the 'Save settings' option, and would want to revert back to the original configuration. To do this, just click on the 'Load settings' option. The default path is displayed in the 'Filename' field. Click on 'Submit' while leaving the 'Overwrite' option to 'Yes'. This option can also be used if you have more that one configuration files, and would like to change over to another file, in real-time, from the one that you are currently using. Note: When SafeSquid is started, it by default uses the configuration file specified in the CONFIG_FILE parameter in the startup.conf. The default value of this parameter is set as /opt/safesquid/safesquid/config.xml If you have multiple configuration files, the configuration file that you would want to be loaded on startup, should always be the one that is specified in the CONFIG_FILE parameter in the startup.conf file. The value of CONFIG_FILE can be changed by running /etc/init.d/safesquid adjust.

Import rule snippet Rule snippets are short, specific rules that are created to perform specific tasks. For example, safesearch.xml, which is available from the SafeSquid Download page, can be imported into your existing configuration file (config.xml), to enforce Google Safe Search. Similarly, porn_keypwords.xml and anonproxy.xml, are rule snippets for Keyword Filtering rules, to block porn and anonymous proxy websites. To import rule snippets, download the rule snippet file to the SafeSquid server, click on 'Load settings', specify the path of the snippet file in the 'Filename' field, change 'Overwrite' to 'No', and click on 'Submit'. If the file is successfully loaded, you should get a message 'File loaded'. Changing 'Overwrite' to 'No' adds the file being loaded into your current configuration file. Instead of downloading and copying the snippet file to the server, you can also specify the URL of the file in the 'Filename' field. For example, the URL of the safesearch.xml file is http://downloads.safesquid.net/free/general/sample_rules/safesearch.xml But since access to this file requires you to authenticate with your SafeSquid Forum ID, you can type this URL in the 'Filename' field http://username:password@downloads.safesquid.net/free/general/sample_rules/safesearch.xml Replace the username:password in the URL with your forum username and password. Note: The rule snippet get imported into the configuration file loaded in the Server's memory, and gets activated in real-time. To make the changes permanent, you need to click on 'Save settings' and save the config.xml file. The changes will be lost when SafeSquid service is restarted, if you don't save the file.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

38

Image 13.0

2008 Office Efficiencies (India) Pvt. Ltd.

39

7.12

Config Section
Config opens a drop down dialog which contains all configurable features of SafeSquid. Select any feature you want to view, configure or modify and click the submit button. When you select a feature, the page displayed, exhibits entire list of rules and current settings of that feature, which can be modified as per your requirements. Intuitive tool tips are provided for every option available on the page, to guide you through each and every option.

All the features exhibit various Options and their corresponding Values. 'Search Entries' allows you to search through all the sections for a specific option or value.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

40

7.12.1 Basic Behaviour


The "General" section in the SafeSquid Interface allows you to configure options that affect the overall operation of the proxy server. These options mainly depend on your network infrastructure, like availability of Internet resources, network resources, network traffic, etc. 'Profiles' allow you to very granularly configure the way various content is processed, depending on the content type, like text, application, embedded, etc. The options in this section must be very carefully set, as they most comprehensively affect your implementations of SafeSquid.
general section The global section gives access to configuration options that affect the overall operation of the proxy server.

Option
Proxy hostname Temporary directory Web interface line length Connection pool size Connection pool timeout localhost /tmp 150 20 60 Submit

General Add Option


Enabled Profiles Connection timeout Header timeout Keepalive timeout Maximum download buffer size Maximum upload buffer size Buffer wait time CONNECT ports Compress outgoing Compress incoming Add X-Forwarded-For header Add Via header Edit Delete Clone

Value
true embedded 30 120 120 1M 500K 0 80,443 true true true true Up Down Top Bottom

2008 Office Efficiencies (India) Pvt. Ltd.

41 'Add' in General Section


Option
Enabled Comment Profiles Connection timeout Header timeout Keepalive timeout Maximum download buffer size Maximum upload buffer size Buffer wait time CONNECT ports Always compress mimetype Compress outgoing Compress incoming Add X-Forwarded-For header Add Via header 10 60 120 10M 500K

Value
Yes:

No:

No: No: Yes: No: Yes: No:


Yes: Yes: Submit

General section Proxy hostname The hostname of this proxy, if not defined in startup.conf. The Proxy Hostname defined during SafeSquid installation, and stored in the startup.conf, precedes this value. This needs to be configured properly for CARP (Cache Array Routing Protocol) and Web interface requests through HTTP to work. You have to give here the hostname of the proxy by which you will be accessing Web interface. If you want to access proxy by using IP address you can put the IP address of the safesquid proxy server. Give the hostname which should be defined on DNS, so that you can access it from any machine in your intranet or internet. Temporary directory The directory in which temporary files are stored. The default path is /tmp. If you want to change this, create a directory with 777 permissions, and specify the path here. Web interface line length The maximum length of a string with no spaces, until an explicit break is placed in it. This is required since lines without spaces won't wrap in a table, which may cause Web interface table formatting problem. Normally, this parameter does not require any changes.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

42

Connection pool size The number of keep-alive connections, made to HTTP and FTP servers, to be kept in the connection pool. These connections are shared between threads. Connection pool timeout The time in seconds a connection may remain in the connection pool before being closed. This value should be increased, if Internet connection is slow. Add subsection You can granularly define a specific set of values to various content types, by creating a different Profile for each content type, in the 'Profiles' section. These profiles can then be used in this section, to allot them different values. Enabled This option allows you to enable or disable a specific rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to everything if this field is left blank Connection timeout The timeout in seconds to wait for a connection to be established before giving up. SafeSquid will wait for the specified time duration for the target server to respond. If it exceeds the specified value, SafeSquid closes the connection and sends a template to the requesting user, saying that the Connection failed. This value can be increased if the Internet connection is slow. Header timeout The timeout in seconds to wait for a client, to make the initial HTTP request by sending request headers. SafeSquid tries to get the initial headers during this time. If it fails, SafeSquid sends 'Connection failed' template to user. You can increase the time if the network connection is slow. Keepalive timeout

2008 Office Efficiencies (India) Pvt. Ltd.

43

After an HTTP session is established , data must be exchanged periodically to ensure that session is still alive. The keepalive timeout defines the time in seconds that SafeSquid server should wait before closing the session. This is the timeout value for persistent connections. SafeSquid closes keepalive connections if they are idle for this amount of time. The default is 120 seconds and does not need to be changed. SafeSquid, being multi-threaded, allows the use of the same connection for multiple requests. The advantage is that less number of connections are required to be opened, for individual users, to the same server. Maximum download buffer size The maximum size in bytes of content that are buffered, for process by the Rewrite document, Keyword Filter and external programs like Anti Virus. You can define the value depending on the type of content . If you want to handle large size of data files then you can increase the value. Maximum upload buffer size The maximum size of upload content that is stored in memory for processing. Content larger that the specified value will be sent directly without processing. Having an upload buffer that is too large will cause the browser to timeout since all the data is received by SafeSquid immediately, but may take more time to process and transfer to the website. Buffer wait time The maximum time a file can be buffered before a message is sent to the client indicating it's being downloaded and for them to retry. CONNECT ports The ports on which outgoing CONNECT requests are allowed to be made. You can disable connection through proxy to certain ports , by not specifying their port numbers here. Each port or port range should be separated by a comma. Always compress mimetype A regular expression matching the MIME-Types which should always be buffered and compressed even if they wouldn't be buffered otherwise. Specify here the regular expression for MIME Type's. This will speed up the proxy process. Regular expression for MIME Type of Binary File (i.e. application/octet-stream) is ^application/octet-stream. Compress outgoing Toggle gzip or deflate encoding of outgoing processed content if the client supports it. If the proxy server is running locally, it is recommended to disable this feature. Compress incoming This option will make Safesquid attach an Accept-Encoding header that lets the Web server know that it can accept gzip and deflate content encoding, regardless of whether or not the

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

44

browser making the request supports it; if the browser doesn't support it, it will be buffered and decompressed before sending. Add X-Forwarded-For header This option will add a header allowing an upstream proxy or Web server know the IP address where the original request came from. Add Via header This option will add a header allowing an upstream proxy or Web server know which proxy server the request passed through.

2008 Office Efficiencies (India) Pvt. Ltd.

45

7.12.2 URL Blacklist


This section allows you to use a URL blacklist obtained from www.urlblacklist.com to restrict access to websites based on content category like porn, adult, webmail, jobsearch, entertainment, etc. The site www.urlblacklist.com maintains a well categorized list of various websites and pages. This is an excellent resource for an administrator seeking to granularly enforce a corporate policy that allows or disallows only certain kinds of web-sites to be accessible by specific users, groups or networks. The Commercial Edition of SafeSquid and all Composite Editions, including the Free Composite Edition 20 allows the administrators to use urlblacklist very easily and with a desired level of sophistication. You can use this feature by downloading the trial urlblacklist database from urlblacklist.com.

urlblacklist section This section allows you to use a URL blacklist to restrict access to Websites based on content category. Option Enabled Policy Blacklist path Default template Submit Value Yes: Allow:

No: Deny:

/opt/safesquid/urlbl/

Allow Add Deny Add Option Enabled Comment Categories Edit Delete Clone Option Enabled Comment Profiles Categories Edit Delete Clone Value true Globally block access to the URL Blacklist categories 'adult' and 'porn' adult,porn Up Down Top Bottom Value true Block access to the URL Blacklist categories 'jobsearch' for everyone except HRD Profile !HRD jobsearch Up Down Top Bottom

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

46

urlblacklist section Enabled This option allows you to enable, or completely disable the URL Blacklist Section irrespective of the rules defined in the section Value: Yes - Enable URL Blacklist Section No - Disable URL Blacklist Section Policy Defines the Global Policy for the URL Blacklist Section Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection Blacklist path The path to urlblacklist database. The default path is /opt/safesquid/urlbl. Untar (unzip) the downloaded urlblacklist database here. Please note that the complete database is loaded into the system memory, when SafeSquid service starts. If you plan to use only specific categories, then copy only those category directories in this location. This will help save memory resources, which would otherwise be unnecessarily used up by unwanted categories. Default template The template to display for blocked sites. If left blank, default template is used. You can design and display custom templates. For details, check Customisable Templates Allow / Deny subsection You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and If Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to adult, porn and jobsearch categories. Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does

2008 Office Efficiencies (India) Pvt. Ltd.

47

Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every one if this field is left blank Categories A comma separated list of URL Blacklist Categories, existing in the Blacklist Path, that you want to allow / deny. Template Template to display, when this specific rule matches. If left blank, Default Template is used.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

48

7.12.3 Access Control


'Access Restrictions' section allows you to control who can access the proxy server, and to what extent. This is where you define who is allowed to access SafeSquid, from where, whether the user should be authenticated, by what method, etc. You also define the profile of a user here, which will then be used in other sections to control his access.

Access Restrictions
access section The access feature is used to control who can access the proxy server, and to what extent. Option Policy Value Allow:

Deny:
Submit Allow Add

Option Enabled Comment PAM authentication Access

Value true This default rule allows access to every users of the network with IP address and username field left blank. false config,proxy,http,transparent,connect,bypass,urlcommand Deny Add

2008 Office Efficiencies (India) Pvt. Ltd.

49

'Add' Sub-Section
Option Enabled Comment Profiles IP Address PAM authentication User name Password Access Web interface Proxy requests HTTP requests Transparent proxying CONNECT requests Allow bypassing URL commands Bypass URL filtering Header filtering Mime filtering URL redirecting Cookie filtering Document rewriting External parsers Forwarding Keyword filtering DNS blacklist Limits Antivirus ICAP URL blacklist Interface username Interface password Added profiles Submit Value Yes:

No:

p p p p p p p p p p p p p p

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

50

Access Section Policy Default action to take when no matching entry is found. Defines the Global Policy for the URL Blacklist Section Value: Allow - Allow everyone, and deny ONLY the rules under the 'Deny' subsection Deny - Deny everyone, and allow ONLY the rules under the 'Allow' subsection 'Add' subsection When Policy is 'Deny', You can add rules under Allow that would explicitly result in allowing all or Specific set of conditions. This effectively allows you set a variety of intelligently and creatively defined Access Control Whitelist(s). When Policy is 'Allow', you can add rules under Deny that would explicitly result in blocking or denial of access to all or Specific set of conditions. This effectively allows you set a variety of intelligently and creatively defined Access Control Blacklist(s). Enabled This option allows you to enable or disable a specific rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles Profiles cannot be used under the Access Restrictions section. This is a dummy field. IP Address A regular expression matching the IP addresses this entry applies to. Leaving this field blank will cause the entry to match all IP addresses. You can enter a single IP (e.g. 192.168.0.25), a comma separated list of IPs (e.g. 192.168.0.25,192.168.0.29) and / or IP ranges (e.g. 192.168.0.25,192.168.0.29,192.168.0.36-192.168.0.46). When used in conjunction with username & password, it binds the user to the specified IP (s), i.e. the user is allowed access only from the specified IP(s). PAM authentication PAM is An acronym for Pluggable Authentication Modules. PAM is an authentication system that controls access to Linux System. It allows you to authenticate users from an external authenticating mechanisms like Samba, Active Directory, Radius, POP3, MySQL database, etc.

2008 Office Efficiencies (India) Pvt. Ltd.

51

If this option is selected, clients will be required to authenticate with the proxy and PAM will be used to authenticate the username and password. This option will work only if the proxy is configured and compiled with PAM support. For details about configuring. Check Working with PAM for details. User name With PAM Selected: If PAM is selected, this field is used to specify a username on the authenticating mechanism. If left blank, it allows any username that exists on the authenticating mechanism. Since this field option is a regular expression, you can also specify multiple usernames, separated with pipe, that exist on the authenticating mechanism. This is useful if you would like to allow only specific users to access SafeSquid or would like to create a group profile. For example, if you would like to allow only usernames john, ali & sean, you should enter (john|ali|sean) in this field. Another thing to note is that if you specify any IP(s) in the 'IP Address' field, the user(s) will be allowed access only from the specified IP(s). If the IP Address field is blank, the user(s) will be allowed access from any IP. Without PAM Selected: Without PAM, this field can be used to create usernames. For creating a username, simply enter the username in this field, and password in the 'Password' field. Entering a username and password, will cause an authentication challenge when a user tries to access SafeSquid. Now, the user will be allowed access only if supplies the entered username and password. Another thing to note is that if you specify any IP(s) in the 'IP Address' field, this user will be allowed access only from the specified IP(s). If the IP Address field is blank, the user will be allowed access from any IP. Leaving this field blank will allow access with authentication. Password With PAM Selected: If PAM is selected, this field should be left blank, since the password for the specified user (s) is verified from the authentication mechanism. Without PAM Selected: Without PAM selected, this is where you specify the password for the user specified in the 'Username' field. Access The Access field allows you to select the types of request a user is allowed to make:

Web interface: Proxy requests:

Allowed access to the SafeSquid Management Interface (http:// safesquid.cfg) Allowed to make regular proxy requests.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

52

HTTP requests: Transparent proxying: CONNECT requests: Allow bypassing: URL commands:

Allowed to make regular HTTP requests to proxy (for Web interface and other redirect requests set in the SafeSquid proxy). Allowed to make transparent proxy requests (must be allowed to make HTTP requests as well). Allowed to make CONNECT requests. Allowed to use the special xx--bypass URL command to bypass filters. Allowed to use the special xx-- URL commands. Check Use URL Commands for details

Bypass This section allows you to bypass VIP users from the effects of the listed filter sections. This can also be useful in diagnosing a denial event. The filter sections that can be bypassed are URL Filter Header Filter Mime Filter URL Redirecting Cookie Filter Document Rewrite External Parsers Forwarding Keyword Filter DNS Blacklist Limits Antivirus ICAP URL blacklist Interface username This field, along with Interface password, can be used to secure access to the SafeSquid Interface (http://safesquid.cfg). Users will have to give the specified Interface username and password, to get access to the interface. It can also be used to give different username and password to administrators, when there are more than one administrators managing the proxy Interface password Password for 'Interface username' field. Added profiles This is where you 'create' a profile for users, to identify or classify them and give further access rights. For example, if you wanted to identify IP addresses 192.168.0.5-192.168.0.15 as

2008 Office Efficiencies (India) Pvt. Ltd.

53

'accounts' department, you specify the IP range in the 'IP address' field and in the 'Added profiles' you should mention 'Accounts'. With PAM enabled, you can create a group of users, by specifying a pipe separated list of usernames existing on the authenticating mechanism, e.g. (john|ali|sean), and specifying the group name, e.g. Accounts, in the Added Profiles field. Without PAM, you will have to create a separate rule for each user, with username and password, and specify the group each belongs to in the Added Profiles field. The value of Added Profiles field is then used in the 'Profiles' and other filter sections, to collectively allow or deny access to various content, to the users. Check Profiled Internet Access for details

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

54

7.12.4 Profiles
SafeSquid's Profiles feature allows you to accommodate the demands of extremely granular rules for Internet Access privileges and restrictions. The 'Profiles' section allows you to very precisely define situations. Each situation, thus defined is referred to as a Profile. Each Profile can be defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the various filtering sections in SafeSquid. You can thus ensure that filtering action happens exactly, as required. Check Profiled Internet Access that explains the use of Profiles for granular Internet access The parameters that are available for defining a profile are explained below.

Profiles 'Add' subsection


Option Enabled Comment Profiles Protocol Host File Mime type Port range list URL Command Proxy host Request header pattern Response header pattern Month range Day range Weekday range Hour range Minute range Time match mode Added profiles Removed profiles Submit Value Yes:

No:

p p p p p

active active active active active

January 0 Sunday 0 0 All ranges:

to January to 0 to Sunday to 0 to 0

Absolute:

2008 Office Efficiencies (India) Pvt. Ltd.

55

'Add' Subsection The following parameters can be used to define a profile: Enabled This option allows you to enable or disable a specific profile. Value: Yes - Enable this profile No - Disable this profile Comment A comment for future reference explaining what this rule does Profiles A comma separated list of previously created profile(s) (either in Access Restriction or in Profiles section), to which this rule should apply. Applies globally if left blank. Protocol A regular expression matching the protocol this entry applies to, e.g. ^ftp$, ^http$, etc. Applies to all protocols if left blank. Host A regular expression matching the host's this entry applies to, e.g. (example.com|mysite. com|yousite.com). Applies to all hosts if left blank. File A regular expression matching the file (the part of a URL that succeeds the hostname) this entry applies to, e.g. (cgi-bin|\?) will apply to queries in a URL. Applies to everything if left blank. Mime type A regular expression matching the MIME-type this entry applies to, e.g. "^image/" will match will match all image files. Applies to all MIME-types if left blank. MIME-type matching is done after receiving the server header, so it may only be used for certain features; header filtering, cache refresh policy, and cache store selection are done before the server header is received. Port range list A comma seperated list of ports or port ranges this entry applies to, e.g. a value "80,2125" means port 80 and port rgae from 21 to 25. Applies to all ports if left blank. URL Command A comma seperated list of URL commands which will activate this entry. Applies to all

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

56

commands if left blank. Check Use URL Commands for details Proxy host A regular expression matching the proxy hosts this entry applies to. This is useful when sharing a configuration file between several SafeSquid proxy servers or instances in MultiProxy or Multi-Instance scenario. Applies to all hosts if left blank. Request header pattern A regular expression pattern matching the request header's this entry applies to, e.g. Mozilla/4.0.* MSIE.* matches a request from Internet Explorer. Applies to all patterns if left blank. Response header pattern. A regular expression pattern matching the response headers this entry applies to. Applies to all patterns if left blank. Month range The range of months within which this entry is active, e.g. January to March will keep this profile active from January through March. Applies to all months if left blank. Day range The range of days within which this entry is active, e.g. 5 to 15 will keep this profile active from 5th through 15th. Applies to all days if left blank. Weekday range The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this profile active from Monday through Thursday. Applies to all weekdays if left blank. Hour range The range of hours within which this entry is active, e.g. 9 to 12 will keep this profile active from 9 hrs through 12 hrs. Applies to all hours if left blank. Minute range The range of minutes within which this entry is active. This can be used in conjunction with Hour Range, e.g. if the hour range is 9 to 12 and minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank. Time match mode The time match mode option allows you to specify how a time is matched, if you specify multiple ranges. Value: Absolute - If the Weekday range specified is Monday to Friday and Hour Range 9 to 17, then selecting 'Absolute' Time Match Mode, will match any time starting Monday, 9AM and ending Friday, 5PM.

2008 Office Efficiencies (India) Pvt. Ltd.

57

All ranges - If the Weekday range specified is Monday to Friday and Hour Range 9 to 17, then selecting 'All ranges' Time Match Mode, will match any time between 9AM to 5PM, on all weekdays from Monday to Friday. Added profiles This is where you specify (or create) what profile should be applied if the specified situation matches. See examples below. Removed profiles This field can be used to remove a profile from a situation, or exclude a situation from being applied a profile. See example below.

Example #1 Suppose you wanted to allow access only to a few sites to the 'Accounts' profile (which is created in Access Restriction Section - see Access Control), while allowing any / all sites sites to the 'VIP' profile. To match these situations, you will need to add 2 profiles in the Profiles section, like this -

Profile 1
Option Enabled Comment Profiles Host Time match mode Added profiles Value true This profile specifies the sites allowed to 'Accounts' group Accounts (firstsite.com|secondsite.net|thirdsite.org) absolutetime allowed_sites

Profile 2
Option Enabled Comment Profiles Time match mode Added profiles Value true This profile specifies the sites allowed to 'VIP' group Accounts absolutetime allowed_sites

Please note that the fields that are not mentioned above are blank. So, the first rule says that, if the request already carries the profile 'Accounts', and the request is for either abc.com, def.com or ghi.com, then give is another profile 'allowed_sites'. Similarly, the second rule says that, if the request already carries the profile 'VIP', and the

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface
request is for any site (Host field is blank), then give it another profile 'allowed_site'.

58

Next, you will go to the 'URL filter' section. Select Policy as 'Allow'. Now, since the policy is allow, you should add a rule under the Deny subsection, like this -

Option Enabled Comment Profiles

Value true Block everything, except 'allowed_site' profile !allowed_site

The above rule says that deny everything, EXCEPT / but NOT (!) the request that carry 'allowed_sites' profile. Now, all the requests from VIP will carry the profile 'allowed_sites', while requests from 'Accounts', ONLY for abc.com, def.com or ghi.com, will carry 'allowed_sites' profile. Effectivly, 'VIP' will be able to access any site, while 'Accounts', only the specified sites. Example #2 Now suppose you wanted to allow 'Accounts' to access xyz.com, but only during lunch hours from 13 hrs to 14 hrs. To define this situation, you can add another rule under the Profiles section, like this -

Option Enabled Comment Profiles Host Hour range Time match mode Added profiles

Value true Time restricted access Accounts xyz.com 13,14 absolutetime allowed_sites

The above rule says that, if the request already carries the profile 'Accounts', AND the request is for xyz.com, AND the time of the day is between 13 hrs to 14 hrs, then give the request 'allowed_sites' profile. You can similarly define situations, or create profiles, by using one or multiple parameters like Protocol, File, Mime type, Port range list, URL Command, Proxy host, Request header pattern & Response header pattern.

2008 Office Efficiencies (India) Pvt. Ltd.

59

7.12.5 cProfiles
cProfiles allows you to ADD/Remove Profiles, depending upon the potential nature of the content served, by the web-site. cProfiles queries SafeSquid's Content Categorization Service (CCS) *, to determine if a web-site belongs to one or more categories. The determination is actually a score of probability: for example: a score of 1 ==> the site definitely does not belong to the queried category, a score of 100 ==> the site most definitely belongs to this category. Now based on the determination, you can ADD / Remove Profiles, and thus take necessary actions, via the various filters like URL Filter, Mime-Filter, etc. cProfiles stores the results, in a high-speed memory based (volatile) cache, to ensure quick response for often accessed websites. * CCS maintains a categorized database of web-sites. The categorization has been done on the basis of availability of content of certain category, at the web-site. cProfiles uses the standard DNS protocol to communicate with CCS, thus the query results will be stored (non-volatile) in all the en-route caching nameservers. Thus query results should be quickly accessible to you even across restarts.

cProfiles section

Option Enabled Cache Size Enterprise Identity

Value Yes:

No:

1000 0101-1408-1b0b-123f-1711-05@ircmpvef Submit

Entries for processing cProfiles Add

Option Enabled Comment Categories list Score Range Added profiles Edit Delete Clone

Value true Identify websites belonging to porn category porn 2-100 category-porn Up Down Top Bottom

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface
'Add' under 'Entries for processing cProfiles'
Option Enabled Comment Profiles Category List ads content adult content adult_education content arts content chat content drugs content education content fileshare content finance content gambling content games content government content hacking content hate content highrisk content housekeeping content instantmessaging content jobs content leisure content mail content multimedia content Score Range Added profiles Removed profiles Submit 2-100 Value Yes:

60

No:

p p p p p p p p p p p p p p p p p p p p p

cProfiles section Enabled This option allows you to enable, or completely disable the URL Blacklist Section irrespective of the rules defined in the section

2008 Office Efficiencies (India) Pvt. Ltd.

61

Value: Yes - Enable cProfiles Section No - Disable cProfiles Section Cache Size Specify the number of query responses that should be cached by cProfiles. cProfiles will create an equivalent high-speed memory based (volatile) cache, to ensure quick response for often accessed web-sites. Caution #1: Use a realistic number that approximately equals the number of different web-sites visited by users in your enterprise. A number between 1000 - 10000 should generally serve most enterprise networks. Caution #2: The current cache will be destroyed and a new one re-created. Therefore, kindly do not make changes here, too often. Enterprise Identity Specify your Enterprise Identity key here. This key is required to activate cProfiles. Enterprise Identity key can be obtained by subscribing to SafeSquid CSS service. Enterprise Identity is unique and allows CCS to sort, the web-sites that were requested by your enterprise. Thus the CCS can prioritize the web-sites that must be classified, to serve your enterprise better. Caution: The Enterprise Identity is a unique key, that must never be shared between networks / enterprises, to ensure proper results from CCS. 'Add' under 'Entries for processing cProfiles' section Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every one if this field is left blank Category List Comma separated list of categories that must be checked on the CCS. By default, all available categories are listed, when you add a new rule. The following categories are currently available: ads, adult, adult_education, arts, chat, drugs, education, fileshare,

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

62

finance, gambling, games, government, hacking, hate, highrisk, housekeeping, instantmessaging, jobs, leisure, mail, multimedia, news, porn, proxy, searchengines, shopping, social, sports, systemutils, travel, business. You may either create a separate rule for the categories that you would want to identify, or include a comma separated list of multiple categories in a single rule. Score Range Specify the score range for a positive match. cProfiles will query the SafeSquid's Content Categorisation Service (CCS) to determine, the probability of content nature to belong to the above mentioned categories. The probability could be between 1 and 100. a score of 1 = the site definitely does not belong to the queried category a score of 100 = the site most definitely belongs to this category. So, if you set the score range to 2-100, then entries created below for Added Profiles or Removed Profiles, will be applied only if the scored value is more than 1. Added profiles Comma separated list of profiles that will be Added to the connection, if the selected categories have a positive match. These profiles can then be used in various filters like URL Filter, Mime-Filter, etc. to take desired action. Removed profiles A comma separated list of profiles to remove when the selected categories have a positive match. If any of these profiles have been already applied to the connection by any other Profile rules, they will be removed.

Example: Suppose you wanted to globally block 'porn' category, and restrict 'Accounts' profiles from accessing 'jobsearch' category. Create the following rules in the cProfiles section: cProfiles Section
Option Enabled Comment Category List Score Range Added profiles Value true Identify websites under 'porn' category porn 2-100 blocked-category

2008 Office Efficiencies (India) Pvt. Ltd.

63

Option Enabled Comment Profiles Category List Added profile

Value true Identify websites under 'jobsearch' category Accounts jobsearch

Score Range 2-100 blocked-category

Next, go to the URL filter section and add the following rule under Deny subsection (Presuming that Policy is Allow).

URL filter - Deny subsection


Option Enabled Comment Profiles Value true This rule blocks access to 'blocked-category' profile blocked-category

The first rule applies 'blocked-category' profile to all the requests, for which there is a positive match, under the 'porn' category. This rule applies to every body, since the 'Profiles' field is blank. The second rule applies 'blocked-category' profile to all the requests, for which there is a positive match, under the 'josearch' category. This rule applies only to 'Accounts' profile. The rule defined under URL filter section, blocks all requests with blocked-category profile.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

64

7.12.6 Define user limits


The SafeSquid Limits feature allows you to define User Limits, for accessing content from the Internet. You can create rules to limit the maximum size of individual files that are fetched from the Internet. These rules can also pre-set the speed-limits at which the content may be accessed. Rules that set limits to the nature of content being accessed during specific time-periods, can also be set.

Limits 'Add' subsection


Option Enabled Comment Profiles Action Template Month range Day range Weekday range Hour range Minute range Download transfer limit Upload transfer limit Request limit Download rate Time match mode Allow: Value Yes:

No:

Deny:

to to to to to January 0 Sunday 0 0

p p p p p
0 0 0 0

active January active 0 active Sunday active 0 active 0

Absolute:

All ranges:

Limit cache transfers p Flags Per-request limit Group limit

p p
Submit

2008 Office Efficiencies (India) Pvt. Ltd.

65

Limits 'Add' subsection The following parameters can be used to define rules for setting various user limits: Enabled This option allows you to enable or disable a specific rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of previously created profile(s) (either in Access Restriction or in Profiles section), to which this rule should apply. Applies globally if left blank. Action The action to take when this entry matches. If set to Deny - any request falling into the specified time range is blocked, otherwise the request is allowed. Select Allow if you desire to set a limit on the amount of data that can be transferred, or the number of requests that can be made. Further access will later be denied, when the limit is reached. Template The template, or message, that should be displayed on a users screen when access is denied due to this rule. This template is only sent if the page was blocked due to the time restrictions. Default template is used if this field is left blank. See Customizable Templates for details about templates Month range The range of months within which this entry is active, e.g. January to March will keep this profile active from January through March. Applies to all months if left blank Day range The range of days within which this entry is active, e.g. 5 to 15 will keep this profile active from 5th through 15th. Applies to all days if left blank. Weekday range The range of weekdays within which this entry is active, e.g. Monday to Thursday will keep this profile active from Monday through Thursday. Applies to all weekdays if left blank. Hour range

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

66

The range of hours within which this entry is active, e.g. 9 to 12 will keep this profile active from 9 hrs through 12 hrs. Applies to all hours if left blank. Minute range The range of minutes within which this entry is active. This can be used in conjunction with Hour Range, e.g. if the hour range is 9 to 12 and minute range is 15 to 30, then the profile will remain active from 9:15 through 12:30. Applies to every minute if left blank. Download transfer limit The amount of download in bytes that would be allowed during the specified time. No limit if left blank. Upload transfer limit The amount of upload in bytes that would be allowed during the specified time. No limit if left blank. Request limit The number of requested that would be allowed during the specified time. No limit if left blank. Download rate The maximum download transfer rate (speed or QoS) that should be allowed. Maximum available if left blank. Time match mode The time match mode option allows you to specify how a time is matched, if you specify multiple ranges. Value: Absolute - If the Weekday range specified is Monday to Friday and Hour Range 9 to 17, then selecting 'Absolute' Time Match Mode, will match any time starting Monday, 9AM and ending Friday, 5PM. All ranges - If the Weekday range specified is Monday to Friday and Hour Range 9 to 17, then selecting 'All ranges' Time Match Mode, will match any time between 9AM to 5PM, on all weekdays from Monday to Friday. Flags The following flags are used to define, or fine tune, the rule Limit cache transfers: apply the rule even when the content is being served from the cache Per-request limit: confine transfer limit to each single request. E.g. if you set Download transfer limit as 5MB, each and every matching request will be allowed 5MB Group limit: share transfer limit between all matching connections. E.g. if you set Download transfer limit as 5MB, it will be shared between all the matching connections

2008 Office Efficiencies (India) Pvt. Ltd.

67

7.12.7 FTP proxy


SafeSquid is a very powerful FTP proxy and can very neatly get you the the contents of FTP services, directories and contents. The FTP section lets you configure how the FTP connections are established, and results displayed.

FTP Section
ftp section FTP connection options. Option Passive mode Timeout Anonymous login Anonymous password Sort order Sort field Ascending: Value Yes:

No:

Descending:

None: Name: Size:

Date:

Submit

FTP Section The following parameters are available for configuration in the FTP Section Passive mode Use passive mode for FTP transfers; this is useful if you are behind a firewall that prevents the FTP server from opening a connection to you. Options: Yes: Select Passive Mode No: Do not select Passive Mode Timeout Time in seconds to wait for a response for commands sent to the FTP server. Anonymous login The login name to use when none is explicitly given in the URL. Anonymous password The password to use when none is explicitly given in the URL.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

68

Sort order The order in which FTP directory listings are sorted. Options: Ascending: Sort directory listing in ascending order Descending: Sort directory listing in descending order Sort field The field by which FTP directory listings are sorted. Options: None : Do not sort by any field Name : Sort by Name field Size : Sort by size Date : Sort by date

2008 Office Efficiencies (India) Pvt. Ltd.

69

7.12.8 Templates
Templates are used throughout Safesquid as a replacement for pages which can't be displayed due to filtering, error, or other conditions. SafeSquid comes with the following default templates:
Template blocked nodns badrequest badresponse nofile nocache noconnect noaccess badprotocol badauth maxbandwidth maxrequests proxy.pac nterface.css Condition Page blocked DNS lookup failed Malformed HTTP header from client Malformed HTTP header from server File not found Cache file not found when browsing in offline mode Connection failed Access denied Protocol not implemented Authorization failed (when forwarding through SOCKS4) Bandwidth limit exceeded Request limit exceeded A script to configure the browser to use the proxy. Web interface stylesheet

These templates can be viewed from http://safesquid.cfg/template/blocked (template name) You can replace the default templates with your own customized templates (SafeSquid Advanced Edition and all Composite Editions, including the free Composite Edition 20). Customized templates can be really useful, when you would want the error messages to be displayed in a language other than English. It can also be used to display your company logo, warning or message like 'If you feel this site was unnecessarily blocked, please notify the administrator on helpdisk@mycompany.com'. A template may not necessarily be an html, but can be almost about anything like an audio file, flash file or an executable. It can be used to invoke a file for a specific condition. For example, SafeSquid has 3 built-in templates - tinygif (a 1x1 transparent gif image), checkeredgif (a 4x4 gray and transparent checkered pattern), and tinyswf (an empty flash animation). The checkeredgif template is used by default, to replace images that it blocked by the Pornographic Image Filter add-on module that is used to block pornographic images in real time. So, when the page is displayed to a user, a block of checkered boxes is displayed instead of the blocked image. There are several variables that can be used in templates if the parsable option is selected which will be replaced with information about the request currently being handled. These variable can be used to generate content in real time. The variables are:

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface
Variable @AVSCANNER@ @CATEGORY@ @HTTP_METHOD@ @HTTP_HOST@ @HTTP_FILE@ @HTTP_PORT@ @UPLOADLIMIT@ @IP@ @INTERFACE@ @IMAGESCORE@ Description The name of Antivirus Scanner used The Category of Blacklist used Method used to request file The Host to which HTTP request was made to File HTTP request was made for Port HTTP request was made to. The Limit given to Upload a file IP address of client making request IP address of the interface the client connected to Score for Individual Images

70

@DOWNLOADLIMIT@ The Limit given to Downloading

@IMAGETHRESHOLD The cut-off value from which Image is decided as good or @ bad(porn) @PORT@ @SIZE@ @TRANSFERRED@ @USERNAME@ @URL@ @VERSION@ @VIRUSNAME@ PORT the client connected to Amount of value going to transferred Amount of value transferred already The username authentication by which the user logs on after

The full URL (the same as @HTTP_METHOD@:// @HTTP_HOST@:@HTTP_PORT@@HTTP_FILE@) The proxy server version The name of the Virus detected

The Template Section in the SafeSquid Interface, allows you to configure customized templates
Customisable Templates

Option Path

Value /opt/safesquid/safesquid/templates Submit

Template Add

2008 Office Efficiencies (India) Pvt. Ltd.

71 'Add' Sub Section


Option Enabled Comment Profiles Name File Mime type Response code Type Parsable File: Executable: Yes: Value Yes:

No:

No:

Submit

Templates section The following parameters are available for configuration in the Templates Section Path The directory path on the server where the template files are located Add Add a custom template 'Add' subsection The following parameters are available for configuration in the 'Add' subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every one if this field is left blank Name The name by which this template should be referred to in other sections.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

72

File The name of the file in template directory, to be used with this template Mime type The MIME-type of the template file. When using an executable, this is send in the HTTP response header. Response code The response code to use when sending the template. Leave blank to use internal default. Type Specify the type of template. Options: File: The content of the file will be sent as template. Executable: The file is executed, and whatever it writes on STDOUT, is sent as the template. Parsable If this option is selected, all variables in the template will be substituted.

Example: In this example we will replace the default template displayed when a site is blocked by URL Filter section. Let us presume that this file is called filter.html, and it's content is as below filter.html

<html> <head> <title>site is blocked</title> </head> <body style="color: rgb(255, 255, 255); background-color: rgb(255, 0, 0);" link="#000099" alink="#000099" vlink="#990099"> <div style="text-align: center; font-family: Verdana;"> <h1>The site @HTTP_HOST@ is blocked </h1> </div> </body> </html>

2008 Office Efficiencies (India) Pvt. Ltd.

73

Now, copy this file to the directory /opt/safesquid/safesquid/template/ on the SafeSquid Server. Next, from the SafeSquid Interface (http://safesquid.cfg) go to Config => Template. Click on 'Add' under the template subsection and add the following rule -

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

74

Template 'Add' subsection


Option Enabled Comment Profiles Name File Mime type Response code Type Parsable filter filter.html text/html 404 File: Executable: Yes: Value Yes:

No:

Template for URL FIlter Section

No:

Submit

Next, go to Config => URL filter, and change the value of 'Default template' to 'filter'

url-filtering section This section filters the URLs based on the host name and file path. Option Enabled Policy Default template Value Yes: filter Submit

Allow:

No: Deny:

Now, when you visit a website that is blocked by URL filter, you will see the new template, instead of the default. Remember to save the changed setting by clicking on 'Save setting' from the top menu in the SafeSquid Interface.

2008 Office Efficiencies (India) Pvt. Ltd.

75

7.12.9 DNS Blacklists


The DNS-bl is a co-operative effort by DNS providers across the internet to deny DNS service to known spam domains. in.dnsbl.org allows making nslookup queries to identify if a particular domain has been listed for fraud, Spamming, illegal content, malware, etc. For example, if we had to find out if somesite.example.com has been listed on dnsbl, we simply have to do an nslookup for somesite.example.com.in.dnsbl.org. If this domain is listed, the response would be one of 127.0.0.2-8, depending on the category under which it is listed. The categories are: Response 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 Category UCE Fraud Spam Promo Illegal Content Pre-emptive Improper List Practices Botnet Activity / Malware

Check http://dnsbl.org/ for details. DNS Blacklist Section


dnsbl section DNS blacklist services use a DNS server to allow people to lookup domains of known abusive servers. Option Enabled Template Domain in.dnsbl.org Value Yes:

No:

Blocked IP addresses 127.0.0.1,127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5 Submit

dnsbl section The following parameters are available for configuration in the DNS Blacklist Section Enabled This option allows you to enable or disable the DNS blacklist section . Value: Yes - Enable DNS blacklist section

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

76

No - Disable DNS blacklist section Template The template to send when domain is blocked. Domain The domain to use for making queries. For example, the domain to use the services from dnsbl.org is in.dnsbl.org. You can also use any other service that provides similar service. Blocked IP addresses A comma separated list of IP addresses (or responses - see table above), from in.dnsbl.org, that you would like to block access to. For example, if you would like to block access to domains listed under "Fraud" and "Botnet Activity / Malware", type 127.0.0.3,127.0.0.8 here.

2008 Office Efficiencies (India) Pvt. Ltd.

77

7.12.10 URL Filtering


URL filter section can be used to block access to URLs based on ther host name and / or file path. If the URL is denied, an error page template is sent to the web browser. URL filter can not only be used to block access to specific websites, but it can also be used to very effectively and granularly block specific objects like banners and advertisement, search engine queries, URLs containing specific words like 'sex' or 'mail', and access to IMs and Chats like Yahoo Messenger, Google Talk, Rediff Bol, etc.

url-filtering section
This section filters the URLs based on their host name and file path. Option Enabled Policy Default template Submit Value

No: Allow: Deny:


Yes:

Allow Add

Deny Add

Option Enabled Comment File Edit Delete Clone

Value true SAMPLE rule to block specific websites (rapidshare.de|orkut.com|myspace.com) Up Down Top Bottom

Option Enabled Comment Mime type Edit Delete Clone

Value true SAMPLE rule to block specific profiles disallowed_query,ad_servers,banners Up Down Top Bottom

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

78

'Add' under Allow / Deny Subsection


Option Enabled Comment Profiles Host File Mime type Template Submit Value Yes:

No:

mime-filtering section Enabled This option allows you to enable, or completely disable the URL Filtering Section irrespective of the rules defined in the section Value: Yes - Enable Mime filtering Section No - Disable Mime filtering Section Policy Defines the Global Policy for the URL Filtering Section Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection Default template The template to display for blocked sites. If left blank, default template is used. You can design and display custom templates. For details, check Customisable Templates 'Add' under Allow / Deny subsection You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and If Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content. Enabled This option allows you to enable or disable a rule.

2008 Office Efficiencies (India) Pvt. Ltd.

79

Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Host A regular expression matching the host on which this rule should apply. You can define multiple hosts seperated with pipe. E.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts. File You can further fine tune the rule by specifying a regular expression for the file part contained in a URL, to restrict access to only specific file / folder on the hosts mentioned in the Host field (applies to all if Host field is left blank). E.g. if you would like to restrict access to ads or banners on mysite.com, specify mysite.com in Host and /ad(|s|v|(|_) banner(|s))/ in the File field. This will block access only to mysite.com/ad/ or mysite.com/ ads/ or mysite.com/adv/ or mysite.com/banner/ or mysite.com/banners/ IP ranges A comma separated list of requesting IPs and / or IP ranges on which this rule to apply. E. g. 192.168.0.10-192.168.0.20,192.168.0.25-192.168.0.29,192.168.0.33 Template This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.

Example:
Suppose you wanted to restrict the 'Accounts' group from accessing some specific web sites. Create the following rule in the Profiles section: Profiles Section
Option Enabled Comment Value true This profile is used in URL filter to restrict 'Accounts' group from accessing the specified sites.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

80

Profiles Host Time match mode Added profiles

Accounts (firstsite.com|secondsite.net|thirdsite.org) absolutetime Blocked-Site

Next, go to the URL filter section and add the following rule under Deny subsection (Presuming that Policy is Allow).

URL filter - Deny subsection


Option Enabled Comment Profiles Value true This rule blocks access to 'Blocked-Site' profile Blocked-Site

The first rule defines that when users with 'Accounts' profile, request for the sites specified in Host field, give that request another profile - Blocked-Site. This rule only defines the situation, and does not do any blocking. The second rule, defined under URL filter section, blocks all requests with Blocked-Site profile.

2008 Office Efficiencies (India) Pvt. Ltd.

81

7.12.11 URL redirect


URL Redirect allows you to redirect client requests to defined targets, which may or may not be what the client requested. This feature is a very popular and should be used with some imagination and logic to get the best results.

redirect section The redirect feature allows you to redirect requests. Option Enabled Value Yes:

No:

Submit Redirect Add

'Add' under Redirect Subsection


Option Enabled Comment Profiles URL Redirect Port 302 redirect Options 0 Yes: Value Yes:

No:

No:

p Decode URL before p Decode URL after p


Encode URL Location header: URL: Submit

Applies to

Both:

redirect section Enabled This option allows you to enable, or completely disable the URL Redirect Section irrespective of the rules defined in the section Value:

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

82

Yes - Enable URL Redirect Section No - Disable URL Redirect Section 'Add' under Redirect subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank URL A regular expression matching the URL you wish to redirect. The URL will always be in the form "protocol://host/file" or "/file" for HTTP requests. This may be trailed with a / followed by flag characters like in Perl to modify options used to compile the regular expression, and must be, if a / is used anywhere else in the regular expression. Redirect The URL to redirect to. It may contain back references to strings captured using parenthesis in the URL pattern. This can be in the form "protocol://host/file" or "/file" if you wish to send a relative URL when redirecting a URL in the Location: header. If this option is left blank, no action will be taken against requests matching the URL Port The port to redirect to. If left blank, the same port to which the original request was made, is used. 302 redirect If yes, a 302 redirect is used; otherwise the new host is connected to directly and the new file is requested. A 302 redirect should always be used when possible to ensure relative links and images are correct. Options The following options are available to control how the URL should be handled: Encode URL - Encode the new URL. Decode URL before - Decode the URL before attempting to match it with the regular expression.

2008 Office Efficiencies (India) Pvt. Ltd.

83

Decode URL after - Decode the new URL after matching. Applies to Select whether the redirection applies to requested URL's, the Location header when a remote site sends a 302 redirect, or both.

Example: SafeSquid automatically produces the auto-configure-script proxy.pac (Proxy Auto Configuration) file, that clients can use to automatically configure the proxy server. This file can also be used by WPAD (Web Proxy Automatic Discovery) protocol, which allows automatic discovery of Proxy servers. The following redirect rule will redirect any client request for proxy.pac file to the default SafeSquid proxy.pac file.

Option Enabled Comment URL Redirect 302 redirect Applies to

Value true This will send a template when /proxy.pac is requested to configure the browser to use the proxy ^/proxy.pac$ /safesquid.cfg/template/proxy.pac false url

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

84

7.12.12 Mime Filtering


The Mime filtering section allows you to filter content based on its Mime type.

mime-filtering section The mime feature allows you to filter content based on it's MIME-type. Option Enabled Policy Default template Value

No: Allow: Deny:


Yes:

Allow Add Deny Add Option Enabled Comment File Edit Delete Clone Option Enabled Comment Mime type Edit Delete Clone Value true A SAMPLE rule that blocks downloads of files by mime type. (^audio/|^video/) Up Down Top Bottom Value true A SAMPLE rule that blocks downloads of files by file extension. \.(exe|mp3|avi|wmv|wma|mpeg|zip|tar|gz)$ Up Down Up Down

'Add' under Allow / Deny Subsection

2008 Office Efficiencies (India) Pvt. Ltd.

85
Option Enabled Comment Profiles Host File Mime type Template Submit Value Yes:

No:

mime-filtering section Enabled This option allows you to enable, or completely disable the Mime filtering Section irrespective of the rules defined in the section Value: Yes - Enable Mime filtering Section No - Disable Mime filtering Section Policy Defines the Global Policy for the Mime filtering Section Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection Default template The template to display for blocked sites. If left blank, default template is used. You can design and display custom templates. For details, check Customisable Templates 'Add' under Allow / Deny subsection You can define rules either under the Allow or Deny subsection, depending on the selected Policy. If Policy is Allow, you should define rules under the Deny subsection, and If Policy is Deny, you should define rules under the Allow subsection. In the above example, the Policy is Allow. Hence, rules are defined in the Deny subsection to deny access to specific content. Enabled This option allows you to enable or disable a rule. Value:

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

86

Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Host A regular expression matching the host on which this rule should apply. You can define multiple hosts separated with pipe. E.g. (safesquid.com|yoursite.org|mysite.net). Leave this field blank to apply to all hosts. File You can further fine tune the rule by specifying a regular expression for the file part contained in a URL. Leave blank to match everything. Mime Type A regular expression matching the MIME-types this rule applies to, e.g. ^audio/, ^video/, application/octet-stream, etc. Matches all MIME-types if left blank. Template This field can be used to send a customized template, instead of the default template, when a URL is blocked specifically due to this rule.

2008 Office Efficiencies (India) Pvt. Ltd.

87

7.12.13 Header Filtering


Header filtering allows you to control what headers are passed from your browser to websites. In additional to the allow and deny actions, there is an insert action which will add a new header onto the ones sent by your browser. For these entries, the Type and Value options are plain text. For detailed syntax and semantics of standard HTTP/1.1 header fields, refer to this link

header-filtering section The header feature allows you to control what headers are passed from your browser to websites. In additional to the allow and deny actions in some other sections, there is an insert action which will add a new header onto the ones sent by your browser; for these entries, the Type and Value options are plain text. Option Enabled Policy Value Yes: Allow:

No: Deny:
Submit

Allow Add Deny Add Insert Add

'Add' under Allow / Deny / Insert Subsection


Option Enabled Comment Profiles Type Value Applies to Client header Value Yes:

No:

Server header p Submit

header-filtering section

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

88

Enabled This option allows you to enable, or completely disable the Header filtering Section, irrespective of the rules defined in the section Value: Yes - Enable Header filtering Section No - Disable Header filtering Section Policy Defines the Global Policy for the Header filtering Section Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection 'Add' under Allow / Deny / Insert subsection You can add rules under Deny that would explicitly remove header content from All and / or Specific set of server and / or client requests. This effectively allows you set a variety of intelligently and creatively defined Privacy Blacklist(s). You can add rules under Allow that would explicitly allow header content within All and / or Specific set of server and / or client requests. This effectively allows you set a variety of intelligently and creatively defined Privacy Whitelist(s) You can also define rules under the 'Insert' subsection, to insert additional information in the headers sent by your browser. Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Type A regular expression matching the header types this entry applies to; leave blank to match everything (header's are in the form "Type: value") Value A regular expression matching the header value, this entry applies to; leave blank to

2008 Office Efficiencies (India) Pvt. Ltd.

89

match everything. Applies to The types of headers that will be affected by this rule.SafeSquid supports header control in both - server side and client side headers.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

90

7.12.14 Cookie Control


Cookie Filter allows you to choose which hosts, the browsers are allowed to send and receive cookies to and from. Cookies: Persistent Client-State HTTP Cookies are files containing information about visitors to a web site (e.g. user name and preferences). This information is provided by the user during the first visit to a web server. The server records this information in a text file and stores this file on the visitor's hard drive. When the visitor accesses the same web site again the server looks for the cookie and configures itself based on the information provided.

cookie-filtering section The cookies feature allows you to choose which hosts your browser is allowed to send and receive cookies to and from. Option Enabled Policy Value Yes: Allow:

No: Deny:
Submit

Allow Add Deny Add

'Add' under Allow / Deny Subsection


Option Enabled Comment Profiles Expiry year range Expiry month range Expiry day range Expiry weekday range Expiry hour range Expiry minute range Domain Path Direction Time match mode In: Value Yes:

No:

p active p active p active p active p active p active

to
January

to to to to to

January

Sunday

Sunday

Out:

Both:

Absolute:

All ranges: Submit

2008 Office Efficiencies (India) Pvt. Ltd.

91

cookie-filtering section Enabled This option allows you to enable, or completely disable the Cookie filtering Section, irrespective of the rules defined in the section Value: Yes - Enable Cookie filtering Section No - Disable Cookie filtering Section Policy Defines the Global Policy for the Cookie filtering Section Value: Allow - Allow everything, and deny ONLY the rules under the 'Deny' subsection Deny - Deny everything, and allow ONLY the rules under the 'Allow' subsection 'Add' under Allow / Deny subsection You can add rules under Deny that would explicitly result in blocking or denial of cookie transfer to all or specific set of conditions. This effectively allows you to set a variety of intelligently and creatively defined Cookie Transfer Blacklist(s). You can add rules under Allow that would explicitly result in acceptance or allowance of cookie transfer to all or specific set of conditions. This effectively allows you set a variety of intelligently and creatively defined Cookie Transfer Whitelist(s). Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Expiry year range The cookie expiry year range this entry applies to. Expiry month range

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

92

The cookie expiry month range this entry applies to. Expiry day range The cookie expiry day range this entry applies to. Expiry weekday range The cookie expiry weekday range this entry applies to. Expiry hour range The cookie expiry hour range this entry applies to. Expiry minute range The cookie expiry minute range this entry applies to. Domain A regular expression matching the cookie's domain attribute this entry applies to. Path A regular expression matching the cookie's path attribute this entry applies to. Direction The direction of the cookie this entry applies to; can be either in (Set-cookie sent by website), out (Cookie sent by browser), or both. Time match mode The time match mode option allows you to specify how a time is matched, if you specify multiple ranges. Value: Absolute - If the Weekday range specified is Monday to Friday and Hour Range 9 to 17, then selecting 'Absolute' Time Match Mode, will match any time starting Monday, 9AM and ending Friday, 5PM. All ranges - If the Weekday range specified is Monday to Friday and Hour Range 9 to 17, then selecting 'All ranges' Time Match Mode, will match any time between 9AM to 5PM, on all weekdays from Monday to Friday.

2008 Office Efficiencies (India) Pvt. Ltd.

93

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

94

7.12.15 Word Filtering


Keyword Filtering allows you to block pages which may contain inappropriate content, using a weighed keyword scoring system. When the host, file, mime-type, and keyword in an entry matches, it's score is added to the total score; when that total score exceeds the threshold, the page is deemed inappropriate and blocked. This is a very intelligent method of blocking websites, belonging a specific category, like porn, without depending on any databases like URL Blacklist. For details, see Identifying and blocking Pornography web-sites Although SafeSquid is bundled with Keyword Filtering rules to block porn websites, you can also download the rule snippet from the Downloads page.

keywords-filtering section

Option Enabled Threshold Template

Value Yes:

No:

Submit

keyword Add

'Add' under keyword Subsection


Option Enabled Comment Profiles Mime type Keyword Score Submit Value Yes:

No:

keywords-filtering section Enabled

2008 Office Efficiencies (India) Pvt. Ltd.

95

This option allows you to enable, or completely disable the keyword filter Section, irrespective of the rules defined in the section Value: Yes - Enable keyword filter Section No - Disable keyword filter Section Threshold The number the total score must equal or exceed, until it is blocked. Template The template to display for blocked sites. If left blank, default template is used. You can design and display custom templates. For details, check Customisable Templates 'Add' under keyword subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Mime type A regular expression matching the mime-types this entry applies to, e.g. text, html, javascript. It is highly advisable that you set this to some mime-type, otherwise all files will be checked. If you're unsure, set this to "text/". Keyword A regular expression matching words or expressions in the body of the document, considered inappropriate. E.g. (sex|sexy|porn|pornography) Score The score allotted to this entry. When the defined keyword matches, this score is added to the total score. This can be a positive or a negative integer.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

96

7.12.16 Content Re-Write


Content Re-Write (Rewrite document) is a very powerful feature that must be used with extreme care. This feature allows you to use regular expressions to modify the contents of web pages, files, the client header, and server header in real time. It can be used to remove content like AcitveX, JavaScript, etc., from non-trusted websites, before serving the page to users.

rewrite section

Option Enabled

Value Yes:

No:

Submit

Rewrite Add

'Add' under Rewrite Subsection


Option Enabled Comment Profiles MIME type Pattern Replace Value Yes:

No:

Applies to

Client header Server header Body POST data

p p p

Submit

rewrite section Enabled

2008 Office Efficiencies (India) Pvt. Ltd.

97

This option allows you to enable, or completely disable the Rewrite document Section, irrespective of the rules defined in the section Value: Yes - Enable Rewrite document Section No - Disable Rewrite document Section 'Add' under Rewrite subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank MIME type A regular expression matching the MIME-type this entry applies to. This must be filled with some Mime-type, otherwise the rewrite rule will be applied to every downloaded file, which is almost certainly not what you want. To have it applied to web pages, fill this field with "text/html". Pattern A regular expression pattern matching the area of text inside the file to modify. If this field is left blank, and the host, file, or mime-type options aren't, this will be the last entry matched for sites matching the host, file, and mime-type. This may be trailed with a / followed by flag characters like in Perl to modify options used to compile the regular expression, and must be if a / is used anywhere else in the regular expression. Replace The replacement text to use in place of the area of text matching the pattern; it may contain back references to strings captured using parenthesis in the pattern. A back reference to a captured string is in the form "$#", where # is a number from 1-9; "$0" will be replaced with the entire area of text matching the regular expression. Escape sequences may be used to represent unprintable characters, they are "\n" (newline), "\r" (carrier return), and "\t" (tab). To use a backslash as part of the replacement text, precede it with another backslash. Applies to

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

98

This option is to select what the rewrite rule applies to; the options are: Client header - Rewrite the client header; this happens before SafeSquid parses it. So be careful not to remove any headers needed to handle the request properly. The Mime-type option serves no purpose for this. Server header - Rewrite the header from the remote web server; same conditions from client header apply. Body - Rewrite the body of the webpage or file. POST data - Rewrite POST/PUT data sent when submitting a form or uploading a file.

Example: The following example is for blocking ActiveX codes from specific websites Create the following rule in the Profiles section: Profiles Section
Option Enabled Comment Host Time match mode Value true This profile is used in Rewrite document section to block ActiveX from specified sites. (firstsite.com|secondsite.net|thirdsite.org) absolutetime

Added profiles Block-ActiveX

Next, go to the Rewrite document section and add the following rule: Rewrite document section
Option Enabled Comment Profiles MIME type Pattern Replace Applies to Value true This rule will replace ActiveX codes in web pages from hosts specified in Block-ActiveX profile, in Profiles section Block-ActiveX text/html <object[^>]*>(.*)</object> <b><font color="blue" > SafeSquid </font> restricting <font color="red" > Active X </font> download</b> body

This will replace ActiveX codes in web pages from the specified hosts, and replace them with the following:

2008 Office Efficiencies (India) Pvt. Ltd.

99
SafeSquid restricting Active X download You can also do the reverse, by allowing ActiveX only from specific web site, while blocking it from the rest. To do that, created a profile, e.g. 'Trusted-Websites' in the profiles section, and specify the web sites in the 'Host' field. Next, in the Rewrite document section, instead of entering 'BlockActiveX' in the 'Profiles' field, enter '!Trusted-Websites'. The '!' here means 'NOT'. Effectively, the Rewrite document rule will apply to all web sites, EXCEPT the ones specified in 'Trusted-Websites' profile.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

100

7.12.17 Content Caching


Content Caching improves bandwidth efficiency. A page or file, when requested by a user, is served to the user and a copy of it is also maintained locally in the cache. So, when a request is made to fetch the same page or file, it is served with the local copy, instead of 'a fresh fetch'. SafeSquid has a very neat, efficient and manageable Content Caching system.

cache section

Option Enabled Violate RFC Memory cache size Memory free extra Minimum file size Maximum file size Prefetch window ICP port ICP timeout Store balance method journal size Clean Interval

Value Yes: Yes: 50M 200M 0 1M 30 0 1000 Fill size: Fill percent: 128 30 Submit

No: No:

Store Add Option Enabled Comment Path Maximum disk size Disk free extra MD5 integrity check Edit Delete Clone Value false This is the default path of cache directory /var/cache/safesquid 1G 250M false Up Down Refresh Add Top Bottom

2008 Office Efficiencies (India) Pvt. Ltd.

101
Option Enabled Cachable Minimum age Maximum age Revalidate age Last-Modified time factor Edit Delete Clone Value true true 1800 2592000 1259000 10 Up Down Top Bottom

'Add' under Store Subsection


Option Enabled Comment Profiles path Maximum disk size Disk free extra MD5 integrity check 0 0 Yes: Value Yes:

No:

No:

Submit

'Add' under Refresh Subsection


Option Enabled Comment Profiles Cachable Minimum age Maximum age Revalidate age Last-Modified time factor Yes: 0 0 0 0 Submit Value Yes:

No:

No:

cache section Enabled This option allows you to enable, or completely disable the Caching Section, irrespective of the rules defined in the section Value:

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

102

Yes - Enable Caching Section No - Disable Caching Section Violate RFC This option will cause the proxy server to violate some rules in the HTTP RFC to help improve cache performance. Specifically, when a website requests that the file not be cached with the No-Cache directive in the Cache-Control header, the proxy will cache it anyways but always validate it with an If-Modified-Since conditional request. Memory cache size The maximum size in bytes of the memory cache. Memory free extra The number of additional bytes to free up when the memory is cleaned. Minimum file size The minimum file size in bytes of any cached file. Maximum file size The maximum file size in bytes of any cached file; if set to 0, no maximum file size is imposed. Prefetch window This option can be used to specify the time period after a file is pre-fetched, in which it will be exempt from any refresh or expiry rules. ICP port The UDP port to listen for ICP packets on. You can change as per your configuration. ICP timeout The timeout in milliseconds for response ICP packets. Store balance method This option controls how a file goes into selected storage directory, when you define multiple storage volumes. Fill size - will select the storage directory with the least total bytes used Fill percent - will select the storage directory with the lowest percentage of space used. journal size The maximum size in bytes of the journal Clean Interval Interval time in seconds after which the content in the Memory Cache is dumped into the disk storage.

2008 Office Efficiencies (India) Pvt. Ltd.

103

'Add' under Store subsection You can add one or more locations under "Store" that would be used for physically storing the content for caching. Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Path The directory where cached files are stored. Maximum disk size The amount of space that should be used to store cached files in this directory. Disk free extra When the cache is cleaned, this additional amount will be freed as well. This option can be useful to prevent the cache from getting evicted too often, which can hurt performance. MD5 integrity check It performs MD5 check on cache files when saving them and loading them from disk. This ensures that corrupted cache files don't get used. 'Add' under Refresh subsection You can add / modify the rules under "Refresh" that would enforce your policies for renewing or refreshing the contents in the cache, to ensure that the users are served with content that is 'fresh enough'. This effectively allows you to intelligently and creatively manipulate the bandwidth usage. Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

104

Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Cachable Whether or not requests matching this entry are cached. Minimum age The minimum age of any file must be according to the Last-Modified header before it is cached. Maximum age The maximum age of any cached file before it must be revalidated. This overrides any given expiry time. Revalidate age The maximum age of any cached file that didn't include any headers indicating when it should expire before it must be revalidated. If set to 0, all cached files whose expiry time is uncertain will be verified. If no "Last-Modified" header is received to calculate the percent of age freshness, the cached file is always revalidated. Last-Modified time factor The percentage of time between the date given in the Last-Modified header and the current time, a cached file is considered fresh after downloading.

2008 Office Efficiencies (India) Pvt. Ltd.

105

7.12.18 Request Forwarding


The Forwarding section allows you to selectively forward requests through another proxy, SOCKS4 or SOCKS5 firewalls. SafeSquid also supports CARP & ICP Protocols. CARP (Cache Array Routing Protocol): The Cache Array Routing Protocol (CARP) is used in load-balancing HTTP requests across multiple proxy cache servers. It works by generating a hash for each URL requested. A different hash is generated for each URL and by splitting the hash namespace into equal (or unequal parts, if uneven load is intended) the overall number of requests can be distributed to multiple servers. ICP (Internet Caching Protocol): The Internet Cache Protocol (ICP) is a protocol used for coordinating web caches. Its purpose is to find out the most appropriate location to retrieve a requested object from in the situation where multiple caches are in use at a single site. The goal is to use the caches as efficiently as possible, and to minimize the number of remote requests to the originating server. Hierarchically, a queried cache can either be a parent, a child, a sibling.

forward section

Option Enabled Enable CARP CARP hash size

Value Yes: Yes:

No: No:


Submit

Forward Add Option Enabled Comment Proxy Port ICP peer type ICP port Type Applies to Edit Delete Clone Value true sample rule for forwarding parent_proxy 3128 none 0 HTTP HTTP,FTP,CONNECT Up Down Top Bottom

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

106

'Add' under Forward Subsection


Option Enabled Comment Profiles Proxy User name Password Domain Port ICP peer type ICP port Type Applies to HTTP: 0 None: Parent: Sibling: Value Yes:

No:

SOCK4:

SOCKS5:

Connect:

HTTP requests FTP requests CONNECT requests Submit

p p p

forward section Enabled This option allows you to enable or completely disable the Forwarding Section, irrespective of the rules defined in the section Value: Yes - Enable Forwarding Section No - Disable Forwarding Section Enable CARP This option allows you to enable or disable the use of CARP Value: Yes - Enable CARP No - Disable CARP CARP hash size The maximum value of CARP hash set on the peer proxies. Otherwise decrease this value for greater redundancy of cached files. If the peer is Squid set this value to 0. 'Add' under Forward subsection You can add unique rules to deal with different proxies, profiles, requests in this subsection.

2008 Office Efficiencies (India) Pvt. Ltd.

107

Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Proxy The hostname or IP address of the proxy to forward through. If this is left blank, and the host or file options aren't, no action will be taken for requests matching the host and file. If the Proxy is the same as the server's own hostname, the entry is ignored. This makes it easier to have a configuration file shared between several proxy servers. User name The user name to use if the proxy requires authentication. Password The password for the User name used Domain The NT domain when using the NTLM authentication protocol. Port The port number of the proxy to forward through. ICP peer type The peering relationship of this proxy. None - The ICP protocol will not be used with this proxy Parent - This proxy is a Parent. When no peer has the cached file, it will still be requested from a parent, so that it is cached for other peer proxy servers. Sibling - This proxy is a Sibling. Files are requested from it only when it has a cached copy. ICP port The UDP port ICP packets are sent on to this proxy.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

108

Type The type of proxy the requests are being forwarded to: HTTP: This is a HTTP proxy. SOCKS4: This is a SOCKS4 firewall. SOCKS5: This is a SOCKS5 firewall. Connect: The connect method will be used through the HTTP proxy. Applies to What type of requests should be forwarded: HTTP requests: Forward HTTP requests FTP requests: Forward FTP requests CONNECT requests: Forward CONNECT requests

2008 Office Efficiencies (India) Pvt. Ltd.

109

7.12.19 Internet Content Adaptation Protocol (ICAP)


ICAP is a protocol designed to off-load specific Internet-based content to dedicated servers, thereby freeing up resources and standardizing the way in which features are implemented. For example, a server that handles only language translation is inherently more efficient than any standard Web server performing many additional tasks. ICAP concentrates on leveraging edge-based devices (proxies and caches) to help deliver valueadded services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP Web servers. These ICAP servers are focused on a specific function, for example, add insertion, virus scanning, content translation, language translation, or content filtering. Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks. ICAP in its most basic form is a "lightweight" HTTP based remote procedure call protocol. In other words, ICAP allows its clients to pass HTTP based (HTML) messages (Content) to ICAP servers for adaptation. Adaptation refers to performing the particular value added service (content manipulation) for the associated client request/response. How does ICAP work in SafeSquid? The ICAP feature enables the proxy server to use an ICAP server to perform request modification, request satisfaction, or response modification to any request or response. When enabled, what basically happens is this: For request modification: - client sends request to proxy server. - proxy server forwards request to the ICAP server, ICAP server will respond with a possibly modified request header. - proxy server will use that modified request header to process the request. This allows the ICAP server to do things like redirection, header filtering, etc. For request satisfaction: - client sends request to proxy server. - proxy server forwards request to ICAP server, ICAP server will respond with a _response_ header and possibly a response body. - proxy server will pass that response header and body onto the client, the request will not be further processed. This allows the ICAP server to do things like URL blocking, etc. For response modification: - client sends request to proxy server. - proxy requests file from web server (or uses cached response). - proxy server forwards response header and body to ICAP server, ICAP server will respond with a possibly modified response header and body. - proxy server will then send the possibly modified response header and body to the client. This allows the ICAP server to do things like virus scanning, content modification, block inappropriate content, etc. When an ICAP server is installed with a caching system, every transaction is piped through the

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

110

ICAP server, allowing the server to modify or redirect Web requests or responses. When an ICAP server is installed in an FTP system, every transaction is piped through the ICAP server, allowing virus and content filtering software to operate on the content.

ICAP section

Option Enabled

Value Yes:

No:

Submit

ICAP Add

'Add' under ICAP Subsection


Option Enabled Comment Profiles Host File Port Applies to Requests Responses Value Yes:

No:

p p
Submit

ICAP section Enabled This option allows you to enable or completely disable the ICAP Section, irrespective of the rules defined in the section Value: Yes - Enable ICAP Section No - Disable ICAP Section 'Add' under ICAP subsection Enabled

2008 Office Efficiencies (India) Pvt. Ltd.

111

This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Host The Host name or IP address of the ICAP Server. File The file to request from the ICAP server. Port The port of the ICAP server Applies to Which part of the HTTP request this entry applies to: Requests: The ICAP server will be used to modify or satisfy requests. Responses: The ICAP server will be used to modify responses.

Examples: In all the examples below, it is presumed that the IP of the ICAP server is 192.168.0.175 and they are listening on port 1344. The profile 'virus_scan' is used in all examples, to ensure that only the files that require virus scanning are sent to the ICAP server. This profile is created in the "Profiles' section. The sample rule is as follows:

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface
Profiles Section
Option Enabled Comment File Value true The following file types will be scanned for viruses (386|ADE|ADP|ADT|APP|ASP|BAS|BAT|BIN|BTM|CBT| CHM|CLA|CLASS|CMD|COM|CPL|CRT|CSC|CSS|DLL| DOC|DOT|DRV|EML|EMAIL|EXE|FON|HLP|HTA|HTM| HTML|INF|INI|INS|ISP|JS|JSE|LIB|LNK|MDB|MDE| MHT|MHTM|MHTML|MP3|MSO|MSC|MSI|MSP|MST| OBJ|OCX|OV\?|PCD|PGM|PIF|PPT|PRC|REG|RTF|SCR| SCT|SHB|SHS|SMM|SYS|URL|VB|VBE|VBS|VXD|WSC| WSF|ZIP|GZ|RAR|WSH|XL\?) absolutetime virus_scan

112

Time match mode Added profiles

1. Using Dr. Web's ICAP Server for virus-scan of incoming content


Option Enabled Comment Profiles Host File Port Applies to Value true Configurations for using Dr. Web ICAP server virus_scan 192.168.0.175 /respmod 1344 responses

2. Using Kaspersky ICAP Server for virus-scan of incoming and outgoing content Rule for scanning incoming content
Option Enabled Comment Profiles Host File Port Applies to Value true Configuration for using Kaspersky ICAP to virus-scan incoming content virus_scan 192.168.0.175 /respmod 1344 responses

2008 Office Efficiencies (India) Pvt. Ltd.

113
Rule for scanning outgoing content - GET / POST
Option Enabled Comment Profiles Host File Port Applies to Value true Configuration for using Kaspersky ICAP to virus-scan outgoing content virus_scan 192.168.0.175 //av/reqmod 1344 requests

2. Using Symantec ICAP Server for virus-scan of incoming and outgoing content
Option Enabled Comment Profiles Host File Port Applies to Value true Configurations for using Symantec ICAP to virus-scan incoming & outgoing content virus_scan 192.168.0.175 /respmod 1344 responses

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

114

7.12.20 External Parser


External Parsers allows you to use any program or script to parse the contents of a file. The external parser must send a complete HTTP request or response header, which will override the ones sent by the browser or Web server. If no body is sent after the header, the original body with modified headers is used.

external section

Option Enabled

Value Yes:

No:

Submit

External Add

'Add' under Rewrite Subsection


Option Enabled Comment Profiles Executable Type Applies to Pipe: Value Yes:

No:

File:

Requests Responses

p p p p

Run once per session Send header

Yes:

No:

Request header Response header

Submit

external section Enabled This option allows you to enable, or completely disable the Rewrite document Section, irrespective of the rules defined in the section Value: Yes - Enable External parsers Section No - Disable External parsers Section

2008 Office Efficiencies (India) Pvt. Ltd.

115

'Add' under External subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank Executable The path to the executable. If no absolute path is specified, the path as given in the PATH environment variable is searched. You have to specify the path in this option i.e. /opt/ safesquid/script/external.sh. Any number of arguments can be passed by separating them by spaces. If you're using a temporary file as the method to pass the contents of the file, it's path will be the last argument. When the program is executed, several environment variables are set to reflect the properties of the file being handled, they are: VERSION HTTP_METHOD HTTP_HOST HTTP_FILE HTTP_PORT IP INTERFACE PORT The proxy server version Method used to request the file Host HTTP request was made to File HTTP request was made for Port HTTP request was made to IP address of client making request IP address of the interface the client connected to Port the client connected to

Additionally, for every header received from the remote website and set by a client, an environment variable is set. All the environment variables for the server's headers start with SERVER_, and the client's start with CLIENT_; All '-' (dashes) in the header type are converted to '_' (underscores), and all characters are in uppercase. If an executable returns with a non-zero status code, the original content is returned. Type The method to be used to pass the content to the external program. The options are:

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

116

Pipe: Content is piped to the program's STDIN File: Content is stored in a temporary file and it's path is passed as the last argument. Applies to Select whether the external parser is used on request header or response header or both. Requests - Use on request headers. Responses - Use on response headers. When both options are selected, it uses on both, request and response headers. Run once per session Run external parser for every request in a session until it returns a non-zero status code. This is useful for performing authentication through an external program. Send header Which header(s), if any, to send to the external program before sending the body. The options are: Request headers: Send request headers Response headers: Send response headers The response header option only applies to external programs that process the response. If both headers are selected, the request header is sent first.

Example: See article Use External Parsers To Authenticate Only Specific Web Sites for a complete example.

2008 Office Efficiencies (India) Pvt. Ltd.

117

7.12.21 Prefetching Embedded Objects


The Prefetching feature can be used as an 'internet accelerator'. It allows virtually any file referenced in HTML to be pre-fetched, not just images, and cached. Prefetching is a good way to improve retrieval time. It reduces resource retrievals and improves retrieval time. The target range is wider than that of both, mirroring and caching.
prefetch section

Option Enabled Threads Queue size Host limit

Value Yes:

No:

Submit

Prefetch Add

'Add' under Prefetch Subsection


Option Enabled Comment Profiles Tag name Tag attribute Attribute pattern Maximum file size Recursion level 0 1 Submit Value Yes:

No:

prefetch section Enabled This option allows you to enable, or completely disable the Rewrite document Section, irrespective of the rules defined in the section Value: Yes - Enable Prefetching Section No - Disable Prefetching Section Threads

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

118

The number of threads to run in the background for prefetching files. Safesquid needs to be restarted for this setting to take effect. Queue size The size of the prefetch queue. Host limit The maximum number of queued prefetches per host. 'Add' under Prefetch subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does. Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank. Tag name The HTML tag the attribute is in. Tag attribute The HTML tag attribute holding the URL to be prefetched. Attribute pattern A regular expression matching the attribute value this entry applies to. Maximum file size The maximum size of the prefetched file, set to 0 for unlimited. Recursion level If the URL leads to another HTML page, this is the depth, links will be followed. Setting to 0 causes links to be followed indefinitely.

Example:

2008 Office Efficiencies (India) Pvt. Ltd.

119
An example for those unfamiliar with HTML, images and embedded objects that are inserted into the Webpage using HTML tags. An HTML tag may look something like this:

<IMG SRC="cool.jpg"> The 'IMG' part is the TAG name, the 'SRC' part is an attribute, and the "cool.jpg" part is an attribute value. Safesquid can parse HTML code and extract URL's from given tag's and attributes. Example: you wish to prefetch any embedded shockwave flash files, after quickly looking at the HTML of a Webpage that has embedded flash animations you discover it typically, uses the following HTML code:

<embed src="/ani.swf" wmode="opaque" name="newsticker" quality="high" scale="exactfit" bgcolor="#293381" width="770" height="25" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"></embed> So the HTML tag is 'embed', and the tag attribute is 'src' Wait though... there's a problem! how can SafeSquid know this is an embedded shockwave flash animation and not something else? There is the 'type' attribute as well, but Safesquid can only match one attribute per tag. What we can do is use the Attribute Pattern option in the entry to narrow this down a bit. Shockwave flash files have a .swf extension, as seen in the src attribute value "/ani.swf", so we can fill in the attribute pattern option with a regular expression matching only files with a .swf extension, like "\.swf$".

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

120

7.12.22 Pornographic Image Filter


Image filter allows you to block pornographic images from websites and webmails, by analyzing the graphical content of an image, in real time, and block all suspicious images, so that a blank box is displayed in place of the blocked image. Although it is only about 80%-90% accurate, it acts as a good deterrent. This is a commercially distributed add-on plug-in and works with SafeSquid Advanced Edition and all Composite Editions, including the FREE Composite Edition 20. This is a closed binary add-on module. The Trial version of Pornographic Image Filter can be downloaded from the Downloads page. The details for installing Pornographic Image Filter has been described in THIS TOPIC

imgfilter section

Option Enabled Library path Default template

Value Yes:

No:

/opt/safesquid/modules/imgfilter/imgfilter

Submit

Image filters Add

'Add' under Image filters Subsection


Option Enabled Comment Profiles Threshold Template Submit Value Yes:

No:

Imgfilter section Enabled This option allows you to enable, or completely disable the Image filter Section, irrespective of the rules defined in the section

2008 Office Efficiencies (India) Pvt. Ltd.

121

Value: Yes - Enable Image filter Section No - Disable Image filter Section Library path The path where the Image Filter Libraries are stored Default template The template to display for blocked images, when a template is not defined in a rule under 'Image filters' subsection. If left blank, default template is used. 'Add' under Image filters subsection Enabled This option allows you to enable or disable a rule. Value: Yes - Enable this rule No - Disable this rule Comment A comment for future reference explaining what this rule does. Profiles A comma separated list of Profiles on which this rule should apply. The rule applies to every thing if this field is left blank. Threshold Image filter allocates a score to the images that it analyzes. -10.0 is unlikely to be porn whereas 0.0 is very likely. You can fine tune the filter by defining the threshold score limit here. You can create multiple rules, with different threshold limits for different profiles. Template Template to display, when an image is blocked. If left blank, the Template defined under the imgfilter section is used.

2008 Office Efficiencies (India) Pvt. Ltd.

SafeSquid Interface

122

URL commands
SafeSquid has powerful remote management features. The Browser-based GUI lets you configure the way you Internet is used in your network. URL Commands allow you to test the functionalities and verify your configurations - REMOTELY. URL commands can be used to show information about a webpage and to bypass certain features. For proxy requests, URL commands are prefixed onto the hostname of the website. For example, ' http://xx--bypass.www.somesite.com" would bypass all the filters that might be applying on www.somesite.com. Bypassing is useful to work around sites that are having problems with some types of filtering. You can grant or remove the right to use URL commands to a user, in 'Access Restrictions' section. See Access Control for details. The other URL commands are:
Command xx--fresh xx--raw xx--cookies xx--mime xx--headers xx--score xx--diff xx--htmltree xx--process xx--offline xx--filter xx--cache xx--profiles Description Fetch fresh copy of file from website, instead of using cache. Sometimes the cache refresh logic gets things wrong. Show raw file (HTML), on FTP directory lists it'll show the raw listing Display cookies sent to and received from website Show matching mime entry for requested URL Show headers sent by browser and received from website Show score for page when doing keyword filtering This will show the diff-like output of the changes made by the rewrite feature to a website, useful for debugging regular expression patterns Debug HTML parser when prefetching. It'll show a parsed HTML tree. Useful for people wanting to debug their HTML Bypass the maxbuffer setting and buffer/process the file anyways, so if someone wants to scan a large file for virsues they can use this Browse in offline mode, only cached files can be viewed.. and cache files won't be validated if they're stale Display any matching filter entry for requested URL Display information about a cached file Display a list of enabled profiles Make an https SSL request from a non-SSL client, also can be used to process HTTPS content (remove banners, scan viruses) i.e. http://xx--https.www.cibc.com would be the same as https://www.cibc.com these 2 features are designed to work together: Pre-fetch a file in the background without downloading it to the client. Display a template instead of the requested file This one is neat when forwarding to another proxy, this will make the proxy connect back to safesquid and safesquid will display the headers that would have been passed onto the website... The purpose is to serve someone who wishes to surf anonymously through open proxies. They can see if the website can still identify them.

xx--https

xx--prefetch xx--template

xx--proxytest

The xx--bypass command can be used with additional options to selectively bypass (or unbypass) most features.

2008 Office Efficiencies (India) Pvt. Ltd.

123
xx--bypass[OPTIONS] OPTIONS is a string of letters representing the features. Here are the available options:
Option f h m r c w e p k d a i Description url filtering header filtering (both client and server) mime filtering URL redirection cookie filtering rewriting external parser (both request and response) forwarding keyword filtering dns blacklist antivirus scanning ICAP

A + or - symbol can be used to change between bypassing and un-bypassing, if the feature was bypassed in the Access Restrictions section entry. some examples: http://xx--bypass[fh].www.slashdot.org <-- bypasses URL and header filtering http://xx--bypass[e-i].www.safesquid.com <-- bypass external programs and UN-bypass ICAP http://xx--bypass.www.exn.ca <-- bypass everything

For regular HTTP requests (such as when the proxy is being used to redirect HTTP requests), an extra path element is added to the front of the requested file with the URL command inside; for example, "http://xx--proxyip:port/bypass./somefile". URL commands are not only taken from the request URL, but also from the Referer header sent by your browser as well; this allows them to work for images and files loaded from a website a URL command was used on. Additionally, URL commands are automatically prefixed to the Location: header sent back when a 302 redirect is received or when a redirect rule that sends a 302 redirect matches. Below is a list of all available URL commands and a description of what they do. There's a few other things to note: when a URL command is used on a site that sends back a 302 redirect, the URL command is added to the URL in the Location header, so that the URL command still applies when the browser follows the redirect. when a request is made that has a URL command in the Referer header but not in the URL (like when someone clicks a link on a page they used a URL command on), the proxy will send a 302 redirect to the same URL but with URL commands. This makes it possible to continuously browse with features bypassed. URL commands are also extracted from the Host header, so they work when the proxy server is transparent.

2008 Office Efficiencies (India) Pvt. Ltd.

URL commands

124

URL commands are also prefixed to URL's sent by the Redirect feature, well.. except if 'bypass' or 'bypass[r]' is used since the redirect feature would be bypassed.

2008 Office Efficiencies (India) Pvt. Ltd.

125

Multiple Proxy Configuration


SafeSquid has a unique Multi Proxy, or Master-Slave, configuration. If your enterprise requires multiple proxies across its global networks, you can enjoy the convenience of SafeSquid's unique Master-Slave deployment architecture. You just have to set policies on the Master & all the slaves will automatically synchronize themselves, to your policies on the master. You can even create unique policies for any of the slave proxies. Master-Slave configuration can be used in both, a single Gateway scenario to forward all request to the Master server; or in a distributed scenario, with independent Internet connections.

Master-Slave in Single Gateway scenario

Master-Slave in distributed network scenario

2008 Office Efficiencies (India) Pvt. Ltd.

Multiple Proxy Configuration

126

Config synchronization allows a 'slave' proxy to match it's configuration to a 'master' proxy, and to update it's configuration automatically when it detects changes made to the master. Using config synchronization in Safesquid is surprisingly easy. A Master server can be set up in the normal way you would set up a stand alone server, and the only additional step that needs to be taken is - to ensure every slave proxy is covered by an access rule, which allows it to access the Web interface. Now, for every slave proxy, while installing SafeSquid, just mention the IP:PORT or FQDN:PORT of the Master server, in the "MASTER =" parameter (option 16/28 in version 4.1.1). This automatically configures the server to 'pull' configuration parameters from the Master server. The synchronization interval can be specified in the SYNCTIME parameter. If this parameter is not modified, or if left blank, SafeSquid selects the default SYNCTIME of 60 seconds You can also edit the startup.conf (found in /opt/safesquid/safesquid/init.d/ directory) file of an exiting server, and modify the MASTER and SYNCTIME parameter. There are some additional command line options which you may need to use, they are: -H - specify the proxy's own hostname, instead of using the one in the configuration file... reason should be obvious, you don't want every proxy having the same hostname, especially when using CARP. -I - the interval, in seconds, between synchronization attemps with the master.

2008 Office Efficiencies (India) Pvt. Ltd.

127
-L - specify the interface and port to listen for connections on, this is used in addition to the configuration gathered from the master. -S - a comma-seperated list of section names which are synchronized, when used other sections won't be synchronized. -E - a comma-seperated list of section names which aren't synchrnozed, when used other sections will be synchronized. When using config synchronization, you may also specify a configuration file in the command line which is loaded before config synchronization is performed. This is useful if you wish to exclude some sections from being synchronized and load them from a file instead. The 'Proxy host' option in Profile entries can be used to have separate configuration options for specific slaves.

2008 Office Efficiencies (India) Pvt. Ltd.

Multiple Proxy Configuration

128

10

Reverse Proxying
A Reverse proxy is a proxy server which sits between a Web server and the rest of the internet, filtering content provided by your Web server for clients. Safesquid can work in this manner by using transparent proxying and redirecting. The advantage of using SafeSquid as a reverse proxy, is it's content filtering features. Just as you can use SafeSquid to control user access to the internet, in reverse proxy mode, you can be used use to control who can access what on your web server from the outside world, and thus secure your web server. A few examples Allow only authenticated access to specific content Create groups of users and allow different access rights Enhance security by accepting requests only from specific browsers, like IE & Firefox Virus scan content being uploaded to the web server Use as a Load Balancer by redirecting requests to multiple web servers. Easily redirect requests to another server, when the original server requires maintenance down-time. Dynamically generate or modify content in real-time Easily manage rules with browser-based GUI To set a reverse proxy, simply have SafeSquid listen on the interface and port in place of your Web server. Configure the Web server to listen on a different port, and redirect all requests made to the proxy server to the Web server using a redirect entry. For a simple example, create the following rule in 'URL Redirecting' section, to redirect request to your web server: (For a detailed description about URL Redirecting, see URL Redirect)

Option Enabled Comment Profiles URL Redirect Port 302 redirect Options

Value Yes:

No:

.* http://webserver/$1 80 Yes:

No:

Encode URL Decode URL after

p p
Submit

Decode URL before p Applies to Location header: URL: Both:

You will also need to ensure there is an access entry that matches all clients that will be

2008 Office Efficiencies (India) Pvt. Ltd.

129
connecting to your Web server, and you should also restrict access to the bare miniumum (HTTP requests and Transparent requests). Reverse proxying can be combined with other features to perform many other tricks, such as creating a gateway between an intranet and the internet by using URL redirection, and rewriting to make URL's valid outside the intranet.

2008 Office Efficiencies (India) Pvt. Ltd.

Reverse Proxying

130

11

Chain Squid with SafeSquid


For various reasons, it may be desirable to use Safesquid in conjunction with Squid. This can be accomplished in two ways: (!) You may either have SafeSquid forward requests to Squid, or (2) have Squid forward requests to SafeSquid. Although it shouldn't matter, historically it has always worked better to have SafeSquid forward to Squid. Case 1: If you wish to forward requests from Safesquid to Squid, create a new forward entry with the Proxy and Port options filled with the hostname and port of Squid. Remember that SafeSquid won't forward to it's own host - so you will need to use your-IP instead of localhost if Squid is running locally and you're using the default configuration. Suppose Squid is listening on 192.168.0.175 Port 3128. Create the following rule under 'Forwarding' section:

Option Enabled Comment Proxy Port ICP peer type ICP port Type Applies to

Value true This rule forwards request to Squid 192.168.0.175 3128 None 0 HTTP HTTP,FTP,CONNECT

Now, if you would also like to use ICP to share cache content with Squid, you could also include the ICP entry in the same rule, like this -

Option Enabled Comment Proxy Port ICP peer type ICP port Type Applies to

Value true This rule forwards request to Squid 192.168.0.175 3128 Parent 3130 HTTP HTTP,FTP,CONNECT

Case 2:

2008 Office Efficiencies (India) Pvt. Ltd.

131

To have Squid forward requests to Safesquid, which is listening on 192.168.0.170 Port 8080, edit squid.conf file and add the following line to that: cache_peer 192.168.0.170 parent 8080 0

2008 Office Efficiencies (India) Pvt. Ltd.

Chain Squid with SafeSquid

132

12

Multi-ISP networks
SafeSquid has an option in 'Network Settings', to add new interface for outgoing connection. This is useful in networks where you need to split the load between different ISPs. It can also be useful to switch different ISPs due to slow net connection or discontinuity. This can be accomplished by following way: You wish to 1. Forward outgoing request of the user group 'Accounts' and 'Finance' to ISP whose connection is on interface with IP 192.168.0.175 2. Forward outgoing request of the user group IT and System to ISP whose connection is on interface with IP 192.168.0.180 Then, in 'Network Settings' section, add the following rules under the 'Interface' subsection -

Option Enabled Comment Profile IP Edit Delete Clone

Value true This rule forwards request to IP 192.168.0.175 Accounts,Finance 192.168.0.175 Up Down Top Bottom

Option Enabled Comment Profile IP Edit Delete Clone

Value true This rule forwards request to IP 192.168.0.180 IT,System 192.168.0.180 Up Down Top Bottom

Save settings after creating these rules by clicking on 'Save settings' in the top menu. And also restart the SafeSquid service by giving command /etc/init.d/safesquid restart Note: Profiles like 'Accounts', 'Finance' etc. are defined in the 'Access Restrictions' section Check Access Control for a detailed explanation.

2008 Office Efficiencies (India) Pvt. Ltd.

133

13

Using Profiles for granular Access Policies


SafeSquid is generally hosted in large enterprises or environments, to exploit its various filtering capabilities, besides simply providing a reliable mechanism of access to the WWW. In such enterprises, it is very natural that people would be expected to access the web for reasons that are partly similar, and for some reasons that are entirely unique to certain users or groups of users. It is impossible to think of a world, that would be governed by the same set of logic, that decides what's acceptable and what's not. SafeSquid's Content Filtering and Access Control system derives its reputation from it's configuration schema, that provides unlimited possibilities for re-configurable logic. This re-configurable logic allows enterprises, to build their Internet Access Policies, unmindful of the way filtering technologies are actually implemented. SafeSquid's configuration allows you to - very precisely define the situations. Each situation, thus defined is referred to as a Profile. Each Profile can be defined (or bound) by a programmable set of conditional parameters. Profiles are used as a conditional parameter in almost all of the various filtering sections in SafeSquid. You can thus ensure that filtering action happens exactly, as required. SafeSquid's Profiles feature allows you to accommodate the demands of extremely granular rules for Internet Access privileges and restrictions. Rest assured you will be able to deal with most complex situation, as long as you can accurately defining a situation, and thus properly Profile a situation. When you access the SafeSquid Web-GUI, notice the "Added Profiles" text-box in the Access Restriction Section and the Profiles Section. The Profiles are created by specifying (comma separated list) them, as "Added Profiles" in rules, in either of these sections. Both of these sections allow you to apply the profile as a result of matching of the various entries (conditional parameters) specified in each rule. The general rule is, if an entry is left blank, then it is translated as "not considered ", or "anything ", or "immaterial ". In our discussions about setting up user authentication, I showed to you - how, we could use the "Added Profiles ", in the Access Restrictions Section to create profiles that denote common and/or unique attributes for people. And we could then, use these as Profiles in the various filtering rules. We could similarly create Profiles in the Profiles Section. The Access Restrictions Section allows you to apply (add) Profiles based on user's identity (username/password; I.P. Address). Obviously the applied Profiles would not change unless the same user re-authenticated, using a new identity. A situation may not always be completely defined by - who's making the request, or the source of the request. The rules in Profiles Section help you to apply (add or remove profiles) based on conditional parameters like the the source of the content or target, the nature of content, time of the day etc. A profile applied by any previous rule can also be used as a conditional parameter! To do so, simply list them in the "Profiles" text-box. Each of the rules in the Profiles Section , is matched against a request, and if the conditional parameters set in the rule's various entered parameters (entries), the profiles specified in the "Added Profiles" entry is / are applied. Profiles specified in the "Removed Profiles" text-box entry would be removed, if any previously applied rule had set it. Understanding the creation and application of "Profiles" is the most essential part of overall SafeSquid's filtering configuration. Understanding how the Profiles work, internally, could be quite

2008 Office Efficiencies (India) Pvt. Ltd.

Using Profiles for granular Access Policies

134

useful. Each request is matched against the various rules in the Access Restrictions and Profiles Section. If all the specified conditional parameters (entries) of a rule match the request, then the list of profiles (specified in the Added Profiles text-box are included in the Profiles List (array) for that request. Similarly, if a rule in the Profiles Section has a list of profiles specified in the Removed Profiles text-box, then these profiles are deleted from the array. SafeSquid, thus builds an internal Profiles Array for each connection. SafeSquid ensures that a profile name is uniquely listed in the array. Each of the filters, uniquely processes a connection, based on the conditional parameters specified as entries in the various rules in the filters. Almost all Filters have Profiles as a conditional parameter. Thus by appropriately creating a profile and then, specifying them as a conditional parameter in any rule of any any Filtering Section, you can either subject or immunize the connection from a Filtering Rule. In the rest of the discussion unless, I specifically mention Profiles Section, you may presume that I am referring to Profiles as - an entity, created by making appropriate entry in the "Added Profiles" text-box, or deleted by specifying in the "Removed Profiles" text-box. You may therefore very safely think of Profiles as - "quite like tickets, labels or tokens ", that can be given or taken away, and filters as inspectors that process requests, depending upon the profiles applied or carried by that connection. I very strongly suggest, that you should review the list of conditional parameters available to create a profile and thus define a situation. To do so access the SafeSquid's WebGUI, click the "Config" link on the top menu, select the "Profiles" Option on the drop-down menu. SafeSquid is generally shipped with a set of sample rules in the Profile Section , click on the edit menu, to view the list of entries that have been specified or left blank. Pass your mouse, lazily over the names besides each of configuration text-boxes, check-boxes etc. A tool-tip should now be presenting you with contextual information about that entry, that may be used as a conditional parameter. Did you notice that the list of conditional parameters is pretty huge (monstrous?). But don't let that overwhelm you - because you can simply leave options blank, if they do not seem to be a conditional parameter, that distinguishes the situation, that you desire to Profile. I will try to help you understand, by a few practical examples, and to keep things lucid, I will omit the entries in any rule, that are supposed, to be left blank. I will also try to focus on the logic but, avoid the discussing reasons, about why one would want to create such rules. I guess an example would help here. Example #1

In an enterprise: Joseph, Ali, Radha and Sam, are employed in the Marketing department John, Shyam, Bill and Sagar are employed in the Finance department The corporate policy stated that: The Marketing people may access web-sites using any Internet Client or browser of their choice The Finance people were restricted to use only FireFox So, let's see how we would enter the rules into the various sections, to derive the necessary configuration:

2008 Office Efficiencies (India) Pvt. Ltd.

135
Rules in Access Restriction Section:

Option Enabled Comment PAM User name Added profiles Option Enabled Comment PAM User name Added profiles

Value true This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing" true (Joseph|Ali|Radha|Sam) Marketing Value true This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Finance" true (John|Shyan|Bill|Sagar) Finance

Rules in Profiles Section:

Option Enabled Comment Added profiles Option Enabled Comment Removed profiles Option Enabled Comment Removed profiles

Value true This rule creates and applies the Profile "Unacceptable_Client" to everybody Unacceptable_Client Value true This rule removes the Profile Unacceptable_Client for "Finance" users, but only when they use FireFox Unacceptable_Client Value true This rule removes the Profile "Unacceptable_Client" for "Marketing" users. Unacceptable_Client

Rules in URL Filter Section: (The Global Policy Set to Allow, and the following rule created in the Deny Sub-section)

2008 Office Efficiencies (India) Pvt. Ltd.

Using Profiles for granular Access Policies

136

Option Enabled Comment Profiles

Value true This rule Blocks / denies Internet access to all "Unacceptable_Client" Unacceptable_Client

In the above set of rules, I actually made use of the Comment fields, to explain the logic, of creating the rules. The profiles by themselves do not dictate any denial of access, the denial of access or blocking is an activity executed by the various filters. We had to eventually instruct the Url Filter to deny access to "unacceptable internet clients ". In the above example, the policy was about the nature of Internet Clients being used by people. So we logically profiled what constitutes or precisely defines the "Unacceptable_Client ". And then we created a single rule in URL Filter to deny access to all "Unacceptable_Client ". I hope that, you noticed that we identified the use of FireFox, was by using the entry for Request Header Pattern as a conditional parameter and removed the profile "Unacceptable_Client ", when it matched the PCRE (Perl Compatible Regular Expression)" .*FireFox.* ".The creation of PCRE, is a little off-topic, and we will discuss it, within another topic. Did you notice, that in the above configuration, the third and last rule in the Profiles Section explicitly removes the profile "Unacceptable_Client ", for the "Marketing" users. So what would happen, in case we added more rules in the Access Restriction Section , to profile users from other functional business groups? And what if the policies needed an alteration in future, to ensure, that the Internet Clients used by even the "Marketing" users, needs some regulation? I suppose you also appreciate the fact that, verification of this conditional parameter, is possible, only because, the browser (FireFox) used as the Internet Client, includes User_Agent Parameters in its request headers. There are a host of applications that are available, that allow you to spoof, this. For example, I could modify the "User-Agent" String of Internet Explorer to include the word FireFox! Because from the security perspective, it now seems so obvious, that we have left gaping holes! But I am pretty sure that, you should be able to modify the above rules-set to plug any such holes. Remember, rules can always be written, or modified to precisely deliver the results demanded by the policies. Much of the frustration faced by firewall rule makers, like you & I, would be because of situations left uncovered, or ambiguities contained in the policies. The best way to deal with the things therefore is - to note down the policies on a piece of paper, and logically dissect them with an open mind (stimulated by a cup of coffee!). The other primary reason for frustrations would be, inadequate information about the overall, benefits desired, by any policy.

The Profiles can be built to very precisely define situations, by subjecting them to a variety of conditional parameters. And then by applying the profile in to one or more rules in an appropriate filter, we can always define the restrictions or relaxations. Selecting the filter requires a little creativity and understanding of web-technologies.

Example #2

One of the most popular situations, that people request for rules is for blocking access to personal email services like yahoo, hotmail, gmail etc. However the request is always suffixed

2008 Office Efficiencies (India) Pvt. Ltd.

137
with a few clauses, that - people should be able to access the basic search engine services offered by these web-sites; queries based on certain kinds words should be prevented some of these queries should be universally prevented, while some queries should be permitted to only certain people; etc.. etc.. We can use PCRE to denote all hosts belonging to a group of web-sites, including their various sub-domains, or genuinely child web-sites. Carefully look at the use of site1 and site2 in this expression: (.*\.|^)(site1|site2)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$ This expression matches all of the following sites: site1.com site1.co.uk site1.info www.site1.com child.site1.com site2.com site2.co.uk site2.info www.site2.com child.site2.com

In fact it covers all possible combinations, to cover a layman's reference to "site1" or "site2" Moreover you could expand the list of sites covered by simply modifying the above expression. So, the following PCRE covers all web-sites of yahoo, hotmail and gmail: (.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$ (For the moment do not, stress too much to understand the use of characters like ". ""$ ""^" in the expression.) I could now create a profile called Personal_Emails like this: Rules in Profiles Section:

Option Enabled Comment Host Added profiles

Value true This rule applies "Personal_Emails" profile to all web-sites of yahoo, hotmail and gmail (.*\.|^)(yahoo|hotmail|gmail)(\.[^.]{2}\.[^.]{2,4}|\.[^.]{3,4})$ Personal_Emails

Rules in Cookie Filter Section: (The Global Policy Set to Allow, and the following rule created in the Deny Sub-section)

Option Enabled Comment Direction

Value true This rule blocks cookie exchanges with "Personal_Emails" Both

This time I chose Cookie Filter, because I know that you cannot log into http web-sites, if your cookies are disabled! And who would want to visit personal email sites, but not log in!! But then since, the web-site is not entirely blocked, the users can very conveniently use the other services,

2008 Office Efficiencies (India) Pvt. Ltd.

Using Profiles for granular Access Policies


that do not require any identification or authentication, like logins.

138

From security perspective, I would use making rules (like we just made above), to create a privacy blanket for my users. For example I could create a profile for all web-sites belonging to doubleclick and block all cookies travelling between my users and to to these sites. But then I suppose you are now quite conversant with Profiles, and should be able to translate, any of your corporate policies. The only problem (probably) would be PCRE.

2008 Office Efficiencies (India) Pvt. Ltd.

139

14

Using Authentication for Security and Creating User Profiles


Authentication is the key to web-security. Typically you might consider authentication, as the very first layer of your security. Authenticating the internet access, prevents spy-ware, malware, adware from exploiting your Internet Gateway. It also ensures that the "names" of the users show-up in the logs, instead of just IP-addresses, which can be so conveniently spoofed. And that can make - reviewing the log reports, so much more convenient! But most importantly, SafeSquid's Authentication mechanism sets the Access Restrictions, and creates the access profiles of the various users. The groups of users whose Internet Access can be broadly considered identical, can be given a common profile. You can start to configure, SafeSquid's authentication configurations in the Access Restriction Section. The Access Restriction Section has three subsections: * The Global Allow / Deny Policy setting; * Allow Sub-Section set of entries; * Deny Sub-Section set of entries. As you would expect in a typical FireWall: * Setting global policy to Allow, means you would consider all request sources to be acceptable, while you would specifically define the unacceptable sources in the "Deny" Sub-Section. * Setting global policy to Deny, means you would consider all request sources to be unacceptable, while you would specifically define the acceptable sources in the "Allow" Sub-Section. The rules are followed in a top-down hierarchy, and the first rule that matches a request's parameters, gets applied. As a thumb-rule, start by setting Global Policy to Deny. Don't worry, you can still (and very easily) allow all or specific sources of requests, to be acceptable. Now consider adding a rule. Since we, have set the global policy to Deny, very obviously, the rules created in the "Allow" Sub-Section, will be relevant and applicable. Clicking on the Add link in the Allow Sub-Section, will present you with a Dialog, where you can now define the parameters, that would identify a request that should be allow. The important things to notice here are the: * When you lazily move the mouse over the various things printed, on the dialog box, little Tool-Tips appear, that tell you about the significance of each option and settable element. * Text boxes for I.P. Addresses, User name, Password, Added Profiles. (There's also a text-box named "Profile", but just ignore it) system by making appropriate

2008 Office Efficiencies (India) Pvt. Ltd.

Using Authentication for Security and Creating User Profiles

140

* Radio-Button to enable / disable PAM * And a whole lot of check-boxes. Just move the mouse over the names that identify each of these check-boxes, and a relevant "ToolTip" will appear to tell you, more about that check-box. For the matter of lucidity and flow of the present discussion, let's just ignore these check-boxes. The Text boxes that we mentioned above are very important in our discussion here, besides the radio-buttons for PAM. The parameters that identify a request are constituted by what you set in the Text boxes for I.P. Addresses, User name, Password. The logic is simple - leaving any option blank, is equivalent to making it "irrelevant". Let me help you with some examples here:

Set the radio-button for PAM to "NO" leave I.P. Address - blank. Set User name to "test" and password to "zebra" This instructs, safesquid to send an authentication challenge to every user irrespective of the source I.P. address. And ONLY if the this challenge is responded with username "test" and password "zebra", the request is considered as "allowed" or "acceptable".

Now, if you wished to further narrow the scope of this acceptability, by narrowing it down to an I. P. address, repeat the steps in the above example, but this time, instead of leaving the I.P. address - blank, set it to an I.P. address. I guess, now if you wished to distinguish an "acceptable" request as a combination of I.P. address: 192.168.0.1, username "test" and password "zebra", you shouldn't have a problem, right? Broadening the scope to a range of I.P. address is also easily done. Suppose you wished to allow requests coming from an array of I.P. Addresses like - 192.168.0.1, 192.168.0.3, and all between 192.168.0.110 to 192.168.0.160, fill in the the I.P. Address text-box as: 192.168.0.1, 192.168.0.3, 192.168.0.110-192.168.0.160 Simple isn't it? Ok, so now you are ready to understand the relevance of the fourth text-box "Added Profiles" (continue to ignore the other text box called "Profiles"). Notice, that the "Added Profiles" is at the very last in the dialog. You can enter a comma separated list of tags, in the "Added Profiles Text Box. These tags can be just about any logical words, that commonly identifies one or more rules. These could be usergroups or work-functions of people. Let me try to help you understand this with the an example. Ramesh, Joseph and John belong to Accounts department, and are supposed to make internet access only from their respective workstations, that have I.P. address 192.168.0.1, 192.168.0.2, & 192.168.0.3. We would like to create common filtering and other rules that can be set in the various other sections of SafeSquid. So we will now create three rules as follows:

2008 Office Efficiencies (India) Pvt. Ltd.

141

Option Enabled Comment IP Address User name Password Added profiles Option Enabled Comment IP Address User name Password Added profiles Option Enabled Comment IP Address User name Password Added profiles

Value true This rule creates the Access Profile of Ramesh 192.168.0.1 Ramesh apple Accounts Value true This rule creates the Access Profile of Joseph 192.168.0.2 Joseph mango Accounts Value true This rule creates the Access Profile of John 192.168.0.3 John banana Accounts

Notice that in the above example, we maintained the "Added Profiles: Accounts" as a common, factor. This instructs SafeSquid to "profile" all internet requests made by Ramesh, Joseph and John as "Accounts". Now in any other section of SafeSquid, if you wished the filter-rule to affect John, Ramesh or Joseph, simply enter "Accounts" in the text-box named Profiles, in those sections (Not in the Access Restriction). In this discussion, I have consciously held back on discussing the effects of setting PAM to YES. Setting PAM to Yes makes SafeSquid talk to the PAM sub-system for validating the user's identity. To put things simply you would set PAM to YES, if you do not wish to maintain huge lists passwords within the SafeSquid configuration system. That is generally the way to live, when you have a large number of individuals in an enterprise, that must be served by SafeSquid. But then of course, you must first set the PAM Configurations for SafeSquid.

2008 Office Efficiencies (India) Pvt. Ltd.

Using Authentication for Security and Creating User Profiles

142

15

Configuring PAM
Identity management begins with authenticating a user's username and password. In a large enterprise you would have already established an identity management system. PAM (Pluggable Authenticating Mechanism) is a very popular UNIX based technology, and a standard sub-system of the common and popularly used Linux distributions. PAM, by itself is quite a sizeable subject, and a very mature technology. It serves various needs and applications are built to meet a variety of permutations and combinations. To maintain the lucidity of our discussions here, I will restrict the discussions to only relevant areas. PAM allows any service to easily communicate with a variety of Identity Management systems. The benefits of this are enormous. The most important benefit is - the username/password storage is not required to be done within the various applications, that the users are permitted to use. To keep our discussion contextual, here-further we will refer to an Identity Management System as an Authentication Service. An Authentication Service could be typically a Microsoft Windows SMB / AD service, or any other form of LDAP like OpenLDAP. It could also be a RADIUS server or an SQL Database. SafeSquid is intrinsically "PAM-aware". The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, you are free to choose how SafeSquid will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration for each PAMaware service can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf. Linux-PAM separates the tasks of authentication into four independent management groups: account management; authentication manage- ment; password management; and session management. The configuration file lists the tasks in an appropriate sequence, and the name of the PAM library that will be called to accomplish the task. SafeSquid requires only authentication and account to be configured. From the point of view of the SafeSquid application, it is not of primary importance to understand the internal behavior of the Linux-PAM library. These libraries are popularly referred to as modules. The important point to recognize is that the configuration file(s) define the connection between applications (services like SafeSquid) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks. PAM modules are readily available to verify username-password combinations from various authenticating services. A variety of PAM Modules are freely distributed. So you can judiciously decide the suitable module, depending upon the Authenticating Service, that you intend to use. To prevent configuration errors, please do check out if whether your chosen PAM module performs the Authenticate (auth) and/or Account tasks, and the correct usage for each of the respective tasks. Some PAM modules are very simple and straight forward to use. But there are some that require a lot of elaborate configuration, that involves some additional configuration files, and /or system configuration. SafeSquid 4.1.x and higher allow you to specify the name of the file in the /etc/pam.d directory, that must be used. This setting can be done only as an option in the command-line, when SafeSquid is started. In earlier versions it was fixed as "safesquid". To maintain the relevance of this discussion for users of older versions of SafeSquid, I will refer to /etc/pam.d/safesquid as the pam-configuration file. So when you want your user's username/password combination to be

2008 Office Efficiencies (India) Pvt. Ltd.

143
verified by an Authenticating System, you would begin with appropriately configuring the /etc/ pam.d/safesquid file. Look at the contents of a typical pam-configuration file:

############ CONFIGURATION EXAMPLE1 /etc/pam.d/safesquid ############ #%PAM-1.0 # This enables authentication of users created in the local system auth required pam_unix.so shadow ## This is a pretty standard directive and needs to be changed only in a very few special cases account sufficient pam_permit.so ############ END OF FILE ############

Notice, that we could enter comments, to record the purpose of each directive, for posterity. pam_unix module allows verification of username/password, of all user accounts created on a Linux / Unix server. pam_permit.so is a positive dummy, i.e. it simply responds with "success" for anything. Therefore it is quite obvious that the above PAM configuration file was created to very simply validate if a username/password was appropriate. This configuration file would be interpreted as follows: Authenticate (auth) the username/password using pam_unix PAM module. This authentication should be compulsorily required, and failure should be considered, as failure of the Authenticate task. The pam_unix PAM module should be used with an additional argument, "shadow" Validate if the user has a valid account using the pam_permit PAM module. This validation should be considered as sufficient for the success of the Account task.

Note - Both the tasks Authenticate and Account must be successfully accomplished for a username/password. Failure of either is enough for SafeSquid to refuse access. PAM has another interesting benefit to offer - Module Stacking. This allows you to extract some excellent benefits for enhanced security. Suppose you wished to allow access to any of the users, whose username/ password was stored on a Windows Domain Controller, or a Radius Server, or on the local linux host. The pam-configuration file would look quite like this:

############ CONFIGURATION EXAMPLE2 /etc/pam.d/safesquid ############ #%PAM-1.0 # This enables authentication of users created in the local system auth sufficient pam_unix.so shadow

2008 Office Efficiencies (India) Pvt. Ltd.

Configuring PAM
auth sufficient pam_smb_auth.so auth sufficient pam_radius.so

144

## This is a pretty standard directive and needs to be changed only in a very few special cases account sufficient pam_permit.so ############ END OF FILE ############

Notice that, in the above example we are using "auth sufficient" instead of "auth required", that was used in the previous example. This configuration file would be interpreted as follows: First Authenticate the username/password with pam_unix PAM module. If this is successfully done, then consider this as sufficient, and do not bother to authenticate the validity of the username/password with the remaining PAM modules listed for auth. If the validation with pam_unix PAM module fails, due to any reason, including inappropriate username/password, attempt to validate using pam_smb_auth PAM module. If this results in success, then simply skip any further validation in the "auth" list, else attempt to validate using the pam_radius PAM module. This effectively ensures that if the username/password is deemed valid by any one of the authenticating services - local host, or Windows Domain Controller, or the RADIUS server, then the "auth" task is successfully accomplished. Of-course, the "account" list needs to be additionally validated successfully. But then as I mentioned earlier, pam_permit PAM module is a dummy positive, so effectively unimportant.

You could surely use a more potent PAM module instead of pam_permit, that I have used in the above examples, to strengthen security, so that the tasks listed in the "account" list are more than trivia. I guess, having read so much of the above, you are more keen, to learn, how it would help you as an Application Manager for SafeSquid. So let me immediately take the discussion towards that, by analysing a situation and working out the solution with you. Suppose Joseph, Ali, Radha and Sam, belong to "Marketing" Department, in an enterprise. We would like to create a common profile for all of them, and then apply various filters and rules just to that one profile , so that it effectively applies to all these four people. In a previous discussion I had explained, how we could create a common profile for a number of people, by creating rules in the Access Restriction section, from SafeSquid's WebGUI. In that example we had consistently set PAM to NO. But now let me show, you how setting PAM to YES, reduces your works. As in those examples in Access Restriction, we set the Global Policy to Deny, and Add a rule in the Allow sub-section as follows:

2008 Office Efficiencies (India) Pvt. Ltd.

145

Option Enabled Comment PAM User name Added profiles

Value true This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing" true (Joseph|Ali|Radha|Sam) Marketing

Note, we merely listed the names of these four users in a (rather peculiar looking) PCRE format. And left the text-box meant for Passwords, as blank. Since it is quite topical, and a novice (to PCRE) reader might be a little upset, I will explain the PCRE (Perl Compatible Regular Expression) formatted list, that we have used here.

(Joseph|Ali|Radha|Sam) simply translates to Match if it is Joseph or Ali or Radha or Sam. You could simply add to this list as many usernames as you wish, just separated by the pipes - '|"

You could even create more such rules for people belonging to other job functions like Finance, or HR, etc. You could even create more than one rule to profile people belonging to the same department. You would want to to do that when there too many people in a department, and accommodating all of them within the same list would look rather unreadable or inelegant. You could even translate functional hierarchies, into setting web-access profiles, that are partially common, while providing additional privileges or constraints. Yes you would use the property of applying multiple profiles to people. Let me help you here with an example set of rules, created within the same configuration:

Option Enabled Comment PAM User name Added profiles Option Enabled Comment PAM User name Added profiles

Value true This rule creates the Access Profile of Joseph, Ali, Radha and Sam, and profiles them as "Marketing" true (Joseph|Ali|Radha|Sam) Marketing Value true This rule creates the Access Profile of John, Shyam, Bill and Sagar, and profiles them as "Marketing" true (John|Shyan|Bill|Sagar) Marketing,Night_staff,Instant_Messengers_Disallowed

Did you notice that the rules created above, covered eight people from the Marketing

2008 Office Efficiencies (India) Pvt. Ltd.

Configuring PAM

146

Department? They applied the profile "Marketing" to all these eight people; and also applied additional profiles - "Night_staff" and "Instant_Messengers_Disallowed" to John, Shyam, Bill and Sagar. So far, so good. Using your preferred authentication service with shouldn't be much of a task, for you, right? NO!! The real challenge with PAM actually begins here! As I mentioned above, there are various PAM modules available to use a variety of Authenticating Services. But each of these modules may require simple to very intricate additional configuration. This configuration could be as simple as providing with an argument like "shadow" for the pam_unix in the above example. But it could also be fairly more complex, involving other configuration files specifically relevant to the PAM module or maybe even some other additional services installed on the system.

2008 Office Efficiencies (India) Pvt. Ltd.

147

2008 Office Efficiencies (India) Pvt. Ltd.