Smoothwall

Configuring Squid

[This modification has been verified to work with Smoothwall Express 2.0.] 

This page describes how to filter web traffic using Squid ACLs, and also covers various other Squid configuration elements. Squid is the web proxy software used on Smoothwall.

Requirements:
You'll need: 

  • A Smoothwall Express 2.0 installation (obviously...).
  • A way of getting a command-line prompt on your Smoothwall box (either by logging directly onto your Smoothwall box, using a SSH client such as PuTTY or SSH Secure Shell, or via the Smoothwall web interface).

A Web Proxy?
Squid is the most popular web proxy software available, and Smoothwall comes with Squid pre-installed.

There are a number of reasons why you might want to use a web proxy:

Cache Web Page Content:
The primary purpose of a web proxy is to cache web content locally. This provides a number of benefits, including faster web browsing, and less bandwidth usage.
Whether you're using a dialup account or a fast ADSL account, reducing the amount of data that needs to be retrieved from the source webserver will provide you with a faster web browsing experience. This is particularly true if multiple users on your green network visit the same pages, or if you frequent a web-based forum or bulletin board, as all images will be cached by the proxy server.

Restrict Web Page Access:
If PCs on your green network are configured to use the web proxy, you can restrict access to specified sites, only allow access to specified sites, restrict PCs to only have web access during specified time periods, etc.

Block Advertisements:
If all web traffic is going through the web proxy, you can block advertisements that are displayed on web pages. For more information on doing this, see my page on Ad Zapping with Squid.
Blocking webpage advertisements can also provide additional benefits on slower internet connections, as the volume of data is reduced, due to the advertisements not being loaded from the originating webserver.
Updating multiple PCs from Microsoft's Windows Update site through a web proxy also means the patches are only downloaded once, and are then cached locally by the web proxy.

Monitor Web Sites Being Visited:
All web pages that are accessed through the web proxy are logged to the Squid access log. You can then use this data to monitor exactly which users are visiting which sites. See my Web Proxy Log Analysis Reports for more information on generating reports from the Squid access log.

Log Timestamp Correction:
The timestamps in the Squid access log on Smoothwall Express 2.0 are in GMT format.
This is because the strict access permissions on the /var/smoothwall/ directory prevent Squid from reading the timezone information.

To correct this, and get Smoothwall's Squid access log using the local time for all timestamps, execute the following from a command prompt on your Smoothwall:

chmod 701 /var/smoothwall/
/usr/local/bin/restartsquid

This will adjust the permissions on the /var/smoothwall/ directory (mode 701 lets users other than the owner traverse it), and restart the web proxy to make the change take effect.

Using Smoothwall's Web Proxy:
Smoothwall's web proxy can be configured to run in transparent mode, or in non-transparent mode.

In transparent mode, all web traffic going through Smoothwall will automatically be redirected to go through the proxy, without requiring any proxy configuration in the web browsers on the PCs on your green network.
This effectively forces all web browsing from PCs on your green network to go through Smoothwall's web proxy.

In non-transparent mode, all web browsers on your green network must be configured to use Smoothwall's green IP address on port 800 as a web proxy.

If you want to use Smoothwall's web proxy as a way of blocking some websites and/or some users, you should run the web proxy in transparent mode, to ensure users are not bypassing the proxy.

Any user who is blocked by any ACLs which you configure will see a Squid error page, indicating that their web access is being blocked by Smoothwall.


[Screenshot: the default access denied page]

Editing the Config File:
Smoothwall's Squid configuration is stored in /var/smoothwall/proxy/squid.conf.
However, you should never edit this file directly, as it's re-written each time changes are made to the web proxy configuration, or the proxy is restarted through the web interface.

Instead, you should always add your new configuration to /var/smoothwall/proxy/acl.

Applying Your Changes:
Any changes made to this file will take effect when you restart the web proxy through Smoothwall's web interface. This will cause Smoothwall to re-write /var/smoothwall/proxy/squid.conf, and include the contents of /var/smoothwall/proxy/acl.

As with any modifications to your Smoothwall, make a backup copy of this file before making any changes to it, so you can easily revert back to a known working version.

Only Allow Specific PCs:
If you only want to allow some PCs to use Smoothwall's web proxy, you can add one or more ACLs to limit this access.

Edit /var/smoothwall/proxy/acl, and before the line containing

http_access deny all

insert the following lines:

acl ok_users src 192.168.0.2
acl ok_users src 192.168.0.3
http_access allow ok_users

and add another acl line for each PC you want to allow.
You'll also need to comment out the following line (it's the second-to-last line in the file):

http_access allow localnet

by inserting a # character at the beginning of the line.

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Block Specific Sites:
To block access to specific websites, edit /var/smoothwall/proxy/acl, and just before the line containing

http_access allow localnet

insert the following lines:

acl blocked_sites url_regex www.xxx.com
acl blocked_sites url_regex www.yyy.com
acl blocked_sites url_regex www.zzz.com
http_access deny blocked_sites

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Note that if you have a longer list of sites you want to block, it may be easier to list the websites in a text file, and then just reference the text file in the Squid configuration file.

Assuming you have created a text file called /var/smoothwall/proxy/badsites.txt, containing a single URL on each line, use the following in /var/smoothwall/proxy/acl:

acl blocked_sites url_regex "/var/smoothwall/proxy/badsites.txt"
http_access deny blocked_sites

If you make any changes to the contents of /var/smoothwall/proxy/badsites.txt, you'll need to restart the web proxy to make your changes take effect.

Time Restrictions:
You can also use Squid ACLs to restrict web browsing to specific times.

To allow a specific PC on your green network to access the web only during lunchtime on weekdays, edit /var/smoothwall/proxy/acl, and immediately before the line containing

http_access allow localnet

insert the following:

acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
http_access allow clients lunchtime
http_access deny clients

where the following day abbreviations can be used:

S    Sunday
M    Monday
T    Tuesday
W    Wednesday
H    Thursday
F    Friday
A    Saturday

Note that all times need to be in GMT, as Smoothwall's Squid is configured to use only GMT (all logs are timestamped with GMT times too).

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
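To see why the position of each inserted rule matters, here is an added example (mine, not code from this page or from Smoothwall) that evaluates a constructed /var/smoothwall/proxy/acl fragment the way Squid evaluates http_access: the first matching line wins, acl lines sharing a name are OR'ed (which is also what adding a second localnet line relies on), and the acls on one http_access line are AND'ed. It models the src, url_regex and time rules from the Only Allow Specific PCs, Block Specific Sites and Time Restrictions sections; the all and localnet acls, the client addresses and the URL pattern are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed fragment shaped like this page's /var/smoothwall/proxy/acl; 'all' and 'localnet' stand in for acls Smoothwall's squid.conf already defines
ACL_FRAGMENT = """
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/255.255.255.0
acl ok_users src 192.168.0.2
acl ok_users src 192.168.0.3
acl blocked_sites url_regex www.xxx.com
acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
http_access deny blocked_sites
http_access allow clients lunchtime
http_access deny clients
#http_access allow localnet
http_access allow ok_users
http_access deny all
"""

def parse(text):
    # acl lines sharing a name are OR'ed together; http_access rules keep file order
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # a leading '#' comments the line out
        if not line: continue
        kw, *args = line.split()
        if kw == "acl":
            acls.setdefault(args[0], (args[1], []))[1].extend(args[2:])
        elif kw == "http_access":
            rules.append((args[0], args[1:]))
    return acls, rules

def matches(name, acls, req):
    # req carries the client IP, the full URL, Squid's day letter (SMTWHFA) and HH:MM in GMT
    typ, vals = acls[name]
    if typ == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in vals)
    if typ == "url_regex":   # unanchored regex over the whole URL, so '.' matches any character
        return any(re.search(v, req["url"]) for v in vals)
    if typ == "time":        # e.g. "MTWHF 12:00-13:00"; the end time is treated as exclusive here
        days, (start, end) = vals[0], vals[1].split("-")
        return req["day"] in days and start <= req["hhmm"] < end
    return False             # other acl types are not modelled

def decide(text, src, url, day="M", hhmm="10:00"):
    # the first http_access line whose acls all match wins; falling off the end denies
    acls, rules = parse(text)
    req = {"src": src, "url": url, "day": day, "hhmm": hhmm}
    for action, names in rules:
        if all(matches(n, acls, req) for n in names):
            return action
    return "deny"
```

Because url_regex is an unanchored regular expression over the whole URL, the pattern www.xxx.com also matches any URL that merely contains that text (for instance in a query string), and the dots match any character; when you mean a hostname, Squid's dstdomain acl type is the stricter choice.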

Allow Another Network:
If you have another subnet behind your Smoothwall (i.e., behind a router on the green network, or similar), by default this subnet will not be able to use Smoothwall's web proxy, but will instead receive an error message saying the requested URL cannot be retrieved from the cache due to access control configuration.

Assuming you already have a static route in place to allow the other network to communicate with Smoothwall, edit /var/smoothwall/proxy/acl, and just before the line containing

http_access allow localnet

insert the following line:

acl localnet src 192.168.2.0/255.255.255.0

and replace the network address and subnet mask with that of your other subnet.

Smoothwall already has an acl for localnet, allowing the green network, so here we're adding another subnet to the acl which defines the networks allowed access to the proxy.

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Customising Error Pages:
If you're blocking access to some websites and/or some users, you may want to customise the error messages displayed by Squid, to provide more meaningful messages to your users.

All of the Squid error pages are in /var/squid/smootherrors/, so just identify the error page you want to modify, modify it as required, and restart the web proxy through Smoothwall's web interface to make your changes take effect.

For example, the error page displayed when attempting to access a page that has been blocked by ACLs is /var/squid/smootherrors/ERR_ACCESS_DENIED.

New Error Pages:
You can also define new error pages for specific ACLs, using the deny_info option.

For example, to display a new error page for the time-restricted user, create a new error page in the following location:

/var/squid/smootherrors/ERR_TIMERESTRICT

containing the error message you want to display to the user when they are denied access.

Then edit /var/smoothwall/proxy/acl, and immediately before the line containing

http_access allow localnet

insert the following:

acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
deny_info ERR_TIMERESTRICT clients
http_access allow clients lunchtime
http_access deny clients

This will cause your new error page to be displayed whenever the specified PC attempts to access the web outside of the allowed time period.

The deny_info option can be used in a similar way with any other ACLs.

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Change The Cache Administrator Email:
Most of the Squid error pages include a message mentioning the cache administrator. However, this message includes a non-existent and invalid email address of just webmaster.

It's easy to include a valid cache administrator email address on these error pages. To do so, add a line containing the following to the end of /var/smoothwall/proxy/acl:

cache_mgr email@host.com

replacing email@host.com with a valid email address of course!

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
