15.17. Web Filter

You can find the Web Filter Settings at Services → SquidProxy.

The Web Filter is using SquidProxy, a caching proxy for the Web supporting HTTP, HTTPS and more.

15.17.1. Settings

SquidProxy

15.17.1.1. General Settings

Enabled can be changed to enable or disable SquidProxy. It’s disabled by default.

Proxy Interfaces are the interfaces and addresses the proxy is running on.

15.17.1.2. HTTP

Enabled can be changed to enable or disable HTTP. It’s enabled by default.

Proxy Port is the port the HTTP proxy server will listen on. Default is 3128.

Transparent Proxy can be enabled to make the proxy act as a transparent proxy. It’s disabled by default. The transparent proxy will redirect any traffic to port 80 on the Proxy Interface to Squid.

SquidProxy

15.17.1.3. HTTPS

Enabled can be changed to enable or disable HTTPS. It’s disabled by default.

Proxy Port is the port the HTTPS proxy server will listen on. Default is 3129.

Transparent Proxy can be enabled to to make the proxy act as a transparent proxy. It’s disabled by default. The transparent proxy will redirect any traffic to port 443 on the Proxy Interface to Squid. Since traffic is encrypted and the Transparent Proxy of VT AIR does not do a Man in the Middle Attack the desired information are obtained from looking at the connection start and extracted IPs and the SNI field. This leaves the client without warnings about the connection while obtaining enough information to evaluate HTTP Access rules.

HTTPS Proxy Mode can be configured when Transparent Proxy is enabled. It can be either SNI Scan or Man-in-the-Middle. SNI will look at the SNI field during the TLS handshake. Man-in-the-Middle will break the connection and presents the client it’s own Certificate. The client must trust the Certificate or a browser warning is generated.

Verify DNS Verify HTTPS Header Domain against the DNS entry. Disabling this allows security risks like spoofing. On the other hand google or amazon sites usually do not work when transparent SSL is enabled because they use so many DNS entries.

Certificate can be configured which certificate will be used.

15.17.1.4. Cache Settings

Hard Disk Cache Size is the amount of disk space to use in megabytes. The default is 100 MB.

Memory Cache Size specifies the ideal amount of memory to be used in megabytes. Default is 256 MB.

SquidProxy

15.17.1.5. Clamav Anti-Virus

ClamAV can scan the webtraffic of the proxy for viruses. This only works when the traffic can actually be seen unencrypted and is uneffective in the transparant HTTPS case.

Enabled enable or disable the virus scan.

Error Page is the complete url of an error page where the user is redirected to if a virus is found.

Update Interval specifies how often the virus definition should be updated during a 24 hour period.

15.17.1.6. Blocklist

Allows you to import a wide variety of community created blocklists. The Blocklist categories are imported to the ACLs and can be used for HTTP Access Rule.

Enabled enable or disable the blocklists.

Update Interval specifies how often the blocklist definition should be updated.

SquidProxy

15.17.1.7. WPAD Autoconfigure

WPAD allows your clients to enable the Auto Proxy setting and find the VT AIR Webfilter.

Proxy lets you choose the HTTP or HTTPS proxy port.

WAPD Interface is the interface address used to propagate to the clients. Only one ipaddress can be used here so make sure that the connection is allowed in the Firewall.

A DNS record with wpad is created to find the settings.

The wpad file is served by the webserver over port 80.

SquidProxy WPAD

15.17.1.8. Advanced

Visible Hostname will be displayed in proxy server error messages. Default is localhost.

Administrator’s Email will be displayed in error messages to the users. Default is admin@localhost.

Custom Options can be used for custom configuration parameters for the config. They are placed between ACLs und HTTP Access definitions.

15.17.2. ACL

SquidProxy

Defining an Access List. An ACL has a type Source, Destination Domain, Destination Regex, Port, Protocol or Custom. Custom allows you to pick an ACL Type from the Squid manual (Squid ACL).

An ACL entry can have one or multiple entries and you have to enter one per line. For example the ACL Source could contain:

  • 192.168.100.1
  • 192.168.101.0/24

15.17.3. HTTP Access

SquidProxy

Allowing or Denying access based on defined access lists. HTTP Access lists are defined by combining ACLs with either AND or OR. You can also negate an ACL with NOT.

This allows you to define access or decline access based on ACLs.

For example to deny access to www.google.com you have to create an ACL of type Destination Domain. You can use that ACL in HTTP Access of type Deny.

The order of HTTP Access matters and you can drag & drop entries in the list to create the desired order.

15.17.4. Example Proxy Configuration

SquidProxy can be configured as a Proxy in your network. This means that traffic from inside your network can be analyzed before leaving towards the internet and web content entering your network can be cached. This is useful for blocking access to specific services that are unwanted but not necessarily malicious (which is a task for Intrusion Detection Intrusion Detection) and to save on bandwidth when browsing the internet with multiple clients in your local network.

A typical configuration is shown here. Go to Services → Web Filter and enable the package. Typically you’d want your local network (e.g. LAN) selected as the Interface.

Transparent Proxy

Top configure your SquidProxy as a transparent proxy that caches web traffic for your local network, enable HTTP and HTTPS as well as the Transparent Proxy option on both.

SquidProxy HTTP(S) Config

Be aware that the HTTPS transparent proxy can not look inside encrypted traffic. Only the certificate and hostname are visible to make decisions.

Proxy with anti-virus

Then Enable ClamAV Anti-Virus and choose an update interval. The anti virus can only inspect unencrypted traffic. For HTTPS transparent proxy no virus scan can be performed.

Blocklists

Enable Blocklist and choose an update interval to pull in the predefined blocklists.

To configure your blocklist settings go to Services → SquidProxy → ACL. Here you can find an overview of all the blocklisting categories that are available. Go to Services → SquidProxy → HTTP Access to create the filtering rules.

Click Add or Edit to create or edit the blocklist rule. Set Action to Deny, Logical Operator to OR and add all the blocklist categories that you want to block under ACL.

SquidProxy Blocklist Configuration