2.5.2. URL Filter Administrative Web Page

URL filter extends IPCop's functionality with the ability to block access to unwanted domains, URLs and files. This feature is based on the well-known squidGuard redirector. The URL filter graphical user interface gives you access to all required settings, including squidGuard-compatible blacklists and time-, category- and client-based constraints.

URL filter was originally written by Marco Sondermann as an add-on module for IPCop. It was included in version v2.1.1 of IPCop.

2.5.2.1. URL Filter

The first line in the Settings box indicates if the filter service is stopped or running.

Common Settings section

2.5.2.2. Common settings

Enabled This box needs to be checked to enable the URL Filter. In addition, the URL Filter must be enabled on the Web Proxy page.

Log enabled Enable this to write a logfile with all offending requests.

Log username Enable this to add the username for each request to the logfile.

Split log by categories Split the logfile into single files, one for each category instead of one common logfile. The option Log enabled needs to be enabled.

2.5.2.3. Block categories

Different categories can be selected, depending on the blacklist installed.

Block categories section

2.5.2.4. Custom blacklist/whitelist/expression list

Custom blacklist - Enabled Enable this to block the manually entered domains and URLs.

Blocked domains (one per line) optional.  Define the domains you want to block. This could be:

example.net
subdomain.example.net

Blocked URLs (one per line) optional.  Define the URLs you want to block. This could be:

example.net/foo
example.net/foo/bar

Custom whitelist - Enabled Enable this for the manually entered domains and URLs to be allowed, even if listed in another category.

Allowed domains (one per line) optional.  Define the domains you want to allow. This could be:

example.net
subdomain.example.net

Allowed URLs (one per line) optional.  Define the URLs you want to allow. This could be:

example.net/foo
example.net/foo/bar

Custom expression list - Enabled Enable this to block URLs that match the manually entered expressions.

Blocked expressions (as regular expressions) optional.  Define the expressions to be blocked if they appear within a URL. You can use regular expressions for this, one per line.

2.5.2.5. File extension blocking

Binary files Enable this to block the download of executable files. This also includes files rated as potentially insecure. Extensions such as:

.bat .com .exe .sys .vbs

Multimedia Enable this to block the download of audio and video related files. Examples of multimedia file extensions are:

.aiff .avi .dif .divx .mov .movie .mp3 .mpeg .mpv2 .ogg .qt .wav .wma .wmf .wmv

Compressed archive files Enable this to block the download of compressed archives containing other files. Examples of compressed archive file extensions are:

.bin .bz2 .cab .cdr .dmg .gz .hqx .rar .sit .sea .tgz .zip

2.5.2.6. Network based access control

Unrestricted IP Addresses (optional).  The listed IP address(es) or network(s) will bypass all active filter rules.

Banned IP Addresses (optional).  The listed IP address(es) or network(s) will be banned, regardless of the active filter rules.

You can define one or more single host addresses, networks in CIDR notation, networks with a certain netmask, a range of hosts, or a combination of all of them.

Examples are:

192.168.0.54
192.168.0.0/24
192.168.0.0/255.255.255.0
192.168.0.100-192.168.0.200
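The following added example (not part of IPCop or squidGuard) parses the four entry formats listed above and audits a pair of lists before they are saved. Because unrestricted entries bypass all active filter rules, it flags unrestricted entries that cover many addresses and entries that overlap the banned list. The `max_bypass` threshold, the finding labels and the tolerance for host bits in a network entry are assumptions of this sketch.

```python
import ipaddress

def parse_entry(entry):
    """Turn one list entry into the ip_network objects it covers."""
    entry = entry.strip()
    if "-" in entry:  # host range, e.g. 192.168.0.100-192.168.0.200
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {entry}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # Single host, CIDR or address/netmask; strict=False tolerates host bits
    # (assumption: this sketch does not model how the filter treats them).
    return [ipaddress.ip_network(entry, strict=False)]

def audit(unrestricted, banned, max_bypass=64):
    """Return findings for invalid, overly broad and overlapping entries."""
    findings, parsed = [], {}
    for entry in list(unrestricted) + list(banned):
        try:
            parsed[entry] = parse_entry(entry)
        except (ValueError, TypeError):
            findings.append(("invalid", entry))
    for u in unrestricted:
        # Every address in an unrestricted entry skips all filter rules.
        if u in parsed and sum(n.num_addresses for n in parsed[u]) > max_bypass:
            findings.append(("broad-bypass", u))
    for u in unrestricted:
        for b in banned:
            if u in parsed and b in parsed and any(
                    x.overlaps(y) for x in parsed[u] for y in parsed[b]):
                findings.append(("overlap", u, b))
    return findings

# Constructed sample lists; the last unrestricted entry is deliberately invalid.
UNRESTRICTED = ["192.168.0.54", "192.168.0.0/255.255.255.0", "192.168.0.300"]
BANNED = ["192.168.0.100-192.168.0.200"]

if __name__ == "__main__":
    for finding in audit(UNRESTRICTED, BANNED):
        print(finding)
```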

2.5.2.7. Time based access control

There are two buttons in this section. Set time constraints opens another GUI dialog for time based constraints, and Set user quota opens a GUI dialog for user based time quotas.

The first button takes you to a dialog which allows you to add and edit time constraint rules. Current rules are displayed at the foot of the page.

Time constraint rule dialog screen

Definition Determines whether the rule will be active within or outside the given time frame.

Weekday Select the weekdays from Monday to Sunday for the rule.

From/to Start and end time for the rule. Note: The time refers to URL filter time and not to the local client time!

Source Enter the source host or network address(es) for the rule.

Destination Select one or more categories. To select more than one category, press the Ctrl key and click the desired category.

In addition to the regular block categories, there are four more categories:

any : includes all categories
in-addr : includes all URLs accessed by their IP address
files : includes all file extension blockings
custom-blocked : includes the custom blacklist domains and URLs

These categories can be selected regardless of whether they are activated on the main page.

Access Determines whether the rule will allow or block access.

Enabled Enables the rule.

Add/Update Saves the rule. Note: The URL filter needs to be restarted to activate the changes!

Reset Resets all changes for the current rule and re-reads the saved settings.

<< Returns to the main URL Filter page.

Current rules Shows all existing time constraint rules.

Note

All rules are applied in the same order as they are listed!

The Set user quota button takes you to a dialog which allows you to add and edit user time quota rules. Current rules are displayed at the foot of the page.

User time quota rule dialog screen

Time quota The time (in minutes) a user may have access to the web. The counter starts with the first request and the user is blocked when this time limit is reached.

Activity detection If the user doesn't access any website for 5 or 15 minutes, the quota limit will not be decreased until the next request is sent.

Refresh Specify the time frame for the given user quota. The quota for this user will be reset either hourly, daily or weekly.

Assigned users The RFC931 compliant user names that will be affected by this rule.

Enabled Enables the rule.

Add/Update Saves the rule. Note: The URL filter needs to be restarted to activate the changes!

Reset Resets all changes for the current rule and re-reads the saved settings.

<< Returns to the main URL Filter page.

Current rules Shows all existing time constraint rules.

Note

The current quota counters will be reset for all users when restarting the URL filter, the proxy service or rebooting the server!

2.5.2.8. Block page settings

When a client tries to visit a web page on the blocked list, it is redirected to the “Block page” shown below. The contents of the Block page can be customised by changing various settings.

Access denied Block page

Show category on block page If enabled, the blocked category will be shown in the block message. This can be a useful hint, if you are not sure which category is blocking your request.

Show URL on block page If enabled, the requested URL will be shown in the block message.

Show IP on block page If enabled, the client IP address will be shown in the block message.

Use DNS Error to block URLs The default block message will be replaced by a “Server or DNS not found error” message. This can be useful when you want to let the destination appear to clients as Offline, rather than as Blocked. This option should only be used with the Web Proxy service running in transparent mode.

Enable background image If enabled, a background image is displayed on the block page. The default image is the IPCop logo.

The background image can be replaced by your own custom image, if a .png graphic file is placed on IPCop, in this directory with this filename:

/home/httpd/html/images/custom-redirect-background.png

Redirect to this URL (optional).  You can define a custom website to which clients will be redirected if they are blocked.

Message line 1 (optional).  You can define your own text here to replace the default text “ACCESS DENIED” on the block page.

Message line 2 (optional).  You can define your own text here to replace the default text “Access to the requested page has been denied” on the block page.

Message line 3 (optional).  You can define your own text here to replace the default text “Please contact the Network Administrator if you think there has been an error” on the block page.

Remember to Save and restart the service after making any changes.

2.5.2.9. Advanced settings

Enable expression lists Enables predefined expression lists. In addition to the domain and URL lists, all URLs will be checked for certain keywords. The existence of those expression lists depends on the installed blacklist.

Enable SafeSearch Enables the search-engine based SafeSearch filtering for image search and ordinary web search. This may depend on whether a search-engine supports the SafeSearch feature.

Block sites accessed by their IP Address If enabled, all sites accessed by their IP address will be blocked. The same sites will be available if accessed by their domain name, and if not blocked by another rule.

Block "ads" with empty window Enable this to replace banners, pop-up windows and advertisements with a blank window. This will be done by redirecting to a 1 pixel sized .gif file. Requires the category “ads” or “adv” to be selected for blocking.

Block all URLs not explicitly allowed Enable this to block all requests, except for those defined in the “Custom Whitelist”.

Allow custom whitelist for banned clients All requests from banned clients (banned by definition or by time constraints) will be blocked by default. If enabled, this option allows the banned clients to request websites from the Custom Whitelist. The Custom Whitelist must be enabled for this.

2.5.2.10. Save/Save and restart

Save After making any changes, press the Save button to save them.

Save and restart Use the Save and restart button to save and apply changes.

2.5.2.11. Blacklist Maintenance

Any squidGuard compatible blacklist can be installed with URL Filter. If you install a new blacklist, all existing categories will be replaced and all additional new categories will be added.

The .tar.gz archive must have the internal path blacklists/category/list where category will be the name of the category and list will be one or more files named domains, urls or expressions.
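The following added example (not IPCop's own code) checks a blacklist archive against the layout described above before it is uploaded or installed. It lists the categories found and reports members that fall outside blacklists/category/list, including path traversal and link entries. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import tarfile

ALLOWED_LISTS = {"domains", "urls", "expressions"}  # list names from the text above

def check_blacklist_archive(fileobj):
    """Return (categories, problems) for a .tar.gz blacklist, without extracting."""
    categories, problems = set(), []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.rstrip("/").split("/")
            if m.name.startswith("/") or ".." in parts:
                problems.append(f"unsafe path: {m.name}")
            elif not (m.isfile() or m.isdir()):  # symlinks, hard links, devices
                problems.append(f"not a regular file or directory: {m.name}")
            elif parts[0] != "blacklists" or len(parts) > 3:
                problems.append(f"outside blacklists/category/list: {m.name}")
            elif m.isfile() and (len(parts) != 3 or parts[2] not in ALLOWED_LISTS):
                problems.append(f"unexpected file: {m.name}")
            elif m.isfile():
                categories.add(parts[1])
    return sorted(categories), problems

def build_sample():
    """Constructed archive: two valid lists plus three entries that must be flagged."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("blacklists/ads/domains", "blacklists/ads/urls",
                     "blacklists/ads/notes.txt", "blacklists/../escape/domains"):
            data = b"example.net\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("blacklists/games/domains")
        link.type = tarfile.SYMTYPE          # link entry posing as a list file
        link.linkname = "/etc/hostname"
        tar.addfile(link)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    cats, probs = check_blacklist_archive(build_sample())
    print("categories:", cats)
    for p in probs:
        print("problem:", p)
```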

Depending on your hardware performance (especially your hard disk) and the size of the blacklist, it may take several minutes to compile the blacklist into prebuilt databases. Prebuilt databases are required to speed up the start process of the URL Filter significantly, especially on machines with a poor level of performance.

Blacklist Maintenance section

Blacklist Update Automatic blacklist updates can be scheduled in the Scheduler section.

Check for Updates after IPCop connects When enabled, IPCop automatically checks for a blacklist update when it connects to the Internet.

Blacklist Source Select one of the predefined download sources, or a custom source URL.

If the custom source URL is selected for the download source, enter the complete URL for the blacklist in the Custom Blacklist URL field.

After making any changes, press the Save button to save them.

Manually upload a Blacklist If you have a squidGuard-compatible blacklist file or a backup of a previously installed blacklist, you can upload it in this section. The file will be uploaded and compiled for use by the URL filter.

Blacklist Editor See Section below.

2.5.2.12. Blacklist Editor

Introduction to be written...

Blacklist Editor page

Blacklist name Section to be written...

Edit domains, URLs and expressions Section to be written...

Load blacklist Section to be written...

Import blacklist Section to be written...

Export blacklist Section to be written...

Install blacklist Section to be written...