2.5.1. Web Proxy Administrative Web Page

A web proxy server is a program that makes requests for web pages on behalf of all the other machines on your intranet. The proxy server will cache the pages it retrieves from the web so that if 3 machines request the same page only one transfer from the Internet is required. If your organization has a number of commonly used web sites this can save on Internet accesses.

Normally you must configure the web browsers used on your network to use the proxy server for Internet access. You should set the name/address of the proxy to that of the IPCop machine and the port to the one you have entered into the Proxy Port box, default 8080. This configuration allows browsers to bypass the proxy if they wish. It is also possible to run the proxy in “transparent” mode. In this case the browsers need no special configuration and the firewall automatically redirects all traffic on port 80, the standard HTTP port, to the proxy server.

2.5.1.1. Web proxy

The first line in the Settings box indicates if the proxy server is stopped or running.

Figure 2.23. Web proxy - Common settings, Upstream proxy & Log Settings Sections


2.5.1.2. Common settings

You can choose if you want to proxy requests from your Green (private) network and/or your Blue (wireless) network (if fitted). Just tick the relevant boxes.

Enabled on...  Tick the appropriate checkbox to enable the proxy server to listen for requests on the selected interface (Green or Blue). If the proxy service is disabled, all client requests will be forwarded directly to the destination address.

Transparent on...  If “transparent mode” is enabled, all requests for the destination port 80 will be forwarded to the proxy server without the need to specially configure your clients.

Proxy Port This is the port on which the proxy server will listen for client requests. The default is 8080. In transparent mode, all client requests for port 80 will automatically be redirected to this port.

Visible hostname - optional.  If you want to display a different hostname in proxy server error messages to clients, or for upstream proxy servers, then specify it here. If you leave it blank, your IPCop's real hostname will be used.

Cache administrator email - optional.  You can specify an email address that appears in proxy server error messages to clients. If you leave it blank, “webmaster” will be used instead.

Error messages language You can select the language in which any proxy server error messages will be shown to clients.

Error messages design You can select the design style in which proxy server error messages are shown to clients. You can choose between “IPCop” and “Standard”.

The IPCop design includes a nice graphic banner, while the Standard design is the usual one shipped with Squid.

Figure 2.24. Proxy Error Message Designs. IPCop on the left, Standard on the right.


Note

If you define a Visible hostname (see above), the Standard design will always be used.

Suppress version information Tick this checkbox to prevent the display of the version of Squid Cache in Squid's error messages to clients.

Squid Cache version This indicates the version of Squid Cache installed.

2.5.1.3. Upstream proxy

These settings may be required for chained proxy environments.

If your ISP requires you to use their cache for web access then you should specify the hostname and port in the Upstream proxy text box. If your ISP's proxy requires a username and password then enter them in the Upstream username and Upstream password boxes.

Proxy address forwarding This enables the HTTP VIA header field. If enabled, this information will be added to the HTTP header:

1.0 ipcop.localdomain:8080 (Squid/2.7.STABLE7)

Note

If the last proxy in the chain doesn't strip this field, it will be forwarded to the destination host!

This field will be suppressed by default.

Client IP address forwarding This enables the HTTP X-FORWARDED-FOR header field. If enabled, the internal client IP address will be added to the HTTP header, e.g.:

192.168.1.30

This can be useful for source based ACLs or logging on remote proxy servers.

Note

If the last proxy in the chain doesn't strip this field, it will be forwarded to the destination host!

Instead of forwarding “unknown”, this field will be completely suppressed by default.
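The two notes above describe the same risk: whatever the Via and X-FORWARDED-FOR fields carry reaches the destination host unless the last proxy in the chain removes them. The following Python snippet is an added example (it is not IPCop or Squid code) that inspects a request as it would leave the chain and reports what an external host would learn: the proxy hostname and software version from Via, and the internal client address from X-Forwarded-For. The request text is a constructed sample built from the two header values quoted on this page; the header names are the real ones, everything else is assumed.

```python
import ipaddress
import re

# Constructed sample: the request an upstream proxy (or, if nothing strips the
# fields, the destination web server) sees when both "Proxy address forwarding"
# and "Client IP address forwarding" are enabled.
SAMPLE_REQUEST = (
    "GET http://www.example.net/ HTTP/1.1\r\n"
    "Host: www.example.net\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Via: 1.0 ipcop.localdomain:8080 (Squid/2.7.STABLE7)\r\n"
    "X-Forwarded-For: 192.168.1.30\r\n"
    "\r\n"
)

FORWARDING_HEADERS = ("via", "x-forwarded-for")


def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lower-cased name: [values]})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def is_private(addr):
    """True for RFC 1918, link-local and loopback addresses, False for anything else."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def find_leaks(raw):
    """List (header, detail) pairs describing what an external host learns from the request."""
    _, headers = parse_headers(raw)
    findings = []
    for via in headers.get("via", []):
        # Each Via hop looks like "1.0 host:port (product/version)".
        for hop in via.split(","):
            m = re.match(r"\s*\S+\s+(\S+)\s*(?:\((.*)\))?", hop)
            if not m:
                continue
            host, comment = m.groups()
            findings.append(("Via", f"proxy host {host} disclosed"))
            if comment and "/" in comment:
                findings.append(("Via", f"proxy software {comment} disclosed"))
    for xff in headers.get("x-forwarded-for", []):
        for addr in (a.strip() for a in xff.split(",")):
            if is_private(addr):
                findings.append(("X-Forwarded-For", f"internal client address {addr} disclosed"))
            elif addr and addr.lower() != "unknown":
                findings.append(("X-Forwarded-For", f"client address {addr} forwarded"))
    return findings


def strip_forwarding_headers(raw):
    """What the last proxy in the chain should do before a request leaves: drop both fields."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [
        line for line in lines[1:]
        if line.partition(":")[0].strip().lower() not in FORWARDING_HEADERS
    ]
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for header, detail in find_leaks(SAMPLE_REQUEST):
        print(f"{header}: {detail}")
    print("after stripping:", find_leaks(strip_forwarding_headers(SAMPLE_REQUEST)))
```

Running the check against the sample yields three findings (proxy host, proxy software, internal client address); after strip_forwarding_headers it yields none, which is the state a request should be in when it leaves the last proxy. If IPCop is itself the last proxy before the Internet, the equivalent is simply leaving both forwarding options off, as the page notes they are by default.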

Username forwarding If any type of authentication is activated, this enables the forwarding of the login name.

This can be useful for user based ACLs or logging on remote proxy servers.

Note

This is for ACL or logging purposes only, and doesn't work if the upstream proxy requires a real login.

This forwarding is limited to the username. The password will not be forwarded.

No connection oriented authentication forwarding This disables the forwarding of Microsoft connection oriented authentication (NTLM and Kerberos).

2.5.1.4. Log Settings

Log enabled If you choose to enable the proxy, then you can also log web accesses by ticking the Log Enabled checkbox. This enables the proxy server system log as well, which might be useful for troubleshooting.

Accesses made through the proxy can be seen by visiting the Proxy Logs webpage.

Logging also has to be enabled for the Proxy Graphs to work.

Log query terms The part of the URL containing dynamic queries will be stripped by default before logging. Enabling the option “Log query terms” will turn this off and the complete URL will be logged.

Log useragents Enabling “Log useragents” writes the useragent string to the log file /var/log/squid/user_agent.log. This log file option should only be enabled for debugging purposes, and the results are not shown in the GUI based log viewer.

2.5.1.5. Cache management

You can choose how much disk space should be used for caching web pages in the Cache Management section. You can also set the size of the smallest object to be cached, normally 0, and the largest, 4096KB.

For privacy reasons, the proxy will not cache pages received via https, or other pages where a username and password are submitted via the URL.


Warning

Caching can take up a lot of space on your hard drive. If you use a large cache, then the minimum size hard drive listed in the IPCop documentation will not be large enough.

The larger the cache you choose, the more memory is required by the proxy server to manage the cache. If you are running IPCop on a machine with low memory do not choose a large cache.

Memory cache size This is the amount of physical RAM to be used for negative-cached and in-transit objects. This value should not exceed 50% of your installed RAM. The minimum for this value is 1 MB, the default is 2 MB.

This parameter does not specify the maximum process size. It only places a limit on how much additional RAM the proxy will use as a cache of objects.

Harddisk cache size This is the amount of disk space, in MB, to use for cached objects. The default is 50 MB. Change this to suit your configuration. Do not put the size of your disk drive here. Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value.

How do I make IPCop proxy only, without caching anything?

Set the Memory cache size and the Harddisk cache size both to 0, to completely disable caching.

Min object size Objects smaller than this size will not be saved on disk. The value is specified in kilobytes, and the default is 0 KB, which means there is no minimum.

Max object size Objects larger than this size will not be saved on disk. The value is specified in kilobytes, and the default is 4 MB. If speed matters more to you than saving bandwidth, leave this value low.

Number of level-1 subdirectories The default value for the harddisk cache level-1 subdirectories is 16.

Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the harddisk cache. This will significantly slow down the startup process of the proxy service but can speed up the caching under certain conditions.

Note

The recommended value for level-1 directories is 16. You should increase this value only when it's necessary.

Memory replacement policy The memory replacement policy parameter determines which objects are purged from memory, when memory space is needed. The default policy for memory replacement on IPCop is LRU.

Possible replacement policies are:

LRU

Squid's original list based Least Recently Used policy. The LRU policy keeps recently referenced objects; that is, it replaces the object that has not been accessed for the longest time.

heap GDSF

The heap Greedy-Dual Size Frequency policy optimizes object hit rate by keeping smaller popular objects in cache, so it has a better chance of getting a hit. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects.

heap LFUDA

Least Frequently Used with Dynamic Aging. This policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached.

heap LRU

Least Recently Used policy implemented using a heap. Works like LRU, but uses a heap instead of a list.

Note

If using the LFUDA replacement policy, the value of Max object size should be increased above its default of 4096 KB to maximize the potential byte hit rate improvement of LFUDA.

Cache replacement policy The cache replacement policy parameter decides which objects will remain in cache and which objects are evicted (replaced) to create space for the new objects. The default policy for cache replacement on IPCop is LRU.

See above for details.
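To make the difference between the policies concrete, here is an added simulation (not IPCop or Squid code) of the three eviction rules as described above: LRU evicts the object referenced longest ago; GDSF and LFUDA keep a key per object (L + references/size and L + references respectively) and evict the lowest key, where L, the inflation value, is set to the key of the last evicted object so that long-lived entries age out. Object names, sizes and the cache size are constructed, and the tie-break on equal keys (older reference evicted first) is my choice. The constructed trace holds one popular 80 KB object and one 10 KB object; when a 20 KB object then needs room, GDSF gives up the large popular object while LFUDA and LRU give up the small one, which is exactly the hit-rate versus byte-hit-rate trade-off the text describes.

```python
class Cache:
    """Fixed-size cache that evicts by a policy key, mirroring the three Squid policies.

    lru   : key = time of last reference (oldest reference evicted first)
    gdsf  : key = L + refs / size   (Greedy-Dual Size Frequency)
    lfuda : key = L + refs          (Least Frequently Used with Dynamic Aging)
    L ("inflation") is the key of the most recently evicted object.  Keys are
    assigned when an object is inserted or hit, not recomputed later, so an
    object that stops being referenced keeps its old key and eventually ages out.
    """

    def __init__(self, policy, capacity_kb):
        if policy not in ("lru", "gdsf", "lfuda"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.capacity = capacity_kb
        self.used = 0
        self.inflation = 0.0
        self.clock = 0
        self.entries = {}  # name -> {"size", "refs", "last", "key"}

    def _key(self, refs, size):
        if self.policy == "lru":
            return float(self.clock)
        if self.policy == "gdsf":
            return self.inflation + refs / size
        return self.inflation + refs

    def _evict_one(self):
        victim = min(self.entries, key=lambda n: (self.entries[n]["key"], self.entries[n]["last"]))
        e = self.entries.pop(victim)
        if self.policy != "lru":
            self.inflation = e["key"]  # dynamic aging: L := key of the evicted object
        self.used -= e["size"]
        return victim

    def request(self, name, size_kb):
        """Return True on a hit; on a miss, insert the object (evicting as needed) and return False."""
        self.clock += 1
        e = self.entries.get(name)
        if e is not None:
            e["refs"] += 1
            e["last"] = self.clock
            e["key"] = self._key(e["refs"], e["size"])
            return True
        if size_kb > self.capacity:
            return False  # like an object over Max object size: never stored
        while self.used + size_kb > self.capacity:
            self._evict_one()
        self.entries[name] = {"size": size_kb, "refs": 1, "last": self.clock,
                              "key": self._key(1, size_kb)}
        self.used += size_kb
        return False


def simulate(policy, trace, capacity_kb=100):
    """Replay a trace of (name, size_kb) requests and report hit rate, byte hit rate and contents."""
    cache = Cache(policy, capacity_kb)
    hits = bytes_hit = bytes_total = 0
    for name, size in trace:
        bytes_total += size
        if cache.request(name, size):
            hits += 1
            bytes_hit += size
    return {
        "hits": hits,
        "misses": len(trace) - hits,
        "hit_rate": hits / max(len(trace), 1),
        "byte_hit_rate": bytes_hit / max(bytes_total, 1),
        "contents": sorted(cache.entries),
    }


# Constructed trace: a popular 80 KB object, a 10 KB object, then a 20 KB object
# that only fits after an eviction (cache size 100 KB).
TRACE = [("big", 80), ("small1", 10), ("big", 80), ("big", 80), ("small2", 20)]


def compare(trace=TRACE, capacity_kb=100):
    return {p: simulate(p, trace, capacity_kb) for p in ("lru", "gdsf", "lfuda")}


if __name__ == "__main__":
    for policy, result in compare().items():
        print(f"{policy:6s} hits={result['hits']} byte_hit_rate={result['byte_hit_rate']:.2f} "
              f"keeps={result['contents']}")
```

On this trace GDSF ends with small1 and small2 in cache (the large object is the lowest key at 3/80) while LFUDA and LRU keep big and small2. The walk-through also shows why the note on Max object size matters: LFUDA can only favour large popular objects that are allowed into the cache in the first place. For a real measurement, replay the URL and size columns of your own access log rather than a constructed trace.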

Enable offline mode Enabling this option will turn off the validation of cached objects. This gives access to more cached information (stale cached versions, where the original server should have been contacted).

Do not cache these destinations (optional).  A list of sites which cause the request to not be satisfied from the cache and the reply to not be cached. In other words, use this to force objects to never be cached.

Examples:

Entire domains and subdomains

*.example.net
*.google.com

Single hosts

www.example.net
www.google.com

IP addresses

81.169.145.75
74.125.39.103

URLs

www.example.net/download
www.google.com/images

Note

You can enter all of these destination types in any order.

2.5.1.6. Destination ports

These fields enumerate the allowed destination ports for standard HTTP and SSL encrypted HTTPS requests.


The ports can be defined as a single port number or a range of ports.

Default standard ports

80 # http
21 # ftp
443 # https
1025-65535 # unregistered ports
800 # Squid's port (for icons)

Default SSL ports

443 # https
8443 # alternative https
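The two port lists above use one format: a single port or a lo-hi range per line, with an optional # comment. As an added example (not IPCop's own code), the Python below parses that format, rejects malformed lines and out-of-range ports, and applies the same decision the proxy makes: CONNECT requests (used for HTTPS) may only go to the SSL ports, all other requests only to the standard ports. This mirrors the Safe_ports and SSL_ports ACLs of a stock squid.conf; the function names and the decision helper are my own. The two lists are the page's defaults, embedded as constructed input.

```python
import re

# The page's default lists, embedded as constructed input.
STANDARD_PORTS = """\
80 # http
21 # ftp
443 # https
1025-65535 # unregistered ports
800 # Squid's port (for icons)
"""

SSL_PORTS = """\
443 # https
8443 # alternative https
"""


def parse_ports(text):
    """Parse 'port' or 'lo-hi' lines (trailing # comments ignored) into a list of (lo, hi)."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", line)
        if not m:
            raise ValueError(f"line {lineno}: not a port or port range: {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: range out of order or out of bounds: {raw!r}")
        ranges.append((lo, hi))
    return ranges


def port_allowed(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def request_allowed(method, port, standard=None, ssl=None):
    """CONNECT (HTTPS tunnels) is checked against the SSL ports, everything else
    against the standard ports.  Lists default to the page's defaults."""
    standard = parse_ports(STANDARD_PORTS) if standard is None else standard
    ssl = parse_ports(SSL_PORTS) if ssl is None else ssl
    if method.upper() == "CONNECT":
        return port_allowed(port, ssl)
    return port_allowed(port, standard)


if __name__ == "__main__":
    for method, port in [("GET", 80), ("GET", 22), ("GET", 8080), ("CONNECT", 443), ("CONNECT", 80)]:
        print(method, port, "allowed" if request_allowed(method, port) else "denied")
```

Note that the default standard list already covers 1025-65535, so a GET to port 8080 or 8443 is allowed while a GET to 22 or 139 is not; CONNECT is deliberately narrower, since a tunnel to an arbitrary port would turn the proxy into a generic TCP relay.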

2.5.1.7. Network based access control

This defines the access control for accessing the proxy server based on the client network address.


Allowed subnets All listed subnets are allowed to access the proxy server. By default, the subnets for GREEN and BLUE (if available) are listed here.

You can add other subnets, like subnets behind GREEN in larger environments, to this list. All subnets not listed here will be blocked for web access.

Disable internal proxy access This option prevents direct HTTP access through the internal proxy service to local web servers at those subnets, as defined above. This selection overrides the following two options which manage HTTP access to GREEN and from BLUE.

Disable internal proxy access to Green from other subnets This prevents direct HTTP access through the internal proxy service to web servers on GREEN from any other subnet (e.g. BLUE).

For example, while proxy access is enabled for GREEN and BLUE, usually all requests will be forwarded to RED. But when a client from BLUE wants to access a web server on GREEN, the Proxy Server takes the internal shortcut between the BLUE and the GREEN interface, regardless of any firewall rules.

Note

To protect your servers on GREEN, it's recommended that you enable this option and use the Address Filter or DMZ pinholes if necessary.

Disable internal proxy access from Blue to other subnets This prevents direct HTTP access through the internal proxy service from BLUE to web servers on any other subnet (e.g. GREEN).

Note

This option is only available with a BLUE interface installed.

If enabled, clients on BLUE can only access web servers on BLUE or RED.

Unrestricted IP addresses (optional).  All client IP addresses in this list will override the following restrictions:

  • Time restrictions

  • Size limits for download requests

  • Download throttling

  • Browser check

  • MIME type filter

  • Authentication (will be required by default for these addresses, but can be turned off)

  • Concurrent logins per user (only available if authentication is enabled)

Unrestricted MAC addresses (optional).  All client MAC addresses in this list will override the following restrictions:

  • Time restrictions

  • Size limits for download requests

  • Download throttling

  • Browser check

  • MIME type filter

  • Authentication (will be required by default for these addresses, but can be turned off)

  • Concurrent logins per user (only available if authentication is enabled)

Using MAC addresses instead of IP addresses can be useful if the DHCP service is enabled without having fixed leases defined.

MAC addresses can be entered in either one of these forms:

00-00-00-00-00-00
00:00:00:00:00:00

Note

The proxy server can only determine MAC addresses from clients configured for the subnets of the GREEN, BLUE or ORANGE interfaces.

Banned IP addresses (optional).  All requests from the clients (IP addresses or subnets) listed here will be blocked.

Banned MAC addresses (optional).  All requests from clients in this list will be blocked.

2.5.1.8. Classroom extensions

The ClassRoom Extensions (CRE) to the proxy server give you the ability to delegate administrative tasks to non-administrative users through a separate Web Access Management page.

See the Classroom extensions section for further information.

2.5.1.9. Time Restrictions

This section defines when the web proxy is active. The default position is to allow access 24 hours a day, 7 days a week.

The Access option “allow” permits web access, and the “deny” option blocks web access within the selected timeframe. The choice of “allow” or “deny” will depend on the time rules you want to apply.

Time Restrictions will not affect these clients:

  • Unrestricted IP addresses

  • Unrestricted MAC addresses

  • Members of the group “Extended” if the proxy uses “Local authentication”

2.5.1.10. Transfer limits

This section allows you to enter limits for the size of each download and/or upload request. The values are given in Kilobytes (KB). You can use this to prevent your users from downloading large files and slowing Internet access for everyone else.

Set the Max download size and Max upload size fields to 0, the default, to remove all restrictions.

Download limits will not affect these clients:

  • Unrestricted IP addresses

  • Unrestricted MAC addresses

  • Members of the group “Extended” if the proxy uses “Local authentication”

2.5.1.11. Download Throttling

The download bandwidth can be unlimited, or limited per interface, and/or per host, or based on the type of content.

Throttling will not affect these clients:

  • Unrestricted IP addresses

  • Unrestricted MAC addresses

Bandwidth limits can be defined per interface as an overall limit, and per host. The bandwidth used by all hosts together is capped by the overall limit.

By default, throttling affects all kinds of traffic, but throttling can be limited to certain types of content. However, this disables throttling for other types of content.

Content based throttling can be applied to:

  • Binary files: bz2, bin, dmg, exe, sea, tar, tgz, zip etc.

  • CD images: ccd, cdi, img, iso, raw, tib etc.

  • Multimedia files: aiff, avi, divx, mov, mp3, mp4, mpeg, qt etc.

Figure 2.25. Web proxy - Time restrictions, Transfer limits & Download throttling Sections


2.5.1.12. MIME type filter

The MIME type filter can be configured to block content depending on its MIME type.

Enabled If enabled, the filter checks all incoming headers for their MIME type.

Block these MIME types (optional).  If the requested MIME type is listed to be blocked, access to it will be denied. This way you can block content, no matter what type of file name extension is used.

For example, add this MIME type on one line if you want to block the download of Word files:

application/msword

Or, add these MIME types, each type on a separate line, if you want to block the download of MPEG and QuickTime video files:

video/mpeg
video/quicktime

Do not filter these destinations (optional).  Use this list to avoid MIME type filtering particular destinations. This should be a list, each one on a separate line, of Domains or Subdomains, Hostnames, IP Addresses, or URLs.

Some examples might be:

*.example.net
www.example.net
123.45.67.89
www.example.net/downloads
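The “Do not filter these destinations” list here and the “Do not cache these destinations” list in the Cache management section accept the same four entry types (domain wildcards, single hosts, IP addresses, URLs) in any order. The Python below is an added example (not IPCop or Squid code) that parses such a list, matches a requested URL against it, and then applies the MIME type filter described above: the media type is taken from the Content-Type header with any parameters such as charset stripped, compared case-insensitively against the blocked list, and skipped entirely for exempt destinations. The two lists and the test URLs are constructed; how Squid itself orders these checks internally is not something this example claims to reproduce.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lists in the format the destination and MIME boxes accept.
NO_FILTER_DESTINATIONS = """\
*.example.net
www.example.org
123.45.67.89
www.example.com/downloads
"""

BLOCKED_MIME_TYPES = """\
application/msword
video/mpeg
video/quicktime
"""


def parse_destinations(text):
    """Classify each line as ('domain', name), ('host', name), ('ip', addr) or ('url', (host, path))."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if line.startswith("*."):
            rules.append(("domain", line[2:]))
        elif "/" in line:
            host, _, path = line.partition("/")
            rules.append(("url", (host, "/" + path)))
        else:
            try:
                ipaddress.ip_address(line)
                rules.append(("ip", line))
            except ValueError:
                rules.append(("host", line))
    return rules


def matches_destination(url, rules):
    """True if the URL's host (and, for URL rules, its path prefix) matches any rule."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for kind, value in rules:
        if kind == "domain" and (host == value or host.endswith("." + value)):
            return True
        if kind in ("host", "ip") and host == value:
            return True
        if kind == "url":
            rule_host, rule_path = value
            # Prefix match on whole path segments, so /downloads does not match /downloads-other.
            if host == rule_host and (path == rule_path or path.startswith(rule_path.rstrip("/") + "/")):
                return True
    return False


def parse_mime_list(text):
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def mime_filter_verdict(url, content_type, blocked, exempt_rules):
    """Return 'allow' or 'block' for a response, given its Content-Type header value."""
    if matches_destination(url, exempt_rules):
        return "allow"
    media_type = content_type.split(";", 1)[0].strip().lower()  # drop parameters such as charset=
    return "block" if media_type in blocked else "allow"


if __name__ == "__main__":
    rules = parse_destinations(NO_FILTER_DESTINATIONS)
    blocked = parse_mime_list(BLOCKED_MIME_TYPES)
    for url, ctype in [("http://www.example.com/other/x.doc", "application/msword; charset=binary"),
                       ("http://files.example.net/x.doc", "application/msword"),
                       ("http://www.example.com/x.mp4", "video/MPEG"),
                       ("http://www.example.com/x.txt", "text/plain")]:
        print(url, ctype, "->", mime_filter_verdict(url, ctype, blocked, rules))
```

The exemption check runs first, so a Word document from files.example.net passes while the same Content-Type from an unlisted host is blocked; a server that sends a misleading extension but an honest Content-Type is still caught, which is the point of filtering on MIME type rather than file name.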

2.5.1.13. Web browser

Enable browser check Check this box if you want to enable browser checking.

Allowed clients for web access Check the appropriate box(es) for permitted clients.

Figure 2.26. Web proxy - MIME type filter & Web browser Sections


2.5.1.14. Privacy

This allows the modification of some HTTP header fields to protect your privacy.


Fake useragent submitted to external sites (optional).  By default, the useragent of the currently used web browser will be submitted to external web servers. Some dynamic websites generate the content depending on the submitted useragent string. This string will also be logged to the Web Server log files.

With the “Fake useragent” option you have the ability to rewrite this string for all your clients. For outgoing requests the useragent header field will be changed by the proxy server and submitted to external sites instead of the original useragent string. This can be useful to protect your privacy or to enforce a desired level of compatibility.

Fake referer submitted to external sites (optional).  When clicking a hyperlink, the source URL will be submitted to the destination website. This can be turned off by entering a user defined string. This string will be submitted instead of the real referring URL. This can be useful to protect your privacy.

Note

Modifying the referer violates the HTTP standard and may sometimes lead to difficulties. Some websites block requests with an invalid referer to protect themselves against so-called deep links or against the abuse of “stealing” graphics from their website.

2.5.1.15. Redirectors

Redirectors work with the proxy to filter and redirect web traffic based on rules that can include blacklists, whitelists, time constraints etc.

Redirectors Section

Enabled Check the box to enable redirectors.

Number of redirector processes You can increase or decrease the number of active filter processes. The number of processes depends on your hardware performance, your bandwidth and the concurrent number of clients. The default value is 5.

Available redirectors Lists the redirectors installed, and which is active. URL Filter, in this example.

2.5.1.16. Authentication method

The Web Proxy offers several methods for user authentication.

Authentication Method Section

None (default).  Authentication is disabled. Users do not need to authenticate when accessing web sites.

Local This authentication method is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. See the Local Proxy Authentication section for further information.

identd This authentication method is the preferred solution for environments where

  • Authentication must be a “hidden” process without entering username and password

  • Proxy service must operate in transparent mode

  • Usernames will be used only for logging rather than for authentication

The identd authentication method requires an identd service or daemon running on the client. See the identd Authentication section for further information.

LDAP This authentication method is the preferred solution for medium and large network environments. Users will have to authenticate when accessing web sites by entering a valid username and password. The credentials are verified against an external server using the Lightweight Directory Access Protocol (LDAP).

LDAP authentication will be useful if you already have a directory service in your network and do not want to maintain additional user accounts and passwords for web access. See the LDAP Authentication section for further information.

Windows This authentication method is the preferred solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external server acting as a Domain Controller. See the Windows Authentication section for further information.

RADIUS This authentication method is the preferred solution for small and medium network environments. Users will have to authenticate when accessing web sites. The credentials are verified against an external RADIUS server. See the RADIUS Authentication section for further information.

Note

When using authentication and enabling the web proxy log files, the requesting user name will be logged in addition to the requested URL. Before enabling log files while using authentication, make sure not to violate existing laws.

2.5.1.17. Clear Cache/Save

Clear cache You can flush all pages out of the proxy cache at any time by clicking the Clear cache button.

Save After making any changes, press the Save button to apply them.