Welcome to Eric Hameleers (Alien BOB)'s Wiki pages.
Previous revision: slackware:proxy [2006/06/08 11:30] alien – Mention single-homed setup
Current revision:  slackware:proxy [2006/06/08 14:40] alien
Line 5:
 This article describes the setup of a http proxy chained to a content filter (think "parental control" for instance).
  
-There are many cases where it is not desirable to grant unlimited Internet access to certain groups of people. The most obvious group are children, either at home, or in schools, whom you want to protect from hitting upon too explicit imagery or language. Or perhaps you just want to block certain sites from them.\\
+There are many cases where it is not desirable to grant unlimited Internet access to certain groups of people. The most obvious group are children, either at home, in schools or public libraries, whom you want to protect from hitting upon too explicit imagery or language. Or perhaps you just want to block certain sites from them.\\
 Other uses for a content-filtering web proxy would be companies that want to limit the accessibility of the Internet facility they allow their employees. Content filtering does not stop at blocking undesirable content - blocking viruses in downloaded materials and malicious HTML code is another form of filtering incoming web traffic.\\
 A web proxy is what you need in this case. The proxy server intercepts all browser requests for web pages, and in co-operation with one or more filtering programs, decides whether the browser will or won't be able to retrieve the full content it was requesting.
Line 13:
 Ideally, you would want a solution where such a filtering proxy server is installed on the Internet Gateway Server, and the desktop computers would not have to be reconfigured to make use of the proxy. This is called //transparent proxying// - the proxy will intercept the browser requests without the end users knowing their traffic is monitored - until they hit a censored page of course!
  
-I will show you how you can use [[http://tinyproxy.sf.net/|tinyproxy]] and [[http://dansguardian.org/|dansguardian]] in combination with a few iptables firewall rules, to accomplish such a transparent proxy. I chose tinyproxy because it is small and very fast in comparison with the more widely used Squid proxy. Tinyproxy is just fine for small to medium-sized networks. For larger networks, you can just replace tinyproxy with Squid and it will still work (if you configure Squid right). But I will concentrate on tinyproxy.
+I will show you how you can use [[http://tinyproxy.sf.net/|tinyproxy]] and [[http://dansguardian.org/|dansguardian]] in combination with a few iptables firewall rules, to accomplish such a transparent proxy service. I chose tinyproxy because it is small and very fast in comparison with the more widely used Squid proxy. Tinyproxy is just fine for small to medium-sized networks. For larger networks, you can replace tinyproxy with Squid without much effort and it will still work (if you configure Squid right). But I will concentrate on tinyproxy for now.
  
 <note>Tinyproxy and Squid are licenced under the GPL. Dansguardian is licenced under the GPL, with the addition that it is free for non-commercial use.</note>
  
-<note tip>This article focuses on the configuration of a transparent proxy on a gateway/router for **small networks**. Another scenario is that of the **family computer** with a single network interface, running Linux, where you want to restrict the children in their Internet browsing while still being able to have unrestricted Internet access for your own account (assuming //you// are the parent) or as the root user.\\ I have a FIXME [[:slackware:parentalcontrol|Wiki page]] that points out the differenct steps you need to take compared to this very page here.</note>
+<note tip>This article focuses on the configuration of a transparent proxy on a gateway/router for **small networks**. Another scenario is that of the **family computer** with a single network interface, running Linux, where you want to restrict the children in their Internet browsing while still being able to have unrestricted Internet access for your own account (assuming //you// are the parent) or as the root user.\\ I have a FIXME [[:slackware:parentalcontrol|Wiki page]] that points out the different steps you need to take compared to this very page here.</note>
  
 ===== How it works =====
Line 37:
                ->(contentfilter -> proxy) _|
  
-The browser request is again routed through the default gateway as in the first picture, only now we have an ''iptables'' rule in place that detects the traffic targeted at an external web server (ports 80 or 443). The iptables rule causes this traffic to be //re-directs// to the port where our content filter is listening (''192.168.2.1:8080'')!\\ The browser is unaware of this "hi-jacking" process. Browser requests will be filtered and pages retrieved by the proxy will be examined and scanned just like happens in the second picture.
+The browser request is again routed through the default gateway as in the first picture, only now we have an ''iptables'' rule in place that detects the traffic targeted at an external web server (ports 80 or 443). The iptables rule causes this traffic to be //re-directed// to the port where our content filter is listening (''192.168.2.1:8080'')!\\ The browser is unaware of this "hi-jacking" process. Browser requests will be examined by the contentfilter and URLs that appear in a blacklist will trigger an immediate //access denied// page to be returned to the browser. Other page requests are retrieved by the proxy and then examined and scanned, just like was shown in the second picture.
  
-<note> I touched on the issue of scanning for viruses and malicious HTML code - dansguardian can not do this by itself, but if compiled with the appropriate support (see [[#building_dansguardian|below]]) and configured to actually use it, dansguardian will ask an available ClamAV virus scanning daemon to do the scanning.</note>
+<note> I touched on the issue of scanning for viruses and malicious HTML code - dansguardian can not do this by itself, but if compiled with the appropriate support (see [[#building_dansguardian|below]]) and configured to actually use it, dansguardian will contact an available ClamAV virus scanning daemon and let it do the scanning.</note>
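As an added example, not part of the wiki page: the ''iptables'' rules that implement the "hi-jacking" described above on the gateway. The page gives the content filter's listening address (''192.168.2.1:8080''); the LAN interface name ''eth1'', the LAN subnet ''192.168.2.0/24'', and tinyproxy listening on ''127.0.0.1:8888'' (its default port) are assumptions made here, not values from the article. The rules redirect only port 80: a plain HTTP listener cannot do anything useful with a redirected HTTPS connection (it would only see the TLS handshake), so port 443 is either forwarded unfiltered or rejected, which is a policy choice left to a variable.

```shell
#!/bin/sh
# Added example, not from the wiki page. Prints (and optionally applies) the
# iptables rules for the transparent filtering proxy on the gateway.
# From the page: dansguardian listens on 192.168.2.1:8080.
# Assumptions (not in the page): eth1 is the LAN interface, 192.168.2.0/24 is
# the LAN subnet, tinyproxy listens on 127.0.0.1:8888 (its default port).
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.2.0/24}
FILTER_PORT=${FILTER_PORT:-8080}       # dansguardian, value from the page
PROXY_PORT=${PROXY_PORT:-8888}         # tinyproxy, assumed; only dansguardian should reach it
HTTPS_POLICY=${HTTPS_POLICY:-ACCEPT}   # ACCEPT: HTTPS passes unfiltered; REJECT: no HTTPS at all

# Print the rule set; "proxy_rules | sh" applies it (run as root).
proxy_rules() {
    cat <<EOF
# --- nat table: hijack the browsers' port-80 requests ---
iptables -t nat -N WEBFILTER
# Requests to hosts inside the LAN are not proxied (local web servers stay reachable).
iptables -t nat -A WEBFILTER -d $LAN_NET -j RETURN
# Everything else on port 80 goes to dansguardian on this host. REDIRECT delivers it
# to the primary address of $LAN_IF, i.e. 192.168.2.1:$FILTER_PORT.
iptables -t nat -A WEBFILTER -p tcp --dport 80 -j REDIRECT --to-ports $FILTER_PORT
# Only traffic entering on the LAN interface from the LAN subnet enters the chain, so
# the gateway's own connections (tinyproxy's fetches) and outside traffic are never redirected.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j WEBFILTER
# --- filter table ---
# Accept the redirected connections on the dansguardian port.
iptables -A INPUT -i $LAN_IF -p tcp --dport $FILTER_PORT -j ACCEPT
# Refuse LAN access to tinyproxy itself: a user who points the browser at
# 192.168.2.1:$PROXY_PORT as an explicit proxy would otherwise skip the content filter.
iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j REJECT --reject-with tcp-reset
# HTTPS cannot be redirected into an HTTP listener (dansguardian would only see a TLS
# handshake), so it is either forwarded unfiltered or rejected outright.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j $HTTPS_POLICY
EOF
}

case "${1:-}" in
    print) proxy_rules ;;
    apply) proxy_rules | sh ;;
esac
```

''sh proxy-rules.sh print'' shows the rules; ''sh proxy-rules.sh apply'' loads them. For the chain to mean anything, tinyproxy must bind only to the loopback address (''Listen 127.0.0.1'' and ''Allow 127.0.0.1'' in tinyproxy.conf) and dansguardian must be told to use it (''proxyip'' and ''proxyport'' in dansguardian.conf); the ''REJECT'' on port 8888 is a second line of defence in case that binding is ever loosened.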
  
 ===== Network layout =====