
HTTP

The HTTP proxy employed in the Endian Hotspot Appliance is squid, whose primary ability is to cache web requests to speed up future requests for the same page, though it has many more functionalities that allow its seamless integration with the other services described in the remainder of this section. The HTTP proxy settings page is organized in tabs from which it is possible to configure all the options.

Configuration

A click on the Enable HTTP Proxy switch enables the HTTP proxy. After some seconds, necessary to start all required services, a number of controls appear in the Configuration tab, grouped into six panels. Each panel has a title, followed by a ? that shows a tooltip, and can be expanded or collapsed by clicking on the expand or collapse icons located on the left of the labels.

Completely transparent protection through the HTTP proxy.

The HTTP proxy will work in a completely transparent way. This means that users that are connected to the Endian Hotspot Appliance’s BLUE zone do not need to change the configuration of their devices as all the traffic will automatically go through the proxy and be scanned for viruses or filtered there in any case.

When enabling the proxy please note that it will be enabled for the BLUE WiFi zone only and the configuration will not be applied to the management network (GREEN zone). This means that filtering the content or scanning for viruses in the GREEN zone is not possible.

Proxy settings

In the Proxy settings panel there are some global configuration options for the proxy services:

Port used by proxy

The TCP port on which the proxy server is listening for connections, which defaults to 8080.

Error Language

The language in which error messages are displayed, which defaults to the one chosen in Menubar ‣ System ‣ GUI settings.

Visible Hostname used by proxy

The hostname assumed by the proxy server, also reported at the bottom of error messages.

Email used for notification (cache admin)

The email address shown by the proxy server in error messages.

Maximum download size (incoming in KB)

The limit for HTTP file downloads. 0 means unlimited.

Maximum upload size (outgoing in KB)

The limit for HTTP file uploads (e.g., those used by HTML forms with file uploads). 0 means unlimited.

Allowed ports and ssl ports

Configuration option for the ports the clients are allowed to use when browsing:

Allowed Ports (from client)

The TCP destination ports to which the proxy server will accept connections when using HTTP. One port or port range per line is accepted; comments are allowed and start with a #.

Allowed SSL Ports (from client)

The TCP destination ports to which the proxy server will accept connections when using HTTPS. One port or port range per line is accepted; comments are allowed, start with a # and run to the end of the line.
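As an added illustration of the port list format described for both fields (not code from Endian or the appliance), the following parser accepts exactly what the fields accept, one port or port range per line with # comments, rejects malformed or out-of-range entries, and answers whether a destination port is allowed. The sample field content is constructed.

```python
import re

# Constructed sample of the text one would type into the "Allowed SSL Ports
# (from client)" field: one port or port range per line, '#' starts a
# comment that runs to the end of the line.
SAMPLE_SSL_PORTS = """\
443            # https
8443           # alternative https
# a whole range used by an internal application:
10000-10010
"""

_ENTRY = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

def parse_port_list(text):
    """Return the list of (low, high) port ranges in the field.

    Raises ValueError (with the offending line number) on anything that is
    not a single port or a low-high range within 1..65535, so a typo cannot
    silently widen or narrow what clients may connect to.
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # drop comment and whitespace
        if not entry:
            continue                               # blank or comment-only line
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"line {lineno}: expected PORT or PORT-PORT, got {raw!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"line {lineno}: bad port range {low}-{high}")
        ranges.append((low, high))
    return ranges

def port_allowed(ranges, port):
    """True if the proxy would accept a client request to this destination port."""
    return any(low <= port <= high for low, high in ranges)
```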

Log settings

Configuration options to enable the logging facility and choose what to log.

HTTP proxy logging

Log all the URLs being accessed through the proxy. It is a master switch, hence the following four options are enabled and can be configured only if logging is enabled, which is not by default (recall that the more is logged, the more space on the Endian Hotspot Appliance’s hard disk is needed).

Query term logging

Log the parameters in the URL (such as ?id=123).

Useragent logging

Log the user agent sent by each browser.

Contentfilter logging

Log when the content of web pages is filtered.

Firewall logging (transparent proxies only)

Let the firewall log the outgoing web accesses, i.e., those directed through the RED interface to the Internet. This option only works for transparent proxies.

Bypass transparent proxy

In this panel some exceptions to the transparent proxy can be defined, i.e., which sources (clients) and destinations (remote servers) should be ignored by the proxy, even if it is enabled in that zone.

Bypass transparent proxy from SUBNET/IP/MAC

The sources that should not be subject to the transparent proxy.

Bypass transparent proxy to SUBNET/IP

The destinations that are not subject to the transparent proxy.

Hint

Use CIDR notation to enter subnets.

Cache management

Configuration options for the space occupied on disk by the cache and the size of the objects stored.

Cache size on harddisk (MB)

The amount in megabytes that the proxy should allocate for caching web sites on the harddisk.

Cache size within memory (MB)

The amount in megabytes of memory that the proxy should allocate for caching web sites in the system memory.

Maximum object size (KB)

The upper size limit in kilobytes of a single object that should be cached.

Minimum object size (KB)

The lower size limit in kilobytes of a single object that should be cached.

Note

Objects whose size does not fall within the above defined ranges will never be stored on disk, but downloaded each time they are requested by some client.

Enable offline mode

When this option is enabled (i.e., the checkbox is ticked), the proxy will never try to update cached objects from the upstream web server; clients can then browse cached, static websites even after the uplink has gone down.

Warning

This option proves useful to surf the Internet while the uplink is down, if the page requested has been cached before. However, this option may cause some trouble when trying to refresh a page, even with a working uplink, since the HTTP proxy would always serve the cached page. The only possibility to have a refreshed copy of a web page is in this case to clear the cache of the proxy server.

Clear cache

When this button is clicked, the cache of the proxy is erased.

Do not cache these destinations

The domains whose resources should never be cached.

Upstream proxy

If there is another proxy server in the LAN, it can be contacted before actually requesting the original resource. This panel contains configuration options for the connection between the Endian Hotspot Appliance and the upstream proxy.

Upstream proxy

Tick this checkbox to enable an upstream proxy and show more options. When enabled, before retrieving a remote web page that is not already in its cache, the Endian Hotspot Appliance’s proxy contacts the upstream proxy to ask for that page.

Upstream server

The hostname or IP address of the upstream server.

Upstream port

The port on which the proxy is listening on the upstream server.

Upstream username / password

If authentication for the upstream proxy is required, specify the credentials here.

Client username forwarding

Tick the checkbox to forward the username to the upstream proxy.

Client IP forwarding

Tick the checkbox to forward the client IP address to the upstream proxy.

Access policy

The access policies are applied to every client that is connecting through the proxy, regardless of its authentication. An access policy rule is a time-based scheme that permits or prohibits accesses depending on diverse parameters: the user (e.g., the source or destination of the traffic), the client used (e.g., the user agent) or the content downloaded (e.g., the MIME types, virus scanning, and content filtering).

A list of the already defined rules is displayed on the page. Any rule can specify whether the web access is blocked or allowed, and in the latter case a filter type can be activated and selected. The table carries the following information for every rule listed therein: the progressive identification number (#), the name, the source and destination concerned, the authentication type, if required, the periods in which it is active, the user agents matched, and the available actions:

  • edit - modify the policy.

  • delete - remove the policy.

  • up down - move the policy upwards or downwards in the list.

  • on off - enable or disable the policy.

To add a new access policy rule, simply click on Add Access policy: A form will open, in which to configure all the parameters:

Source Type

The sources of the traffic to which this rule applies. It can be <ANY>, a zone, a list of networks, IP addresses or MAC addresses.

Destination Type

The destinations of the traffic to which this rule will be applied. This can be either <ANY>, a zone, or a list of networks, IP addresses, or domains.

Time restriction

Decide whether the rule has effect on specific days and/or a time period. By default a rule is always active, but its validity can be limited to either an interval or to some days of the week. By ticking the checkbox, the following options become available:

Active days

Select one or more days of the week.

Hint

To select two or more days, hold the CTRL key and click the mouse button on the name of the day.

Start hour, Stop hour, Start minute, Stop minute

To fine-tune the interval of the day during which the access policy is active, select the start and end times from the drop-down menus.

Useragents

The allowed clients and browsers, as identified by their user agent, i.e., their identification string.

Mimetypes

A list of the MIME types of incoming files that should be blocked, one per line. MIME types can only be blocked (i.e., blacklisted) but not allowed (i.e., whitelisted), therefore this option is only available in Deny access policies. This option allows blocking any files not corresponding to the company policy (e.g., multimedia files).

Note

The list of the available MIME types can be found in the /etc/mime.types file on any Linux box, on the official IANA web page, and also in RFC 2045 and RFC 2046.

Access policy

Select whether the rule should allow or deny the web access from the drop-down menu. If set to Deny, the Mimetypes option above is activated.

Filter profile

This drop-down menu, available when the Access policy has been set to Allow access, allows selecting what type of check the rule should perform. Available options are: none for no check and virus detection only to scan only for viruses. Moreover, if any content filter profile has been created (see below), it can be applied to the rule.

Policy status

Whether the rule is enabled or disabled. Disabled rules will not be applied; the default is to enable the rule.

Position

The place where the new rule should be inserted: Lower positions have higher priority.

The available actions allow to change priority, edit, enable/disable or delete each rule from the list of rules.
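The following is an added model of how an ordered rule list like the one above is evaluated; it is an illustration written for this page, not Endian's own code. The rule fields mirror the form just described; the evaluation order (list position = priority, first matching enabled rule wins) and the fallback when no rule matches (allow, unfiltered) are assumptions of this example, and the rule set at the bottom is constructed.

```python
# Model of how an ordered list of access policy rules is applied. Added
# illustration, not Endian's code: evaluation order (first matching enabled
# rule wins) and the no-match fallback (allow, unfiltered) are assumptions.
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress

@dataclass
class Rule:
    name: str
    action: str                                     # "allow" or "deny"
    sources: list = field(default_factory=lambda: ["ANY"])       # CIDRs or "ANY"
    destinations: list = field(default_factory=lambda: ["ANY"])  # domains or "ANY"
    days: set = field(default_factory=set)          # 0=Mon .. 6=Sun; empty = every day
    start: tuple = (0, 0)                           # (hour, minute) of the active interval
    stop: tuple = (23, 59)
    useragents: list = field(default_factory=list)  # substrings; empty = any client
    mimetypes: list = field(default_factory=list)   # deny rules only; empty = any type
    profile: str = "none"                           # none / virus detection only / profile
    enabled: bool = True

def _source_ok(rule, ip):
    addr = ipaddress.ip_address(ip)
    return any(s == "ANY" or addr in ipaddress.ip_network(s, strict=False) for s in rule.sources)

def _destination_ok(rule, host):
    return any(d == "ANY" or host == d or host.endswith("." + d) for d in rule.destinations)

def _time_ok(rule, when):
    t = datetime.fromisoformat(when) if isinstance(when, str) else when
    if rule.days and t.weekday() not in rule.days:
        return False
    return rule.start <= (t.hour, t.minute) <= rule.stop

def evaluate(rules, ip, host, when, useragent, mimetype=None):
    """Return (action, filter profile, rule name) for one request."""
    for rule in rules:                              # lower position = higher priority
        if not rule.enabled:
            continue                                # disabled rules are not applied
        if not (_source_ok(rule, ip) and _destination_ok(rule, host) and _time_ok(rule, when)):
            continue
        if rule.useragents and not any(u in useragent for u in rule.useragents):
            continue
        if rule.action == "deny" and rule.mimetypes and mimetype not in rule.mimetypes:
            continue                                # deny restricted to the listed MIME types
        return rule.action, rule.profile, rule.name
    return "allow", "none", None                    # assumed fallback when nothing matches

# Constructed rule set: block MP4 video on the BLUE subnet, scan the rest of its
# traffic for viruses, and deny every client at the weekend.
RULES = [
    Rule("no video", "deny", sources=["192.168.1.0/24"], mimetypes=["video/mp4"]),
    Rule("blue scan", "allow", sources=["192.168.1.0/24"], profile="virus detection only"),
    Rule("weekend", "deny", days={5, 6}),
]
```

Swapping the first two rules would let the allow rule shadow the MIME-type deny, which is why the position of a rule matters as much as its content.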

Web filter

The Endian Hotspot Appliance’s content filter abilities are based on the Cyren URL filtering solution, which uses two filtering techniques that can be defined per filter profile.

The first one consists of an advanced method of web page categorisation, based on their content, while the second method uses a combination of white- and blacklists of URLs and domains: All the URLs requested by a client are looked up in this list and are only served if they are found in the whitelist.

Note

If the system has not yet been registered to Endian Network, the URL filter lists cannot be downloaded. In this case, an informative message appears: By clicking on it, the registration form will open.

A profile is needed to be able to use the content filter. There is a Default profile available, which allows access to every web page and shall not be deleted. Additional profiles, which are needed in the definition of an Access policy, can easily be created. Hence, an access policy requiring a specific profile can be created only after that profile has been created.

On the page, there is a list of the existing profiles, accompanied by a remark and by the available actions:

  • edit - edit a profile.

  • delete - delete a profile.

Above the table, there is a Create a profile link: When clicked, the link is replaced by the Profile Editor, that is used to configure a new profile, with the list of existing profiles shifting to the bottom of the page. The following settings can be defined:

Profile name

The name given to the profile.

Activate antivirus scan

Enable the antivirus in the content filter.

SafeSearch Enforcement

In this section it is possible to enable the SafeSearch Enforcement functionality for the supported search engines. At the moment these are:

  • Google

  • Bing

  • Yahoo

  • Yandex

  • DuckDuckGo

SafeSearch Enforcement

With the standard web filtering functionality it is already possible to filter inappropriate web sites for children or students. However, this does not affect results such as preview images that are coming from the search engines.

Since search engines cache images, it is impossible to know from which website they are coming and therefore they cannot be blocked based on their category. To still be able to block inappropriate or offensive content, many search engines include a SafeSearch functionality that, when enabled, will simply not include these results.

When using SafeSearch Enforcement this behaviour is being enforced for the selected search engines regardless of the user’s personal settings.

Since most search engines today are automatically using HTTPS it is necessary to enable the HTTPS Proxy.

URL Filter

The next settings come in form of panels, that can be expanded or collapsed by clicking on the expand or collapse icons to the left of their title. On the far right, a small arrow shows if the contained items are all, none, or partially allowed. Those arrows can be clicked to quickly toggle the status of all the contained items.

The categories to activate for applying the content filter. Each category contains additional sub-categories, that can be individually allowed or not. An accept icon means that the (sub-)category is disabled and therefore its items are not used for content filtering, while a drop icon means that those items are used to block content. A partial icon near the category name shows that only some of the sub-categories within it are used for content filtering.

Custom black- and whitelists

Here personalised lists of web pages can be added as always allowed (whitelist), i.e., they will always be served to the clients, or denied (blacklist), i.e., they will never be served to the clients.

Content filtering may cause both false positives and false negatives, hence domains that should always be blocked or allowed can be listed here. This policy will be applied regardless of the results of the content filter’s analysis.

HTTPS Proxy

New in version 5.0.5: URL Filtering option.

In this page it is possible to configure the HTTPS proxy server and the way it intercepts and applies content filtering to SSL-encrypted traffic, i.e., traffic on port 443.

The page is initially divided in three panels, the first one to choose the operating mode of the HTTPS proxy, the others related to the certificate needed in the Decrypt and scan mode.

HTTPS proxy operating mode

Choose from the drop-down menu how the proxy should analyse the HTTPS encrypted traffic. The following options are available:

  • Disabled. The HTTPS proxy will not analyse the traffic.

  • URL filtering only. In this modality, described below, the HTTP proxy will only apply content filtering to the pages, but not decrypt them.

  • Decrypt and scan. The HTTPS proxy will decrypt and fully inspect the pages.

Once the modality has been chosen, click on Save, then on the Apply button in the green callout.

The URL Filtering mode

The URL Filtering mode allows applying content filtering to HTTPS pages in a less invasive way compared to the Decrypt and scan mode; it is also easier to deploy, but it can be less effective. In detail, these are the differences from the Decrypt and scan mode:

  • No need to install certificates on the clients. This means that the traffic will not be decrypted.

  • As a consequence, there will be no antivirus check on the HTTPS pages.

  • When a page is blocked by the proxy, the browser will receive a Connection refused error message.

  • Whitelists and Blacklists for both the HTTPS and HTTP Proxies are defined in the Access policy and Web filter tabs.

To correctly allow the URL Filtering mode to operate, the clients using the proxy must be configured to use the Endian Hotspot Appliance as their DNS server. If they do not, then the DNS Proxy must be enabled on the Endian Hotspot Appliance for all the zones that use the HTTP(S) Proxy.

When the Decrypt and scan mode is enabled, squid will intercept all clients’ requests and forward them to the remote server, like in the case of HTTP requests. The only difference is that for HTTPS requests, an intermediate certificate is needed for the client to connect via HTTPS to the Endian Hotspot Appliance, which then can deliver the request, retrieve the remote resource, check it, and then send it to the client who requested it.

The following additional options are available for this mode:

Accept every certificate

This option allows the Endian Hotspot Appliance to automatically accept all the certificates from the remote server, even those that are not valid or outdated.

Forward HTTPS connections directly to the Upstream proxy

When this option is used, the HTTPS traffic will be managed directly by the upstream proxy, otherwise it is managed by the Endian Hotspot Appliance.

Note

This option only works if an upstream proxy has been defined in the Upstream proxy panel (see Menubar ‣ Proxy ‣ HTTP ‣ Configuration ‣ Upstream proxy).

Bypass HTTPS proxy for destinations

Write in the text field the IP addresses or domain names of remote web sites that should not be checked by the HTTPS proxy, one per line.

The two panels at the bottom are used only for the Decrypt and scan mode and allow to manage the certificate that will be used by the Endian Hotspot Appliance.

Warning

Uploading or creating a new certificate invalidates any previously uploaded or created certificate. It will also be necessary to deploy the new certificate to all the clients.

Upload proxy certificate

To use an existing certificate, click on Browse…, choose the certificate on the local hard disk, then click on Upload to copy the certificate to the Endian Hotspot Appliance.

Create a new certificate

To create a new certificate from scratch, click on this button. A dialog box appears asking for confirmation. Click on OK to proceed or on Cancel to close the dialog box and go back.

After the certificate has been uploaded or created, a new option in the form of a hyperlink will appear next to the Upload proxy certificate label:

Download

Click this hyperlink to download the certificate, which will be needed by the clients.

See also

In the knowledge base these tutorials are available:

How to set up the HTTPS proxy (only decrypt and scan mode),

URL Filtering For The HTTPS Proxy and

How to access HSTS-enabled sites
