Web proxy question. I am a proxy noob.



  • Hi.

    I have never used web proxy solutions before.

    But these are my needs:

    1. I want to track what URLs my youngest kid is visiting.
    2. I might want to force my kid to only be able to visit one page on the internet.
    3. I have no interest in caching any webpages because I have a 1Gbit connection to the Internet; speed is not a problem.
    (Just need an ACL for URLs with log functionality.)

    I am using the latest pfSense version.

    My question is: what web proxy should I use? Squid? Reverse proxy? I am a noob about proxy stuff.

    /thanks.



  • Squid & Lightsquid for logging & SquidGuard to block or allow websites.



  • Will all computers on the network be forced to use the proxy for web traffic or can I just force one IP address to use the Proxy?



  • You could use rules to redirect traffic from only one client to the proxy, but that is easily bypassed by altering the IP address of the device. Far better to put everything through Squid in transparent mode and let the ACLs sort it all out.



  • @Gloom:

    You could use rules to redirect traffic from only one client to the proxy, but that is easily bypassed by altering the IP address of the device. Far better to put everything through Squid in transparent mode and let the ACLs sort it all out.

    Just note that a transparent proxy does not filter HTTPS.

    This way, if you block for example www.facebook.com, a simple https://www.facebook.com will do the job.



  • Tried to install Squid, but it fails downloading it.

    Beginning package installation for squid…
    Downloading package configuration file... done.
    Saving updated package information... done.
    Downloading squid and its dependencies...
    Checking for package installation...
    Downloading http://files.pfsense.org/packages/8/All/squid-2.7.9_1.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/squid-2.7.9_1.tbz.
    of squid-2.7.9_1 failed!

    http://files.pfsense.org/packages/8/All/squid-2.7.9_1.tbz is not responding at all.
    http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/squid-2.7.9_1.tbz gives 404 Not Found.



  • Working now.



  • If you want a content analyzer, then you can try DansGuardian together with Squid.



  • From: marcelloc

    _"Just note that a transparent proxy does not filter HTTPS.

    This way, if you block for example www.facebook.com, a simple https://www.facebook.com will do the job."_

    @marcelloc

    Will DansGuardian be able to block HTTPS? For example https://www.facebook.com

    Is there any link on how to configure DansGuardian?

    Thanks in advance :)



  • HTTPS URLs can be blocked using Squid, SquidGuard or DansGuardian.

    The first step is to configure the proxy in the client's browser, or WPAD on the network.

    DansGuardian's default config is applied on package install. You need to configure the daemon tab and the access lists to get it working. There is also a link to a DansGuardian wiki that can help you understand how it works.



  • @Marcelloc

    I have successfully blocked https://facebook and other unwanted sites. Only defined URLs are permitted. But by using proxy settings in the browser, it also blocked the FTP protocol. How do I configure that to allow my LAN users to be able to access local FTP?

    Thanks a lot!  ;D



  • You can include an exclude range in the proxy settings.

    On Firefox the default option is no proxy for: localhost,127.0.0.1,192.168.0.0/24



  • Well, that worked marcelloc, thanks a lot. :)

    Now, is there any way to set the user's browser (guest internet user) so that there will be no internet connection at all if they will not use the defined proxy settings? Although I have already set up the WPAD, my guest users can still alter the settings to not use the proxy.



  • Yes, you can do it via group policy on Windows, or by denying access to the internet on the firewall for the DHCP IP range.

    The second way will enable access only for users using the proxy.



  • While I am no Linux nor proxy guru, I have set my network up pretty well, and actually for the very same reasons as the OP: to protect my kids from "accidentally" being exposed to the more adult side of the net.

    The first thing I did was to define a set of IP addresses that would be dedicated to machines that would have no filtering effects. I used the DHCP server service to do this. I declared a set of static DHCP mappings, matched via MAC address. So in my case, the first 20 were reserved. I then gave a 10-address buffer for actual DHCP "guests", from 21 to 30. And finally, I set up my kids' addresses above that. I did map those as well.

    Next, I installed Squid. I enabled transparent proxy. I set the proxy to exclude addresses 1-20.

    Next I installed SquidGuard. I created one ACL, which encompasses the entire subnet, addresses 1-254. So, all computers fall within this ACL except those excluded from Squid itself. I set the default rule to deny.

    Then, I created my target categories, or whitelists. I segregated them out, creating a Disney and a Star Wars category individually, etc. I have one for Java and other such stuff needed for some of the kids' games.

    In order to find what was being blocked by the rules, I enabled logging on the ACL rule. I would load a page, see what displayed, and examine what the logs said. It took a bit, but was well worth it. Now I have a pretty good list of websites they can visit, and I really don't have to worry about much. I haven't played with HTTPS yet, but would imagine, since my kids don't need it, I could create a deny category for global HTTPS or change their PC, although some of my goal is also to keep the guests' iPods from accessing everything as well without me approving it.

    I was also using captive portal, with MAC pass-throughs so that any guest client would have to ask for a password, but figured the restricted nature of SquidGuard would work just as well.

    I did install Lightsquid, which is very neat. I was using Shalla's blacklist at one time, but really found that I don't need it, since I know what sites I want them to visit. If they need to do homework or something of the sort, then they do it on a computer that is visible to everyone (they each have their own computer). It works really well. I can't say that my pfSense box is really any faster than my normal D-Link router, but it sure gives a lot more flexibility and control!
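The "enable logging and examine what the logs say" step above, and the OP's first need (tracking which URLs a kid's machine visits), both come down to reading Squid's access.log per client. The following is an added example, not code from the thread or from the pfSense/Squid projects: a small parser for Squid's native access.log format that reports, per client IP, which URLs were allowed or denied, and flags CONNECT entries (the HTTPS tunnels that only an explicitly configured proxy ever sees, as marcelloc's point about transparent mode implies). The log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1330000000.123    150 192.168.0.31 TCP_MISS/200 5120 GET http://www.disney.com/ - DIRECT/1.2.3.4 text/html
1330000001.456      2 192.168.0.31 TCP_DENIED/403 3500 GET http://www.facebook.com/ - NONE/- text/html
1330000002.789    900 192.168.0.31 TCP_MISS/200 8000 CONNECT www.facebook.com:443 - DIRECT/1.2.3.4 -
1330000003.001     80 192.168.0.5 TCP_HIT/200 2000 GET http://www.starwars.com/ - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def parse_line(line):
    """Return the fields of one native-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # CONNECT entries are HTTPS tunnels: a transparent proxy intercepting port 80
    # never logs these, only a proxy the browser is explicitly configured to use does.
    rec["https"] = rec["method"] == "CONNECT"
    rec["denied"] = rec["action"].startswith("TCP_DENIED")
    return rec

def summarize(log_text, clients=None):
    """Map client IP -> list of (url, denied, https); 'clients' optionally restricts the report."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if clients and rec["client"] not in clients:
            continue
        report[rec["client"]].append((rec["url"], rec["denied"], rec["https"]))
    return dict(report)

if __name__ == "__main__":
    # Report only the (constructed) kid's machine, 192.168.0.31
    for client, visits in summarize(SAMPLE_LOG, {"192.168.0.31"}).items():
        print(client)
        for url, denied, https in visits:
            print(f"  {'DENIED ' if denied else 'allowed'} {'https' if https else 'http '} {url}")
```

On a real box, feed the contents of Squid's access.log (the pfSense package keeps it under /var/squid/logs by default, which is an assumption to check on your version) in place of SAMPLE_LOG.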



  • Hey Marcelloc,

    URL filtering works smoothly on HTTP/HTTPS, but as things go on, I can't seem to work out how to enable captive portal, although it is enabled in the services. Is it possible to use this or not anymore? It only works for me if I'm not using the proxy settings (transparent mode).

    Thank you so much in advance! :)



