Install Web Safety for Squid Proxy
HTTPS decryption alone is not enough to block questionable web content. We also need a filtering server that can be paired with Squid. We will use Web Safety ICAP Server for the filtering and blocking part. This server integrates with an existing Squid proxy and provides rich content filtering functionality out of the box. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content.
We will use version 6.3 of Web Safety. It was designed specifically with HTTPS filtering in mind and includes a rich web administration console for performing routine tasks right from the browser.
By default, Web Safety comes with 4 policies preinstalled. The strict policy has the web filter settings at the maximum level and is meant to protect minors and K12 students from inappropriate content on the Internet. The relaxed policy blocks only excessive advertisements and is intended for network administrators, teachers and all those who do not need filtered access to the web but would like to avoid most ads. The third policy is tailored to whitelist-only browsing, and the last contains less restrictive web filtering settings suitable for normal web browsing without explicitly adult content shown.
Web Safety runs as the websafety user and group. Normally it creates them upon installation, but for some reason they are not saved across reboots, so we must create the required user and group manually. Go to System / User Manager, select the Groups tab and add a new group websafety.
Click Save and then select the Users tab to add a new user websafety. Do not forget to make it a member of the websafety group. Enter some arbitrary password.
Click Save again.
In order to install all required libraries and programs, we will use two scripts - the first one for all dependencies and the second one for the actual installation of the Web Safety filter. Both scripts are present in
Run the following prerequisites.sh script in the console of the pfSense box as /bin/tcsh prerequisites.sh (please note that the path to /bin/tcsh is important). This script installs all prerequisites for the Apache web server and configures it to serve Web Safety’s Admin UI on port 8080 (as the standard port 80 is already taken by the pfSense UI).
The command should be run from the pfSense command line (e.g. using PuTTY). You might need to enable SSH access to the pfSense box to upload the scripts. Please watch out for possible errors!
    #!/bin/tcsh

    # in pfsense 2.4 a lot of packages were removed from default repository
    setenv REPOURL http://pkg.freebsd.org/FreeBSD:11:amd64/release_1/All

    # install apache 24
    pkg add $REPOURL/gdbm-1.13_1.txz
    pkg add $REPOURL/db5-5.3.28_6.txz
    pkg add $REPOURL/apr-188.8.131.52.5.4_2.txz
    pkg add $REPOURL/apache24-2.4.26.txz
    pkg add $REPOURL/ap24-mod_wsgi4-4.5.15.txz
    pkg add $REPOURL/sudo-1.8.20p2_2.txz

    # install django and sqlite modules for python
    pkg add $REPOURL/py27-setuptools-36.0.1.txz
    pkg add $REPOURL/py27-sqlite3-2.7.13_7.txz
    pkg add $REPOURL/py27-django111-1.11.2.txz
    pkg add $REPOURL/py27-pytz-2016.10,1.txz
    pkg add $REPOURL/python2-2_3.txz
    pkg add $REPOURL/py27-pyasn1-0.2.2.txz
    pkg add $REPOURL/py27-pyasn1-modules-0.0.9.txz
    pkg add $REPOURL/py27-ldap-2.4.39.txz
    pkg add $REPOURL/py27-six-1.10.0.txz
    pkg add $REPOURL/py27-enum34-1.1.6.txz
    pkg add $REPOURL/py27-pycparser-2.10.txz
    pkg add $REPOURL/py27-cffi-1.7.0.txz
    pkg add $REPOURL/py27-idna-2.5.txz
    pkg add $REPOURL/py27-ipaddress-1.0.18.txz
    pkg add $REPOURL/py27-cryptography-1.7.2.txz
    pkg add $REPOURL/py27-openssl-16.2.0.txz

    # numpy and pandas
    pkg add $REPOURL/binutils-2.28,1.txz
    pkg add $REPOURL/gcc-ecj-4.5.txz
    pkg add $REPOURL/mpfr-3.1.5_1.txz
    pkg add $REPOURL/mpc-1.0.3.txz
    pkg add $REPOURL/gcc5-5.4.0_2.txz
    pkg add $REPOURL/blas-3.5.0_3.txz
    pkg add $REPOURL/cblas-1.0_6.txz
    pkg add $REPOURL/openblas-0.2.19_1,1.txz
    pkg add $REPOURL/lapack-3.5.0_2.txz
    pkg add $REPOURL/suitesparse-4.0.2_6.txz
    pkg add $REPOURL/py27-numpy-1.11.2_3,1.txz
    pkg add $REPOURL/py27-bottleneck-1.2.1.txz
    pkg add $REPOURL/py27-dateutil-2.6.0_1.txz
    pkg add $REPOURL/py27-numexpr-2.6.2.txz
    pkg add $REPOURL/py27-pandas-0.20.1.txz

    # in order to correctly start up apache at boot time init script needs to be renamed
    cp /usr/local/etc/rc.d/apache24 /usr/local/etc/rc.d/apache24.sh

    # make apache autostart
    sed -i '' 's/apache24_enable=\"NO\"/apache24_enable=\"YES\"/' /usr/local/etc/rc.d/apache24.sh

    # load wsgi module
    sed -i '' 's/\#LoadModule wsgi_module libexec\/apache24\/mod_wsgi.so/LoadModule wsgi_module libexec\/apache24\/mod_wsgi.so/' /usr/local/etc/apache24/modules.d/270_mod_wsgi.conf

    # make apache listen on 8080 port
    sed -i '' 's/Listen 80$/Listen 8080/' /usr/local/etc/apache24/httpd.conf

    # and include the virtual hosts
    sed -i '' 's/\#Include etc\/apache24\/extra\/httpd-vhosts.conf/Include etc\/apache24\/extra\/httpd-vhosts.conf/' /usr/local/etc/apache24/httpd.conf
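sed exits successfully even when its pattern matches nothing, so a silently skipped edit is one of the errors worth watching for after prerequisites.sh. The check below is an added example, not part of the original scripts; it is written for /bin/sh rather than tcsh, the function name check_apache_prereqs is made up here, and the paths are the ones prerequisites.sh edits.

```shell
#!/bin/sh
# Added example (not part of prerequisites.sh): verify its sed edits applied.
# check_apache_prereqs is a hypothetical helper name.
# Usage: check_apache_prereqs HTTPD_CONF WSGI_CONF RC_SCRIPT
# Prints one line per failed check and returns the number of failures.
check_apache_prereqs() {
    httpd_conf=$1; wsgi_conf=$2; rc_script=$3
    failures=0
    fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

    # Apache must listen on 8080 and must no longer claim port 80,
    # which the pfSense UI already uses.
    grep -Eq '^[[:space:]]*Listen[[:space:]]+8080[[:space:]]*$' "$httpd_conf" \
        || fail "no active 'Listen 8080' in $httpd_conf"
    grep -Eq '^[[:space:]]*Listen[[:space:]]+80[[:space:]]*$' "$httpd_conf" \
        && fail "'Listen 80' is still active in $httpd_conf"

    # The virtual hosts include must be uncommented.
    grep -Eq '^[[:space:]]*Include[[:space:]]+etc/apache24/extra/httpd-vhosts\.conf' \
        "$httpd_conf" || fail "httpd-vhosts.conf is not included in $httpd_conf"

    # The mod_wsgi LoadModule line must be uncommented.
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+wsgi_module[[:space:]]' \
        "$wsgi_conf" || fail "wsgi_module is not loaded in $wsgi_conf"

    # The renamed rc script must have Apache enabled.
    grep -q 'apache24_enable="YES"' "$rc_script" \
        || fail "apache24_enable is not \"YES\" in $rc_script"

    return "$failures"
}

# Run against the real paths only where they exist (i.e. on the pfSense box).
if [ -f /usr/local/etc/apache24/httpd.conf ]; then
    check_apache_prereqs /usr/local/etc/apache24/httpd.conf \
        /usr/local/etc/apache24/modules.d/270_mod_wsgi.conf \
        /usr/local/etc/rc.d/apache24.sh \
        || echo "prerequisites.sh did not fully apply; fix the items above"
fi
```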
Now run the websafety.sh script by typing /bin/tcsh websafety.sh in the pfSense console (again, the /bin/tcsh path is important). It will download the latest stable build of Web Safety and adjust the Apache configuration for the Web UI.
    #!/bin/tcsh

    # see if websafety group exists
    echo "Searching for group websafety..."
    getent group websafety >/dev/null
    if ($status != 0) then
        echo "Group websafety is not found, please add it through pfSense Web UI."
        exit 1
    else
        echo "Group websafety already exists."
    endif

    # see if websafety user exists
    echo "Searching for user websafety..."
    getent passwd websafety >/dev/null
    if ($status != 0) then
        echo "User websafety is not found, please add it through pfSense Web UI."
        exit 2
    else
        echo "User websafety already exists."
    endif

    # how to check user websafety is in websafety group???

    # get latest version of diladele icap server
    fetch http://packages.diladele.com/websafety/184.108.40.2066A/amd64/release/freebsd11/websafety-6.3.0-amd64.txz

    # and install it
    pkg install -y websafety-6.3.0-amd64.txz

    # copy default apache virtual hosts file just in case
    cp -f /usr/local/etc/apache24/extra/httpd-vhosts.conf /usr/local/etc/apache24/extra/httpd-vhosts.conf.default

    # virtual hosts file needs to contain only web safety virtual host
    echo "Include /usr/local/etc/apache24/extra/websafety_virtual_host" > /usr/local/etc/apache24/extra/httpd-vhosts.conf

    # restart apache
    /usr/local/etc/rc.d/apache24.sh restart
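websafety.sh confirms that the user and the group exist but leaves the membership check as an open question in a comment. One way to do that check, as an added example that is not part of the original script: it is written for /bin/sh rather than tcsh, the function name user_in_group is made up here, and the two optional file arguments exist only so the logic can be exercised on sample data instead of live getent output.

```shell
#!/bin/sh
# Added example (not part of websafety.sh): is USER a member of GROUP?
# user_in_group is a hypothetical helper name.
# Usage: user_in_group USER GROUP [PASSWD_FILE GROUP_FILE]
# Returns 0 = member, 1 = not a member, 2 = user or group does not exist.
user_in_group() {
    user=$1; group=$2
    if [ $# -ge 4 ]; then
        # Offline mode: read passwd(5)/group(5) formatted files.
        pw_line=$(awk -F: -v n="$user" '$1 == n' "$3")
        gr_line=$(awk -F: -v n="$group" '$1 == n' "$4")
    else
        # Live mode: same lookups websafety.sh already performs.
        pw_line=$(getent passwd "$user" || true)
        gr_line=$(getent group "$group" || true)
    fi
    [ -n "$pw_line" ] && [ -n "$gr_line" ] || return 2

    # passwd: name:pw:uid:gid:...    group: name:pw:gid:member,member,...
    primary_gid=$(printf '%s\n' "$pw_line" | cut -d: -f4)
    group_gid=$(printf '%s\n' "$gr_line" | cut -d: -f3)
    members=$(printf '%s\n' "$gr_line" | cut -d: -f4)

    # Membership through the primary group never shows up in the member
    # list, so compare gids first.
    [ "$primary_gid" = "$group_gid" ] && return 0

    # Otherwise look for an exact name in the comma-separated member list.
    case ",$members," in
        *",$user,"*) return 0 ;;
    esac
    return 1
}

# On the pfSense box, before the fetch step:
#   user_in_group websafety websafety || {
#       echo "User websafety is not in group websafety."; exit 3; }
```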
Finally, reboot your pfSense box and log in to http://10.0.0.1:8080 with the user name root and the password Passw0rd to see the Admin UI of the Web Safety filter.