Install Web Safety for Squid Proxy

HTTPS decryption alone is not enough to block questionable web content. We also need a filtering server that can be paired with Squid. We will use Web Safety ICAP Server for the filtering and blocking part. This server integrates with an existing Squid proxy and provides rich content filtering functionality out of the box. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content.

We will use the latest version of Web Safety. It was designed specifically with HTTPS filtering in mind and contains a rich web administration console to perform routine tasks right from the browser.

By default, Web Safety comes with 4 policies preinstalled. The strict policy has its web filter settings at the maximum level and is meant to protect minors and K12 students from inappropriate content on the Internet. The relaxed policy blocks only excessive advertisements and is meant for network administrators, teachers and all those who do not need filtered access to the web but would like to avoid most ads. The third policy is tailored to whitelist-only browsing, and the last one contains less restrictive web filtering settings suitable for normal web browsing without explicitly adult content shown.

Web Safety runs as the websafety user and group. Normally it creates those upon installation, but for some reason they are not preserved across reboots, so we must create the required user and group manually. Go to System / User Manager, select the Groups tab and add a new group websafety.


Click Save and then select the Users tab to add a new user websafety. Do not forget to make it a member of the websafety group. Enter some arbitrary password.


Again click Save.


In order to install all required libraries and programs, we will use two scripts - the first one for all dependencies and the second one for the actual installation of the Web Safety filter. Both scripts are present in this archive.

Run the following prerequisites.sh script in the console of the pfSense box as /bin/tcsh prerequisites.sh (please note that the path to /bin/tcsh is important). This script installs all prerequisites for the Apache web server and configures it to serve Web Safety’s Admin UI on port 8080 (as the standard port 80 is already taken by the pfSense UI).

The command should be run from the pfSense command line (e.g. using PuTTY). You might need to enable SSH access to the pfSense box to upload the scripts. Please watch out for possible errors!

#!/bin/tcsh

# in pfsense 2.4 a lot of packages were removed from default repository
setenv REPOURL http://pkg.freebsd.org/FreeBSD:11:amd64/release_1/All

# install apache 24
pkg add $REPOURL/gdbm-1.13_1.txz
pkg add $REPOURL/db5-5.3.28_6.txz
pkg add $REPOURL/apr-1.5.2.1.5.4_2.txz
pkg add $REPOURL/apache24-2.4.26.txz
pkg add $REPOURL/ap24-mod_wsgi4-4.5.15.txz
pkg add $REPOURL/sudo-1.8.20p2_2.txz

# install django and sqlite modules for python
pkg add $REPOURL/py27-setuptools-36.0.1.txz
pkg add $REPOURL/py27-sqlite3-2.7.13_7.txz
pkg add $REPOURL/py27-django111-1.11.2.txz
pkg add $REPOURL/py27-pytz-2016.10,1.txz
pkg add $REPOURL/python2-2_3.txz
pkg add $REPOURL/py27-pyasn1-0.2.2.txz
pkg add $REPOURL/py27-pyasn1-modules-0.0.9.txz
pkg add $REPOURL/py27-ldap-2.4.39.txz
pkg add $REPOURL/py27-six-1.10.0.txz
pkg add $REPOURL/py27-enum34-1.1.6.txz
pkg add $REPOURL/py27-pycparser-2.10.txz
pkg add $REPOURL/py27-cffi-1.7.0.txz
pkg add $REPOURL/py27-idna-2.5.txz
pkg add $REPOURL/py27-ipaddress-1.0.18.txz
pkg add $REPOURL/py27-cryptography-1.7.2.txz
pkg add $REPOURL/py27-openssl-16.2.0.txz

# numpy and pandas
pkg add $REPOURL/binutils-2.28,1.txz
pkg add $REPOURL/gcc-ecj-4.5.txz
pkg add $REPOURL/mpfr-3.1.5_1.txz
pkg add $REPOURL/mpc-1.0.3.txz
pkg add $REPOURL/gcc5-5.4.0_2.txz
pkg add $REPOURL/blas-3.5.0_3.txz
pkg add $REPOURL/cblas-1.0_6.txz
pkg add $REPOURL/lapack-3.5.0_2.txz
pkg add $REPOURL/suitesparse-4.0.2_6.txz
pkg add $REPOURL/openblas-0.2.19_1,1.txz
pkg add $REPOURL/py27-numpy-1.11.2_3,1.txz
pkg add $REPOURL/py27-bottleneck-1.2.1.txz
pkg add $REPOURL/py27-dateutil-2.6.0_1.txz
pkg add $REPOURL/py27-numexpr-2.6.2.txz
pkg add $REPOURL/py27-pandas-0.20.1.txz

# in order to correctly start up apache at boot time init script needs to be renamed
cp /usr/local/etc/rc.d/apache24 /usr/local/etc/rc.d/apache24.sh

# make apache autostart
sed -i '' 's/apache24_enable=\"NO\"/apache24_enable=\"YES\"/' /usr/local/etc/rc.d/apache24.sh

# load wsgi module
sed -i '' 's/\#LoadModule wsgi_module        libexec\/apache24\/mod_wsgi.so/LoadModule wsgi_module        libexec\/apache24\/mod_wsgi.so/' /usr/local/etc/apache24/modules.d/270_mod_wsgi.conf

# make apache listen on 8080 port
sed -i '' 's/Listen 80$/Listen 8080/' /usr/local/etc/apache24/httpd.conf

# and include the virtual hosts
sed -i '' 's/\#Include etc\/apache24\/extra\/httpd-vhosts.conf/Include etc\/apache24\/extra\/httpd-vhosts.conf/' /usr/local/etc/apache24/httpd.conf

Now run the websafety.sh script by typing /bin/tcsh websafety.sh in the pfSense console (again, the /bin/tcsh path is important here). It will download the latest stable build of Web Safety and adjust the Apache configuration for the Web UI.

#!/bin/tcsh

# see if websafety group exists
echo "Searching for group websafety..."
getent group websafety >/dev/null
if ($status != 0) then
    echo "Group websafety is not found, please add it through pfSense Web UI."
    exit 1
else
    echo "Group websafety already exists."
endif

# see if websafety user exists
echo "Searching for user websafety..."
getent passwd websafety >/dev/null
if ($status != 0) then
    echo "User websafety is not found, please add it through pfSense Web UI."
    exit 2
else
    echo "User websafety already exists."
endif

# how to check user websafety is in websafety group???

# get latest version of diladele icap server
fetch http://packages.diladele.com/websafety/6.3.0.456A/amd64/release/freebsd11/websafety-6.3.0-amd64.txz

# and install it
pkg install -y websafety-6.3.0-amd64.txz

# copy default apache virtual hosts file just in case
cp -f /usr/local/etc/apache24/extra/httpd-vhosts.conf /usr/local/etc/apache24/extra/httpd-vhosts.conf.default

# virtual hosts file needs to contain only web safety virtual host
echo "Include /usr/local/etc/apache24/extra/websafety_virtual_host" > /usr/local/etc/apache24/extra/httpd-vhosts.conf

# restart apache
/usr/local/etc/rc.d/apache24.sh restart
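
The check left open in websafety.sh (is user websafety a member of group websafety?) together with an integrity check for the archive that the script fetches over plain HTTP, as an added example that is not part of the original scripts. It is written for /bin/sh rather than tcsh; the helper names and the EXPECTED_SHA256 placeholder are assumptions, and the real checksum has to come from the vendor through a trusted channel.

```shell
#!/bin/sh
# Added example, not part of the original scripts: pre-install checks.

# Succeeds if group $2 is in the space-separated list $1 (`id -Gn` output).
in_group_list() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 0; fi
    done
    return 1
}

# Succeeds if user $1 exists and belongs to group $2.
user_in_group() {
    ug_list=$(id -Gn "$1" 2>/dev/null) || return 1
    in_group_list "$ug_list" "$2"
}

# Prints the hex SHA-256 of file $1. FreeBSD ships sha256(1);
# sha256sum and openssl are fallbacks for other systems.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= *//'
    fi
}

# Succeeds only if file $1 exists and its SHA-256 equals $2.
verify_pkg() {
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# Run between the fetch and the pkg install steps of websafety.sh.
# EXPECTED_SHA256 is a placeholder; the page does not publish a checksum.
PKG=websafety-6.3.0-amd64.txz
EXPECTED_SHA256="REPLACE_WITH_VENDOR_SUPPLIED_SHA256"
if [ -f "$PKG" ]; then
    user_in_group websafety websafety || echo "websafety is not in group websafety"
    if verify_pkg "$PKG" "$EXPECTED_SHA256"; then
        echo "checksum OK: pkg install -y $PKG"
    else
        echo "checksum mismatch: do not install $PKG"
        exit 3
    fi
fi
```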

Finally, reboot your pfSense box and log in to http://10.0.0.1:8080 using the root and Passw0rd credentials to see the Admin UI of the Web Safety filter. These are default credentials, so change the password once you are logged in.


Important

It may happen that at the time of installation the trial license built into the installer has already expired. In this case, get the free trial license.pem file from support@diladele.com and install it as explained in the article How to install the license key?