Web Safety and Squid

We will first decrypt HTTPS requests using the Squid proxy and then filter them using the Web Safety ICAP web filter. Both the proxy and the web filter are managed through a browser-based Admin UI.

Note

Web Safety is a simple-to-manage yet powerful web filtering server that provides rich content and web filtering functionality to sanitize Internet traffic passing into an internal home or enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content.

The HTTPS protocol was designed to provide a secure means of communication between Internet browsers and remote web servers. To achieve this goal, HTTPS encrypts data passing through established connections so that it cannot be decrypted in a reasonable amount of time, preventing anyone from sniffing the contents exchanged over such connections. The protocol was primarily invented to enable safe and secure communication between the user and financial sites or government institutions over an insecure medium such as the Internet.

Nowadays almost all web sites support HTTPS connections. Although there is no doubt that HTTPS encryption is good for safety on the wire, it also creates several problems for the controlled networks typically found at homes and offices. The main problem is the essence of the HTTPS protocol itself: no one except the browser and the web server is able to see, and thus filter, the transferred data. This may not always be desired. Content that is usually blocked suddenly becomes accessible to anyone. As an example, imagine a school network where minors can see questionable content just by mistyping a search term in Google. Moreover, the law often forces administrators in educational institutions to block access to such content (e.g. CIPA for educational environments), and encrypted access to web sites makes it nearly impossible to fulfil such an obligation.

To overcome these limitations we will set up HTTPS decryption using the SSL mimicking capabilities of the Squid proxy server and filter the decrypted traffic using the Web Safety web filter. The article How it Works explains exactly how this is implemented.

Download and deploy the Web Safety virtual machine from the https://www.diladele.com/download.html page. In the Admin UI, configure the static IP address as 10.0.0.10 with a 255.255.255.0 netmask and the gateway pointing to our pfSense firewall. Point the DNS settings to the IP address of the Dns Safety instance we installed in the previous step (10.0.0.2) and reboot the machine.


After restart, point your browser to use the newly deployed filtering proxy and try browsing the web.


You should be able to see the web requests in the Traffic Monitor / Surfing Now section of the Admin UI.


The final step is to enable HTTPS decryption as explained in the article Enable HTTPS Filtering in Admin UI, and to install the trusted Root CA certificate as explained in the article Install Trusted Certificates.
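
To confirm from a client that the final step took effect, the following added example (not part of the Web Safety documentation) reads the certificate issuer seen through the proxy and reports whether the connection was decrypted or tunnelled untouched. Assumptions: the proxy listens on Squid's default port 3128, curl is built against OpenSSL, the CA common name is a placeholder for your own, and the sample curl output is constructed.

```shell
#!/bin/sh
PROXY="http://10.0.0.10:3128"        # IP from this page; port 3128 is an assumption
PROXY_CA_CN="Example Proxy Root CA"  # placeholder: CN of the Root CA you installed

# Constructed samples of `curl -v` output (OpenSSL backend), not real captures.
SAMPLE_BUMPED='* Server certificate:
*  subject: CN=www.example.com
*  issuer: C=NL; O=Example; CN=Example Proxy Root CA'
SAMPLE_DIRECT='* Server certificate:
*  subject: CN=www.example.com
*  issuer: C=US; O=Example Public CA; CN=Example Public CA G1'

# Extract the issuer from `curl -v` output supplied on stdin.
issuer_of() {
    sed -n 's/^\*  *issuer: *//p' | head -n 1
}

# decrypted   -> the certificate was minted by the proxy CA (mimicked cert)
# passthrough -> the site's original certificate reached the client
# unknown     -> no handshake seen (proxy unreachable, request blocked, ...)
classify() {
    case "$1" in
        "") echo unknown ;;
        *"CN=$PROXY_CA_CN"*) echo decrypted ;;
        *) echo passthrough ;;
    esac
}

# Live check. -k is used only to read the issuer even when the CA is not
# yet trusted; trust itself is tested separately by ca_trusted.
check_site() {
    classify "$(curl -skv -o /dev/null --max-time 15 -x "$PROXY" \
        "https://$1/" 2>&1 | issuer_of)"
}

# Succeeds only if curl's trust store accepts the certificate it is shown.
ca_trusted() {
    curl -s -o /dev/null --max-time 15 -x "$PROXY" "https://$1/"
}

# Usage: sh check_bump.sh www.example.com
if [ "$#" -gt 0 ]; then
    echo "$1: $(check_site "$1")"
    if ca_trusted "$1"; then echo "certificate trusted by this client"
    else echo "certificate NOT trusted (or request failed)"; fi
fi
```

curl consults the system trust store, so a "NOT trusted" result here can differ from a browser that keeps its own certificate store.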