Version History

5.3.0.BA07 October 19, 2017

  • Added support for haproxy’s PROXY protocol, now it is possible to know the user’s IP in cluster deployments. Policies can be applied by the IP address/range/subnet and not by only Active Directory.
  • Kerberos REALM field is moved to UI/Squid/Auth/Kerberos. Now is possible to use NTLM or LDAP authentication without configuring any Kerberos setting at all.

Download Links: October 18, 2017

  • Added management sections for Squid cache (refresh patterns) and logging submodules to Admin UI.
  • New version of definition files database.
  • Added support for “brotli” transfer encoding, greatly improving filtering on YouTube and other Google services.
  • Improved correctness of traffic monitoring reports built over the Squid access logs.

Download Links: August 9, 2017

  • Added ability to bypass blocked page for designated policies. Bypass can also be done using tokens (passwords).
  • Added missing intermediate certificate storage management. It is now easy to implement HTTPS filtering for incorrectly configured HTTPS sites.
  • Web UI now generates only Peek-N-Splice HTTPS filtering directives for Squid. If you still have Squid 3.3.8 - DO NOT use this version. Peek-N-Splice requires at least Squid 3.5.23 (this version is used in our Virtual Appliance).

Download Links: May 30, 2017

  • Breaking changes: installation folder is now /opt/websafety instead of /opt/qlproxy, ICAP web filtering daemon and traffic monitor runs as websafety user instead of qlproxy user.
  • Added SSL Server Test tool that allows administrator to check for problems with HTTPS filter configuration in Squid. February 16, 2017

  • This version contains support for integration with Cisco ASA firewalls/routers using WCCP protocol and ability to automatically synchronize configuration among several filtering nodes.
  • Django updated from 1.6.11 to 1.8.17 (breaking change).
  • Added proxy authentication based on list of users (htpasswd) and pseudo proxy authentication by mapping IP addresses or MAC addresses of proxy clients to labels. December 10, 2016

  • This version contains new categorization database with a couple of new categories added and a little reorganized existing categories. It is finally also possible to re-categorize domains according to your wishes.
  • We have also added the ability to block all non categorized sites although this is not so much useful given the small number of entries in our categorization database. Hopefully when it grows with the help of fellow admins who enable re-categorization sync it will be much better.
  • Our final goal is fully functional Squid Web UI and this version brings the foundation to reach it. Now all Squid configuration is ready to be managed from Web UI (we have added all template generators for all squid configuration sections) but it will last a while until we are able to add all sections into Web UI. Please share which Squid settings you’d like to see first. November 10, 2016

  • Reimplemented YouTube Strict and Moderate filtering to match changes announced by Google
  • Added various reports based on Squid logs
  • Added ability to send reports to administrators e-mail.

4.6.0.CFA8 September 19, 2016

  • New Web UI to integrate your Squid proxy with Active Directory, with support for Kerberos, NTLM and LDAP (basic) authentication schemes. NTLM authenticator does not require Samba to be installed and transparently redirects NTLM requests to LDAP protocol on domain controllers.
  • Advanced policy schedules. It is now possible to specify several schedules for a given policy with granular time intervals. June 7, 2016

  • Added support for latest Peek-N-Splice HTTPS filtering on Squid 3.5+. This should ease deployment of the appliance in intercept (transparent) HTTPS filtering schemes.
  • The application now is capable of servicing PROXY.DAY and WPAD proxy autodetection files from Web UI.
  • Monitoring and reporting subsystem is further improved. It is now possible to store more monitoring events in the database before it reaches its limits. It is possible to store generated reports as PDF files.
  • Fixed several minor bugs in Web UI when deploying on pfSense 2.3 and FreeBSD 10.

4.4.0.C405 April 11, 2016

  • We have completely redesigned and reimplemented reporting subsystem. We now have several tens of various reports some of which support drill down. Each report can be scheduled and built independently of others. Default reports give a nice overview of top browsing IPs and users, top visited domains and number of processed requests and consumed bandwidth (with limitations).
  • This version also supports the blocking of HTTPS connect tunnels with user friendly messages, global SSL and ICAP exclusions, ability to import plain text files into configuration database and much more.

4.3.0.B716 December 6, 2015

  • Monitoring information is now collected and processed by a specific standalone monitoring server wsmgrd. It is responsible for upload of monitoring information into configured database and generation of Surfing Now real time information, Surfing History and reports. Report upload was heavily optimized so hopefully the ever running Python upload scripts are now history. Please take into account the report generation is still being done by Python so it may still be slow on huge traffic. We plan to concentrate on this in version 4.4.
  • We now added the Web UI for management of Root CA certificates for the Squid proxy. It is now very simple to generate your own trusted root SSL decryption certificate, back up or upload your own pre-generated certificate.
  • Web UI has a new and remastered dashboard with charts of CPU activity, RAM and SWAP used, various system information and history of last connections processed by Squid. Surfing Now and Surfing History allow searching for not only incident id as before but also for host, address, user name, etc.
  • New licensing scheme, please contact to convert your license key from KEY format to PEM.

4.2.0.CBF4 August 1, 2015

  • The reporting functionality was completely re-implemented. Now we have 5 groups of reports – bandwidth, policies, categories, users, ips and domains.
  • Administrative console was reorganized to match the improved reporting. Now the traffic monitoring module is a separate top level visual part of the UI.
  • Report generation code was moved to daily schedule to lower the stress of CPU and RAM during normal working hours.
  • Reporting now stores the approximate size of the request/response. Based on this we build our bandwidth reports. Please note this is an approximate size only taken from Content-Length field of HTTP.
  • Report now runs much faster.
  • It is now possible to exactly specify what verdicts need to be saved in monitoring database. We recommend saving only ‘blocked’ verdicts to lower the disk space requirements.
  • Added ability to block responses > N bytes long for a given policy.
  • Startup scripts of qlproxyd daemon are now upstart on Ubuntu 14.04 LTS and CentOS 6.
  • Added support for Debian 8 x86_64 Jessie based on systemd.
  • Fixed error in installer in CentOS 6. March 31, 2015

  • Ability to automatically exclude specific categories of sites from HTTPS filtering
  • Ability to do the HTTPS filtering for configured groups of users (policies) only
  • Ability to configure the lists of trusted categories and SSL exclusion categories
  • It is now possible to exclude from SSL filtering by IP address, domain name and IP subnet (useful for transparent HTTPS filtering deployment schemes).
  • Improved upload of monitoring data into SQLite / MySQL (now it works with URLs containing non Unicode symbols)
  • Now the program can be installed on Microsoft Windows to enable HTTPS / SSL filtering on the latest Squid 3.5 for Windows ( This is still experimental!
  • Ability to block requests based on User-Agent HTTP header.
  • A lot of small changes and improvements in the Web UI

4.0.0.FD85 January 20, 2015

  • Fixed ICAP error when filtering headers of HTTP response. It is still recommended to have the icap_service_failure_limit -1 line in your squid.conf file (just in case).
  • Fixed incorrect purging of stale monitoring data in SQLite deployments.
  • New and very much improved Web UI that will serve as a basis for all future additions. We now have place to implement most (if not all) features for managing not only qlproxy’s settings but also Squid’s settings from the Web UI. Hopefully in future you will seldom need to manually change the conf files.
  • Improved management of policies. It is now possible to clone existing policy when creating a new one. It is also possible to manage list of blocked categories, adblock and privacy subscriptions from within one page, reducing the overall number of clicks required to fully configure a policy.
  • New image filtering module (experimental). It is now possible to analyze JPEG pictures for skin color and block most of explicit images. Status of this feature is experimental so please do not use it in production environments yet. We are very eager to hear your ideas about quality of detection and still adjusting the heuristics to lower false positives.
  • Improved Surfing Now and Monitoring page. It is now possible to filter and group the monitoring records by user, domain, ip and top level domains. More info is stored in the monitoring database that acts as the basis for improvements in reports planned for 4.1 or 4.2 versions.
  • HTTP/HTTPS requests are now scanned too. This allows for filtering of explicit adult search terms in all search engines (including Google images).
  • Added support for viewing only school approved YouTube images using YouTube for Education subscription id.
  • Added support for using only specific domains in Google Apps for Business and Google Mail.
  • Various improvements in HTML deep inspection module (less false positives)
  • Support for Django 1.6.8 September 23, 2014

  • Trusted Categories - it is now possible to exclude categorized and well known domains from deep content inspection. If a domain is known to be part of a specific category then contents from this domain is not scanned for adult phrases. This greatly improves quality of web filtering on most educational and informational sites which are known to be free from adult only content (e.g. wikipedia will never be blocked now). Domains general in nature (like google search, youtube, bing, various blog platforms and social media) cannot be designated as trusted. It is possible to switch off this setting for locked or strict policies where no adult material should be allowed.
  • Redesigned and rewritten deep content inspection engine that now does better job of counting multiple instances of adult only words in text.
  • Redesigned categorization engine which now always does categorization for all domains. It is very easy to see what categories were assigned to a domain and what categories need to be blocked to prevent access to similar sites. The categorization database is much more compact, improving overall memory consumption of ICAP server.
  • Improved monitoring module allows grouping by users/IP addresses, domain names. It is now much easier to see what sites are browsed more often.
  • Added support for RedHat / CentOS 7 that now has HTTPS filtering capable Squid out of the box (with minor limitations)!

3.3.0.E807 August 11, 2014

  • Added support for custom categories. It is now very easy to add external blocking lists like URLBlackList or Shalla list.
  • Implemented advanced exclusions (gray listing in terms of Dansguardian). It is now possible to exclude searches from site categorization while leaving the adult phrase blocking in place.
  • Redesigned and much improved reporting subsystem, better support for single MySQL deployment of intercepted events and log aggregation from multiple filtering servers.
  • Redesigned Active Directory integration (LDAP groups in term of SquidGuard) and security group support checking from Web UI.
  • Added support for OpenSUSE 13.
  • Installation folder is now /opt/qlproxy. March 29, 2014

  • Microsoft Active Directory integration and support for using LDAP security groups as members of policy.
  • Updated online documentation instructions how to integrate qlproxy Virtual Appliance with Microsoft Active Directory using Kerberos and basic authentication.
  • Non office time filtering and lunch time filtering exclusions. It is now possible to setup different filtering levels for different hours, allowing for example for strict filtering during day and relaxed filtering during night hours.
  • Deployments with huge number of users and requirements to monitor all browsing history of users can easily store collected events in professional databases like MySQL.
  • Diladele Web Safety now is supported in transparent HTTP/HTTPS filtering setups. Our online documentation contains step-by-step instructions describing how to setup transparent SSL filtering without need to explicitly point browsers to Squid proxy. February 10, 2014

  • YouTube Safety Mode can be enforced for all browsers.
  • Safe Search can be enforced in Google, Microsoft Bing and Yahoo search engines.
  • It is now possible to mark domains and content types for ICAP bypass to speed up filtering.
  • Fixed startup dependency problems in CentOS and FreeBSD.
  • Improvements in file downloads mode, it is now better working with FTP over HTTP downloads.
  • Save and Restart/Reload page in Web UI is simplified.
  • Better integration with pfSense in Web UI.
  • HTTPS filtered domains are validated in Web UI preventing later Squid restart errors.
  • Squid related options in Web UI are now group into one tab.
  • Fixed a bug when default policy could be renamed.
  • Web UI checks for unsupported wildcard characters in domain names and exclusions.
  • Web UI now better validates configuration files by running /usr/sbin/squid -k parse. January 1, 2014

  • Numerous bug fixes and faster startup of the application
  • Fluid Web UI better looking and more convenient on desktop browsers
  • Dropped support for CentOS/RedHat 5
  • Added official support for Raspberry PI on ARM architecture December 6, 2013

  • Native support for 64-bit servers
  • Support for Debian 7 and Ubuntu 13.10
  • Support for FreeBSD 8 and FreeBSD 9 including FreeNAS and PfSense
  • Deep HTML inspection
  • Improved AdBlock module
  • Improved domain categorization module
  • Added Online Privacy module
  • Full featured Web Administrator Console
  • Numerous bug fixes and improvements

2.0.0.d746b June 07th, 2012

  • Installation on Ubuntu 12.04 now runs correctly.
  • Better handling of user names with dashes and dots in reports section of Web UI of qlproxy.
  • Blocked third level domains now block parent second level domain too.
  • It is now possible to configure the maximum size of text/html pages for deep content inspection engine. Default value increased to 300 Kb.
  • Block downloads by real file contents is now working correctly. April 16th, 2012

Fixed incorrect parsing of a domain name in CONNECT requests from browsers to Squid. Now it is possible to enforce web filtering on HTTPS request passed through Squid proxy. Due to the nature of CONNECT transactions only domain name web filtering modules (ad block, adult URL heuristics and URL categorization) are able to utilize this new functionality.

2.0.0.bb01d February 28th, 2012

  • Added support for policies (different settings for different proxy users) greatly improving usability of the program in educational institutions and enterprises.
  • Virtual Appliance is built using VMWare Virtual Studio and can be deployed on VMWare Server, Player, Workstation as well as ESX/ESXi.
  • Added support for installing the application of Debian 5, OpenSUSE 12, Windows 8 CP.
  • Improved quality of installation package on Ubuntu / Debian.
  • Improved Ad Block module memory usage and performance.
  • Web UI now shows full configuration information (still read only for now).
  • Updated Apache integration information for Python, virtualenv and Django.
  • Simplified configuration settings.
  • Improved exception list (added domain and subdomain exceptions)
  • Windows installation uses tasks in system Task Scheduler component.
  • Update scripts rewritten in cross platform Python, no need to enable Powershell scripts in Windows now. November 21st, 2011

  • Added support for installing the application of Fedora 16.
  • Report generation subsystem is rewritten to produce the reports faster and in real time (report conversion and upload from access logs are still done once a day)
  • Number of available usage reports is increased. All reports are grouped into four categories that allows for simple overview of what was blocked and for which user.

1.4.1.f7c1c October 17th, 2011

  • New and improved content inspection engine, aimed at detection of explicit language in HTML pages. Enabled by default.
  • New RTA (restricted to adults) detection engine that prevents access to web sites with explicitly restricted to adults content.
  • Added a weekly cron script to periodically check for a new version of the application on the QuintoLabs web site. October 3rd, 2011

HotFix release to handle the problem of intermittent crushes in AdBlock module. September 6th, 2011

  • Added “File Type Filtering Module” that could be used to easily identify executables or other types of files by looking at real file contents (up to 4096 Kb).
  • Implemented brute-force content inspection module used to search contents of downloaded web pages for adult or explicit contents. It allows the administrator to filter web pages based on their real contents often faster than URL and Domain block modules did before.
  • The application now supports sophisticated “trickled” inspection logic to be able to scan contents of huge files being downloaded through Squid.
  • Two phase scanner is implemented. It allows an inspection module to skip scanning large number of files that are known to be safe and that do not need filtering.
  • AdBlock module is greatly improved. It now uses a transparent .gif file to imitate the blocked advertisement which in turn leads to better looking web pages without ads (most notably in Microsoft Internet Explorer).
  • Improved ICAP RFC compliance when qlproxy detects errors in ICAP transactions, unavailable resources or incorrect internal states.
  • Improved file name parsing algorithm for Microsoft IIS servers. The detect ratio for File Name Blocking Module is greatly improved.
  • ICAP mode of integration now supports ‘redirect’ action for a detected objects.
  • Objects with gzip transfer encoding are also inspected by all modules now.
  • Fixed a typo in the configuration parser module when disabling AdBlock also leads to disable Parental Controls module.
  • Tiny Proxy Virtual Appliance are now packed with README file.
  • Dropped support for Debian 5 and Fedora 13.
  • Added support for dumping inspected objects to temporary files in /var/opt/quintolabs/qlproxy/tmp to ease debugging scenarios.
  • Internal ICAP protocol tests are deployed with the application in /opt/quintolabs/qlproxy/bin/tests.

1.3.418.0 June 7th, 2011

  • Added alpha support for installing Content Security on Microsoft Windows Platforms. It is now possible to integrate Content Security as URL rewriter for Squid 2.7+ running on the same Windows box or deploy Content Security as standalone ICAP server for Squid 3+ running on separate boxes. The filtering functionality works fully but additional functionality remains to be implemented (automatic updates of definition files and reports generation).
  • Reports web page was redesigned, it now displays in read only mode the current configuration of the qlproxy, latest results of log rotation, cron daily jobs and URLs blocked.
  • Installation folders have been reorganized, the application is now installed in /opt and /var/opt according to Linux File System Standard.
  • Fixed SIGPIPE and daemon termination error under stress conditions.
  • Advertisement Blocking Engine is rewritten, it now supports more filters from AdBlock Plus based subscriptions and correctly processes domain exclusions and white lists.
  • File Name Blocking is improved as it parses more file names out of HTTP responses and thus quality of file name blocking is greatly increased.
  • Install package naming convention changed, it now contains the name of the Linux distribution (e.g. ubuntu, debian, suse).
  • QuintoLabs Virtual Appliance updated and is now based on Debian 6. The root is explicitly granted a P@ssw0rd that makes it easier for administrators to adjust the appliance to their needs.
  • Some minor changes in logrotate and cron scripts
  • The ‘URL is blocked’ page now contains the actual filter that blocked the URL in advertisement module. It greatly increases the efforts needed to understand the reasons of possible false positives.
  • The intercepted HTTP requests and responses could now be dumped into a temporary directory.
  • Created initial SELinux policy that confines qlproxyd daemon. It is installed in /opt/quintolabs/qlproxy/usr/share/selinux and must be compiled by the administrator manually. May 8th, 2011

Possible bug with incorrect URI scheme parsing is fixed. The bug occurred only under specific conditions and did not influence all installations. Only those affected by the bug are advised to upgrade. April 3rd, 2011

The serious bug of incorrect classification of URL as advertisement was fixed. The reason of the bug is incorrect parsing of one of the “easy list” filters that starts with http:// and should have been applied to one web site only and NOT to all web sites as did AdBlock module of Content Security. March 16th, 2011

  • Debian Linux 5 and 6 are now supported.
  • OpenSUSE 11.3 and SUSE Enterprise Linux are supported (as binary TGZ package).
  • Added support for ICAP RESPMOD (response modification).
  • Adjusted naming scheme for DEB and RPM packages. The previous versions of the program are now correctly detected as obsolete.
  • Updated installation instructions for RedHat 5+, !CentOS 5+ with !SELinux enabled
  • AdBlock module performance and accuracy are greatly improved.
  • Fixed possible endless loop in AdBlock module.
  • Fixed incorrect handling of * (star) filter in Easy Privacy module.
  • Content Blocking module is now active, allows blocking of downloads by Content-Type, Charset, Encoding and File Name.
  • Parental Control (Adult Block) Filter is now a separate module.
  • Configuration files for modules have been renamed to make it easy to find the configuration file for a given module.
  • Heuristics used in Parental Control module is enhanced to allow easy blocking of inappropriate Google Images.
  • Introduced a new module (HTTP method filtering) that lets administrator block the inappropriate HTTP methods (like DAV over HTTP).
  • Reports HTML are redesigned, allowing for easy incidents filtering.
  • Detection of reason for blocking is improved (incident id is displayed in the Blocked Page Template).
  • Access log statistics are now kept for the last 30 days only.
  • Pthread stack size is now 1Mb instead of 8Mb thus virtual memory requirements of the qlproxyd daemon is decreased. January 24th, 2011

  • Added support for ICAP REQMOD (request modification).
  • Improved performance due to use of multithreading in the qlproxy daemon.
  • Added support for ArchLinux operating system.
  • Log file access.log now contains the incident id that lets administrator easily find the reason why a specific URL was blocked.
  • Disk I/O is optimized if no log files are configured in the qlproxy.conf.
  • Uninstall removes orphan files from /etc.

1.0.950.0 November 28th, 2010

  • This is the first release of the application.