blob: d1c2ca2e11ba5108f7ce7aa2a3d5b706df313bda (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
Webproxy
--------
The proxy service in VyOS is based on Squid3 and some related modules.
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of
uses, including speeding up a web server by caching repeated requests,
caching web, DNS and other computer network lookups for a group of people
sharing network resources, and aiding security by filtering traffic. Although
primarily used for HTTP and FTP, Squid includes limited support for several
other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does
not support the SOCKS protocol.
All examples here assumes that your inside ip address is ``192.168.0.1``.
Replace with your own where applicable.
URL Filtering is provided by Squidguard_.
Configuration
^^^^^^^^^^^^^^
.. code-block:: sh
# Enable proxy service
set service webproxy listen-address 192.168.0.1
# By default it will listen to port 3128. If you wan't something else you have to define that.
set service webproxy listen-address 192.168.0.1 port 2050
# By default the transparent proxy on that interface is enabled. To disable that you simply
set service webproxy listen-address 192.168.0.1 disable-transparent
# Block specific urls
set service webproxy url-filtering squidguard local-block myspace.com
# If you want to you can log these blocks
set service webproxy url-filtering squidguard log local-block
Options
*******
Filtering by category
^^^^^^^^^^^^^^^^^^^^^
If you wan't to use existing blacklists you have to create/download a database
first. Otherwise you will not be able to commit the config changes.
.. code-block:: sh
vyos@vyos# commit
[ service webproxy ]
Warning: no blacklists installed
Unknown block-category [ads] for policy [default]
[[service webproxy]] failed
Commit failed
* Download/Update complete blacklist
:code:`update webproxy blacklists`
* Download/Update partial blacklist
:code:`update webproxy blacklists category ads`
Use tab completion to get a list of categories.
* To auto update the blacklist files
:code:`set service webproxy url-filtering squidguard auto-update update-hour 23`
* To configure blocking add the following to the configuration
:code:`set service webproxy url-filtering squidguard block-category ads`
:code:`set service webproxy url-filtering squidguard block-category malware`
Authentication
^^^^^^^^^^^^^^
TBD: https://wiki.vyos.net/wiki/Web_proxy_LDAP_authentication
Adjusting cache size
^^^^^^^^^^^^^^^^^^^^
The size of the proxy cache can be adjusted by the user.
.. code-block:: sh
set service webproxy cache-size
Possible completions:
<0-4294967295>
Disk cache size in MB (default 100)
0 Disable disk caching
100
Bypassing the webproxy
^^^^^^^^^^^^^^^^^^^^^^
Some services don't work correctly when being handled via a web proxy.
So sometimes it is useful to bypass a transparent proxy:
* To bypass the proxy for every request that is directed to a specific
destination:
:code:`set service webproxy whitelist destination-address 1.2.3.4`
:code:`set service webproxy whitelist destination-address 4.5.6.0/24`
* To bypass the proxy for every request that is coming from a specific source:
:code:`set service webproxy whitelist source-address 192.168.1.2`
:code:`set service webproxy whitelist source-address 192.168.2.0/24`
(This can be useful when a called service has many and/or often changing
destination addresses - e.g. Netflix.)
.. include:: references.rst
|