From 9a04c5abf4f2b7f961975ee61aede4ec9e99b565 Mon Sep 17 00:00:00 2001
From: kmpm
Date: Sun, 20 Jan 2019 12:11:31 +0100
Subject: services in own folder

* splitting services into multiple files in its own folder
* making image links absolute
* some linting
---
docs/services/webproxy.rst | 123 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)
create mode 100644 docs/services/webproxy.rst

(limited to 'docs/services/webproxy.rst')

diff --git a/docs/services/webproxy.rst b/docs/services/webproxy.rst new file mode 100644 index 00000000..b739e479 --- /dev/null +++ b/docs/services/webproxy.rst 
@@ -0,0 +1,123 @@ +Webproxy +-------- + +The proxy service in VyOS is based on Squid3 and some related modules. + +Squid is a caching and forwarding HTTP web proxy. It has a wide variety of +uses, including speeding up a web server by caching repeated requests, +caching web, DNS and other computer network lookups for a group of people +sharing network resources, and aiding security by filtering traffic. Although +primarily used for HTTP and FTP, Squid includes limited support for several +other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does +not support the SOCKS protocol. + +All examples here assumes that your inside ip address is ``192.168.0.1``. +Replace with your own where applicable. + +URL Filtering is provided by Squidguard_. + +Configuration +^^^^^^^^^^^^^^ + +.. code-block:: sh + + # Enable proxy service + set service webproxy listen-address 192.168.0.1 + + # By default it will listen to port 3128. If you wan't something else you have to define that. + set service webproxy listen-address 192.168.0.1 port 2050 + + # By default the transparent proxy on that interface is enabled. To disable that you simply + set service webproxy listen-address 192.168.0.1 disable-transparent + + # Block specific urls + set service webproxy url-filtering squidguard local-block myspace.com + + # If you want to you can log these blocks + set service webproxy url-filtering squidguard log local-block + + +Options +******* + +Filtering by category +^^^^^^^^^^^^^^^^^^^^^ + +If you wan't to use existing blacklists you have to create/download a database +first. Otherwise you will not be able to commit the config changes. + +.. 
code-block:: sh + + vyos@vyos# commit + [ service webproxy ] + Warning: no blacklists installed + Unknown block-category [ads] for policy [default] + + [[service webproxy]] failed + Commit failed + +* Download/Update complete blacklist + + :code:`update webproxy blacklists` + +* Download/Update partial blacklist + + :code:`update webproxy blacklists category ads` + + Use tab completion to get a list of categories. + +* To auto update the blacklist files + + :code:`set service webproxy url-filtering squidguard auto-update update-hour 23` + +* To configure blocking add the following to the configuration + + :code:`set service webproxy url-filtering squidguard block-category ads` + + :code:`set service webproxy url-filtering squidguard block-category malware` + +Authentication +^^^^^^^^^^^^^^ + +TBD: https://wiki.vyos.net/wiki/Web_proxy_LDAP_authentication + +Adjusting cache size +^^^^^^^^^^^^^^^^^^^^ + +The size of the proxy cache can be adjusted by the user. + +.. code-block:: sh + + set service webproxy cache-size + Possible completions: + <0-4294967295> + Disk cache size in MB (default 100) + 0 Disable disk caching + 100 + +Bypassing the webproxy +^^^^^^^^^^^^^^^^^^^^^^ + +Some services don't work correctly when being handled via a web proxy. +So sometimes it is useful to bypass a transparent proxy: + +* To bypass the proxy for every request that is directed to a specific + destination: + + :code:`set service webproxy whitelist destination-address 1.2.3.4` + + :code:`set service webproxy whitelist destination-address 4.5.6.0/24` + + +* To bypass the proxy for every request that is coming from a specific source: + + :code:`set service webproxy whitelist source-address 192.168.1.2` + + :code:`set service webproxy whitelist source-address 192.168.2.0/24` + + (This can be useful when a called service has many and/or often changing + destination addresses - e.g. Netflix.) + + +.. _Squid3: http://www.squid-cache.org/ +.. 
_Squidguard: http://www.squidguard.org/ -- cgit v1.2.3 From 1ac4afa392eb4c077507cf3866ebc1b8b3cb1793 Mon Sep 17 00:00:00 2001 From: kmpm Date: Sun, 20 Jan 2019 16:13:07 +0100 Subject: fixed erroneous targets --- docs/services/dynamic-dns.rst | 3 +-- docs/services/index.rst | 2 ++ docs/services/lldp.rst | 6 +----- docs/services/references.rst | 13 +++++++++++++ docs/services/snmp.rst | 5 +---- docs/services/ssh.rst | 2 +- docs/services/tftp.rst | 2 -- docs/services/webproxy.rst | 4 +--- 8 files changed, 20 insertions(+), 17 deletions(-) create mode 100644 docs/services/references.rst (limited to 'docs/services/webproxy.rst') diff --git a/docs/services/dynamic-dns.rst b/docs/services/dynamic-dns.rst index dcb9c155..67de6471 100644 --- a/docs/services/dynamic-dns.rst +++ b/docs/services/dynamic-dns.rst @@ -149,5 +149,4 @@ address for the response. ddclient_ will skip any address located before the string set in `[skip]`. -.. _ddclient: http://sourceforge.net/p/ddclient/wiki/Home/ -.. _RFC2136: https://www.ietf.org/rfc/rfc2136.txt +.. include:: references.rst diff --git a/docs/services/index.rst b/docs/services/index.rst index a138c961..80405ef7 100644 --- a/docs/services/index.rst +++ b/docs/services/index.rst @@ -1,5 +1,7 @@ .. _services: +.. include:: references.rst + Services ======== diff --git a/docs/services/lldp.rst b/docs/services/lldp.rst index 88df9b20..6a3bee7b 100644 --- a/docs/services/lldp.rst +++ b/docs/services/lldp.rst @@ -94,8 +94,4 @@ Troubleshooting Use operationnal command ``show log lldp`` to display logs. - -.. _`Cisco Discovery Protocol`: https://en.wikipedia.org/wiki/Cisco_Discovery_Protocol -.. _`Foundry Discovery Protocol`: https://en.wikipedia.org/wiki/Foundry_Discovery_Protocol -.. _MIB: https://en.wikipedia.org/wiki/Management_information_base -.. _SNMP: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol +.. include:: references.rst 
diff --git a/docs/services/references.rst b/docs/services/references.rst new file mode 100644 index 00000000..6e6e9595 --- /dev/null +++ b/docs/services/references.rst @@ -0,0 +1,13 @@ +.. _`Cisco Discovery Protocol`: https://en.wikipedia.org/wiki/Cisco_Discovery_Protocol +.. _ddclient: http://sourceforge.net/p/ddclient/wiki/Home/ +.. _`Foundry Discovery Protocol`: https://en.wikipedia.org/wiki/Foundry_Discovery_Protocol +.. _MIB: https://en.wikipedia.org/wiki/Management_information_base +.. _RFC2136: https://www.ietf.org/rfc/rfc2136.txt +.. _SNMP: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol +.. _SNMPv2: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_2 +.. _SNMPv3: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_3 +.. _SSH: https://en.wikipedia.org/wiki/Secure_Shell +.. _Squid3: http://www.squid-cache.org/ +.. _Squidguard: http://www.squidguard.org/ +.. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol + diff --git a/docs/services/snmp.rst b/docs/services/snmp.rst index ac79f700..e11e3969 100644 --- a/docs/services/snmp.rst +++ b/docs/services/snmp.rst @@ -177,7 +177,4 @@ After commit the resulting configuration will look like: } -.. _SNMP: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol -.. _SNMPv2: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_2 -.. _SNMPv3: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Version_3 -.. _MIB: https://en.wikipedia.org/wiki/Management_information_base +.. include:: references.rst diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst index a8da9154..4d96f8de 100644 --- a/docs/services/ssh.rst +++ b/docs/services/ssh.rst @@ -147,4 +147,4 @@ as the ``vyos`` user using their own keys. set system login user vyos authentication public-keys 'xrobau' type ssh-rsa -.. _SSH: https://en.wikipedia.org/wiki/Secure_Shell + 
diff --git a/docs/services/tftp.rst b/docs/services/tftp.rst index 524c8e5e..96b33a65 100644 --- a/docs/services/tftp.rst +++ b/docs/services/tftp.rst @@ -40,5 +40,3 @@ The resulting configuration will look like: listen-address 10.10.1.1 } - -.. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol diff --git a/docs/services/webproxy.rst b/docs/services/webproxy.rst index b739e479..d1c2ca2e 100644 --- a/docs/services/webproxy.rst +++ b/docs/services/webproxy.rst @@ -118,6 +118,4 @@ So sometimes it is useful to bypass a transparent proxy: (This can be useful when a called service has many and/or often changing destination addresses - e.g. Netflix.) - -.. _Squid3: http://www.squid-cache.org/ -.. _Squidguard: http://www.squidguard.org/ +.. include:: references.rst -- cgit v1.2.3
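Review bot: In the first patch ("services in own folder"), the "Bypassing the webproxy" section of the new docs/services/webproxy.rst lists "whitelist destination-address" and "whitelist source-address" without saying that requests which bypass the proxy also skip the squidguard "local-block" and "block-category" rules and the "log local-block" logging documented earlier in the same file. Add a sentence stating that, and advise using the narrowest address or prefix that solves the problem. Smaller points in the same hunk: "Squid3" in the opening paragraph has no trailing underscore, so the ".. _Squid3:" target at the end of the file is never used; "SSL,[6]" carries a leftover citation marker; the comment "To disable that you simply" ends mid-sentence; and the "Options" heading has no body because the next heading reuses the "^" underline of "Configuration".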
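Review bot: In the second patch ("fixed erroneous targets"), the docs/services/index.rst hunk puts ".. include:: references.rst" between the ".. _services:" label and the "Services" title, so the label no longer sits directly above the heading it is meant to mark and is instead followed by the external link targets pulled in from references.rst. Move the include below the title, or to the end of the file as the other hunks do, so that references to "services" still resolve to the section.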
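Review bot: In the second patch, the new docs/services/references.rst keeps the ".rst" suffix inside the docs tree and is pulled into several pages with ".. include::", so check that the documentation build does not also treat it as a standalone page; a suffix the build does not treat as a source file, or an explicit exclude, avoids that. The file also ends with a blank added line ("+" with no content) that can be dropped.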
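Review bot: In the second patch, the docs/services/ssh.rst hunk deletes ".. _SSH: https://en.wikipedia.org/wiki/Secure_Shell" and adds only an empty line, whereas dynamic-dns.rst, lldp.rst, snmp.rst and webproxy.rst each get ".. include:: references.rst" in place of their removed targets. If ssh.rst still uses the SSH link anywhere, it is now undefined; add the include here as well, since references.rst already carries the "_SSH" target.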
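Review bot: In the second patch, the docs/services/tftp.rst hunk is deletions only (the diffstat shows "2 --"): the ".. _TFTP:" target and the blank line before it are removed with no ".. include:: references.rst" added, although the "_TFTP" target was moved into references.rst. Confirm the page does not reference that link any more, or add the include at the end of the file.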