1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
Webproxy
--------
The proxy service in VyOS is based on Squid3 and some related modules.
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of
uses, including speeding up a web server by caching repeated requests,
caching web, DNS and other computer network lookups for a group of people
sharing network resources, and aiding security by filtering traffic. Although
primarily used for HTTP and FTP, Squid includes limited support for several
other protocols including Internet Gopher, SSL,[6] TLS and HTTPS. Squid does
not support the SOCKS protocol.
All examples here assumes that your inside ip address is ``192.168.0.1``.
Replace with your own where applicable.
URL Filtering is provided by Squidguard_.
Configuration
^^^^^^^^^^^^^^
.. code-block:: sh
# Enable proxy service
set service webproxy listen-address 192.168.0.1
# By default it will listen to port 3128. If you wan't something else you have to define that.
set service webproxy listen-address 192.168.0.1 port 2050
# By default the transparent proxy on that interface is enabled. To disable that you simply
set service webproxy listen-address 192.168.0.1 disable-transparent
# Block specific urls
set service webproxy url-filtering squidguard local-block myspace.com
# If you want to you can log these blocks
set service webproxy url-filtering squidguard log local-block
Options
*******
Filtering by category
^^^^^^^^^^^^^^^^^^^^^
If you wan't to use existing blacklists you have to create/download a database
first. Otherwise you will not be able to commit the config changes.
.. code-block:: sh
vyos@vyos# commit
[ service webproxy ]
Warning: no blacklists installed
Unknown block-category [ads] for policy [default]
[[service webproxy]] failed
Commit failed
* Download/Update complete blacklist
:code:`update webproxy blacklists`
* Download/Update partial blacklist
:code:`update webproxy blacklists category ads`
Use tab completion to get a list of categories.
* To auto update the blacklist files
:code:`set service webproxy url-filtering squidguard auto-update update-hour 23`
* To configure blocking add the following to the configuration
:code:`set service webproxy url-filtering squidguard block-category ads`
:code:`set service webproxy url-filtering squidguard block-category malware`
Authentication
^^^^^^^^^^^^^^
The embedded Squid proxy can use LDAP to authenticate users against a company
wide directory. The following configuration is an example of how to use Active
Directory as authentication backend. Queries are done via LDAP.
.. code-block:: sh
vyos@vyos# show service webproxy
authentication {
children 5
credentials-ttl 60
ldap {
base-dn DC=example,DC=local
bind-dn CN=proxyuser,CN=Users,DC=example,DC=local
filter-expression (cn=%s)
password Qwert1234
server ldap.example.local
username-attribute cn
}
method ldap
realm "VyOS Webproxy"
}
cache-size 100
default-port 3128
listen-address 192.168.188.103 {
disable-transparent
}
* ``base-dn`` set the base directory for the search
* ``bind-dn`` and ``password``: set the user, which is used for the ldap search
* ``filter-expression``: set the exact filter which a authorized user match in a ldap-search. In this example every User is able to authorized.
You can find more about the ldap authentication `here <http://www.squid-cache.org/Versions/v3/3.2/manuals/basic_ldap_auth.html>`_
Adjusting cache size
^^^^^^^^^^^^^^^^^^^^
The size of the proxy cache can be adjusted by the user.
.. code-block:: sh
set service webproxy cache-size
Possible completions:
<0-4294967295>
Disk cache size in MB (default 100)
0 Disable disk caching
100
Bypassing the webproxy
^^^^^^^^^^^^^^^^^^^^^^
Some services don't work correctly when being handled via a web proxy.
So sometimes it is useful to bypass a transparent proxy:
* To bypass the proxy for every request that is directed to a specific
destination:
:code:`set service webproxy whitelist destination-address 198.51.100.33`
:code:`set service webproxy whitelist destination-address 192.0.2.0/24`
* To bypass the proxy for every request that is coming from a specific source:
:code:`set service webproxy whitelist source-address 192.168.1.2`
:code:`set service webproxy whitelist source-address 192.168.2.0/24`
(This can be useful when a called service has many and/or often changing
destination addresses - e.g. Netflix.)
.. include:: references.rst
|