Features
Caching proxy
NTLM authentication against Active Directory (users don't need to specify a username and password when they use Internet Explorer)
Web content logging, filtering, blocking and reporting
Antivirus scanning of web pages and downloads
Simple management system
Scheduled mailed reports and interactive website
Software
Gentoo Linux - operating system
Squid - proxy server
Samba - used for authentication against Windows domain controllers via winbind
Dansguardian - content filter
ClamAV - used for gateway antivirus scanning
SARG - used for scheduled email of weekly usage reports
MySAR - interactive reporting website
IPTables - server security
Management
Overall management through Webmin https://ukproxy
Caching proxy - Servers tab / Squid Proxy Server
Content filter - Servers tab / DansGuardian
Reports - Servers tab / Squid Analysis Report Generator
Antivirus - System tab / Clam Antivirus
Firewall - Networking tab / Linux Firewall
Configuration
Gateway antivirus scanning is configured in the DansGuardian configuration files. You select one or more virus scanners, which scan every site visited. This includes downloads like the example shown in this picture.
Sites are blocked based upon their content. In this instance we blocked sites in the categories of gambling, pornography and violence. Sites are also blocked as a result of their weighted phrase list score, where words are given a cost in line with their profanity level. In this instance the limit was set to a score of 160.
A simple script was written for administrators to work out exactly which words caused the site to be blocked.
The actual words have been blurred out. The site visited above earned a score of 7223, which is quite a long way over the limit.
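A sketch of what such an explain script can look like, added here as an example and not the script used on this server. The phrase list entries and page text are constructed, and it assumes substring matching, each matching rule counted once per page, and a block when the total exceeds the limit.

```python
import re

# Constructed sample in DansGuardian weighted phrase list syntax:
# <phrase><score>, or <a>,<b><score> when every listed phrase must appear.
SAMPLE_LIST = """\
# constructed entries, not taken from a shipped list
<casino><60>
<poker>,<jackpot><80>
<free spins><50>
<responsible gambling><-40>
"""
SAMPLE_PAGE = "Play POKER at our casino tonight. Hit the jackpot with free   spins!"

ENTRY = re.compile(r"^((?:<[^<>]+>,?)+)<(-?\d+)>$")


def parse_weighted(text):
    """Return [(phrases, score)] parsed from weighted phrase list text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # comments, blank lines, include directives, bad lines
        phrases = tuple(p.lower() for p in re.findall(r"<([^<>]+)>", m.group(1)))
        rules.append((phrases, int(m.group(2))))
    return rules


def explain(page_text, rules, limit=160):
    """Score a page and list the rules that fired, largest impact first.

    Assumption: a rule counts once per page however often it occurs.
    """
    text = re.sub(r"\s+", " ", page_text.lower())
    hits = [(score, phrases) for phrases, score in rules
            if all(p in text for p in phrases)]
    hits.sort(key=lambda h: -abs(h[0]))
    total = sum(score for score, _ in hits)
    return total, total > limit, hits


if __name__ == "__main__":
    total, blocked, hits = explain(SAMPLE_PAGE, parse_weighted(SAMPLE_LIST))
    for score, phrases in hits:
        print(f"{score:+5d}  {' + '.join(phrases)}")
    print(f"total {total} (limit 160): {'BLOCKED' if blocked else 'allowed'}")
```

Negative scores in the list pull a page back under the limit, which is why the output shows signed contributions instead of only the total.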
The weighted phrase lists caused some problems with Google searches, where results would sometimes be returned with costly language. We decided to explicitly allow the google.* websites. Any sites visited from Google were of course still affected by the usual restrictions.
An ACL was set up to allow the training group access to the corporate website only. This is achieved by configuring Samba and a winbind Perl script which queries whether a user is in a specific Windows group or not. Then Squid was configured with a couple of lines of config.
acl Trainees external nt_group Trainees
acl CorporateSite dstdomain www.example.co.uk
http_access allow CorporateSite Trainees
http_access deny Trainees
Squid was configured to listen on port 8080. It authenticates users via NTLM with the domain controller (using winbind). If authenticated, the requests are sent upstream to DansGuardian, which listens on port 3130. Once scanned, DansGuardian forwards the requests to another instance of Squid, which listens on port 3131. Only the second instance of Squid does any caching.
Apache was configured to host a WPAD script. A group policy object was set up to roll out the settings across all domain computers. After the testing phase was completed, the firewall was configured to block all internet connections except those that originated from the proxy server.
Reporting
An interactive website allows a drill-down from a weekly view all the way down to what was browsed a few minutes ago.
