Web Proxy and Filtering on Vyos Router

The VyOS router can be configured to act as a web proxy for web filtering and caching.

Web filtering is needed in almost all home and corporate network environments to manage access to the web and limit exposure to threats emanating from the web, such as downloading malware or visiting questionable sites. It also helps with managing bandwidth and increasing user productivity.

Web caching can be implemented to improve the user experience by reducing resource response times.

We can configure web filtering in transparent or non-transparent mode.

In transparent mode, web traffic passes through the proxy without the need to configure the client browsers, while in non-transparent mode all client browsers must be configured so that they pass through the proxy.

The problem with transparent mode is that it does not handle HTTPS traffic well, since the packets from the client machines are encrypted and the proxy doesn't have the decryption key because it is not the intended destination. To solve this problem, we may have to install certificates on all client machines using Active Directory Certificate Services.

Non-transparent mode also has its problem. The most obvious is that of having to enter the proxy address in the browsers of all the client machines. This problem can also be solved by using Group Policy Management in Windows Server or a Samba server to push proxy settings to client machines.

In this guide to web proxy and filtering on the VyOS router, we will look at transparent mode, non-transparent mode and the caching proxy server.

WEB PROXY AND FILTERING ON VYOS ROUTER – TRANSPARENT MODE.

Run this command in the configuration mode of vyos router to configure vyos to act as a transparent proxy server.

#set service webproxy listen-address 192.168.100.1

This starts the squidguard process.

#commit

#save

The listen address is the IP address on the interface of the router that is connected to the client machines.

Now visit bing.com, bbc.com and facebook.com, then use the command

#run show webproxy log

to see the accessed sites.

 

To block facebook and youtube, first install a default blacklist by typing,

#run update webproxy blacklists

After installing the blacklist, block porn, warez, proxy, malware, etc. with

#set service webproxy url-filtering squidguard block-category malware

#set service webproxy url-filtering squidguard block-category warez

#set service webproxy url-filtering squidguard block-category porn

#set service webproxy url-filtering squidguard block-category proxy

You can also block specific sites like youtube and facebook using:

#set service webproxy url-filtering squidguard local-block facebook.com

#set service webproxy url-filtering squidguard local-block youtube.com

#commit

#save

Now try to access youtube.com and facebook.com. You should be redirected to google.com when you open youtube.com, but the proxy still allows access to facebook.com. Why?

Note that at this point the proxy is working, but it is only blocking HTTP traffic and not HTTPS traffic.

To see your configuration so far, do

#show service webproxy

My simple solution to solve this problem

To solve this problem, I have two options:

(a) Install certificates on client machines

(b) Manually enter the IP address of the proxy in client machines.

I will use the latter since it is easier to accomplish. After all, I am a lazy techie.

Go to your client machine and enter the IP address of the proxy server. In Internet Explorer, this can be found in TOOLS => INTERNET OPTIONS => CONNECTIONS => LAN SETTINGS.

Now try to access facebook, ad websites, etc. and you get this familiar-looking page.
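Why the transparent setup misses HTTPS while a browser-configured proxy does not, shown as an added Python illustration (not VyOS, Squid or squidGuard code). It classifies the first bytes a proxy reads from a client: a plain HTTP request exposes the Host header, an explicit-proxy HTTPS request exposes the host in a clear-text CONNECT line, and an intercepted TLS connection exposes no request line at all. The byte strings are constructed samples, and matching subdomains of a blocked domain is an assumption of this sketch.

```python
# Added illustration; sample byte strings below are constructed, not captured.
BLOCKED = {"facebook.com", "youtube.com"}  # the local-block entries used in this guide


def host_is_blocked(host, blocked=BLOCKED):
    """True if host is a blocked domain or a subdomain of one (assumed matching rule)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def visible_host(first_bytes):
    """Return (kind, host) for the first bytes a proxy reads from a client.

    kind is 'http', 'connect', 'tls' or 'unknown'; host is None if nothing is readable.
    """
    # A TLS record begins with content type 0x16 (handshake) and major version 0x03.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls", None
    lines = first_bytes.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "unknown", None
    method, target, _version = parts
    if method == "CONNECT":
        # Explicit-proxy HTTPS: the browser names "host:port" in clear text.
        return "connect", target.rsplit(":", 1)[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return "http", value.strip().split(":")[0]  # IPv6 literals not handled
    return "http", None


def filter_decision(first_bytes):
    """Return (kind, 'block' | 'allow' | 'cannot-filter')."""
    kind, host = visible_host(first_bytes)
    if host is None:
        return kind, "cannot-filter"
    return kind, "block" if host_is_blocked(host) else "allow"


HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
PROXY_CONNECT = b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])  # start of a ClientHello record

if __name__ == "__main__":
    for sample in (HTTP_GET, PROXY_CONNECT, TLS_HELLO):
        print(filter_decision(sample))
```
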

To redirect users to a custom webpage, simply do

#set service webproxy url-filtering squidguard redirect-url "http://bing.com"

#commit

#save

WEB PROXY AND FILTERING ON VYOS ROUTER – NON-TRANSPARENT MODE.

The best approach in my opinion will be to use a non-transparent proxy. To achieve this, simply run the command,

#set service webproxy listen-address 192.168.100.1 disable-transparent

#commit

#save

Now download and install the default blacklist

#run update webproxy blacklists

Then block as many categories as you would like.

#set service webproxy url-filtering squidguard block-category malware

#set service webproxy url-filtering squidguard block-category warez

#set service webproxy url-filtering squidguard block-category porn

#set service webproxy url-filtering squidguard block-category proxy

You can also block specific sites like youtube and facebook using:

#set service webproxy url-filtering squidguard local-block facebook.com

#set service webproxy url-filtering squidguard local-block youtube.com

#commit

#save

Now try to access youtube and facebook, and you will be redirected to google.com.

You can access the Squid redirection page by:

#set service webproxy url-filtering squidguard redirect-url "http://192.168.100.1/cgi-bin/squidGuard-simple.cgi?targetclass=%t&url=%u"

You may find it hard to type the ? in the command above.

To resolve this, first exit configuration mode to operational mode and type

#set terminal key query-help disable

Now go back to configuration mode and type the redirect URL command, making sure to use the exact case as shown above.

Now access facebook or youtube or any of the blocked sites above and you should get the page presented below.

 
