HTTP Proxy advanced configuration

Configuration of filter profiles

You can configure the filter profiles in the HTTP Proxy ‣ Filter Profiles section.

Figure: Filter profiles

You can create and configure new filter profiles to be used by user groups or network objects.

The configuration options are exactly the same as those explained in the configuration of the default profile in the chapter HTTP Proxy Service, save for one important exception: it is possible to use the default profile configuration for the different values of the filter profiles. To do this, all you need to do is to click on Use default configuration.

Filter profile per object

You can choose a filter profile for a source object. The requests coming from this object will use the chosen profile instead of the default profile. This option is useful if you want to define different security policies for different computer classrooms or groups of hosts that access the network through the Zentyal gateway. You could have, for example, a group of computers in a public access classroom that require authentication for browsing, while the general network policies are used in the offices with private hosts. Or a classroom for students where the content is filtered, while all traffic is allowed in the teachers’ lounge.

You can also establish filtering policies by schedule, for example, stricter policies during work hours.

To add this type of configuration, go to HTTP Proxy ‣ Object policy and click on Add new. The policy configuration form per object will be displayed. In each policy you can specify the network Object it will be applied to, the Policy, the Allowed time period and the Filter profile.

Figure: Add a new object policy

The policies are the same as you already saw in the chapter HTTP Proxy Service; you must choose Filter if you want the Filter profile to be applied.

The Allowed time period is the time during which the profile that you are configuring will be enabled. You can define the weekly hours and days during which it will be enabled. During other time periods, the default configuration will be applied.

To make things easier and to avoid overlaps, you are not allowed to create different policies for the same object.

User group based filtering

You can use the user groups in access control and filtering. To do that, you first need to enable the module Users and groups in Module status. You can create a group from the menu Users and Groups ‣ Groups and add users to the system from the menu Users and Groups ‣ Users. While you are editing a group, you can choose the users that belong to it. The configuration options for users and groups are explained in detail in chapter Directory Service (LDAP).

To define user group based filtering, you first need to use one of the options that require Authorize as the global or network object policy. These policies force the proxy to require a valid user identification to allow access.

Once you are able to authenticate the users, you can also establish global group policies. These policies allow you to control the access of members of a specific group and assign them other filter profiles than the default profile.

Warning

Because of a technical limitation in HTTP authentication, you can’t apply the authentication policies if the proxy is being used in transparent mode.

The group policies are managed in the HTTP Proxy ‣ Group Policy section. These control only whether the user can or can’t access the web. If you wish to apply a specific filter, you must set the global policy or the policy of the object from which they connect to Authorize and filter.

As in the case of network object policies, you can define a Policy for this group, which can be either Allow or Deny, the Time period, and the Filter profile to be applied if the host from which the user authenticates has a filter policy or if it is so established in the global configuration.

Figure: Global group policy

The priority of each group policy is reflected by its position in the list (the higher in the list, the higher the priority). The priority is important because users that belong to several groups will be affected only by the policies of the group with the highest priority.

User group based filtering for objects

Filtering policies per network objects have priority over the general proxy policy and global group policies.

In addition, if you have chosen a policy with authorization, you can also define policies per group. As with the global group policies, these policies only affect access and not the filtering, which will be determined by the policy of the object to which they belong. Likewise, the policies with authentication can’t be deployed if you’re using the proxy in transparent mode.

Finally, it is important to note that you can’t assign filtering profiles to groups in object policies. Therefore, a group will apply the filtering profile established in its global group policy, independently of the network object from which it accesses the proxy.

You can add these policies from the Group policy column in the HTTP Proxy ‣ Object Policy list.

Figure: Object policies
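The precedence rules described above (object policy over the general policy, group priority by list position, filter profile taken from the global group policy) can be checked with a small model. This is an added example, not Zentyal code: the object, group and profile names are constructed, only the Filter and Authorize and filter policies are modelled, and it assumes that group policies inside an object policy are also ordered by position.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample configuration (hypothetical names, not a Zentyal export).
GLOBAL_POLICY = "Filter"          # general proxy policy, uses the default profile
# Global group policies in priority order: (group, access, filter profile).
GLOBAL_GROUP_POLICIES = [("teachers", "Allow", "relaxed"),
                         ("students", "Allow", "strict")]
# One policy per object; days are datetime.weekday() values, hours are [start, end).
OBJECT_POLICIES = [{
    "network": ip_network("10.0.1.0/24"),      # "public-classroom" object
    "policy": "Authorize and filter", "profile": "classroom",
    "days": {0, 1, 2, 3, 4}, "hours": (8, 18),
    "group_policies": [("students", "Allow"), ("teachers", "Deny")],
}]

def first_match(entries, groups):
    """Highest-priority entry (first in the list) whose group the user is in."""
    return next((e for e in entries if e[0] in groups), None)

def resolve(src_ip, when, groups=None):
    """Return (decision, filter_profile); groups=None means unauthenticated."""
    obj = next((o for o in OBJECT_POLICIES
                if ip_address(src_ip) in o["network"]
                and when.weekday() in o["days"]
                and o["hours"][0] <= when.hour < o["hours"][1]), None)
    # An active object policy outranks the general policy; outside its
    # allowed time period the default configuration applies again.
    policy = obj["policy"] if obj else GLOBAL_POLICY
    profile = obj["profile"] if obj else "default"
    if policy not in ("Filter", "Authorize and filter"):
        raise ValueError("policy not covered by this model: " + policy)
    if policy == "Filter":
        return ("allow", profile)
    if groups is None:
        return ("authentication required", None)
    # Group policies decide access only: the object's own list when an object
    # policy is active, otherwise the global list.
    access = first_match(obj["group_policies"] if obj else GLOBAL_GROUP_POLICIES, groups)
    if access and access[1] == "Deny":
        return ("deny", None)
    # Assumption: a user matching no group policy keeps the base profile.
    top = first_match(GLOBAL_GROUP_POLICIES, groups)
    return ("allow", top[2] if top else profile)
```

Running the same host through the model inside and outside the allowed time period shows that the authentication requirement of an object policy disappears when the default configuration does not itself require authorization.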
