For the IT administration of organizations with many users, schools being a typical example, it can be very useful to regulate access to external websites. The reasons are partly technical, namely improving performance when accessing frequently visited pages, and partly about restricting access to certain pages, e.g. for security reasons or to protect minors.
The web proxy, which is a central component of UCS@School, is used to improve performance and control data traffic. In this blog article I’ll show you how to configure the Squid proxy with SquidGuard and how to combine both with existing (youth protection) website filters. With the “Shalla-List-Downloader” I would also like to present a Cool Solution that rounds off this protection and that we have already implemented successfully in various school projects.
What is Squid?
Squid is a so-called “caching proxy”, primarily for web content delivered via the HTTP, HTTPS, or FTP protocols. This means that Squid can greatly reduce response times when retrieving web pages and at the same time reduce data volume by caching web pages and their contents and making them available to a large number of clients at the same time.
Squid can basically be used in two operating modes. This blog article is about Squid as a web proxy. In a previous blog article, we already described how Squid is configured as a reverse SSL proxy.
Squid as a Web-Proxy on School Servers
In the UCS default setting, each school server runs a proxy server based on Squid in conjunction with SquidGuard. This means that the clients in the school, i.e. all computers of the students and teachers, access the Internet via Squid. Squid thus becomes the central location from which the requested web content is retrieved, stored and delivered as a buffered version to all other clients who also want to access this web content. If the same website is accessed several times, it does not have to be queried again by the remote web server.
The clients automatically receive information about the proxy server to be used via DHCP, i.e. the school server on which Squid is installed. This is done using the WPAD option in DHCP, so that a proxy autoconfiguration file (PAC file) is delivered automatically. Unfortunately, this does not work equally well for all browsers out-of-the-box. For the implementation there are different approaches, such as using a central group policy via Samba. The UCS@School manual describes in detail how to manually configure a PAC file for Internet Explorer and Firefox.
Brief Introduction: DHCP and DNS
DHCP and DNS are two essential services in IT networks. While a DHCP server sends out information that clients need to communicate with other machines and services, DNS ensures that servers, clients, and services can be found by their names.
Integration Into Existing Youth Protection Filter Solutions
Some schools have already defined their own filter lists, or there are requirements that are enforced via a web proxy that is centrally available in the data center. If this external web proxy has been preconfigured to implement an existing youth protection filter, Squid can be adapted accordingly.
To do this, you configure Squid on the school server so that requests for web pages are passed on unfiltered to the other web proxy, which applies the youth protection filter. The following setting configures Squid so that requests are not sent directly to the Internet but to a parent proxy server (e.g. 10.0.0.4 on port 80):
ucr set squid/parent/host=10.0.0.4 squid/parent/port=80
If, however, there is no separate youth protection control filter available, you may have to think about integrating external filter lists yourself in order to prevent access to the corresponding pages. How this works is described below.
Integration of External Filter Lists
If the school server itself is to filter requests to external websites, Squid can assign this task to SquidGuard. SquidGuard is an Internet filter that works in conjunction with the Squid web cache proxy. UCS@school supports the integration of external blacklists, which must be available as text files. You can maintain these lists yourself, e.g. in order to meet the requirements for the protection of minors. Since sometimes specific URLs are to be blocked and sometimes complete domains, the configuration distinguishes between the two. You can therefore create text files containing domain names and text files containing URLs, always listing one domain or URL per line.
In our manual we explain in detail how the integration of external blacklists works. It also explains which location you choose for storing the text file and how to configure the corresponding UCR variables.
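The one-entry-per-line layout with separate domain and URL files, as an added example that is not part of UCS@school or SquidGuard: a Python script that sorts a mixed, hand-maintained list into the contents of the two files and reports lines that fit neither. The '#' comment handling, the lowercasing and scheme stripping, the function names and all sample entries are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

# Constructed sample input, mixing domains, URLs and broken lines.
SAMPLE = """\
# constructed sample entries
Example.org
http://www.example.com/games/
example.net/chat/room?id=1
https://example.org/some/page
bad entry with spaces
-broken-.example
example.com
"""

def valid_host(host):
    labels = host.split(".")
    return len(host) <= 253 and len(labels) >= 2 and all(
        LABEL.fullmatch(label) for label in labels)

def split_blacklist(lines):
    """Return (domains, urls, rejected) with one normalized entry per item."""
    domains, urls, rejected = set(), set(), []
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not entry:
            continue
        try:
            # Prefix '//' so bare "host/path" entries parse like full URLs.
            parts = urlsplit(entry if "://" in entry else "//" + entry)
            host = parts.hostname or ""        # hostname is already lowercased
        except ValueError:
            host = ""
        if " " in entry or "\t" in entry or not valid_host(host):
            rejected.append((lineno, entry))
            continue
        path = parts.path.rstrip("/")          # query and fragment are dropped
        if path:
            urls.add((host, host + path))
        else:
            domains.add(host)
    # A URL on a host that is blocked as a whole domain is redundant.
    kept = sorted(url for host, url in urls if host not in domains)
    return sorted(domains), kept, rejected

if __name__ == "__main__":
    domains, urls, rejected = split_blacklist(SAMPLE.splitlines())
    print("domains file:", domains)
    print("urls file:", urls)
    print("rejected (line, text):", rejected)
```

Review the rejected lines before each update, since an entry that is silently dropped is a page that stays reachable.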
Instead of Writing Your Own Blacklists, Simply Include Existing Blacklists Such As “Shalla”
There are many ready-to-use blacklists of websites that, for example, do not meet the youth protection requirements of the education sector, as well as numerous commercial providers of youth protection filter solutions.
As an example I would like to mention the Shalla list, a free option that works directly with UCS@school and SquidGuard. Its use by private and public schools is allowed; for other usage scenarios, e.g. corporate use, a license for the Shalla list can be purchased. The Shalla lists are grouped by category and provided as text files, with one file for URLs and one file for domains to be blocked per category. So you can use these lists directly in UCS@school without any further effort.
To automate the download of the Shalla list and fetch the filter lists, which are updated daily, a Shallalist Downloader can do the work for you. The basic steps are described in detail in the article Cool Solution – Shallalist Downloader.
I hope that this article has given you some useful suggestions and helpful application examples to make access to external web content or pages easier, safer and more efficient. If you have further good tips or questions regarding this article, feel free to use the comment function below.