Author Topic: Transparent Proxy with authorize & filter  (Read 4278 times)

Azim

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Transparent Proxy with authorize & filter
« on: July 14, 2009, 09:49:42 am »
Hi, I've installed ebox 1.2. How do I set group profiles with transparent proxy? Because when I try to enable transparent proxy with authorize and filter, it shows the error "Transparent proxy option is not compatible with authorization policy".

Please help me with this. Thanks.

Azim

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1225
  • Karma: +12/-0
    • View Profile
Re: Transparent Proxy with authorize & filter
« Reply #1 on: July 14, 2009, 10:23:57 am »
Hello,
This is not an error; it is a limitation of the HTTP authorization mechanism. The way HTTP authorization works means that when the request is redirected to the proxy port it thinks that it talks to an HTTP server instead of a proxy, so it is unable to authenticate correctly.
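
The limitation described in Reply #1, as an added example that is not part of the original thread: a client configured to use a proxy sends an absolute URI and will answer a 407 challenge, while an intercepted client sends the same request it would send a web server. The function names and sample requests are constructed for illustration.

```python
# Constructed sample requests (not captured traffic).
EXPLICIT = (b"GET http://example.com/ HTTP/1.1\r\n"
            b"Host: example.com\r\n\r\n")
EXPLICIT_AUTH = (b"GET http://example.com/ HTTP/1.1\r\n"
                 b"Host: example.com\r\n"
                 b"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
INTERCEPTED = (b"GET / HTTP/1.1\r\n"
               b"Host: example.com\r\n\r\n")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into method, target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def auth_decision(raw: bytes) -> str:
    """What a proxy that requires authorization can do with this request."""
    method, target, headers = parse_request(raw)
    # A client configured to use a proxy sends the absolute URI (or CONNECT).
    # An intercepted client sends the origin-form path it would send a server.
    proxy_aware = method == "CONNECT" or "://" in target
    if not proxy_aware:
        # The client believes it is talking to the web server, so it will not
        # answer a 407 challenge with Proxy-Authorization credentials.
        return "cannot-authenticate"
    if "proxy-authorization" in headers:
        return "check-credentials"
    return "407 Proxy Authentication Required"
```
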

Azim

Re: Transparent Proxy with authorize & filter
« Reply #2 on: July 14, 2009, 10:29:38 am »
Thanks for your reply, but how do I set group profiles then? I would like to create a few groups with filter profiles and also time-limited access to some URL addresses for each group.

Please tell me the steps to do it.
Many thanks


Azim

Javier Amor Garcia

Re: Transparent Proxy with authorize & filter
« Reply #3 on: July 14, 2009, 11:29:16 am »
I am sorry but you can't; without authorization the proxy does not have any means to know which group the user belongs to, so group profiles cannot be used.

Of course, if you could change to non-transparent mode you could use authorization and group profiles.
« Last Edit: July 14, 2009, 11:30:56 am by Javier Amor Garcia »

Azim

Re: Transparent Proxy with authorize & filter
« Reply #4 on: July 14, 2009, 11:58:10 am »
Thanks for the explanation. I already tried not using transparent proxy, with the default policy "Authorize and filter", and created some object and group policies with the profile that I created.

In that profile I block youtube.com with policy "always deny", but when I try this, I can still access youtube.com.

Is there something wrong or missing in my steps?

Please, I need your kind help. Thanks.

Azim


Javier Amor Garcia

Re: Transparent Proxy with authorize & filter
« Reply #5 on: July 15, 2009, 04:20:13 pm »
What is the object policy that you are using? Object policy takes priority over the default policy, so if you have a default policy of 'Authorize and filter' and an object policy of 'Always allow', the second is the policy enforced. Maybe you are in a similar situation.

Azim

Re: Transparent Proxy with authorize & filter
« Reply #6 on: July 16, 2009, 06:58:34 am »
So what do you suggest to implement filter profiles for each user & group without enabling transparent proxy?

Could you tell me the steps? Because I tried to find the documentation on how to implement group and object policy, but I can find none.

Please, I need your support team.

Thanks

Javier Amor Garcia

Re: Transparent Proxy with authorize & filter
« Reply #7 on: July 16, 2009, 08:23:59 am »
OK, can you explain to me what you want and what your actual default, object and group policies are now?

Azim

Re: Transparent Proxy with authorize & filter
« Reply #8 on: July 16, 2009, 12:44:14 pm »
OK. What I want is to set a few groups with specific filter profiles. The point is every object has different access & rights.
Sample:
There are 2 objects: IT & LimitedUser.
IT can browse anything without limitation, but LimitedUser can only access some websites at specific times, and some websites also cannot be accessed.

Right now I have already set object and group policy with profiles "Authorize and filter".

So please, could you show me step by step how to implement that with ebox?

Many thanks,

Azim

Javier Amor Garcia

Re: Transparent Proxy with authorize & filter
« Reply #9 on: July 16, 2009, 01:43:13 pm »
I have the feeling that we are confusing objects and users.
Objects cannot change the filter profile, so they cannot be used to limit some domains.
However, you can use objects to restrain access to some groups, to limit it to some hours, or to grant non-limited access.

Choose a default policy of "Authorize and filter".
So firstly you have to create a filter profile for LimitedUser; in this profile go to the "Domain filter" tab and add the banned domains.
Then go to "Group policies" and add a policy for the group of LimitedUser (if LimitedUser does not have any group, create a group and add him to it), select as filter profile the one that you created in the previous step, a policy of 'allow', and select the days of the week and hours in which he can access.

As for the IT user, if you haven't touched the default filter profile it allows everything, so there is no need to touch anything. If you have changed the default profile you must create another for IT without any restriction and assign it using a group policy, like we have done before.

Then you must save the changes.

With this configuration:
- IT user does not have any limitation
- Limited user cannot access the websites you have listed in his filter profile and can only access in the timetable defined in his group policy

As you see, I don't see the need to use objects; am I missing something?

Azim

Re: Transparent Proxy with authorize & filter
« Reply #10 on: July 16, 2009, 02:22:54 pm »
Dear Javier,

Thanks for the quick reply. What still confuses me is how I could add a group policy for a user by IP address. I tried to add a user in the users menu but there is no IP address column. So how could I limit the user based on IP address, so I can group it and put it into limited profiles?

Sorry if I'm not clear enough about your explanation.

Thanks

Javier Amor Garcia

Re: Transparent Proxy with authorize & filter
« Reply #11 on: July 16, 2009, 03:42:33 pm »
Selecting a filter profile by IP address (network object) is not supported; only different filter profiles by user's group are supported.

The "Filter profiles" control the settings of the content filter, which is a different thing from the access policy.
The access policy controls three things: whether access is allowed, whether authorization is required and whether the page is passed to the content filter.

However, in network objects you can enforce the following things:
* An access policy that prevails over the default policy
* A timetable for the object's policy; outside that time it will revert to the default policy
* You can deny or accept access from the object to groups of users, and use a timetable here too.

In case I wasn't able to explain myself, please ask again.
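
A simplified model of the precedence rules described in Replies #5, #9 and #11, added here as an illustration; it is not eBox code. The class names, the hour-only timetable, the reason strings and the sample group are assumptions.

```python
from dataclasses import dataclass

# Access policy -> (access allowed, authorization required, sent to filter):
# the three things Reply #11 says an access policy controls.
POLICIES = {
    "Always allow": (True, False, False),
    "Always deny": (False, False, False),
    "Authorize and filter": (True, True, True),
}


@dataclass
class ObjectPolicy:          # policy attached to a network object (hypothetical)
    policy: str
    hours: range             # timetable; outside it the default policy applies


@dataclass
class GroupPolicy:           # policy attached to a user group (hypothetical)
    hours: range             # hours in which the group may browse
    banned: frozenset        # "Domain filter" list of the group's filter profile


def decide(default, obj, group, hour, domain):
    """Return (verdict, reason) for one request in this simplified model."""
    # The object policy prevails over the default while its timetable is active.
    name = obj.policy if obj and hour in obj.hours else default
    allowed, needs_auth, filtered = POLICIES[name]
    if not allowed:
        return "deny", name
    if not needs_auth:
        # No login: the proxy cannot tell which group the user belongs to,
        # so the group's filter profile is never consulted.
        return "allow", name + " (group profile not used)"
    if group is None:
        return "allow", "default filter profile"
    if hour not in group.hours:
        return "deny", "outside group timetable"
    if filtered and domain in group.banned:
        return "deny", "banned in group filter profile"
    return "allow", "group policy"


# Constructed sample data: LimitedUser's group, and an object set to "Always allow".
LIMITED = GroupPolicy(hours=range(9, 18), banned=frozenset({"youtube.com"}))
OPEN_OBJECT = ObjectPolicy("Always allow", range(0, 24))
```

With `OPEN_OBJECT` in place the banned domain is reachable even though the group profile lists it, which matches the situation suggested in Reply #5.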

Azim

Re: Transparent Proxy with authorize & filter
« Reply #12 on: July 17, 2009, 12:18:37 pm »
OK, I get the point. I hope someday ebox will have a module for access rules for objects based on IP address, so it will be easier for the administrator to limit access for users, just like other router software.

Thanks for your clear explanation and support.
Rgrds,

Azim

alemartini

  • Zen Apprentice
  • *
  • Posts: 39
  • Karma: +0/-0
    • View Profile
Re: Transparent Proxy with authorize & filter
« Reply #13 on: June 18, 2010, 02:54:06 am »
I'm facing the exact same issue reported by Azim a year ago (inability to set content filtering policies based on IP addresses).

I believe that there's no intrinsic limitation at the DansGuardian level that would prevent a setup like this. I'm running ebox 1.4.7, and I'd like to know if this feature has already been implemented.


Thanks in advance,
Alex

Javier Amor Garcia

Re: Transparent Proxy with authorize & filter
« Reply #14 on: June 18, 2010, 03:38:31 pm »
The "filter profile by IP" feature is available since version 1.4.4 of ebox-squid.
Go to HTTP Proxy ‣ Objects policy; here you can set a filter profile for any object which has a 'filter' policy.

« Last Edit: June 18, 2010, 03:44:13 pm by Javier Amor Garcia »