11.5. Web proxy for caching and policy management / virus scan#
The UCS proxy integration allows the use of a web cache for improving the performance and controlling data traffic. It is based on the tried-and-tested proxy server Squid and supports the protocols HTTP, FTP and HTTPS.
A proxy server receives requests about internet contents and verifies whether these contents are already available in a local cache. If this is the case, the requested data are provided from the local cache. If the data are not available, these contents are called up from the respective web server and inserted in the local cache. This can be used to reduce the answering times for the users and the transfer volume via the internet access.
Further documentation on proxy services - such as the cascading of proxy servers, transparent proxies and the integration of a virus scan engine - are documented in Extended IP and network management documentation .
Squid can be installed from the Univention App Center with the application Web proxy / web cache (Squid). Alternatively, the software package univention-squid can be installed. Additional information can be found in Installation of further software.
The service is configured with standard settings sufficient for operation so
that it can be used immediately. It is possible to configure the port on which
the service is accessible to suit your preferences (see Access port); port
3128 is set as default.
If changes are made to the configuration, Squid must be restarted. This can be performed either via the UMC module System services or the command line:
$ systemctl restart squid
In addition to the configuration possibilities via Univention Configuration Registry described in this
document, it is also possible to set additional Squid configuration options in
11.5.2. Caching of web content#
Squid is a caching proxy, i.e., previously viewed contents can be provided from a cache without being reloaded from the respective web server. This reduces the incoming traffic via the internet connection and can result in quicker responses of HTTP requests.
However, this caching function is not necessary for some environments or, in the
case of cascaded proxies, it should not be activated for all of them. For these
scenarios, the caching function of the Squid can be deactivated with the
Univention Configuration Registry Variable
squid/cache by setting this to
no. Squid must then be
11.5.3. Logging proxy accesses#
All accesses performed via the proxy server are stored in the log file
/var/log/squid/access.log. It can be used to follow which websites have
been accessed by the users.
11.5.4. Restriction of access to permitted networks#
As standard, the proxy server can only be accessed from local networks. If, for
example, a network interface with the address
192.0.2.10 and the network
255.255.255.0 is available on the computer on which Squid is installed,
only computers from the network
192.0.2.0/24 can access the proxy server.
Additional networks can be specified via the Univention Configuration Registry Variable
squid/allowfrom. When doing so, the CIDR notation must be used;
several networks should be separated by blank spaces.
$ univention-config-registry set squid/allowfrom="192.0.2.0/24 18.104.22.168/24"
Once Squid has been restarted, access is now permitted from the networks
22.214.171.124/24. If configured to
all, proxy access in
granted from all networks.
11.5.5. Configuration of the ports used#
126.96.36.199. Access port#
As standard, the web proxy can be accessed via port
3128. If another port is
required, this can be configured via the Univention Configuration Registry Variable
Univention Firewall is used, the packet filter configuration must also be
188.8.131.52. Permitted ports#
In the standard configuration, Squid only forwards client requests intended for
the network ports 80 (HTTP), 443 (HTTPS) or 21 (FTP). The list of permitted
ports can be changed via the Univention Configuration Registry Variable
squid/webports; several entries
should be separated by blank spaces.
$ univention-config-registry set squid/webports="80 443"
With this setting, access is only allowed to ports 80 and 443 (HTTP and HTTPS).
11.5.6. User authentication on the proxy#
It is sometimes necessary to restrict web access to certain users. Squid allows user-specific access regulation via group memberships. To allow verification of group membership, it is necessary for the user to authenticate on the proxy server.
To prevent unauthorized users from opening websites nonetheless, additional measures are required to prevent these users from bypassing the proxy server and accessing the internet. This can be done, for example, by limiting all HTTP traffic through a firewall.
The proxy authentication (and as a result the possible verification of the group memberships) must firstly be enabled. There are three possible mechanisms for this:
- LDAP server authentication
Direct authentication against the LDAP server. This is done by setting the Univention Configuration Registry Variable
yesand restarting Squid.
- NTLM authentication
Authentication is performed via the NTLM interface. Users logged in on a Windows client then do not need to authenticate themselves again when accessing the proxy. NTLM authentication is enabled by setting the Univention Configuration Registry Variable
yesand restarting Squid.
- Kerberos authentication
Authentication is performed via Kerberos. Users logged in on a Windows client which is a member of a Samba/AD domain authenticate themselves on the proxy with the ticket that they received when they logged in to the domain. The univention-squid-kerberos package must be installed on every proxy server for it to be possible to enable Kerberos authentication. Then the Univention Configuration Registry Variable
squid/krb5authmust be set to
yesand Squid restarted.
If NTLM is used an NTLM authentication is performed for every HTTP query as
standard. If for example the website
https://www.univention.com/ is opened,
the subsequent pages and images are loaded in addition to the actual HTML page. The NTLM
authentication can be cached per domain: If the Univention Configuration Registry Variable
squid/ntlmauth/keepalive is set to
yes, no further NTLM
authentication is performed for subsequent HTML queries in the same domain. In
case of problems with local user accounts it may help to set this variable to
In the standard setting all users can access the proxy. The Univention Configuration Registry Variable
squid/auth/allowed_groups can be used to limit the proxy access to one
or several groups. If several groups are specified, they must be separated by a