Univention Corporate Server

Extended IP and network management documentation


Table of Contents

1. Advanced proxy configuration
1.1. Cascading of proxies
1.2. Operation as a transparent proxy
1.3. Integration of a virus scanner in the proxy

Chapter 1. Advanced proxy configuration

1.1. Cascading of proxies

In some scenarios, cascading of proxy servers may be required. In such a setup, individual proxy servers access logically superordinate proxy servers when web sites are opened, which then fetch the requested data from the Internet. This allows creation of a hierarchical structure of proxy servers and, for example, the operation of a central cache in a company's headquarters that the proxy servers at the individual company sites can access.

The superordinate proxy server is referred to as a parent proxy. The parent proxy can be specified via the Univention Configuration Registry variables squid/parent/host (IP address or hostname) and squid/parent/port (port number).

Proxy requests from computers in the proxy server's local network are answered directly and not forwarded to the parent proxy. If additional networks should be excluded from forwarding to the parent proxy, they can be specified via the Univention Configuration Registry variable squid/parent/directnetworks. CIDR notation must be used (e.g. 192.168.2.0/24); several networks are separated by blank spaces.
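As an added example (not code from the UCS documentation or the univention-squid package), the following Python snippet checks a squid/parent/directnetworks value for the strict space-separated CIDR form described above and reports, for a given client address, whether a request is answered directly or forwarded to the parent proxy. The local network and all sample values are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the documentation):
# the proxy's own network, whose clients are always answered directly, and a
# squid/parent/directnetworks value in the space-separated CIDR form required.
LOCAL_NETWORK = "10.0.0.0/24"
DIRECT_NETWORKS = "192.168.2.0/24 172.16.0.0/12"


def parse_direct_networks(value, local_network=LOCAL_NETWORK):
    """Return the networks whose clients bypass the parent proxy.

    The proxy's local network is included implicitly. Every token of the
    UCR value must be strict CIDR (prefix present, no host bits set), so a
    bare address or "192.168.2.1/24" is rejected instead of silently
    widening or narrowing the list of excluded networks.
    """
    networks = [ipaddress.ip_network(local_network)]
    for token in value.split():
        if "/" not in token:
            raise ValueError(f"{token!r} is not in CIDR notation")
        try:
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid network {token!r}: {exc}") from exc
    return networks


def is_valid_directnetworks(value):
    """True if the value would be accepted by parse_direct_networks."""
    try:
        parse_direct_networks(value)
    except ValueError:
        return False
    return True


def forwards_to_parent(client_ip, networks):
    """True if a request from client_ip would be sent on to the parent proxy."""
    address = ipaddress.ip_address(client_ip)
    # An address and a network of different IP versions never match.
    return not any(address in network for network in networks)


if __name__ == "__main__":
    nets = parse_direct_networks(DIRECT_NETWORKS)
    for client in ("10.0.0.5", "192.168.2.10", "172.31.4.4", "203.0.113.7"):
        route = "parent proxy" if forwards_to_parent(client, nets) else "direct"
        print(f"{client:>14} -> {route}")
```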

1.2. Operation as a transparent proxy

Squid can be configured as a transparent proxy if you want to avoid having to configure the proxy server in the application programs (e.g., in the web browser). In this case, all web queries sent from a client are automatically rerouted to and answered by the proxy server.

The prerequisite for such a configuration is that the proxy server is entered as the standard gateway in the network configuration on all clients. The LDAP authentication on the proxy server must not be enabled.

If the Univention Configuration Registry variable squid/transparentproxy is set to yes, packet filter rules are included automatically. These rules redirect to the proxy server all queries routed over the UCS system to the ports listed in the Univention Configuration Registry variable squid/webports. After setting the variable, the Univention Firewall component must be restarted with:

/etc/init.d/univention-firewall restart

1.3. Integration of a virus scanner in the proxy

Following the installation of univention-dansguardian, the virus scanner and the filter for web contents are activated. ClamAV is used as the virus scan engine.

The filtering of web content and the virus scanner can be activated separately. To deactivate the content filter, the Univention Configuration Registry variable squid/contentscan must be set to no and Squid restarted. To disable the virus scanner, the Univention Configuration Registry variable squid/virusscan must be set to no. If neither of the two variables is set to yes, Dansguardian is not used. After changes to these variables, Squid and Dansguardian must be restarted.

The following variables can be used to configure the virus scan:

Table 1.1. UCR variables for filter rules

UCR variable                             Description
dansguardian/virus/notifyemail           If this value is set to a valid e-mail address, a notification is sent via e-mail as soon as a user attempts to download a file infected with a virus.
dansguardian/virus/exception/extension   Files with a suffix specified in this variable are not scanned for viruses. This option should be employed with caution, as file suffixes do not provide definitive information on the actual contents of a file.
dansguardian/virus/exception/mimetypes   MIME types specified in this variable are not scanned for viruses. This option should also be employed with caution.
dansguardian/virus/exception/sites       This can be used to exclude complete web sites from virus scans, e.g. by excluding the company's intranet.
dansguardian/virus/exception/urls        In contrast to the previous variable, this can be used to exempt only individual URLs from the virus scan.