Policy hierarchy?


Steve Scotter

Jan 17, 2024, 12:24:10 PM
to Diladele Web Safety
Hi,

I'm currently trialling Diladele 8.7. I have a requirement to deploy a web proxy which blocks all web requests by default, and then allows certain domains to certain machines.

I started looking at this at the tail end of last year, but ran out of time. I seem to recall receiving some advice to look at the Locked policy. I've compared that with the default policy and spotted that "Block specific request URLs." is set to ".*", which makes perfect sense, so I've copied that to my Default policy and it's having the desired effect.

Next, I created a new policy called Test Machine Policy and
  1. Set the member to the IP address of my test machine
  2. Added a handful of test domains to Exclusions -> Domain Names.
The test machine could get to the test domains, but it could also get to all websites (with the exception of pornographic ones)

I updated the Test Machine Policy, setting "Block specific request URLs." to ".*". This had the desired effect of blocking all sites, bar the test domains. So far, so good.

Lastly, I created another policy called Update Server Policy and
  1. Set the member to IP Subnet(s), and added the class B the test machine was in (172.16.0.0/16)
  2. Added a handful of update server domains (e.g. deb.debian.org and archive.ubuntu.com) to Exclusions -> Domain Names.
  3. Set "Block specific request URLs." to ".*"
The test machine could get to the update server domains listed in the last policy created, but was denied access to the handful of test domains in the first policy created.

At the time Update Server Policy had a higher priority (3) than Test Machine Policy (2).

When I switched the priorities (Update Server Policy to 2, and Test Machine Policy to 3), the situation reversed... the test machine could get to the handful of test domains but not the update server domains.

This leads me to think policies are evaluated from top to bottom (highest number first) and the first policy which matches the request processes the request and no further policies are considered, which makes sense. This would however mean I'd need to add my update server domains to EVERY policy I create. While that's doable, it could prove painful if I need to add a domain to it at a later stage. I foresee us having 30+ policies.

Is there a better way for implementing what I'm trying to do? Ultimately, I'm after something akin to the following hierarchy
  1. All devices on the network allowed access to all the Debian and Ubuntu update servers (for example)
  2. Some devices to be able to access some specific websites.
  3. All other requests to be blocked.
Any help gratefully received!

Thanks

Steve
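The shadowing Steve describes (a subnet-wide policy with a higher priority number hiding a per-host policy, and the fix of moving shared domains to a proxy-level exclusion checked before any policy, which he finds in his follow-up) is easy to reason about with a small model. The block below is an added example, not Diladele Web Safety's code: it models only the behaviour reported in the post (highest priority number evaluated first, first policy whose membership matches the client decides, that policy's domain exclusions bypass its block-all regex). The policy names, subnet and domains are Steve's; the host 172.16.1.10, the Default policy's catch-all membership, the field names and the subdomain-matching rule are assumptions of the model.

```python
"""Toy model of first-match policy evaluation as observed in the thread.

Added example, not the product's implementation. Everything not stated in
the post (host 172.16.1.10, 0.0.0.0/0 as the Default policy's membership,
subdomain matching for exclusions) is an assumption of this model.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    priority: int                      # higher number is evaluated first (as observed)
    members: list                      # ipaddress networks; a /32 is a single host
    excluded_domains: list = field(default_factory=list)
    block_urls: str = r".*"            # "Block specific request URLs." regex


def host_matches(host: str, pattern: str) -> bool:
    """Assumed exclusion semantics: exact host or any subdomain of it."""
    pattern = pattern.lstrip(".")
    return host == pattern or host.endswith("." + pattern)


def evaluate(policies, client_ip: str, url: str, host: str, global_exclusions=()):
    """Return (deciding_policy, allowed).

    Proxy-level exclusions (Squid Proxy -> Exclusions -> Domain -> Name in
    the WebUI, modelled here as a plain tuple) are checked before any policy;
    then the first policy whose membership contains the client decides.
    """
    if any(host_matches(host, d) for d in global_exclusions):
        return "global exclusion", True
    ip = ipaddress.ip_address(client_ip)
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if not any(ip in net for net in policy.members):
            continue                                   # not a member, try next policy
        if any(host_matches(host, d) for d in policy.excluded_domains):
            return policy.name, True                   # exclusion bypasses the block regex
        if re.search(policy.block_urls, url):
            return policy.name, False                  # ".*" blocks everything else
        return policy.name, True
    return None, False                                 # no policy matched (assumed: deny)


def shadowing_demo(test_priority=2, update_priority=3, global_exclusions=(),
                   client_ip="172.16.1.10"):
    """Reproduce the three situations from the post for one client."""
    policies = [
        Policy("Default", 1, [ipaddress.ip_network("0.0.0.0/0")]),
        Policy("Test Machine Policy", test_priority,
               [ipaddress.ip_network("172.16.1.10/32")], ["test.example.com"]),
        Policy("Update Server Policy", update_priority,
               [ipaddress.ip_network("172.16.0.0/16")],
               ["deb.debian.org", "archive.ubuntu.com"]),
    ]
    checks = {                                         # constructed sample requests
        "deb.debian.org": "http://deb.debian.org/debian/dists/bookworm/Release",
        "test.example.com": "https://test.example.com/",
        "www.example.org": "https://www.example.org/",
    }
    return {h: evaluate(policies, client_ip, u, h, global_exclusions)
            for h, u in checks.items()}


if __name__ == "__main__":
    print("update policy on top:", shadowing_demo())
    print("test policy on top:  ", shadowing_demo(3, 2))
    print("with global excl.:   ", shadowing_demo(3, 2, ("deb.debian.org", "archive.ubuntu.com")))
```

Run as-is, the first line shows the Update Server Policy deciding every request from the test machine (update servers allowed, test domains blocked), the second shows the reverse after swapping priorities, and the third shows that once the update servers sit in a proxy-level exclusion, no per-machine policy needs to repeat them.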

Steve Scotter

Jan 17, 2024, 1:12:51 PM
to Diladele Web Safety
Since posting I've done some further research and found Squid Proxy -> Exclusions -> Domain -> Name

This looks like it might fulfill the "All devices on the network allowed access to all the Debian and Ubuntu update servers" requirement, while then allowing me to have a per-device policy for additional device specific exclusions.

One observation though: under Squid Proxy -> Exclusions -> Advance Exclusions -> Custom Exclusion List, the WebUI tells me I can edit `/opt/websafety/var/spool/exclusion_lists/custom.json` and can enable the list and exclude domains listed from certain checks. This is great, but in some circumstances I'd like to exclude SSL inspection, and in other cases not.

I tried making a /opt/websafety/var/spool/exclusion_lists/custom2.json, but the WebUI doesn't detect it. Is having additional custom lists something which might be available at a later date?

Thanks

Steve

Steve Scotter

Jan 17, 2024, 1:18:22 PM
to Diladele Web Safety
Scratch that, I've realised by looking at exclusion_lists.json that I can have multiple lists in the custom.json file. This works a treat.

[
    {
        "id": "custom_exclusion_list1",
        "version": 1,
        "name": "First Custom List",
        "comment": "Manually put here some custom exclusions as you require",
        "rules": {
            "domain_name": [
                {
                    "value": ".example.com",
                    "comment": ""
                },
                {
                    "value": ".example.net",
                    "comment": ""
                },
                {
                    "value": ".bob.com",
                    "comment": "Testing"
                }
            ]
        }
    },
    {
        "id": "custom_exclusion_linux_update_servers",
        "version": 1,
        "name": "Linux update servers",
        "comment": "",
        "rules": {
            "domain_name": [
                {
                    "value": "deb.debian.org",
                    "comment": ""
                },
                {
                    "value": "archive.ubuntu.com",
                    "comment": ""
                },
                {
                    "value": "archive.canonical.com",
                    "comment": ""
                }
            ]
        }
    }
]


I think I have everything I need to move forward with my project and purchase a license. Apologies for the noise, hopefully it'll help someone else in the future though.

Steve
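Because custom.json is hand-edited and then loaded by the proxy, it is worth checking it before reloading: a stray comma breaks the whole file, a duplicate "id" makes the WebUI's list selection ambiguous, and a URL pasted where a bare hostname belongs silently matches nothing. The block below is an added example, not part of the post or of Diladele's code. It parses the layout shown above (an array of list objects, each with id, version, name, comment and rules.domain_name entries of value/comment), reports those problems, and answers "which list would exclude this host?". The two embedded JSON samples are constructed; the matching rule (a leading dot matches the domain and its subdomains, a bare name matches exactly) is an assumption to confirm against the product documentation.

```python
"""Validator and lookup for a multi-list custom.json exclusion file.

Added example, not the product's code. Assumed matching semantics: a value
starting with "." matches that domain and all subdomains; a bare hostname
matches exactly. Both samples below are constructed.
"""
import json

SAMPLE = """
[
  {"id": "custom_exclusion_list1", "version": 1, "name": "First Custom List",
   "comment": "", "rules": {"domain_name": [
     {"value": ".example.com", "comment": ""},
     {"value": ".bob.com", "comment": "Testing"}]}},
  {"id": "custom_exclusion_linux_update_servers", "version": 1,
   "name": "Linux update servers", "comment": "", "rules": {"domain_name": [
     {"value": "deb.debian.org", "comment": ""},
     {"value": "archive.ubuntu.com", "comment": ""}]}}
]
"""

# Constructed broken variant: duplicate id, a URL where a host belongs, an empty value.
BAD_SAMPLE = """
[
  {"id": "dup", "version": 1, "name": "A", "comment": "", "rules": {"domain_name": [
     {"value": "https://deb.debian.org/debian", "comment": ""}]}},
  {"id": "dup", "version": 1, "name": "B", "comment": "", "rules": {"domain_name": [
     {"value": "", "comment": ""}, {"value": "deb.debian.org", "comment": ""}]}}
]
"""

REQUIRED = ("id", "version", "name", "rules")


def parse_lists(text):
    """Parse custom.json text; the file must be a JSON array of list objects."""
    data = json.loads(text)                      # raises on a syntax error (stray comma etc.)
    if not isinstance(data, list):
        raise ValueError("top level must be a JSON array of exclusion lists")
    return data


def validate(lists):
    """Return a list of problem strings; an empty list means the file looks sane."""
    problems, seen_ids, seen_values = [], set(), {}
    for n, lst in enumerate(lists):
        where = f"list[{n}]"
        missing = [k for k in REQUIRED if k not in lst]
        if missing:
            problems.append(f"{where}: missing keys {missing}")
            continue
        if lst["id"] in seen_ids:
            problems.append(f"{where}: duplicate id {lst['id']!r}")
        seen_ids.add(lst["id"])
        for m, rule in enumerate(lst["rules"].get("domain_name", [])):
            value = rule.get("value", "")
            tag = f"{where}.domain_name[{m}]"
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{tag}: empty value")
                continue
            if "://" in value or "/" in value or any(c.isspace() for c in value):
                problems.append(f"{tag}: {value!r} is not a bare hostname")
            if value != value.lower():
                problems.append(f"{tag}: {value!r} should be lowercase")
            if value in seen_values and seen_values[value] != lst["id"]:
                problems.append(f"{tag}: {value!r} already in list {seen_values[value]!r}")
            seen_values.setdefault(value, lst["id"])
    return problems


def host_matches(host, value):
    """Assumed semantics: leading dot = domain and subdomains, bare name = exact match."""
    host = host.lower().rstrip(".")
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value


def matching_lists(lists, host):
    """Ids of every list whose domain_name rules would exclude `host`."""
    return [lst["id"] for lst in lists
            if any(host_matches(host, r["value"])
                   for r in lst["rules"].get("domain_name", []))]


if __name__ == "__main__":
    good = parse_lists(SAMPLE)
    print("problems in SAMPLE:", validate(good) or "none")
    print("deb.debian.org ->", matching_lists(good, "deb.debian.org"))
    print("mirror.deb.debian.org ->", matching_lists(good, "mirror.deb.debian.org"))
    for p in validate(parse_lists(BAD_SAMPLE)):
        print("BAD_SAMPLE:", p)
```

Pointing parse_lists at the real file (read it with open() from /opt/websafety/var/spool/exclusion_lists/custom.json) before enabling a list in the WebUI catches the editing mistakes that would otherwise show up as a list that never matches; the mirror.deb.debian.org lookup also makes the exact-versus-subdomain distinction visible, which matters if a mirror redirects to another host.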
