Exploring the SafeSquid filter proxy
Safety Filter
If you are looking for a secure option for home surfing and want to protect your children against questionable web content, you need a filtering proxy. SafeSquid is a commercial proxy tool, but it comes with a free version for private users.
SafeSquid acts as a proxy for home users and small to medium-sized networks. The software sits between the browser and the Internet and provides a number of content filters (including for Flash) to make surfing more secure by defining domain blacklists and scanning for malware. Additionally, SafeSquid provides access control in the form of website categories and profiles, as well as an image recognition feature for blocking pornographic material.
Thanks to a cache for web pages and images, in combination with intelligent prefetching for web pages, SafeSquid also accelerates the surfing experience. A convenient web interface lets users evaluate logs and generate reports. Although the name might make you think otherwise, SafeSquid does not actually use the open source Squid proxy under the hood; instead, it uses a C/C++ in-house alternative developed by the vendor Office Efficiencies. SafeSquid also relies on Bash and Perl scripts for various application cases.
The vendor provides a free version and several commercial alternatives. The free Composite edition is likely more interesting for home users. One difference between the free and commercial variants is that the free version is limited to a maximum of three users. If more than three users access the network filter suite that is centrally installed on your home network, you need the commercial version [1].
Installation
SafeSquid is very picky about which version of Linux you are using. I tried, unsuccessfully, to install the software on Ubuntu 13.10. As the vendor later confirmed in a live chat, some packages are missing that cover all the dependencies of the installation scripts.
On Fedora 19, the setup worked well without any preparation, but SafeSquid failed to launch – the installation script had simply copied the init.d script incorrectly. A manual launch of SafeSquid also failed because of follow-up errors. Because a supporter suggested Ubuntu 12.04 in the live chat, I used the 64-bit Ubuntu 12.04 variant for testing. Further research showed that SafeSquid works seamlessly with openSUSE 12.3 (64-bit).
The command sudo su - lets you extend your privileges for administrative access; you then need to change to the /root/ directory. For the setup to work smoothly, you need to install libgmp3c2 via apt-get up front. The libraries it contains meet some of the installation script's dependencies. Next, download the SafeSquid tarball from the download page [2] and unpack it.
Change to the newly created directory, /root/safesquid/, and type ./install.sh to launch the installer (Figure 1). The installer sets up the proxy in the /opt/safesquid/safesquid/safesquid directory. Go through the individual steps of the setup routine until SafeSquid confirms the successful installation. Pressing S starts the proxy.
Alternatively, you can start SafeSquid manually with the command /etc/init.d/safesquid start. The service is now running in the background and listening on port 8080. You can use the lsof -ni:8080 command to confirm that the proxy can be reached on the appropriate port. If everything worked, entering update-rc.d safesquid defaults will ensure that the proxy is loaded automatically at every reboot.
The manufacturer requires you to activate the free SafeSquid on the Internet. You can use the web interface for this step, as well as for advanced configuration. Launch a browser and configure it to use the SafeSquid proxy (Figure 2) by specifying localhost and port 8080 as the proxy address and port. (Figure 2 shows the configuration dialog for Firefox. Other browsers are similar – see your browser's documentation.)
Enter http://safesquid.cfg as the URL in the browser and press About in the SafeSquid Interface (Figure 3). In the About window, you need to enter your email address and confirm the auto-generated activation key. Pressing Submit transfers the data to the manufacturer and thus activates the proxy installation. After successful activation, SafeSquid prompts you to reboot.
Administrative Apparatus
One benefit of a proxy is the option of setting up a blacklist. To configure a blacklist in SafeSquid, click the Config link on the SafeSquid interface start page. You will find a drop-down menu with many configuration categories. The first of these, Access restrictions, controls access to the proxy itself.
On the basis of various criteria, you can specify which users or which systems are allowed to use SafeSquid. The two predefined rules allow access for the local client and all other network nodes and users. To specify your own rules, you must delete these two default rules. However, for use on a home network, you will not usually need any additional access rules.
The second configuration category, cProfiles, manages the website categorization. The rules are disabled by default, but you can activate them by selecting Enabled. cProfiles sorts websites into different categories based on their content, allowing you, theoretically, to block access to adult content easily, for example.
In the lab, I tried to filter out sports pages, and the software failed to recognize any of the web pages I visited, thus allowing free access to all sports content. Language did not seem to be the problem, as the proxy continued to allow access to US football sites. In fact, in further tests with other categories, it was initially impossible to talk SafeSquid into detecting unwanted content. It was only in the Chat content that the software managed to deny access to sites.
When I contacted the manufacturer of SafeSquid with a query, I learned that the filter lists might categorize many websites differently than expected. According to support, the website I used for the test (http://www.sport1.de) was more of a news page than a sports page. In such cases, you need to block both news and sports content.
The SafeSquid web interface offers users the ability to view the URL categorization (Test cProfiles), although this option rarely worked, at least for the URLs I used. Typically, the URL tests showed no associations, although SafeSquid might possibly assign them to a category internally.
If you want to try this yourself, enable categorization and press Add to add a new cProfile. Type Chat in the Comment box and, in the Category List, check the chat content category (Figure 4). Then, type blocked-category in the Added profiles text box.
Confirm your selection by pressing Submit and then navigate to the URL filter configuration category. Enable this module by checking Enabled -> Yes and pressing Submit. In the Deny category, again follow the Add link to add a new rule with the following values:
Enabled: Yes
Profiles: blocked-category
Confirm by pressing Submit and, in the browser, surf to the website on http://tinychat.com. Voilà – SafeSquid now denies access (Figure 5).
Warning: After restarting SafeSquid (thus, after each reboot), the specially created cProfiles and URL filtering disappear. A request for clarification confirmed my suspicions: SafeSquid only stores settings you save in RAM, which is why they are lost when you restart the software. As a remedy, you can back up the SafeSquid settings (link Save settings) on the main page. The application then saves the configuration in /opt/safesquid/safesquid/config.xml. The Load settings section on the main page lets you load this file again later.
Another unpleasant side effect: The proxy does not filter websites that you have visited previously, although it would normally block them based on your settings. SafeSquid either seems to get confused here, or this is an undocumented feature.
If the SafeSquid cProfiles are not reliable enough for your liking, you can use the URL blacklist link for a configuration category to create your own blacklist. This feature is also useful for integrating external blacklists such as those offered, for example, by Shalla Secure Services [3], which is free for private users. You download the lists as a tarball, which you then integrate with SafeSquid (Listing 1).
Listing 1
Integrating Blacklists
In the URL blacklist category, check Enabled and enter the path as /opt/safesquid/BL. When you are done, press Submit. SafeSquid loads all the entries from the URL lists into RAM at launch time, which gives you the added benefit of being able to surf without sacrificing performance due to filtering. To use the blacklists, create the following new rule under Deny:
Enabled: true
Comment: Podcasts
Categories: podcasts
Under Categories, enter the folder name in which the blacklist in question is located. In this example, the URLs for the podcast category are listed below /opt/safesquid/BL/podcasts.
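To see which category folder covers a given host before writing the Deny rule, the following added example (not from the article or from SafeSquid) walks a blacklist directory. It assumes the squidGuard-style layout, one folder per category directly below the blacklist path with a domains file holding one domain per line, and it assumes that a listed domain also covers its subdomains; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which blacklist categories cover a host.
# Assumed layout (squidGuard style):
#   <BL_DIR>/<category>/domains   one domain per line
# bl_categories_for and bl_demo_tree are hypothetical helper names.

# Print every category whose domains file lists HOST or a parent domain.
bl_categories_for() {
    bl_dir=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for file in "$bl_dir"/*/domains; do
        [ -f "$file" ] || continue
        category=$(basename "$(dirname "$file")")
        candidate=$host
        while :; do
            # -x whole line, -F fixed string: "chat.example" must not
            # match "xchat.example" or be treated as a regex.
            if grep -qxF -- "$candidate" "$file"; then
                printf '%s\n' "$category"
                break
            fi
            # Strip the leftmost label and retry with the parent domain.
            case $candidate in
                *.*) candidate=${candidate#*.} ;;
                *)   break ;;
            esac
        done
    done
}

# Build a small constructed tree (sample data, not a real blacklist).
bl_demo_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/podcasts" "$dir/chat"
    printf '%s\n' 'podcasts.example' 'audio.example' > "$dir/podcasts/domains"
    printf '%s\n' 'chat.example' 'audio.example' > "$dir/chat/domains"
    printf '%s\n' "$dir"
}

demo=$(bl_demo_tree)
bl_categories_for "$demo" 'feeds.podcasts.example'   # parent domain match
bl_categories_for "$demo" 'xchat.example'            # no match
rm -rf "$demo"
```

On a real installation, the first argument would be the path entered in the URL blacklist category, /opt/safesquid/BL.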
If those surf control variants do not meet your requirements, the Keyword filter configuration category contains large collections of keywords, to which you can add your own, as needed. DNS blacklist lets you block pages by referencing external DNS blacklist providers.
Virus Free
To provide at least rudimentary protection against viruses from downloads, it is a good idea to integrate an antivirus scanner into the proxy. SafeSquid supports the free ClamAV, as well as several commercial products; ClamAV should be sufficient for most purposes.
Click on the Client for ClamAV antivirus configuration category and then check the Yes box next to Enabled. Set a value of /var/run/clamav/clamd.ctl for the ClamAV hostname or socket path field and press Submit to confirm. Next, switch to a terminal window and install ClamAV using the commands in Listing 2. The antivirus solution is now ready for use (Figure 6).
Listing 2
Installing ClamAV