Friday, September 30, 2016

Update on using squidGuard Webproxy for Ubiquiti

For those who have read my previous blog post about getting my feet wet with the webproxy package installed on our EdgeOS based routers, I have some updated notes to help out with a few things I didn't find well documented and readily available on the internet.

1) How to un-disable the webproxy url-filtering.
   If you needed to disable the webproxy for one reason or another, it's not that difficult. The command to do so is built into the auto-complete command set:
   configure
   set service webproxy url-filtering squidguard disable
   commit

What I couldn't find documented well in my searching was how to UN-disable it after you've made your changes and are ready to bring the webproxy back online. It took some thinking on my own, as I'll often do when stuck on a problem, but my logic was sound and I had nothing to lose:
   configure
   delete service webproxy url-filtering squidguard disable
   commit

Success! The service was back online and I didn't have to rebuild my configuration.

2) How to save your /var/log/ mount point after turning on DPI.
After enabling DPI, outlined in my other post, a lot of logging is turned on. Logging is good if you want to do some checking on your traffic, but it gets excessive when you have a busy router. Your /var/log/messages log will overrun the mount point quickly if some housekeeping isn't done to curb this. Via the GUI you'll want to go to your rulesets and uncheck logging for all of your accept rules. If you are special and have a server that accepts all of your logs for you, you need not worry.

3) Making a separate proxy profile for separate subnets
Guest Wi-Fi subnets rarely need the same allowances as an internal network, so if a guest complains about not being able to get to break.com, it's not a big deal. However, maybe someone internal needs it. What do you do?

You could make exceptions for the entire router for individual sites, but over time the list could grow and then you'd be opening it up for everyone. Luckily for you, source-groups are able to handle the task. With a source-group you can leave the default allows and blocks on for everyone and make changes by exception for just that group.

set service webproxy url-filtering squidguard source-group guests address 192.168.2.2-192.168.2.254
set service webproxy url-filtering squidguard rule 10 source-group guests
set service webproxy url-filtering squidguard rule 10 allow-category adult

Once this has been committed and saved, you have allowed the adult category (which is the category break.com belongs to) for those IPs in the internal network. This same method can be used for other exceptions and restrictions.
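To check what a given client actually gets from a source-group setup like the one above, here is an added Python example (my own, not from the post and not part of EdgeOS or squidGuard). It parses `set` lines in the form `show configuration commands` prints them and evaluates a client IP against the rules; the rule-matching semantics in the comments are assumed, and the second source-group `lab` and the `socialnet` category are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PREFIX = "set service webproxy url-filtering squidguard "
# Constructed sample: the post's guest commands plus a top-level default block and
# a hypothetical second source-group 'lab' that gets an extra restriction.
SAMPLE_CONFIG = """
set service webproxy url-filtering squidguard block-category adult
set service webproxy url-filtering squidguard source-group guests address 192.168.2.2-192.168.2.254
set service webproxy url-filtering squidguard rule 10 source-group guests
set service webproxy url-filtering squidguard rule 10 allow-category adult
set service webproxy url-filtering squidguard source-group lab address 192.168.3.2-192.168.3.254
set service webproxy url-filtering squidguard rule 20 source-group lab
set service webproxy url-filtering squidguard rule 20 block-category socialnet
"""

def in_range(ip, spec):
    """True if ip lies in spec, an EdgeOS 'first-last' address range or a single address."""
    first, _, last = spec.partition("-")
    return ipaddress.ip_address(first) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(last or first)

def parse(config):
    """Split 'set ...' lines into default blocked categories, source-groups and rules."""
    default_block, groups = set(), defaultdict(list)
    rules = defaultdict(lambda: {"group": None, "allow": set(), "block": set()})
    for t in (l[len(PREFIX):].split() for l in config.splitlines() if l.startswith(PREFIX)):
        if t[0] == "block-category":
            default_block.add(t[1])
        elif t[0] == "source-group" and t[2] == "address":
            groups[t[1]].append(t[3])
        elif t[0] == "rule" and t[2] == "source-group":
            rules[int(t[1])]["group"] = t[3]
        elif t[0] == "rule":  # rule N allow-category X  /  rule N block-category X
            rules[int(t[1])][t[2].split("-")[0]].add(t[3])
    return default_block, groups, rules

def decision(config, client_ip, category):
    """'allow' or 'block' for client_ip in category. Assumed semantics: lowest-numbered rule
    whose source-group holds the client decides; unmentioned categories use the defaults."""
    default_block, groups, rules = parse(config)
    for num in sorted(rules):
        rule = rules[num]
        if any(in_range(client_ip, spec) for spec in groups.get(rule["group"], [])):
            if category in rule["block"]:
                return "block"
            if category in rule["allow"]:
                return "allow"
            break  # matched, but the rule is silent on this category
    return "block" if category in default_block else "allow"
```

Note that 192.168.2.1 sits outside the guests range, so a host at that address still gets the default block.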

If you have questions or comments please leave them below.
