safe kids | safe home | diy - web content filtering
for months now i had been wondering how to get a robust web content filter for the house. we have kids and we want to be sure they browse safely. there are two ways: either keep buying anti-virus suites and paying subscriptions, or build something simple at home with an old pc lying around. i chose the latter.

with chrome and firefox ramping up security and privacy, content filtering was getting hard, and the reason was "SSL" (tls). the point of tls is that everything flows through an encrypted tunnel between the browser and the site, so nothing on the path can read or change it. an ssl proxy deliberately breaks that guarantee, on your own network and for your own devices: without decrypting the traffic you cannot look at the content, so we put a proxy in the path that terminates the tls connection from the browser, filters the cleartext, and opens a fresh tls connection to the real site. for the browser to accept this, every device has to trust the proxy's own certificate authority, which is why we create one later in this post.

take a look at the following diagram. this is a simple layout of a home network; without the proxy in the middle, this is exactly how ours looks. all the devices in the house talk to the outside world directly through the router+firewall, and with that setup you cannot do web content filtering. so let's put our man in the middle, popularly known as "mitm", between the devices and the router.

so for starters i created a virtual machine with the following specs. it is always good to start with a virtual machine so that if anything goes wrong we can quickly start from scratch.

once your virtual machine is ready do the following steps.

Step 1: install ubuntu server; this is a standard process and there are many tutorials available. once the server is up and running, go to step 2
Step 2: sudo apt-get update; sudo apt-get upgrade -y; sudo apt-get dist-upgrade -y;
Step 3: sudo apt-get install build-essential openssh-server squid3 squid3-common git -y; sudo apt-get build-dep dansguardian -y
(the package is called build-essential, not build-essentials, and build-dep is an apt-get sub-command rather than a package: it pulls in the libraries needed to compile dansguardian, which e2guardian is a fork of. it needs the deb-src lines in /etc/apt/sources.list to be enabled.)
Step 4: find out the ip address of your newly created box by running ifconfig and looking at the "inet addr" line of your lan interface (eth0 or similar); you should see something like the screenshot.

Step 5: note the ip address from Step 4; you will need it later.
Step 6: mkdir ~/src; cd ~/src
Step 7: git clone https://github.com/e2guardian/e2guardian.git
Step 8: cd e2guardian
Step 9: ./autogen.sh
Step 10: ./configure '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--enable-dnsauth=yes' '--with-filedescriptors=1000' '--enable-sslmitm'
Step 11: make
Step 12: sudo make install
Step 13: this installs e2guardian [your web content proxy] on the system. Steps 6 - 12 are very important to get the web content filter working. note the --enable-sslmitm flag at the end of the configure line in Step 10: if you miss it, e2guardian is built without the ssl man-in-the-middle code and the filter will not work on https connections.
Step 14: once the content filter proxy is installed you can now start configuring it.
Step 15: cd /etc/e2guardian/
Step 16: the main configuration parameters live in "e2guardian.conf" in this directory. before touching it, copy the original so that even if you mess something up you can get it back:
sudo cp /etc/e2guardian/e2guardian.conf /etc/e2guardian/e2guardian.conf.original
Step 17: edit it with your favourite editor, e.g. sudo nano ./e2guardian.conf. i have attached my configuration file here; you can download it and save it as e2guardian.conf -> link
Step 18: next we jump to content filtering. the filtering rules are in "e2guardianf1.conf" (the config for filter group 1). back that one up too, for the same reason:
sudo cp /etc/e2guardian/e2guardianf1.conf /etc/e2guardian/e2guardianf1.conf.original
Step 19: i have attached my filter configuration file here; you can download it and save it as e2guardianf1.conf -> link. if you want to know what each line does, open the original files: the notes for every option are clearly and nicely written. for starters my files will do, but a couple of changes are needed in the files you just downloaded.
Step 20: e2guardian.conf
remember you installed squid3 in Step 3. squid listens on port 3128 by default, so e2guardian is pointed at that port, and the proxy ip is the address where squid is running, which is the same box, hence the loopback address. if your setup differs, change these two lines.
proxyip = 127.0.0.1
proxyport = 3128
Step 21: steps 21 to 34 are the most important ones. elevate your privileges by typing "sudo su" and entering your password. [corrected]
Step 22: mkdir /etc/e2guardian/ssl_certs
Step 23: cd /etc/e2guardian/ssl_certs
Step 24: create the root CA, i.e. its private key and the self-signed CA certificate in one go. the file names here are the ones e2guardian.conf expects in Step 35, so use them exactly: openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout private_root.pem -out my_rootCA.crt
(with -days 365 the CA expires after a year and every device will start complaining; raise it if you do not want to re-import the certificate next year.)
Step 25: if you prefer gnutls over openssl, the same two files can be produced with certtool instead; answer "yes" when it asks whether the certificate belongs to an authority. do one or the other, not both, or the second run overwrites the first: certtool --generate-privkey --outfile private_root.pem; certtool --generate-self-signed --load-privkey private_root.pem --outfile my_rootCA.crt
Step 26: create a DER format copy of the root certificate; this is the file you will later import as a trusted root on every phone, tablet and laptop: openssl x509 -in my_rootCA.crt -outform DER -out my_rootCA.der
Step 27: generate the key that goes into the per-site certificates e2guardian generates (the "key for use with upstream SSL connections" in the e2guardian notes): openssl genrsa 2048 > private_cert.pem
Step 28: lock the private keys down; whoever gets hold of private_root.pem can impersonate any https site to every device that trusts your CA: chmod 600 private_root.pem private_cert.pem. your ssl_certs folder must now contain these four files:
my_rootCA.crt
my_rootCA.der
private_cert.pem
private_root.pem
Step 29: now at the prompt create the e2guardian system user (the --with-proxyuser name from Step 10) by typing
useradd -r -s /usr/sbin/nologin e2guardian
Step 30: create a directory called generatedcerts to store the per-site certificates e2guardian generates. this directory must be writable by the e2guardian user
Step 31: mkdir /etc/e2guardian/generatedcerts
Step 32: chown -R e2guardian:e2guardian /etc/e2guardian/generatedcerts [corrected]
Step 33: mkdir /var/log/e2guardian
Step 34: chown -R e2guardian:e2guardian /var/log/e2guardian (chown the directory itself, not /var/log/e2guardian/*: the directory is still empty, so the glob matches nothing and the logs would end up unwritable)
Step 35: your e2guardian box is now almost ready. make a final check of the certificate settings: open e2guardian.conf and look for the following lines. the file names must match exactly what you created in Steps 24 - 27, otherwise https filtering fails silently.
cacertificatepath = '/etc/e2guardian/ssl_certs/my_rootCA.crt'
caprivatekeypath = '/etc/e2guardian/ssl_certs/private_root.pem'
certprivatekeypath = '/etc/e2guardian/ssl_certs/private_cert.pem'
generatedcertpath = '/etc/e2guardian/generatedcerts/'
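the whole certificate and directory procedure (Steps 22 to 35) as one script, added here as an example; it is not code from the original post or from the e2guardian project. it assumes openssl is present and that you run it as root; the certificate subject name, the ca.cnf file, the E2G_* variables and the function names are mine. instead of relying on the distro's stock v3_ca section it writes its own tiny openssl config, so the CA:TRUE flag does not depend on what /etc/ssl/openssl.cnf happens to contain, and it adds the check a practitioner wants at Step 35: that the cert really is a CA and really belongs to the private key, which is exactly what goes wrong when the file names get mixed up.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 22 to 35 as one script, with a
# self-check that the CA is a CA and that private_root.pem matches my_rootCA.crt.
# Assumptions: openssl is installed; run as root (sudo su); E2G_ETC / E2G_LOG may
# point at a scratch directory for a dry run. Subject name and ca.cnf are made up.
set -eu

E2G_ETC="${E2G_ETC:-/etc/e2guardian}"
E2G_LOG="${E2G_LOG:-/var/log/e2guardian}"
E2G_USER="${E2G_USER:-e2guardian}"

# Steps 22-28: root CA key+cert, DER copy for client import, per-site signing key.
make_certs() {
    dir="$1/ssl_certs"
    mkdir -p "$dir"
    # Minimal config standing in for the stock v3_ca section: CA:TRUE plus the
    # right to sign certificates, which e2guardian needs to mint one per https site.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Home Filter Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # -x509 makes this a self-signed certificate straight away (no CSR step).
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$dir/ca.cnf" -extensions ca_ext \
        -keyout "$dir/private_root.pem" -out "$dir/my_rootCA.crt"
    # DER copy: the file that gets imported as a trusted root on phones and laptops.
    openssl x509 -in "$dir/my_rootCA.crt" -outform DER -out "$dir/my_rootCA.der"
    # Key used inside the per-site certificates e2guardian generates.
    openssl genrsa -out "$dir/private_cert.pem" 2048
    # Whoever holds private_root.pem can impersonate any https site to every device
    # that trusts the CA, so nobody but root gets to read the keys.
    chmod 600 "$dir/private_root.pem" "$dir/private_cert.pem"
}

# Step 35 check: prints "ok" when all four files exist, the CA cert carries CA:TRUE
# and its public key matches private_root.pem; prints the reason and returns 1 if not.
check_certs() {
    dir="$1/ssl_certs"
    for f in my_rootCA.crt my_rootCA.der private_cert.pem private_root.pem; do
        [ -s "$dir/$f" ] || { echo "missing $f"; return 1; }
    done
    if ! openssl x509 -in "$dir/my_rootCA.crt" -noout -text | grep -q 'CA:TRUE'; then
        echo "my_rootCA.crt is not a CA certificate"; return 1
    fi
    # Compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$dir/my_rootCA.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/private_root.pem" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private_root.pem does not belong to my_rootCA.crt"; return 1
    fi
    echo ok
}

# Steps 29-34: service user, writable cache for generated certs, log directory.
make_dirs() {
    id -u "$E2G_USER" >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin "$E2G_USER"
    mkdir -p "$1/generatedcerts" "$2"
    # chown the directories themselves, not dir/*: an empty dir's glob matches nothing.
    chown -R "$E2G_USER:$E2G_USER" "$1/generatedcerts" "$2"
}

# Only do the real thing when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    make_certs "$E2G_ETC"
    make_dirs "$E2G_ETC" "$E2G_LOG"
    check_certs "$E2G_ETC"
fi
```

run it as root with `sh setup-e2g-certs.sh run`. to dry-run only the certificate part somewhere harmless, source the file and call `make_certs /tmp/e2g; check_certs /tmp/e2g`; make_dirs still needs root because of useradd. the ca.cnf it writes is the spelled-out equivalent of the `-extensions v3_ca` used in Step 24, so either route produces a certificate e2guardian can sign with.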
Step 36: open the e2guardianf1.conf file. the two changes you may need to make are the ip addresses in the following two lines, which should be the address you noted in Step 4; a blocked request is redirected to these urls, so something on that host has to serve them. keep everything else as it is.
accessdeniedaddress = 'http://10.0.1.20/cgi-bin/e2guardian.pl'
sslaccessdeniedaddress = 'http://10.0.1.20/denyssl.htm'
[update]
Step 37: add the lan ip address of your e2guardian host to the /etc/hosts file, e.g.
one thing to keep in mind: today this works in explicit proxy mode only, which means you have to configure the proxy on each end-user machine; you cannot run this setup in transparent mode. while you are on each machine, also import my_rootCA.der from Step 26 as a trusted root certificate, otherwise every https site will show a certificate warning, because the browser does not know the CA that signed the certificates the proxy presents.
browser: firefox
setup: preferences->advanced->network->settings, manual proxy configuration pointing both http and ssl proxy at the ip from Step 4 and e2guardian's filter port
see pictures below

concept and design: harshdevX