Exploring the SafeSquid filter proxy

Safety Filter

Article from Issue 161/2014

If you are looking for a secure option for home surfing and want to protect your children against questionable web content, you need a filtering proxy. SafeSquid is a commercial proxy tool, but it comes with a free version for private users.

SafeSquid acts as a proxy for home users and small to medium-sized networks. The software sits between the browser and the Internet and provides a number of content filters (including for Flash) to make surfing more secure by defining domain blacklists and scanning for malware. Additionally, SafeSquid provides access control in the form of website categories and profiles, as well as an image recognition feature for blocking pornographic material.

Thanks to a cache for web pages and images, in combination with intelligent prefetching for web pages, the SafeSquid also accelerates the surfing experience. A convenient web interface lets users evaluate logs and generate reports. Although the name might make you think otherwise, SafeSquid does not actually use the open source Squid proxy under the hood; instead, it uses a C/C++ in-house alternative developed by the vendor Office Efficiencies. SafeSquid also relies on Bash and Perl scripts for various application cases.

The vendor provides a free version and several commercial alternatives. The free Composite edition is likely more interesting for home users. One difference between the free and commercial variants is that the free version is limited to a maximum of three users. If more than three users access the network filter suite that is centrally installed on your home network, you need the commercial version [1].


SafeSquid is very picky about which version of Linux you are using. I tried, unsuccessfully, to install the software on Ubuntu 13.10. As the vendor later confirmed in a live chat, some packages are missing that cover all the dependencies of the installation scripts.

On Fedora 19, the setup worked well without any preparation, but SafeSquid failed to launch – the installation script had simply copied the init.d script incorrectly. A manual launch of SafeSquid also failed because of follow-up errors. Because a supporter suggested Ubuntu 12.04 in the live chat, I used the 64-bit Ubuntu 12.04 variant for testing. Further research showed that SafeSquid works seamlessly with openSUSE 12.3 (64-bit).

The command

sudo su -

lets you extend your privileges for administrative access; you then need to change to the /root/ directory. For the setup to work smoothly, you need to install libgmp3c2 via apt-get up front. The libraries it contains meet some of the installation script's dependencies. Next, download the SafeSquid tarball from the download page [2] and unpack it.

Change to the newly created directory, /root/safesquid/, and type ./install.sh to launch the installer (Figure 1). The installer sets up the proxy in the /opt/safesquid/safesquid/safesquid directory. Go through the individual steps of the setup routine until SafeSquid confirms the successful installation. Pressing S starts the proxy.

Figure 1: The text-based installation script prompts you for the most important setup parameters.

Alternatively, you can start SafeSquid manually with the command /etc/init.d/safesquid start. The service is now running in the background and listening on port 8080. You can use the lsof -ni:8080 command to confirm that the proxy can be reached on the appropriate port. If everything worked, entering update-rc.d safesquid default will ensure that the proxy is loaded automatically at every reboot.

The manufacturer requires you to activate the free SafeSquid on the Internet. You can use the web interface for this step, as well as for advanced configuration. Launch a browser and configure it to use the SafeSquid proxy (Figure 2) by specifying localhost and port 8080 as the proxy address and port. (Figure 2 shows the configuration dialog for Firefox. Other browsers are similar – see your browser's documentation.)

Figure 2: To use SafeSquid, you must configure your browser accordingly.

Enter http://safesquid.cfg as the URL in the browser and press About in the SafeSquid Interface (Figure 3). In the About window, you need to enter your email address and confirm the auto-generated activation key. Pressing Submit transfers the data to the manufacturer and thus activates the proxy installation. After successful activation, SafeSquid prompts you to reboot.

Figure 3: The free version of the filter proxy requires you to register with the manufacturer.

Administrative Apparatus

One benefit of a proxy is the option of setting up a blacklist. To configure a blacklist in SafeSquid, click the Config link on the SafeSquid interface start page. You will find a drop-down menu with many configuration categories. The first of these, Access restrictions, controls access to the proxy itself.

On the basis of various criteria, you can specify which users or which systems are allowed to use SafeSquid. The two predefined rules allow access for the local client and all other network nodes and users. To specify your own rules, you must delete these two default rules. However, for use on a home network, you will not usually need any additional access rules.

The second configuration category, cProfiles, manages the website categorization. The rules are disabled by default, but you can activate them by selecting Enabled. Website manages cProfiles in different categories based on their content, allowing you, theoretically, easily to block access to adult content, for example.

In the lab, I tried to filter out sports pages, and the software failed to recognize any of the web pages I visited, thus allowing free access to all sports content. Language did not seem to be the problem, as the proxy continued to allow access to US football sites. In fact, in further tests with other categories, it was initially impossible to talk SafeSquid into detecting unwanted content. It was only in the Chat content that the software managed to deny access to sites.

When I contacted the manufacturer of SafeSquid with a query, I learned that the filter lists might categorize many websites differently than expected. According to support, the website I used for the test (http://www.sport1.de) was more of a news page than a sports page. In such cases, you need to block both news and sports content.

The SafeSquid web interface offers users the ability to view the URL categorization (Test cProfiles), although this option rarely worked, at least for the URLs I used. Typically, the URL tests showed no associations, although SafeSquid might possibly assign them to a category internally.

If you want to try this yourself, enable categorization and press Add to add a new cProfile. Type Chat in the Comment box and, in the Category List, check the chat content category (Figure 4). Then, type blocked-category in the Added profiles text box.

Figure 4: SafeSquid's cProfiles theoretically let you block websites with certain topics, such as chat.

Confirm your selection by pressing Submit and then navigate to the URL filter configuration category. Enable this module by the checking Enabled -> Yes and pressing Submit. In the Deny category, again follow the Add link to add a new rule with the following values:

Enabled: Yes
Profiles: blocked-category

Confirm by pressing Submit and, in the browser, surf to the website on http://tinychat.com. Voilà  – SafeSquid now denies access (Figure 5).

Figure 5: If you try to access a blocked page, the software only displays a message.

Warning: After restarting SafeSquid (thus, after each reboot), the specially created cProfiles and URL filtering disappear. A request for clarification confirmed my suspicions: SafeSquid only stores settings you save in RAM, which is why they are lost when you restart the software. As a remedy, you can back up the SafeSquid settings (link Save settings) on the main page. The application then saves the configuration in /opt/safesquid/safesquid/config.xml. The Load settings section on the main page lets you load this file again later.

Another unpleasant side effect: The proxy does not filter websites that you have visited previously, although it would normally block them based on your settings. SafeSquid either seems to get confused here, or this is an undocumented feature.

If the SafeSquid cProfiles are not reliable enough for your liking, you can use the URL blacklist link for a configuration category to create your own blacklist. This feature is also useful for integrating external blacklists such as those offered, for example, by Shalla Secure Services [3], which is free for private users. You download the lists as a tarball, which you then integrate with SafeSquid (Listing 1).

Listing 1

Integrating Blacklists

$ cd /opt/safesquid
$ wget http://www.shallalist.de/Downloads/shallalist.tar.gz
$ tar xzvf shallalist.tar.gz

In the URL blacklist category, check Enabled and enter the path as /opt/safesquid/BL. When you are done, press Submit. SafeSquid loads all the entries from the URL lists into RAM at launch time, which gives you the added benefit of being able to surf without sacrificing performance due to filtering. To use the blacklists, create the following new rule under Deny:

Enabled: true
Comment: Podcasts
  Categories: podcasts

Under Categories, enter the folder name in which the blacklist in question is located. In this example, the URLs for the podcast category are listed below /opt/safesquid/BL/podcasts.

If those surf control variants do not meet your requirements, the Keyword filter configuration category contains large collections of keywords, to which you can add your own, as needed. DNS blacklist lets you block pages by referencing external DNS blacklist providers.

Virus Free

To provide at least rudimentary protection against viruses from downloads, it is a good idea to integrate an antivirus scanner into the proxy. SafeSquid supports the free ClamAV, as well as several commercial products; ClamAV should be sufficient for most purposes.

Click on the Client for ClamAV antivirus configuration category and then check the Yes box next to Enabled. Set a value of /var/run/clamav/clamd.ctl for the ClamAV hostname or socket path field and press Submit to confirm. Next, switch to a terminal window and install ClamAV using the commands in Listing  2. The antivirus solution is now ready for use (Figure 6).

Listing 2

Installing ClamAV

# apt-get install clamav clamav-daemon
# freshclam
# service clamav-daemon start
Figure 6: Integrating ClamAV into SafeSquid denies access to potentially harmful web content.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Security Lessons – Squid Filtering

    Kurt describes how to use Squid's ACLs and ICAP when you want to limit Internet access, for whatever reason.

  • Squid Bridge

    Caching proxies remember web pages and serve them up locally, saving both money and time. The most intelligent members of this family also remove dangerous content and provide transparent bridging.

  • Squid at Home

    Are your children wearing out their eyeballs on the Internet? Squid will help you impose some time limits and filter out inappropriate content.

  • Squid proxy server

    A proxy server provides safer and more efficient surfing. Although commercial proxy solutions are available, all you really need is Linux and an old PC in the attic.

  • Filter Proxy for AD

    You might want to reap the benefits of active directory’s single sign-on for your virus scanning and content filtering. If you also use Squid to handle user access to the internet, you have a front-row seat for “when worlds collide.”

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95