├── README.md
└── src
    ├── Dockerfile
    ├── build.bat
    ├── build.sh
    ├── contents
    │   ├── apache2
    │   ├── reload.sh
    │   ├── restart.sh
    │   ├── squid
    │   ├── squid.conf
    │   ├── websafety_license
    │   ├── websafety_update
    │   ├── wsgsbd
    │   ├── wsicapd
    │   ├── wsmond
    │   ├── wssyncd
    │   └── wsytgd
    ├── run.bat
    └── run.sh

/README.md:
--------------------------------------------------------------------------------
Web Safety 8.5 in Docker with Squid 5.7
=======================================

This project provides a full Docker image for Web Safety, including Squid proxy rebuilt to enable SSL decryption and HTTPS filtering (version 5.7).

Web Safety for Squid Proxy is the ICAP web filtering server that provides rich content and web filtering functionality to sanitize Internet traffic passing into an internal home/enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content. The application is easily deployed and managed, requires minimal external dependencies, is very robust and runs with excellent performance.

It supports all major Linux distributions (Ubuntu, Debian, RedHat). With the latest release of Docker it can also run on Microsoft Windows and Apple MacOS X.

***Check [the upgrade documentation](https://docs.diladele.com/administrator_guide_stable/upgrade/index.html) for more information about the changes and hints at a potential upgrade path from previous images.***

# Running the image from Docker Hub

Please install docker from www.docker.com.

If you already have the image deployed, please see how you can [clean before updating to the newest version](#removing-existing-images-and-containers).

In order to run the product please execute the following commands:
```
docker run --rm -dt --name websafety --dns=8.8.8.8 \
           -p 8000:80 -p 8443:443 -p 3128:3128 \
           -e TIME_ZONE="Europe/Berlin" diladele/websafety:8.5
```
After executing these commands, you can connect to the Admin Console by typing [https://localhost:8443](https://localhost:8443) in your browser. Note that version 8.5 now runs using HTTPS.

The Squid proxy is listening on port 3128.

To stop the container, please run:

    docker stop websafety

To start the container again, please run:

    docker start websafety

The full tutorial explaining how to run this Docker container on Windows 10 can be found [here](https://docs.diladele.com/docker/docker_windows_10/index.html).

# Removing existing images and containers

In order to remove the previous version of websafety, please perform the following steps:
* stop the running container with the following command:
```
docker stop websafety
```

* remove data and runtime containers:
```
docker rm websafety
```

* remove outdated image (optional):
```
docker rmi diladele/websafety
```
See how you can [install the new version](#running-the-image-from-docker-hub).

# Building the image on your machine

Please install docker from www.docker.com. After cloning the project, build it with

    ./build.sh

Run the container with

    ./run.sh

Stop with

    docker stop websafety

Start again with

    docker start websafety

# Push to DockerHub

```
docker login --username=blabla
docker push diladele/websafety:8.5

docker tag diladele/websafety:8.5 diladele/websafety:latest
docker push diladele/websafety:latest
```

# Licensing

The docker image comes with a pre-installed license. If it expires, please request the license at support@diladele.com or purchase at https://www.diladele.com/licensing.html

# Support

In case of any questions, please contact support@diladele.com

# References

* If you need a native Microsoft Windows proxy, look at the [Web Filtering Proxy](https://webproxy.diladele.com/) project.
* For standalone VMware ESXi/vSphere or Microsoft-HyperV virtual appliance visit [Web Safety Virtual Appliance](https://www.diladele.com/download.html).
* Virtual Appliance can also be deployed from Microsoft Azure Market Place using the following link https://azuremarketplace.microsoft.com/en-us/marketplace/apps/diladele.websafety?tab=Overview or Amazon AWS https://aws.amazon.com/marketplace/pp/B07KJHLHKC?qid=1542298277826&sr=0-1&ref_=srh_res_product_title
* Documentation for the project is [available online](https://docs.diladele.com)
* Support requests should be directed to support@diladele.com.

# Contributors

Our big thanks go to Ian Bashford for his invaluable contributions. Also a lot of thanks to Johann Richard for moving to version 5.0.

--------------------------------------------------------------------------------
/src/Dockerfile:
--------------------------------------------------------------------------------
#
# Docker file for running Diladele Web Safety in one container
#
FROM phusion/baseimage:master-amd64

MAINTAINER support@diladele.com

# set configuration variables
ENV DEBIAN_FRONTEND noninteractive
ENV TERM xterm
ENV DDWS_VER 8.5.0.C85E
ENV DDWS_UI_VER 8.5.0.3ECC
ENV OSNAME "ubuntu20"
ENV WEBSAFETY_IN_DOCKER "True"

# install python libs and apache with modwsgi
# the pip uninstall is grouped with its "|| true" so that the fallback cannot
# mask a failure of an earlier step in the chain; -y keeps it non-interactive
RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
    apt-get install -y --no-install-recommends apt-utils \
        apache2 libapache2-mod-wsgi-py3 iproute2 \
        python3-pip python3-dev python3-setuptools \
        sudo curl gnupg libsasl2-dev libldap2-dev libssl-dev g++ \
        krb5-user \
        sqlite && \
    a2dissite 000-default && a2enmod ssl && \
    curl https://packages.diladele.com/diladele_pub.asc -s -o diladele_pub.asc && \
    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add diladele_pub.asc && rm diladele_pub.asc && \
    apt-get clean && rm -rf /var/lib/apt/lists/* && \
    pip3 install --upgrade pip && \
    pip3 install wheel && \
    python3 -m pip install \
        django==4.1.2 \
        pytz \
        requests \
        pandas \
        PyYAML \
        psutil \
        tld \
        jinja2 \
        msal pyOpenSSL cryptography google-auth google-auth-oauthlib && \
    (pip3 uninstall -y ldap ldap3 python-ldap || true) && \
    pip3 install python-ldap


# install Squid 5.7 (with OpenSSL support) from the Diladele repository
RUN echo "deb https://squid57.diladele.com/ubuntu/ focal main" > /etc/apt/sources.list.d/squid57.diladele.com.list && \
    apt-get update && apt-get install -y --no-install-recommends \
        libecap3 libecap3-dev \
        squid-common \
        squid-openssl \
        squidclient && \
    rm -rf /var/run/squid.pid && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# get latest web safety and install it
# the .deb packages are fetched over HTTPS and installed as downloaded,
# without a checksum or signature check
RUN curl https://packages.diladele.com/websafety-core/${DDWS_VER}/amd64/release/${OSNAME}/websafety-${DDWS_VER}_amd64.deb -o websafety-core${DDWS_VER}_amd64.deb && \
    curl https://packages.diladele.com/websafety-ui/${DDWS_UI_VER}/amd64/release/${OSNAME}/websafety-ui-${DDWS_UI_VER}_amd64.deb -o websafety-ui-${DDWS_UI_VER}_amd64.deb && \
    dpkg --install websafety-core${DDWS_VER}_amd64.deb && \
    dpkg --install websafety-ui-${DDWS_UI_VER}_amd64.deb && \
    chown -R proxy:proxy /opt/websafety && \
    chown -R websafety:websafety /opt/websafety-ui && \
    rm -f websafety-core${DDWS_VER}_amd64.deb && \
    rm -f websafety-ui-${DDWS_UI_VER}_amd64.deb && \
    a2ensite websafety && \
    mkdir -p /var/run/apache2 && \
    mkdir -p /var/log/websafety && \
    sudo -u proxy python3 /opt/websafety-ui/var/console/generate.py --core && \
    sudo -u websafety python3 /opt/websafety-ui/var/console/generate.py --ui && \
    chown -R websafety:websafety /opt/websafety-ui && \
    touch /etc/crontab && mkdir -p /opt/websafety/var/reports && \
    mkdir -p /usr/share/squid/errors/templates/opt/websafety/etc/squid && \
    ln -s /opt/websafety/etc/squid/portal.html /usr/share/squid/errors/templates/opt/websafety/etc/squid/portal.html

# let the web UI account run the management helpers as root without a password
# note: /usr/bin/tail is listed without argument restrictions, so it can read any file as root
RUN echo "websafety ALL=(root) NOPASSWD: /opt/websafety/bin/reload.sh, /opt/websafety/bin/restart.sh, /opt/websafety/bin/cluster.sh, /opt/websafety-ui/bin/certmgr.py, /opt/websafety-ui/bin/cachemgr.py, /usr/bin/tail, /opt/websafety-ui/bin/timezone.py, /opt/websafety-ui/bin/hostname.py, /opt/websafety-ui/bin/resolve.py, /opt/websafety-ui/bin/netmgr.py, /opt/websafety-ui/bin/fsmgr.py, /opt/websafety-ui/bin/cronmgr.py, /opt/websafety-ui/bin/logrotatemgr.py, /opt/websafety-ui/bin/confmgr.py" >> /etc/sudoers

# copy required files
COPY contents/squid.conf /etc/squid/squid.conf
COPY contents/websafety_update /etc/cron.daily
COPY contents/websafety_license /etc/cron.daily
COPY contents/wsicapd /etc/service/wsicapd/run
COPY contents/wsgsbd /etc/service/wsgsbd/run
COPY contents/wsytgd /etc/service/wsytgd/run
COPY contents/wssyncd /etc/service/wssyncd/run
COPY contents/wsmond /etc/service/wsmond/run
COPY contents/squid /etc/service/squid/run
COPY contents/apache2 /etc/service/apache2/run
COPY contents/reload.sh /opt/websafety/bin/reload.sh
COPY contents/restart.sh /opt/websafety/bin/restart.sh

# make the binaries, cron job and service run scripts executable
# chmod u+s sets the setuid bit on every file in /opt/websafety/bin;
# Linux ignores that bit on "#!" scripts such as reload.sh and restart.sh
RUN chmod +x /opt/websafety/bin/* && \
    chmod +x /etc/cron.daily/websafety_update && \
    chmod u+s /opt/websafety/bin/* && \
    chmod +x /etc/service/squid/run \
             /etc/service/wsicapd/run \
             /etc/service/wsgsbd/run \
             /etc/service/wsytgd/run \
             /etc/service/wsmond/run \
             /etc/service/apache2/run

# assign volumes
VOLUME ["/opt/websafety/etc"]
VOLUME ["/opt/websafety/var/spool"]
VOLUME ["/opt/websafety/var/console"]
VOLUME ["/opt/websafety/var/db"]
VOLUME ["/opt/websafety/var/log"]
VOLUME ["/opt/websafety/var/reports"]
VOLUME ["/etc/squid"]
VOLUME ["/var/spool"]
VOLUME ["/var/log/squid"]

CMD ["/sbin/my_init"]

--------------------------------------------------------------------------------
/src/build.bat:
--------------------------------------------------------------------------------
REM rebuild our project
docker rmi -f diladele/websafety:8.5
docker build --force-rm --no-cache --rm=true -t diladele/websafety:8.5 .

--------------------------------------------------------------------------------
/src/build.sh:
--------------------------------------------------------------------------------
# rebuild our project
docker rmi -f diladele/websafety:8.5
docker build --force-rm --no-cache --rm=true -t diladele/websafety:8.5 .

--------------------------------------------------------------------------------
/src/contents/apache2:
--------------------------------------------------------------------------------
#!/bin/bash

# start apache only after wsicapd and squid are running; exiting with 1
# lets the supervisor call this run script again
wsicapstatus=$(sv status wsicapd | cut -d ' ' -f 1)
squidstatus=$(sv status squid | cut -d ' ' -f 1)

if [[ "$wsicapstatus" != "run:" ]]
then exit 1
fi
if [[ "$squidstatus" != "run:" ]]
then exit 1
fi

source /etc/apache2/envvars && exec /usr/sbin/apache2 -DFOREGROUND

--------------------------------------------------------------------------------
/src/contents/reload.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Reloads Web Safety and Squid Proxy, usually called by the Web UI
#
# returns:
#        0 - on success
#       !0 - on various errors
#

echo "Reloading Web Safety ICAP Daemon..."
sv hup wsicapd

echo "Reloading Web Safety GSB Daemon..."
sv hup wsgsbd

echo "Reloading Web Safety Youtube guard Daemon..."
sv hup wsytgd

echo "Reloading Web Safety Monitoring Daemon..."
sv hup wsmond

echo "Reloading Squid Proxy Server..."
sv hup squid

# dump success
echo "Reload successful!"
exit 0

--------------------------------------------------------------------------------
/src/contents/restart.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Restarts Web Safety and Squid Proxy, usually called by the Web UI
#
# returns:
#        0 - on success
#       !0 - on various errors
#

echo "Restarting Web Safety ICAP Daemon..."
sv restart wsicapd

echo "Restarting Web Safety GSB Daemon..."
sv restart wsgsbd

echo "Restarting Web Safety Youtube guard Daemon..."
sv restart wsytgd

echo "Restarting Web Safety Monitoring Daemon..."
sv force-restart wsmond

echo "Restarting Squid Proxy Server..."
sv -w 15 restart squid

# dump success
echo "Restart successful!"
exit 0

--------------------------------------------------------------------------------
/src/contents/squid:
--------------------------------------------------------------------------------
#!/bin/bash

chmod 755 ./supervise
chown websafety ./supervise/ok ./supervise/control ./supervise/statusmod ./

# let websafety start before squid - exit script until they're running
wsicapstatus=$(sv status wsicapd | cut -d ' ' -f 1)

if [[ "$wsicapstatus" != "run:" ]]
then exit 1
fi

guardfile=/tmp/squidguard

if [[ -f "${guardfile}" ]]; then
    echo "${guardfile} exists, no need to regenerate certificate storage"
else
    # re-initialize storage for mimicked ssl certificates
    SSL_DB=/var/spool/squid_ssldb
    if [ -d "$SSL_DB" ]; then
        rm -Rf "$SSL_DB"
    fi
    /usr/lib/squid/security_file_certgen -c -s "$SSL_DB" -M 4MB
    # keep the exit code: inside the if body $? would be the result of the test itself
    ret=$?
    if [ $ret -ne 0 ]; then
        echo "Error $ret while initializing SSL certificate storage, exiting..."
        exit 1
    fi

    # relabel folder
    chown -R proxy:proxy "$SSL_DB"
fi

SQUID_NAME=squid
SQUID_PATH=/usr/sbin/$SQUID_NAME
SQUID_CONF=/etc/squid/squid.conf
SQUID_PID=/run/squid.pid
VAR_SQUID_PID=/var/run/squid.pid

# remove stale pid files left by a previous run
[[ -f "$SQUID_PID" ]] && rm -f "$SQUID_PID"
[[ -f "$VAR_SQUID_PID" ]] && rm -f "$VAR_SQUID_PID"

ulimit -n 65535
exec $SQUID_PATH -N -YC -f $SQUID_CONF

--------------------------------------------------------------------------------
/src/contents/squid.conf:
--------------------------------------------------------------------------------
include "/opt/websafety/etc/squid/squid.conf"

--------------------------------------------------------------------------------
/src/contents/websafety_license:
--------------------------------------------------------------------------------
#!/bin/bash
LOGFILE="/opt/websafety/var/log/cron_license.log"

if [ -f "$LOGFILE" ]; then
    echo "" >"$LOGFILE"
fi

# create log file
touch "$LOGFILE"

# run the licenser
/opt/websafety/bin/licenser --deploy=azure --product=websafety --type=payg > "$LOGFILE" 2>&1

# see what was the result
ret=$?
if [ $ret -eq 0 ]; then

    # activation was successful, reload the wsicap daemon
    bash /opt/websafety/bin/reload.sh
fi

if [ $ret -ne 0 ]; then
    # activation failed, admin will see it in the log, do nothing
    echo "activation failed"
fi

# just in case, reset the default owner
chown websafety:websafety "$LOGFILE"

--------------------------------------------------------------------------------
/src/contents/websafety_update:
--------------------------------------------------------------------------------
#!/bin/bash
LOGFILE="/opt/websafety/var/log/cron_update.log"

if [ -f "$LOGFILE" ]; then
    echo "" >"$LOGFILE"
fi
touch "$LOGFILE" && /bin/bash /opt/websafety/bin/update.sh > "$LOGFILE" 2>&1

chown websafety:websafety "$LOGFILE"

--------------------------------------------------------------------------------
/src/contents/wsgsbd:
--------------------------------------------------------------------------------
#!/bin/bash

chmod 755 ./supervise
chown websafety ./supervise/ok ./supervise/control ./supervise/statusmod ./

exec /opt/websafety/bin/gsbd --product=websafety --config=/opt/websafety/etc/antivirus/safe_browsing.json

--------------------------------------------------------------------------------
/src/contents/wsicapd:
--------------------------------------------------------------------------------
#!/bin/bash

chmod 755 ./supervise
chown websafety ./supervise/ok ./supervise/control ./supervise/statusmod ./

guardfile=/tmp/regenerated

if [[ -f "${guardfile}" ]]; then
    echo "${guardfile} exists, no need to regenerate certificate storage"
else
    /opt/websafety-ui/bin/certmgr.py --action="regenerate-certificate-storage"
fi

# copy the TIME_ZONE environment variable into the Django settings; the pattern
# accepts the line with or without spaces around "=" so it still matches on later starts
if [[ -n "$TIME_ZONE" ]]; then
    sed -i "s:TIME_ZONE *= *\".*\":TIME_ZONE = \"$TIME_ZONE\":" /opt/websafety-ui/var/console/console/settings.py
fi

cd /opt/websafety/var/spool

mv adblock adblock.a && mv adblock.a adblock
mv adult adult.a && mv adult.a adult
mv categories categories.a && mv categories.a categories
mv categories_custom categories_custom.a && mv categories_custom.a categories_custom
mv privacy privacy.a && mv privacy.a privacy

exec /opt/websafety/bin/wsicapd

--------------------------------------------------------------------------------
/src/contents/wsmond:
--------------------------------------------------------------------------------
#!/bin/bash

chmod 755 ./supervise
chown websafety ./supervise/ok ./supervise/control ./supervise/statusmod ./

exec sudo -u websafety python3 /opt/websafety-ui/bin/realtime.py

--------------------------------------------------------------------------------
/src/contents/wssyncd:
--------------------------------------------------------------------------------
#!/bin/bash

chmod 755 ./supervise
chown websafety ./supervise/ok ./supervise/control ./supervise/statusmod ./

exec /opt/websafety/bin/wssyncd

--------------------------------------------------------------------------------
/src/contents/wsytgd:
--------------------------------------------------------------------------------
#!/bin/bash

chmod 755 ./supervise
chown websafety ./supervise/ok ./supervise/control ./supervise/statusmod ./

exec /opt/websafety/bin/ytguard --product=websafety --config=/opt/websafety/etc/safety/youtube.json

--------------------------------------------------------------------------------
/src/run.bat:
--------------------------------------------------------------------------------
docker run --rm -dt --name websafety --dns=8.8.8.8 -p 8000:80 -p 8443:443 -p 3128:3128 -e TIME_ZONE="Europe/Berlin" diladele/websafety:8.5

--------------------------------------------------------------------------------
/src/run.sh:
--------------------------------------------------------------------------------
docker run --rm -dt --name websafety --dns=8.8.8.8 -p 8000:80 -p 8443:443 -p 3128:3128 -e TIME_ZONE="Europe/Berlin" diladele/websafety:8.5

--------------------------------------------------------------------------------
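
Added example, not part of the repository: the `wsicapd` run script copies the `TIME_ZONE` environment variable into `settings.py` with `sed` and no check on its content, so a malformed value ends up in a Python file loaded by the admin console. The sketch below validates the value before writing it; `valid_time_zone`, `apply_time_zone` and `ZONEINFO_DIR` are hypothetical names, and the settings file and zoneinfo tree are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the repository. valid_time_zone, apply_time_zone
# and ZONEINFO_DIR are hypothetical names; all sample data is constructed.

# Accept only IANA-style names such as Europe/Berlin or Etc/GMT+1.
valid_time_zone() {
    tz=$1
    case $tz in
        ''|/*|*/|*//*)      return 1 ;;  # empty, absolute, trailing or doubled slash
        [!A-Za-z]*)         return 1 ;;  # must start with a letter
        *[!A-Za-z0-9_+/-]*) return 1 ;;  # rejects quotes, ':', '.', '&', spaces, newlines
    esac
    # If tz data is installed, the name must also be a file under that directory.
    zdir=${ZONEINFO_DIR:-/usr/share/zoneinfo}
    if [ -d "$zdir" ] && [ ! -f "$zdir/$tz" ]; then return 1; fi
    return 0
}

# Rewrite the TIME_ZONE line of a settings file. Returns 1 for a rejected
# value and 2 when the file has no TIME_ZONE line; the file is left
# untouched in both cases.
apply_time_zone() {
    tz=$1; settings=$2
    valid_time_zone "$tz" || return 1
    grep -q '^TIME_ZONE *= *".*"' "$settings" || return 2
    tmp=$(mktemp) || return 3
    # The pattern allows any spacing around '=', so repeated runs keep matching.
    sed "s|^TIME_ZONE *= *\".*\"|TIME_ZONE = \"$tz\"|" "$settings" > "$tmp" &&
        cat "$tmp" > "$settings"     # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed data: a fake zoneinfo tree and a two-line settings file.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/zoneinfo/Europe" && : > "$work/zoneinfo/Europe/Berlin"
    printf 'DEBUG = False\nTIME_ZONE = "UTC"\n' > "$work/settings.py"
    ZONEINFO_DIR=$work/zoneinfo
    apply_time_zone 'Europe/Berlin' "$work/settings.py" && echo "valid name accepted"
    # Constructed malformed value: contains a quote and a newline.
    apply_time_zone 'UTC"
DEBUG = True' "$work/settings.py" || echo "malformed value rejected (rc=$?)"
    cat "$work/settings.py"
    rm -rf "$work"; unset ZONEINFO_DIR
}
demo
```

The character check uses a `case` pattern rather than `grep`, because `grep` matches line by line and would accept a value whose first line looks valid.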