How to audit visited pages with Squid Proxy/URL Filter

Hello everyone.

Any help is welcome.

How could it be possible to audit which pages Users browse to without blocking them?.

Doing it through Squid, it gives a lot of raw data but not by categories which is the interesting thing.

Using URL Filter, I don’t see the option to log the accesses allowing them.

If you can’t, it would be a good feature to put on.

Thanks a lot.

Greetings.

It would be great to be able to audit by IP/s and time:

Would it be very complicated ?.

Regards.

Hi Roberto,
do you mean something like this --> https://www.tecmint.com/sarg-squid-analysis-report-generator-and-internet-bandwidth-monitoring-tool/ ?

Best,

Erik

Good afternoon Erik. Thanks for answering.

The problem I see is that both SARG, Proxy LOGs and Proxy Reports of the IPFire give a lot of raw information and do not show you the navigation of a User by categories, such as Porn, Shopping, Travel, etc … (correct me if I’m wrong).

For a Manager or a Purchasing Manager, you cannot present him a RAW report, since he neither understands it nor wants to waste time.

I think that by adding this feature to the URL Filter, IPFire would have a good web page access auditing tool to make decisions.

In any case, I’ll look at SARG.

Thank you.

Good morning Roberto,

as i have understand you, you want to log users which are not blocked ? If so, the mentioned categories are only active and listed if a user runs into those blacklist, hence he was already blocked. For those listings you can get the information from the URL-Filter log viewer but for regular users which are not blocked there is no categorisation.

Sarg makes also formatted reports which you can also generate via command line but as far as i know this is all held in HTML.

A lot cheaper in my opinion can be something like this --> https://github.com/mezgani/sqview which is a Python script which includes the following arguments --> https://github.com/mezgani/sqview/blob/master/sqview and a simple view per IP looks like this -->

As an idea.

Best,

Erik

Hi Erik.

I have tried it but I see two problems. I tell you.

The Manager who wants to see where the Users navigate must access the Console as “admin” and from there navigate through all the menus until they find what they want. Isn’t there any way that you have restricted access to the logs? Or for example, a user named “user” that only shows what the admin wants the “user” to see.

Sarg offers a lot of data but does not categorize the pages and that takes a lot of time for the Manager to interpret the navigation data. To see the navigation of a User, a lot of time must be spent to interpret the data. But hey, if you can’t, you can’t, it’s a shame.

One question, since you cannot access the IPFire in a restricted way, is there any way to access Sarg through IP: Port? This would be nice.

Thanks a lot.

Hello Roberto,

yes, this is the already mentioned problem. If you do not have lists which categorize the domains like the blacklists in URL-Filter, you won´t get specific descriptions what categories the users has been to.

You can e.g. setup nginx as a Vhost for Sarg, for a real simple one:

  server {
    listen 9000;
    root /srv/web/ipfire/html/sarg;
        index index.html;

        server_name example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

whereby nginx should show sarg via http://{IP-IPFire}:9000 .

Best,

Erik

1 Like

Good afternoon Erik.

You could put the instruction inside the file “ipfire-interface.conf” found in “/etc/httpd/conf/vhosts.d” and thus not have to install nginx ?.

In any case, I will try.

Thanks a lot.

Good afternoon Robert,
yes sure you can do this too. I use Nginx for such things cause i use also .htpasswd --> authentication (also other crypto) which is then also apart from the WUI configuration from Apache and cleaner separated.

Best,

Erik

I got it!!!. Whoever follows her, he gets her (el que la sigue, la consigue).

Create a file in “/etc/httpd/conf/vhosts.d” called “sarg.conf” and put the following:

Listen 9000

<VirtualHost *:9000>
    DocumentRoot /var/log/sarg/today
    DirectoryIndex index.html
</VirtualHost>

Restart Apache: /etc/init.d/apache restart

And putting the ip:9000 in the browser, the Today report appears.

I will keep improving it.

Thanks a lot Erik.

2 Likes

Your welcome :blush: .