Configuring HTTP policy
IMPORTANT
Available in Kerio Control 8.1 and older. The new Content Filter is described in article Configuring the Content Filter.
Kerio Control provides a wide range of filters for HTTPHypertext Transfer Protocol - protocol for exchange of hypertext documents in HTML. protocol. You can block access to undesirable web sites and block certain types of files with this tool.
Here are the main purposes of HTTP content filtering:
- access limitations according to URL (substrings contained in URL addresses)
- blocking of certain HTML items (i.e. scripts, ActiveX objects, etc.)
- filtering based on classification by the Kerio Control Web Filter module (worldwide website classification database)
- limitations based on occurrence of denied words (strings)
Conditions for HTTP filtering
For HTTP content filtering, the following conditions must be met:
- Traffic must be controlled by the HTTP protocol inspector. The HTTP protocol inspector is activated automatically unless its use is denied by traffic rules.
- Kerio Control performs URL based filtering for encrypted traffic (HTTPSHypertext Transfer Protocol - version of HTTP secured by SSL. protocol). Learn more in the special article HTTPS filtering specifics.
Adding HTTP rules
- In the administration interface, go to HTTP Policy.
- On tab URL Rules, click Add.
- Type a name of the new rule.
- Double-click Action and select:
- Allow — traffic allowed, user does not even notice anything happening. In the Properties, you can add additional actions.
- Deny — user will be redirected to the firewall page with information that access is denied. In the Properties, you can add information about forbidden pages and you can check Users can unlock this rule. All unlocked pages are logged in the Security log.
- Drop — access is denied and the user will see the page as unavailable.
- Redirect — user will be automatically redirected to the specified URL.
- Double-click URL and set:
- Site — any URL starting with the
specified string. It is possible to use wildcards
*
(asterisk) and?
(question mark). Example: Blocking rule for*.kerio.com
blocks access tohttp://www.kerio.com/
,http://mail.kerio.com/
andhttp://kerio.com/
, yet not tohttp://www.mykerio.com/
orhttp://mykerio.com/
. - URL from the group — you can select from existing groups or you can go to Definitions > URL Groups and add a new one (see section URL Groups).
- URL rated by Kerio Control Web Filter rating system — all pages sorted in the selected categories by the Kerio Control Web Filter module.
- Any URL where server is specified by an IP address — this can be used only for unsecured traffic (HTTP).
- Also apply to secured connections (HTTPS) — Kerio Control will apply the domain part of the defined URL to this rule for secure websites.
- Double-click Users and decide to whom the rule will apply.
- Double-click MIME Type and select one option.
MIME type of downloaded files. It is possible to use wildcard
*
(asterisk) for any MIME type. - Double-click Valid Time and select a time range. You can create a new time range in Definitions > Time Ranges.
- Check Log. Logging of all HTTP queries matching this rule in the Filter log.
- Click Apply.
Rules are tested from the top of the list downwards. If a requested URL passes through all rules without any match, access to the site is allowed.
NOTE
URLs which do not match with any URL rule are available for any user (any traffic permitted by default). To reverse this policy, a rule denying access to any URL must be placed at the end of the rule list.
Applying rules also for local servers
HTTP rules can be applied to local WWW servers which are available from the Internet:
- In the administration interface, go to HTTP Policy.
- Check Apply filtering rules also for local servers placed at the bottom of the page.
- Click Apply.
URL Groups
URL Groups enable the administrator to define HTTP rules. For example, to disable access to a group of web pages, you can define a URL group and assign permissions to the URL group, rather than defining permissions to each individual URL rule. A URL group rule is processed faster than a greater number of separate rules for individual URLs.
The default Kerio Control installation already includes predefined URL groups:
- Ads/Banners — common URLs of pages that contain advertisements, banners, etc.
- Automatic Updates — URL of pages requested for automatic updates.
- Search engines — top Internet search engines.
- Windows Updates — URL of pages requested for automatic updates of Windows.
NOTE
These URL groups are used in predefined URL rules.
Defining a new URL group
- In the administration interface, go to Definitions > URL Groups
- Click Add.
- Type a name for the group.
- In Type, select URL. URL can be specified as follows:
- full address of a server, a document or a web page without
protocol specification (
http://
), - use substrings with the special
*
and?
characters. An asterisk stands for any number of characters, a question-mark represents one character.
Examples:
www.example.com/index.html
— a
particular page
www.*
— all URL addresses starting
with www.
*sex*
— all URL addresses containing
the sex
string
*sex??.cz*
— all URL addresses
containing such strings as sexxx.cz
,
sex99.cz
, etc.
- Save the settings.
You can use the URL group in URL rules.