.. title:: Web Filtering Web Filtering ============= Administrators can limit access to websites by defining **Web Filter Policies**. Once a policy is created it can be assigned to any number of groups via `Group Setting <../guide/groups.html#group-settings>`_ or directly to :doc:`Images <../guide/custom_images>` . Policies set on the Images take priority over those assigned to Groups. .. figure:: /images/web_filtering/denied.png :width: 90% :align: center Denied Request Configuration ------------- .. figure:: /images/web_filtering/policy.png :width: 80% :align: center Filter Policy .. figure:: /images/web_filtering/policy2.png :width: 80% :align: center Filter Policy Contd. .. note:: Use of the **Categorization** requires a license. Kasm Workspaces must also have live internet access to communicate with the categorization service. Please contact your Kasm Technologies representative for details. .. table:: :widths: 100 +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | **Property** | **Description** | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Name | A name for the policy | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Description | A description for the policy | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Deny By Default | If checked, all requests will be **denied** unless the domain is added to the **Domain Whitelist**, or the category of the domain is set to **allow**. | | | | | | If unchecked, all requests will be **allowed** unless the domain is added to the **Domain Blacklist**, or the category of the domain is set to **deny**. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Blacklist | A list of domains to reject. Enter one domain per line. Sub-domains are automatically matched unless explicitly defined elsewhere. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Whitelist | A list of domains to allow. Enter one domain per line. In the event of a conflict, the blacklist takes priority. Sub-domains are automatically matched unless explicitly defined elsewehere. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Enable Safe Search | When enabled, *Safe Search* for popular search engines will enforced using the **Safe Search Patterns**. Google, Bing, Yandex, DuckDuckGo, and Yahoo are supported by default. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Enable Categorization | If checked, requested domains will be checked against Kasm's url categorization service. Each category can be set to **Allow**, **Deny**, or **Inherit**. Inherited categories will utilize the **Deny By Default** setting. | | | | | | Domains specified in the **Domain Whitelist** or **Domain Blacklist** take priority over categorization. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | URL Categories | Administrators can choose to **Allow**, **Deny** or **Inherit** the default rule for each category. If **Inherit** is selected, the category will be allowed/denied based on the **Deny By Default** setting | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Disable Logging | When enabled, no access related logs will be produced. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Safe Search Patterns | A data structure containing the URL rewrite rules used to apply **Safe Search**. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | SSL Bypass Domains | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will not be compatible with a website. Administrators can enter a list of domains that will bypass this inspection to restore | | | functionality. Enter one domain per line. To match all subdomains domains, prefix a period before the domain :code:`.google.com` | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | SSL Bypass IPs | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will not be compatible with a website. Administrators can enter a list of IPs that will bypass this inspection to restore | | | functionality. Enter an IP or CIDR notation one per line. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ .. note:: Web Filtering does not support websites that use WebSockets. To allow these sites to function while Web Filtering is enabled, add the domain to the **SSL Bypass Domains** list.