Working of SafeSquid-SWG ( Application Configuration Working Perspective )


Post by aashish97 » Tue Apr 21, 2020 10:21 am

Hello All,

Today I am going to explain the working of SafeSquid-SWG. I am going to explain how the policy configuration works internally, so that anyone using SafeSquid-SWG can easily configure their own set of policies as per their requirements.
This is for anyone who wants to create granular policies comprising the aspects below for a good business logic implementation.

Beginning with the SafeSquid Configuration format.

SafeSquid-SWG policy configuration is stored in XML format, which makes it very easy to read and understand, and also to make changes directly in the config XML file itself.

The SafeSquid policy config XML has different sub-sections, each defining a different section of the policy making.

The sub-sections are explained in detail at the link below:

https://docs.safesquid.com/wiki/Configuration


Clients generally ask a lot about real-time configuration changes and how they work.


The questions/queries that they come up with are:

How can the SafeSquid config work in real time?
OR
Are any changes made in SafeSquid-SWG real-time?

Let me try to explain the backend working of the configuration.

Each section of SafeSquid-SWG is parsed by the SafeSquid-SWG XML parser and stored in memory, which makes it very easy and very fast for SafeSquid-SWG to apply the config logic.

The whole SafeSquid config XML is parsed by SafeSquid-SWG and stored in memory at the start of the SafeSquid services.
Then any changes made in the configuration via the Dashboard are made in SafeSquid's memory.

The whole XML file is stored in memory in a hierarchical format ( as a group of objects ), which then makes it easy to do the conditional logic depending upon the configuration.

--------------
Working
--------------

Explanation of one typical scenario.

When a request is made by the client to the remote server via SafeSquid-SWG,
SafeSquid will first capture the system time and then traverse the Time Profiles section with it. If any Time Profile in this section matches, the respective Time Profile's name is added and stored in a list.

Then the request headers are processed: they are traversed through the Request Profiles & Application Signatures.

Note: Both are almost the same; the only difference is that Application Signatures are created and managed by the SafeSquid team, while Request Profiles can be created, managed and removed by the respective client.


The names of all the Request Profiles that match the condition of the headers are added to a list.
Note: It is basically a set, which means repeated names are not added to the list again.

The host received in the headers is then taken, and a category request for that site is made to the respective enabled Categorisation Engine as well as to the Local Category Cache Engine.

Depending upon the client IP, the request is then processed through the UserGroup section and
privileges like

A. Config
B. HTTP Proxy Use.
C. HTTPS ( SSL ) Proxy Use.
D. Transparent Proxy Use.
E. URL command for Troubleshooting

etc. are applied.

This section then adds the user to the respective UserGroup. The UserGroup name ( mentioned in Add To UserGroup ) is applied to that client request if the entry either matches the client IP or the config is a wildcard.

Note: In this section the traversing happens only until a single match is found; once a single UserGroup matches, the rest of the UserGroup section is not processed.
A few sections in SafeSquid-SWG work in the above way, like Image Filtering Policy, Virus Scanning Policy etc.

Depending upon the host, Time Profiles, Request Profiles, Application Signatures and UserGroup,
the processing of the Access Profiles ( Policies ) is done.
This then creates a set of all applied policies for the user, which ACTUALLY does the blocking / allowing of a particular request.

Note: This approach helps clients, developers and businesses to manage SafeSquid in a proper way.
This approach of FIRST identifying the request and then applying restrictions helps to solve complex business problems in an EASY WAY.

Once the Access Profiles ( Policies ) are applied, the result is basically a list of policies with the respective action mentioned in the config.


---------------------------------
Very Very Important.
----------------------------------
_____________________________________________

SafeSquid policy, like most of the sections, works in top-to-bottom order, i.e. if a policy at the top of the configuration says to block adult sites and then a policy at the bottom of the configuration says to allow adult sites, then the result is that adult sites will be allowed.

This approach helps us to create policy in such a way that we can first reconfigure the policy at the bottom.

Example: if a website is blocked due to any policy at the top, then without touching or making any changes to the current policy, a new policy can be created at the bottom to allow that particular site.

This helps in keeping the policies in a proper order.

_____________________________________________


Coming Back to the Rest of the Policy Working

Once the request has been checked through the policy:

IF
the result says BLOCK
then
SafeSquid will send a block template to the user.

IF
the result says ALLOW
then
a remote connection is made to the respective server and the client request is sent.

SafeSquid will then wait for the remote server to respond with the response.

Once the response headers are received by SafeSquid, they are traversed through the Response Profiles, and the matching Response Profiles are then added to a list.

Note: A few more sections are traversed.

After that the Access Profiles ( Policies ) are traversed again, and depending upon the access policy the response is blocked or provided to the client.

The above is a quick glimpse of the internal working of SafeSquid policy Configuration.
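
The request-side flow described in this post, as an added example that is not part of the original post and is not SafeSquid code: a simplified Python model showing profile names collected as a set, first-match UserGroup selection, and top-to-bottom access policies where a lower matching entry overrides an earlier one. All rule names, networks and the default action are constructed assumptions, and the site category is passed in rather than looked up.

```python
import ipaddress
from datetime import time

# Constructed rule tables for a simplified model (not SafeSquid's XML schema).
TIME_PROFILES = [("OFFICE_HOURS", time(9, 0), time(18, 0))]
REQUEST_PROFILES = [("BROWSER", "user-agent", "Mozilla"),
                    ("BROWSER", "accept", "text/html")]
USER_GROUPS = [("10.0.1.0/24", "MANAGERS"),
               ("10.0.0.0/16", "STAFF"),
               ("0.0.0.0/0", "GUESTS")]        # wildcard entry
# (labels that must all be present, action), listed top to bottom.
ACCESS_POLICIES = [({"OFFICE_HOURS", "social"}, "BLOCK"),
                   ({"MANAGERS", "social"}, "ALLOW")]

def time_profiles(now):
    return {name for name, start, end in TIME_PROFILES if start <= now <= end}

def request_profiles(headers):
    # A set: a name matched by several entries is recorded only once.
    return {name for name, header, needle in REQUEST_PROFILES
            if needle in headers.get(header, "")}

def user_group(client_ip):
    # First match wins: entries after the first hit are not processed.
    ip = ipaddress.ip_address(client_ip)
    for network, group in USER_GROUPS:
        if ip in ipaddress.ip_network(network):
            return group
    return None

def decide(client_ip, now, headers, categories, default="ALLOW"):
    # Identify the request first, then apply restrictions.
    # `default` is an assumption; the post does not state a default action.
    labels = time_profiles(now) | request_profiles(headers) | set(categories)
    group = user_group(client_ip)
    if group:
        labels.add(group)
    action = default
    for required, verdict in ACCESS_POLICIES:   # top to bottom
        if required <= labels:
            action = verdict                    # a lower match overrides
    return action, labels

if __name__ == "__main__":
    hdrs = {"user-agent": "Mozilla/5.0", "accept": "text/html"}
    for ip in ("10.0.1.5", "10.0.2.7", "192.168.1.9"):
        print(ip, decide(ip, time(10, 0), hdrs, ["social"]))
```

The manager address falls inside all three networks but is only ever labelled MANAGERS, and its request matches both policies, so the lower ALLOW entry decides the outcome.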