```{title} Web Filtering ``` # Web Filtering Administrators can limit access to websites by defining **Web Filter Policies**. Once a policy is created it can be assigned to any number of groups via [Group Setting](../guide/groups.md#group-settings) or directly to {doc}`Images <../guide/custom_images>` . Policies set on the Images take priority over those assigned to Groups. ```{figure} /images/web_filtering/denied.png :align: center :width: 90% Denied Request ``` ## Configuration ```{figure} /images/web_filtering/policy.png :align: center :width: 80% Filter Policy ``` ```{figure} /images/web_filtering/policy2.png :align: center :width: 80% Filter Policy Contd. ``` ```{note} Use of the **Categorization** requires a license. Kasm Workspaces must also have live internet access to communicate with the categorization service. Please contact your Kasm Technologies representative for details. ``` ```{eval-rst} .. table:: :widths: 100 +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | **Property** | **Description** | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Name | A name for the policy | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Description | A description for the policy | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Deny By Default | If checked, all requests will be **denied** unless the domain is added to the **Domain Whitelist**, or the category of the domain is set to **allow**. | | | | | | If unchecked, all requests will be **allowed** unless the domain is added to the **Domain Blacklist**, or the category of the domain is set to **deny**. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Blacklist | A list of domains to reject. Enter one domain per line. Sub-domains are automatically matched unless explicitly defined elsewhere. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Whitelist | A list of domains to allow. Enter one domain per line. In the event of a conflict, the blacklist takes priority. Sub-domains are automatically matched unless explicitly defined elsewehere. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Enable Safe Search | When enabled, *Safe Search* for popular search engines will enforced using the **Safe Search Patterns**. Google, Bing, Yandex, DuckDuckGo, and Yahoo are supported by default. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Enable Categorization | If checked, requested domains will be checked against Kasm's url categorization service. Each category can be set to **Allow**, **Deny**, or **Inherit**. Inherited categories will utilize the **Deny By Default** setting. | | | | | | Domains specified in the **Domain Whitelist** or **Domain Blacklist** take priority over categorization. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | URL Categories | Administrators can choose to **Allow**, **Deny** or **Inherit** the default rule for each category. If **Inherit** is selected, the category will be allowed/denied based on the **Deny By Default** setting | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Disable Logging | When enabled, no access related logs will be produced. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Safe Search Patterns | A data structure containing the URL rewrite rules used to apply **Safe Search**. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | SSL Bypass Domains | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will not be compatible with a website. Administrators can enter a list of domains that will bypass this inspection to restore | | | functionality. Enter one domain per line. To match all subdomains domains, prefix a period before the domain :code:`.google.com` | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | SSL Bypass IPs | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will not be compatible with a website. Administrators can enter a list of IPs that will bypass this inspection to restore | | | functionality. Enter an IP or CIDR notation one per line. | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ``` ```{note} Web Filtering does not support websites that use WebSockets. To allow these sites to function while Web Filtering is enabled, add the domain to the **SSL Bypass Domains** list. ```