Universal locking rules (ULR) UI is designed to manage filtering rules on multiple DPIs simultaneously using a graphical interface.

Equipment or virtual machines with the following characteristics are suitable for the subsystem:

1. CPU 2.5 GHz, 2-4 cores
2. RAM from 8 GB (mainly for sphinx)
3. Hard drive (HDD) 50 GB - 250 GB
4. Cent OS 7+ operating system (we do not recommend to not install minimal, because most of the dependencies will have to be installed manually)
5. Network Card (NIC) from 10 Mbps

The subnet configuration is handled with .env file.

/var/www/html/dpiui2/backend/.env

The file contents:

#Redirect URL for "White list" service
ULR_WHITE_LIST_REDIRECT_URL=https://google.com

#The period after Ulr tasks data is deleted (days)
ULR_QUEUE_DELETE_TASKS_DAYS_INTERVAL=1

#ASN for IP-exception rules
ULR_IP_EXCLUDE_ASN=64401

#The host for blocked resources list deployment. To connect the blocked resources server.
ULR_BLACK_LIST_DEPLOY_HOST=<IP address or host of global locks web-server>

#The port for blocked resources list deployment. To connect the blocked resources server.
ULR_BLACK_LIST_DEPLOY_PORT=22

#Username for blocked resources list deployment. To connect the blocked resources server.
ULR_BLACK_LIST_DEPLOY_USER=default

#Password for blocked resources list deployment. To connect the blocked resources server.
ULR_BLACK_LIST_DEPLOY_PASS=

#To use sudo for blocked resources list deployment. (0 - do not use, 1 - use)
ULR_BLACK_LIST_DEPLOY_SUDO=1

#Black lists saving path.
ULR_BLACK_LIST_DEPLOY_PATH=/var/www/html/blacklists/

#Log Detail Level (0 - info, 1 - debug, 2 - tracing).
ULR_LOAD_LOG_LEVEL=0

php /var/www/html/dpiui2/backend/artisan queue:restart

To use the Universal Locking Rules UI, you need to activate the ULR-license in DPIUI2 with a command:

dpiui2 ulr_lic --make=1

Next:

1. Enter license level: standard
2. Enter the license completion date in the Y-m-d format (e.g. 2099-12-31)
3. Enter the license password.

If the data is correct, a success message will be displayed:

dpiui2 ulr_lic --make=1
 Enter level:
 > standard

 Enter expire date in Y-m-d format:
 > 2099-12-31

 Enter password:
 > 

stdClass Object
(
    [success] => 1
)

In the DPIUI2 interface visit the Administrator → Roles section. Create a new role and set read and write permissions in the ulr_admin section:

Next, go to the Administrator→ Users section. Create a new user and set him the role that you created earlier.

After the user logs in, he is moved to the locking rules management section.

• Category Dictionary
• Regulators Dictionary

In the Locking Rules management interface go to the Dictionaries → Categories section.

Fill in the form with category name and description and click the "Add" button.

To edit: click on the category editing button in the categories table. In the form, change the name and/or description of the category, then click the "Save" button.

Сlick on the delete category button in the categories table. In the pop-up window confirm or cancel the action.

In the Locking Rules management interface go to the Dictionaries → Regulators section.

Fill in the form with regulator name and description and click the "Add" button.

To edit: click on the regulator editing button in the regulators table. In the form, change the name and/or description of the regulator, then click the "Save" button.

Сlick on the delete regulator button in the categories table. In the pop-up window confirm or cancel the action.

Change to the section "ISPS & IGWS Profiles" → "IGWs List".

To create new IGW profile change to the section "ISPS & IGWS Profiles"→"Add new IGW profile".

In the form specify:

• Profile name;
• Operation mode (Standalone/Cluster)
• Nodes for the profile (Node name, DPI from the list of available equipment and number of bridges)

In the "ISPS & IGWS Profiles" → "IGWs List" section click the button "Edit profile".

The IGW profile creation/editing form will open. Make the changes you need and click "Save Changes".

In the "ISPS & IGWS Profiles" → "IGWs List" section click the button "Delete" and confirm/cancel the operation.

1. Prepare a machine with CentOS7+ installed

2. Create a sudo user without password as described in Dpiui2: DPI connection details section

3. Run the script:

rpm --import http://vasexperts.ru/centos/RPM-GPG-KEY-vasexperts.ru
rpm -Uvh http://vasexperts.ru/centos/6/x86_64/vasexperts-repo-1-0.noarch.rpm
yum install dpiutils -y
yum install httpd -y
yum install unzip -y

mkdir /var/www/html/blacklists
chmod -R 777 /var/www/html/blacklists

echo "
<VirtualHost *:80>
    DocumentRoot \"/var/www/html/blacklists\"

    <proxy *>
    Order deny,allow
    Allow from all
    </proxy>
</VirtualHost>
" > /etc/httpd/conf.d/bl_lists.conf

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

systemctl enable httpd.service
systemctl restart httpd.service

4. In dpiui2 configuration specify the web-server access parameters in ULR settings section

5. Specify the path to Custom lock list in the settings of all connected FastDPI servers:

# URL dictionary for blocking by HTTP (custom_url_black_list)
custom_url_black_list=http://<IP address of Web-server>/blacklist.dict

# Names dictionary for blocking HTTPS protocol by certificate (custom_cname_black_list)
custom_cname_black_list=http://<IP address of Web-server>/blacklistcn.dict

# IP addresses dictionary for blocking HTTPS by IP (custom_ip_black_list)
custom_ip_black_list=http://<IP address of Web-server>/blacklistip.dict

# Host names dictionary for blocking HTTPS by SNI (custom_sni_black_list)
custom_sni_black_list=http://<IP address of Web-server>/blacklistsni.dict

Change to "Applications and policings" section → "DSCP Rules".

In the form of rule creating:

• Enter the name of application protocol and choose one from the list;
• Choose the priority from the list.

Save the rule by clicking on "Set DSCP" button.

In the list of DSCP rules click on "Edit rule" button. In the popup editing form set the necessary priority and save changes by clicking on "Set DSCP" button.

In the DSCP rules list click the button “Delete rule” and confirm/cancel the operation.

Change to the "ASN Filter" section.

In the form of rule creating:

• Specify the number of AS;
• Choose the priority from the list;
• Enter the rule name;
• Enter the rule description.

Save the rule by clicking on "Set DSCP" button.

In the list of DSCP in ASN direction rules click on the "Edit rule" button. If necessary, in the popup editing form:

• choose the priority from the list;
• Enter the rule name;
• Enter the rule description.

Save the changes by clicking on "Set DSCP" button.

In the list of DSCP in ASN direction rules click the button “Delete rule” and confirm/cancel the operation.

Change to the "IP & ASN Excludes" section.

Change to the "IP & ASN Excludes" section → "IP Excludes".

In the form of rule creating:

• Specify IP/CIDR;
• Enter the rule name;
• Enter the rule descriptuin;

Save the rule by clicking on "Set exclusion" button.

Click on the button "Edit exclusion". In the form of rule editing you can change:

• name of the rule;
• its description.

Save the changes by clicking on "Set DSCP" button.

In the list of exclusions click the button “Delete exclusion” and confirm/cancel the operation.

Change to the "IP & ASN Excludes" section → "ASN Excludes".

In the form of rule creating:

• Specify AS number;
• Enter the rule name;
• Enter the rule descriptuin;

Save the changes by clicking on "Set Exclusion" button.

Click on the button "Edit exclusion". In the form of rule editing you can change:

• name of the rule;
• its description.

Save the changes by clicking on "Set DSCP" button.

In the list of exclusions click the button “Delete exclusion” and confirm/cancel the operation.

VIP Subscriber is a special subscriber whose traffic is passed with a dedicated priority (default is cs0) regardless of the priority settings for application protocols. The allocated priority is set by the special_dscp configuration parameter. See section Configuration. The subscriber is connected through the installation of service 15 on DPI.

Privilege:

• Unlimited access to applications and resources that are subject to restrictions on use.

This section is purpose to manage VIP Subscribers.

Open section "IP & AC Exclusion"→"VIP Subscribers".

In the VIP Subscriber`s creating form:

• Select the type from the drop-down list (IP/Login);
• Enter IP or Login in the Subscriber field, depending on what you have chosen in the drop-down list;
• You can apply the rule to an ISP from the list and select multiple ISPs or click on the "Select All" button. If you accidentally clicked the "Select All" button, then click on the "Uncheck All" button;
• If your slider is disabled on apply to specific ISPs, then the new rule will be set globally to all ISPs.

Save the VIP Subscriber by clicking the "Add" button.

Click on the "Edit VIP Subscriber" button. In the rule editing form, you can change:

• Application to certain ISPs from the list;
• Remove or add ISP.

Save your changes by clicking the "Save" button.

In the VIP Subscribers list, click on the "Delete VIP Subscriber" button and, in the window that appears, confirm or cancel the deletion.

Change to the "ISPS & IGWS Profiles" → "ISPs List".

To create new IGW profile go to the "ISPS & IGWS Profiles" section → "Add new ISP Profile".

In the form specify:

• Name of ISP profile;
• Choose the border from the list;
• Login to be used on the DPI node;
• Prefix for lists on the DPI node (it will be used as the name of service profile on the node);
• Choose bridges of the border;
• Choose Network training to get the addresses of this profile;
• Specify address/networks of the ISP (if necessary).

Click on the button "Save changes" or "Save and Disable/Enable".

In the "ISPS & IGWS Profiles" section → "ISPs list" click on the button "Edit Profile".

A modal form for creating/editing ISP profile will pop up; make the chenges you need and click on the "Save changes" or "Save and Disable/Enable" button.

In the "ISPS & IGWS Profiles" section → "ISPs List" click on the "Delete" button and confirm/cancel the action.

Chenge to the "Applications and Policings" prfoile → "Policings Profiles".

Click on the "Edit policing" button.

In the popup editing form:

• Enter policing description;
• Choose policing type TBF/HTB (form with class values will look different depending on the type selected)

Th save the changes click on the button "Save profile" or "Save and disable/eneble".

There are two ways to delete the profile: by clicking "Delete profile" button in the list of policing profiles or the same button on Editing Profile page.

Change to the "WEB and IP Filter" section.

• To create new locking rule for a resource, change to the "WEB and IP Filter" section → "Add new rule";
• To edit an existing rule change to the "WEB and IP Filter" section and click on "Edit rule" button.

In the popup form:

• Choose the regulator;
• Choose the category;
• Enter rule public description;
• Enter rule hidden description;

In the resource validation form, enter the resource and choose its type:

• If it is not nesessary to validate the resourse, just click on "Add to the list" button;
• Click on the "Check" button. Information about the resource will be displayed. It can be added to the rule locking list. To do this, click the "Add to List" button.

In the subsection for binding rules to ISP profiles:

• If the option "Apply the rule to ISP from the list" is disabled, such rule will be global. Resources from this rule will be included in the global lists of blocked resources.
• If the option "Apply the rule to ISP from the list" is enabled, such rule will be applied only to those ISP profiles, which are noted in this rule. Resources from this rule will be included in the locking lists for these ISP profiles.

Change to the "WEB and IP Filter" section and click on the "Edit the rule" button.

Change to the "WEB and IP Filter" section → "Check domain".

In the "Resourse Check" field type in the URL of resourse to be checked. Then click on the "Check" button. Information about the specified resource will be displayed below the form:

• SSL/TLS, locking type;
• Certificate information;
• DNS list;
• Recommendations about the values to use to lock this resource.

Change to the "WEB and IP Filter" section → "Search Database".

In the "IP, CIDR, Domain, Notes" field enter the value in accordance with the prompts at the top of the page. Then choose type of search: Full Text, By Resources or By Description. Click on "Search" button.

As a result, all blocking rules that match the selected search parameters will be displayed.

Change to the "Whitelist" section.

• To create a new white list rule change to the "Whitelist" section → "Add new rule";
• To edit an existing rule change to the "White list" section and click on the "Edit rule" button.

In the popup form:

• Choose the regulator;
• Choose the caregory;
• Enter rule public description;
• Enter rule hidden description;

In the resource validation form, enter the resource and choose its type:

• If it is not nesessary to validate the resourse, just click on “Add to the list” button;
• Click on the “Check” button. Information about the resource will be displayed. It can be added to the rule locking list. To do this, click the “Add to List” button.

In the subsection for binding rules to ISP profiles:

• If the option “Apply the rule to ISP from the list” is disabled, such rule will be global. Resources from this rule will be included in the global lists of blocked resources.
• If the option “Apply the rule to ISP from the list” is enabled, such rule will be applied only to those ISP profiles, which are noted in this rule. Resources from this rule will be included in the locking lists for these ISP profiles.

Change to the “Whitelist” section and click on the “Edit the rule” button.

Change to the “Whitelist” section → "Mode".

• With the global whitelist mode enabled, the whitelist service is applied to all ISP profiles and resource lists are formed only from global whitelist rules;
• When the whitelist mode is enabled for a separate ISP profile, the service is applied only to ISP which has it enabled. The lists are formed only from white list rules which refer to this ISP profile;
• If both mode are enabled, global and separate ISP rules lists are concatenated. For other ISPs, the whitelist service is used with only the global whitelist rules.

Change to the "Database search" section.

In the "IP, CIDR, Domain, Comment" field enter the value in accordance with the prompts at the top of the page, choose search type: Full Text, By Resources or By Description. Click on “Search” button.

As a result, all blocking rules (with type specified) that match the selected search parameters will be displayed.

Change to the "State of the system" section.

This section displays the task queue, status and time.

To see the details of the task, click on "Task Details".

The logs for this section are stored in files:

/var/www/html/dpiui2/backend/storage/logs/ulr*.log