unable to block https in squid
Greetings to All,
I want to set up an ACL that will prevent access to certain websites, but I'm having an issue with https://. I tried https://facebook.com and it opened; the same with gmail or orkut. Here is my ACL:
Code:
##Clients those are allowed to surf
Regards Net_Spy
yes you need to block https...
Code:
acl securehttp proto HTTPS
http_access deny securehttp
@Net_spy: Are you trying to deny access to all https or just a few select hosts over https?
Thanks for your response, but it does not work for me; I can still access https://www.facebook.com or other such websites. Well, I want to block websites like facebook, orkut, gmail; these are websites that open with https as well.
Regards Net_Spy
Something like this might do:
Code:
acl CONNECT method CONNECT
Keep in mind that in the access control entries I posted above, dst will tell squid to resolve the hostnames to IP addresses at parse time. This means that if e.g. facebook or orkut should change IP info, squid will not know about the change.
-------
edit: I was just doing some experimenting -- see if this works as well:
Code:
acl CONNECT method CONNECT
Well, that does not work either. Have you checked that rule yourself? Hope it will be resolved soon.
Regards Net_Spy
I tested both options with squid 3.0.STABLE18, and both worked OK.
Post the acl-related entries from your squid.conf here. (Use code tags, please.)
Net_Spy, using dstdomain works for domains accessed with either HTTP or HTTPS. You should make sure you don't have some other ACL granting access. It's hard for us to tell what's going on since we don't have a complete view of the relevant section of your squid.conf. Also, keep in mind that stuff like this won't work for HTTPS:
Following are the only ACLs that I'm using; besides those I've a safe port ACL and virusport ssl, that's it. I've changed url_regex to dstdomain, but still the same.
I don't know what is wrong.
Code:
acl SSL_ports port 443 8443 563 8383 2095
Regards Net_Spy
I don't see any of our suggestions in your squid.conf.
anomie, I've tried those suggestions as well, but it didn't work for me. This is the ACL part of my squid.conf:
Code:
###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
acl CONNECT method CONNECT
acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com
## Following rule will allow only those sites which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
## allow access to supervisors
http_access allow flr-mgr
http_access deny httpsfail
http_access deny CONNECT
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern will be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all
Regards Net_Spy
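An added example, not from the thread: it replays Squid's first-match http_access evaluation against a constructed squid.conf fragment that keeps the rule order of the config posted above, so you can see which line decides a request. It shows the point anomie raised earlier: a client matched by the `allow flr-mgr` line is granted access before `deny httpsfail` is ever reached. The IP ranges and domains are assumptions, and only the src, dstdomain and method ACL types are handled.

```python
import ipaddress
# Constructed squid.conf (assumed values) in the thread's rule order; inline
# values stand in for the quoted file lists, which this parser does not read.
SAMPLE_CONF = """
acl myclnts src 192.168.1.0/24
acl flr-mgr src 192.168.2.10
acl alwurl dstdomain .example.org
acl CONNECT method CONNECT
acl httpsfail dstdomain .facebook.com .orkut.com
http_access allow alwurl myclnts
http_access deny myclnts
http_access allow flr-mgr
http_access deny httpsfail
http_access deny CONNECT
"""

def parse_squid_conf(text):
    """Collect 'acl NAME TYPE VALUES...' and 'http_access ACTION ACLS...' lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, req):
    """Evaluate one ACL; only the src, dstdomain and method types are handled."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":  # a leading dot also matches every subdomain
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    raise ValueError("unsupported acl type: " + kind)

def decide(conf_text, src, method, host):
    """First matching http_access line as (action, rule_no); Squid's default (opposite of the last rule) gives rule_no None."""
    acls, rules = parse_squid_conf(conf_text)
    req = {"src": src, "method": method, "host": host}
    for rule_no, (action, names) in enumerate(rules, 1):
        if all((n.lstrip("!") == "all" or acl_matches(acls[n.lstrip("!")], req))
               != n.startswith("!") for n in names):
            return action, rule_no
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

Run `decide` with your own src IP, method and host against the real ACL section to find the line that lets a blocked HTTPS host through; a supervisor address outside `myclnts` is allowed by rule 3 before rule 4 can deny it.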
Try like this instead:
Code:
###########################################
Quote:
Code:
acl totalfail dstdomain .facebook.com
I've tried that as well, but I can still access it using https://www.facebook.com or gmail or orkut. My squid version is 2.6.
Regards Net_Spy
You did stick those lines at the top of your file, right? Because otherwise, we'd still have doubts about another ACL granting access. Also, is this Squid running in transparent mode? If so, verify that the clients are configured to use Squid for HTTPS. I've seen many cases in which administrators forgot that only HTTP gets transparently proxied, while HTTPS would be getting SNATed if not filtered. BTW, what does the log file look like when you access, say, Facebook?
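An added example, not from the thread, that checks the point made above mechanically: it parses a constructed iptables-save dump of the kind a transparent-proxy router would have and reports whether forwarded TCP/443 traffic is neither redirected into Squid nor dropped or rejected, which is exactly the case where HTTPS leaves through NAT and never shows up in Squid's access.log. The interface names, the Squid port 3128 and the rule set are assumptions.

```python
import shlex

# Constructed iptables-save dump (assumed interfaces/ports) for a router that
# transparently redirects only port 80 into Squid, as described in the thread.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""

def parse_iptables_save(text):
    """Return ({(table, chain): [(dport, target), ...]}, {(table, chain): policy})."""
    rules, policies, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):        # chain policy, e.g. :FORWARD ACCEPT [0:0]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):      # appended rule
            argv = shlex.split(line)
            dport = argv[argv.index("--dport") + 1] if "--dport" in argv else None
            target = argv[argv.index("-j") + 1] if "-j" in argv else None
            rules.setdefault((table, argv[1]), []).append((dport, target))
    return rules, policies

def https_bypasses_proxy(text, https_port="443"):
    """True when forwarded TCP/443 is neither redirected into the proxy nor
    dropped/rejected, so HTTPS is NATed straight out and Squid never logs it."""
    rules, policies = parse_iptables_save(text)
    redirected = any(d == https_port and t == "REDIRECT"
                     for d, t in rules.get(("nat", "PREROUTING"), []))
    filtered = any(d == https_port and t in ("DROP", "REJECT")
                   for d, t in rules.get(("filter", "FORWARD"), []))
    return (policies.get(("filter", "FORWARD")) == "ACCEPT"
            and not redirected and not filtered)
```

Feed it the output of `iptables-save` from the proxy box; jumps into user-defined chains are not followed, so treat a True result as a prompt to check those chains by hand.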
Well, one thing I've noticed is that when accessing https://www.facebook.com I didn't see its log in squid; it seems like it is bypassing squid, although I've tried iptables -A FORWARD -p tcp --dport 433 -d www.facebook.com -j DROP and nothing worked?
Regards Net_Spy
I just re-read it, and I'm not 100% sure what he wants. @Net_spy: Apologies if I've misunderstood. Can you clarify in straightforward English?
Quote:
Code:
iptables -I FORWARD -p TCP --dport 443 -j REJECT
Yeah, now you got it. Well, I think using iptables would be a bad idea; it would be fine to let squid filter that. Could you please tell me how I configure squid to use https?
Regards Net_Spy
Quote:
EDIT: You could also simply disable forwarding entirely, so you can rest assured they won't bypass Squid for anything at all. This assumes, of course, that the Squid box is also functioning as the router for the LAN.
Quote:
If you want to test a complete drop of https:
Code:
iptables -A FORWARD -m tcp -p tcp --dport 443 -j DROP
When you run:
Code:
iptables -L
Code:
Chain FORWARD (policy ACCEPT)
then you can log, and make sure port 443 is being dropped.
Code:
iptables -A INPUT -j LOGDROP
Thank you all for your valuable responses.
I don't want to block https for all; I just want to block certain websites. Blocking 443 via iptables will block all access, and nobody will be able to make connections to their webmail or other such important things.
Regards Net_Spy
I still did not get it.
Quote:
Code:
##INTSUB contains my network ranges
Regards Net_Spy
Quote:
Code:
iptables -I FORWARD -p TCP --dport 443 -j DROP
I wonder if you could list me a running example. Here is my new ACL, but it doesn't seem to work; and I applied that iptables rule, but it blocks all requests.
Code:
acl SSL_ports port 443 8443 563 8383 2095 2092
Net_Spy
Now, how do I configure my clients to use SSL via squid, since I've already discussed how my squid is being configured? Looking forward to your kind response.
Regards Net_Spy |
My OS is CentOS 5.3. I'm using squid in transparent mode; I don't need to specify it, it is already auto discovery. I'm finding it really hard to block a few https-based websites with squid.
Regards Net_Spy |
You already confirmed to us that your clients are NOT using Squid for HTTPS when you posted this:
Thank you all for your support in helping me on this issue. I've figured out that it is not possible to track https in transparent mode of squid.
Regards Net_Spy |
Thanks win32sux. Well, I'm not going to do that, it isn't a good idea :). If I find any reliable solution I will add it in this thread.
Regards Net_Spy |
In my case, I have been blocking facebook.com on a pfSense server through squid. Although it is working perfectly, some users have found a way out by accessing the same URL with https in place of http. To solve the problem I need to block https www.facebook.com in firewall rules.
Please click my simple tutorial on how to block https www.facebook.com
Thanks for your valuable response. This is a very old thread. One thing I would like to share is that there is no way to block https via squid when you are running it in transparent mode. If your proxy isn't in transparent mode then it is easy to go with :).
Regards Net_Spy |
@Net_Spy
Tested this on squid 2.6STABLE on CentOS 5.5, and although I don't get the usual error message of 'access denied' like when accessing http://www.facebook.com, when I access https://www.facebook.com it shows a "proxy server refused connection", which also indirectly does what I want it to do.... Did yours show similar behavior? EDIT: whoops; my squid was NOT in transparent mode. That is why. ^^
Finally I've solved my issue. I'm able to block https as well as streaming on facebook if it is allowed :). I'm running squid in transparent mode, so I had to use iptables to block facebook completely :D.
If anyone needs the solution let me know.
Regards Net_Spy
Urgent Help
I am hopelessly trying to block https traffic with some exceptions to allow some banking sites. I have blocked https traffic with iptables. I am using squid and dansguardian. Please suggest to me how you can block it. Please reply to me on my personal mail id: kaustuvabedant@gmail.com Thanks and regards Kaustuva
Hi Kaustuva, I also need to resolve this problem; I use squid in transparent mode. I have read about iptables; have you resolved your problems? P.S.: If anyone has found the solution, contact me at gibbybia@hotmail.com (sorry for the e-mail)
@Jambaz,
This is a very old thread, but I'm glad that it is useful to people who seek the solution to block https :). I will get back to you with a solution if you provide some details. Regards Net_Spy
Hi Net_Spy, Kaustuva and I are very happy to read your words :). I'll tell you all you need: I use squid in transparent mode, version 2.7stable 9 (on Ubuntu) with squidGuard. If I put the settings in the browser, https doesn't function, but you know that is not a solution, first because the user can set the settings manually (especially on Windows clients, by editing some key), second because they can use some programs like ultrasurf and they resolve https links..... I can deny all https connections, but I need them for banking and other utilities, and so I need only to apply the filter on those connections, or redirect https to http... Tell me, my friend Net_Spy, the solution that you have found :-) Regards
As net_spy was told in this thread (and the OTHER thread opened with the same question), there are ways to perform some functions with https, but again you need to THINK about what https IS, and why a proxy server won't work for it. The suggestions in this thread are valid...follow them. You may want to read the UPDATED thread: http://www.linuxquestions.org/questi...curity-930878/
Hey, I use "SQUID 2.7.STABLE8" under Windows for several reasons.
The domain blocking from the example here works. But how to block an SSL URL? Like:
Code:
acl badsites url_regex -i ^%%%%%%%%%/.*/opener.*.mp4
Thanks!!! (sorry, I had to replace the URL with %)
They both *CLAIM* to have a 'solution', but (not surprisingly), haven't ever posted it, because it doesn't exist. Check the previous responses/links in this very thread, for why this won't work.
Nowadays gmail chat works on the following URLs (update on 2/15/2017):
clients6.google.com
hangouts.google.com
It works for me. Thank you
Need solution to block https sites
You said you found a reliable solution. I am in urgent need of a solution. Please let me know how you fixed it and provide the solution. Regards, Ankit
If you want to block https, then you can use iptables or any firewall to do it. There are abundant sets of documentation on how to do this, including links in this thread...have you looked at any of them? Beyond that, you have given us NO DETAILS about your system(s)/environment at all, and we aren't able to guess. Open your own thread for your own question, and when doing so, provide full details, including showing what you've done/tried so far.