LinuxQuestions.org
Old 08-27-2009, 08:10 AM   #1
Net_Spy
Member
 
Registered: Nov 2006
Posts: 100

Rep: Reputation: 17
unable to block https in squid


Greetings to All,
I want to set up an ACL that will prevent access to a limited set of websites, but I am having an issue with https://. I tried https://facebook.com and it opened; the same with Gmail or Orkut. Here is my ACL:

Code:
##Clients those are allowed to surf
acl myclnts src  "/home/scripts/ncc.squid"
acl alwurl url_regex -i "/home/scripts/alwurl"
## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny  test
http_access deny myclnts
deny_info ERR_NCC myclnts
Looking forward to your kind response.

Regards
Net_Spy
 
Old 08-27-2009, 08:28 AM   #2
evilted
Member
 
Registered: Aug 2009
Location: Ouagadougou, Burkina Faso
Distribution: centos
Posts: 92

Rep: Reputation: 18
Yes, you need to block HTTPS...

Code:
acl secure proto https
http_access deny secure
 
Old 08-27-2009, 11:21 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
@Net_spy: Are you trying to deny access to all https or just a few select hosts over https?
 
Old 08-27-2009, 11:33 AM   #4
Net_Spy
Member
 
Registered: Nov 2006
Posts: 100

Original Poster
Rep: Reputation: 17
Thanks for your response, but it does not work for me. I can still access https://www.facebook.com or other such websites. Well, I want to block websites like Facebook, Orkut and Gmail; these are the websites that open with HTTPS as well.


Regards
Net_Spy

Last edited by Net_Spy; 08-27-2009 at 11:35 AM.
 
Old 08-27-2009, 12:00 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Something like this might do:

Code:
acl CONNECT method CONNECT

acl httpsfail dst www.facebook.com
acl httpsfail dst www.orkut.com

http_access deny httpsfail CONNECT
Denying access to specific https sites gets a little tricky.

Keep in mind that in the access control entries I posted above, dst will tell squid to resolve the hostnames to IP addresses at parse time. This means that if e.g. facebook or orkut should change IP info, squid will not know about the change.

-------

edit: I was just doing some experimenting -- see if this works as well:

Code:
acl CONNECT method CONNECT

acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com

http_access deny httpsfail CONNECT
Using dstdomain would be better, since it would additionally block https://foo.facebook.com for example.

Last edited by anomie; 08-27-2009 at 12:12 PM. Reason: more stuff to add.
 
Old 08-27-2009, 12:36 PM   #6
Net_Spy
Member
 
Registered: Nov 2006
Posts: 100

Original Poster
Rep: Reputation: 17
Well, that does not work either. Have you checked that rule yourself? Hope it will be resolved soon.


Regards
Net_Spy
 
Old 08-27-2009, 12:42 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I tested both options with squid 3.0.STABLE18, and both worked OK.

Post the acl-related entries from your squid.conf here. (Use code tags, please.)
 
Old 08-27-2009, 02:31 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Net_Spy, using dstdomain works for domains accessed with either HTTP or HTTPS. You should make sure you don't have some other ACL granting access. It's hard for us to tell what's going on since we don't have a complete view of the relevant section of your squid.conf. Also, keep in mind that stuff like this won't work for HTTPS:
Quote:
Originally Posted by Net_Spy View Post
acl alwurl url_regex -i "/home/scripts/alwurl"
Squid doesn't see the URL when using HTTPS (only the host name and port number).
 
Old 08-27-2009, 04:03 PM   #9
Net_Spy
Member
 
Registered: Nov 2006
Posts: 100

Original Poster
Rep: Reputation: 17
Following are the only ACLs that I'm using; besides that I've got the Safe_ports ACL and VirusPorts/SSL, that's it. I've changed url_regex to dstdomain, but it is still the same.
I don't know what is wrong.

Code:
######################################################
# Always direct and don't cached local destinations ##
######################################################
acl directdsts dst 10.0.0.0/255.0.0.0
always_direct allow directdsts
no_cache deny directdsts



###########################################
#  ACL Rules To Allow/Block
#  Websites
###########################################
acl myclnts src  "/home/scripts/ncc.squid"
acl flr-mgr src  "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr # <== allow access to supervisors
#acl webaccess1 url_regex  .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all
Code:
acl SSL_ports port  443 8443 563 8383 2095
acl Safe_ports port 2095                # http
acl Safe_ports port 80          # http
acl Safe_ports port 82          # http
acl Safe_ports port 4000        # chatpk
acl Safe_ports port 81          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 20          # ftp
acl Safe_ports port 8443        # https
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl VirusPorts port 69 135 137 138 139 153 707 445 9996 5554 4444 27374 31337 1214 6346 4444 10008 65535 12345 27374 31335-31337 5556 9996 8866 3127-3198 995-997 8998 1434


http_access deny VirusPorts
http_access allow manager localhost
http_access allow manager 
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow adminclients



http_access deny VirusPorts
http_access allow manager localhost
http_access allow manager 
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow adminclients


# And finally deny all other access to this proxy
http_access deny all

# http_reply_access allow all
http_reply_access allow all
Any idea?

Regards
Net_Spy
 
Old 08-27-2009, 04:22 PM   #10
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I don't see any of our suggestions in your squid.conf.
 
Old 08-27-2009, 06:00 PM   #11
Net_Spy
Member
 
Registered: Nov 2006
Posts: 100

Original Poster
Rep: Reputation: 17
anomie, I've tried those suggestions as well, but it didn't work for me. This is the
ACL part of my squid.conf:

Code:

###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
acl CONNECT method CONNECT

acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com


## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr # <== allow access to supervisors
http_access deny httpsfail
http_access deny CONNECT
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all


Regards
Net_Spy
 
Old 08-27-2009, 06:03 PM   #12
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Try like this instead:
Code:
###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
acl CONNECT method CONNECT

# Following three lines added by friends at LQ
acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com
http_access deny httpsfail CONNECT

## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr # <== allow access to supervisors
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all
 
Old 08-27-2009, 06:21 PM   #13
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by anomie View Post
# Following three lines added by friends at LQ
acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com
http_access deny httpsfail CONNECT
I'm curious as to why you're explicitly denying the CONNECT method. That would imply that you actually do want to allow HTTP, wouldn't it? Something like this would take care of both HTTP and HTTPS:
Code:
acl totalfail dstdomain .facebook.com
acl totalfail dstdomain .orkut.com
http_access deny totalfail

Last edited by win32sux; 08-27-2009 at 06:58 PM.
 
Old 08-27-2009, 07:23 PM   #14
Net_Spy
Member
 
Registered: Nov 2006
Posts: 100

Original Poster
Rep: Reputation: 17
I've tried that as well, but I can still access it using https://www.facebook.com, Gmail or Orkut. My Squid version is 2.6.

Regards
Net_Spy
 
Old 08-27-2009, 07:32 PM   #15
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
You did stick those lines at the top of your file, right? Because otherwise, we'd still have doubts about another ACL granting access. Also, is this Squid running in transparent mode? If so, verify that the clients are configured to use Squid for HTTPS. I've seen many cases in which administrators forgot that only HTTP gets transparently proxied, while HTTPS would be getting SNATed if not filtered. BTW, what does the log file look like when you access, say, Facebook?

Last edited by win32sux; 08-27-2009 at 07:33 PM.
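As an added illustration (not code from the thread) of the points win32sux makes above: Squid walks http_access rules top down and the first rule whose ACLs all match wins, a dstdomain ACL matches both plain HTTP and the CONNECT tunnel an HTTPS request goes through, and on CONNECT Squid only sees host:port, so a url_regex that includes a path can never match. The ACL names follow the thread; the client ranges and the example.org allow-list are placeholder values, not the OP's.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    client: str       # browser's source IP
    method: str       # "GET" for plain HTTP, "CONNECT" for an HTTPS tunnel
    host: str
    port: int
    path: str = ""    # known for plain HTTP only; a CONNECT carries no path

def acl_matches(kind, args, req):
    if kind == "src":
        return any(ip_address(req.client) in ip_network(a) for a in args)
    if kind == "method":
        return req.method in args
    if kind == "dstdomain":
        # ".example.com" matches the domain and all subdomains; without the dot, exact host only
        return any(req.host == d.lstrip(".") or (d.startswith(".") and req.host.endswith(d))
                   for d in args)
    if kind == "url_regex":
        # On CONNECT Squid only sees host:port, so a pattern that includes a path cannot match
        target = f"{req.host}:{req.port}" if req.method == "CONNECT" else f"http://{req.host}{req.path}"
        return any(re.search(p, target, re.I) for p in args)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(acls, rules, req):
    """First rule whose ACLs all match wins; if none matches, the opposite of the last rule applies."""
    for action, names in rules:
        if all(acl_matches(*acls[n], req) for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed ACLs modelled on the thread; the client ranges are placeholders, not the OP's
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "myclnts": ("src", ["10.0.1.0/24"]),
    "flr-mgr": ("src", ["10.0.2.0/24"]),
    "CONNECT": ("method", ["CONNECT"]),
    "httpsfail": ("dstdomain", [".facebook.com", ".orkut.com"]),
    "alwurl": ("dstdomain", [".example.org"]),
    "loginrx": ("url_regex", [r"facebook\.com/login"]),
}
# Deny list first, as win32sux suggested, so no later allow can override it
RULES_GOOD = [("deny", ["httpsfail"]), ("allow", ["alwurl", "myclnts"]), ("allow", ["flr-mgr"]), ("deny", ["all"])]
# Deny list after the supervisors' allow: supervisors can still reach facebook.com
RULES_BAD = [("allow", ["alwurl", "myclnts"]), ("allow", ["flr-mgr"]), ("deny", ["httpsfail"]), ("deny", ["all"])]
# anomie's variant denies only the CONNECT tunnel, so plain-HTTP requests to the same domain pass
RULES_CONNECT_ONLY = [("deny", ["httpsfail", "CONNECT"]), ("allow", ["flr-mgr"]), ("deny", ["all"])]
```

Swap the order of the rule lists against the same requests to see why win32sux asks where the deny lines were placed and whether some other ACL grants access first.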
 