LinuxQuestions.org
Old 10-16-2015, 12:33 PM   #1
kohshan99
Member
 
Registered: Sep 2012
Posts: 50

Rep: Reputation: Disabled
How to Block HTTPS Traffic?


I'm using Squid 3.1 transparent. It's working fine, but I want to block HTTPS websites, not all, but ones like https://facebook.com etc.
 
Old 10-16-2015, 01:12 PM   #2
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,200

Rep: Reputation: 397
HTTPS happens on port 443.
 
Old 10-17-2015, 02:06 AM   #3
kohshan99
Member
 
Registered: Sep 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
I know HTTPS uses port 443. I just want to know how I can block a few websites like https://youtube.com, https://facebook.com etc.
 
Old 10-17-2015, 02:36 AM   #4
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,200

Rep: Reputation: 397
OK, sorry, I misread. In that case the HTTPS is irrelevant; just set up an ACL to block by domain: http://www.cyberciti.biz/faq/squid-p...sing-internet/
 
Old 10-17-2015, 12:21 PM   #5
kohshan99
Member
 
Registered: Sep 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
My Squid is working fine. I can block websites. I just want to block https://facebook.com. If I open http://facebook.com I got a message that access was denied. This means I can block HTTP sites but not HTTPS sites.
 
Old 10-17-2015, 12:27 PM   #6
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,200

Rep: Reputation: 397
Quote:
Originally Posted by kohshan99
My Squid is working fine. I can block websites. I just want to block https://facebook.com. If I open http://facebook.com I got a message that access was denied. This means I can block HTTP sites but not HTTPS sites.

Facebook is HTTPS only. You can browse to http://www.facebook.com until you're blue in the face; it automatically redirects you to https://www.facebook.com. You can't use Facebook without HTTPS. The same goes for sites like Google, where any non-HTTPS requests are simply redirected to HTTPS requests. This is by design of the sites in question, not your Squid. Therefore blocking HTTPS access to Facebook, for instance, blocks Facebook.

Don't believe me? Click on the http link for Facebook; you'll find yourself on https://www.facebook.com
 
Old 10-19-2015, 01:42 AM   #7
kohshan99
Member
 
Registered: Sep 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
OK, I agree with you. But now my question is: how can I block some HTTPS websites?
 
Old 10-19-2015, 03:54 AM   #8
kohshan99
Member
 
Registered: Sep 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
Right now I finally block https://facebook.com by using iptables, but I can still access it on the client side. It just blocks Facebook HTTPS traffic on my server. My iptables is:

Quote:
root@Proxy:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere edge-star-shv-01-sea1.facebook.com tcp dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere edge-star-shv-01-sjc2.facebook.com tcp dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere edge-star-shv-01-ams3.facebook.com tcp dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere edge-secure-shv-01-ams3.facebook.com tcp dpt:https reject-with icmp-port-unreachable
REJECT tcp -- anywhere instagram-shv-12-prn1.fbcdn.net tcp dpt:https reject-with icmp-port-unreachable

Chain FACEBOOK (0 references)
target prot opt source destination

PHP Code:
iptables=/usr/sbin/iptables
# Flush the filter table, then NAT LAN clients out through eth1
$iptables -F
$iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Accept everything forwarded from the LAN side (eth0)
$iptables -A FORWARD -i eth0 -j ACCEPT
# Reject HTTPS to these addresses; OUTPUT only sees packets sent by this host itself
$iptables -A OUTPUT -p tcp -d 31.13.76.102 --dport 443 -j REJECT
$iptables -A OUTPUT -p tcp -d 31.13.77.6 --dport 443 -j REJECT
$iptables -A OUTPUT -p tcp -d 31.13.91.2 --dport 443 -j REJECT
$iptables -A OUTPUT -p tcp -d 31.13.91.17 --dport 443 -j REJECT
$iptables -A OUTPUT -p tcp -d 69.171.237.16 --dport 443 -j REJECT
# Enable IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by kohshan99; 10-19-2015 at 03:56 AM. Reason: https
 
Old 10-24-2015, 03:06 AM   #9
kohshan99
Member
 
Registered: Sep 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
Facebook

An option is to blackhole routes to network blocks: (Listed are for FB)


Quote:
ip route add blackhole 69.171.224.0/19
ip route add blackhole 74.119.76.0/22
ip route add blackhole 204.15.20.0/22
ip route add blackhole 66.220.144.0/20
ip route add blackhole 69.63.176.0/20
ip route add blackhole 173.252.64.0/18

Now Facebook is blocked.
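
Added example, not part of any post in this thread: the REJECT rules in post #8 sit in the OUTPUT chain, which filters only traffic originating on the proxy host, so clients routed through the box still reach the site. Assuming port 443 is forwarded through the gateway rather than redirected to Squid, the script below prints equivalent rules for the FORWARD chain, using the prefixes from post #9 and eth0 as the LAN interface from post #8; the names `FB_NETS`, `valid_cidr` and `forward_block_rules` are hypothetical, and `--reject-with tcp-reset` is a choice made here so browsers fail fast.

```shell
#!/bin/sh
# Added example, not from the thread. Emits FORWARD-chain rules for routed
# client traffic; the OUTPUT rules in post #8 only match packets that the
# proxy host itself generates.

# Prefixes copied from post #9 (the poster's list, not re-verified here).
FB_NETS="69.171.224.0/19 74.119.76.0/22 204.15.20.0/22 66.220.144.0/20 69.63.176.0/20 173.252.64.0/18"

# valid_cidr CIDR: succeed only for a.b.c.d/len with octets <= 255, len <= 32.
# Rejecting everything else keeps stray text out of the generated commands.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in *..*|.*|*.) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_block_rules LAN_IF CIDR...: print one iptables command per prefix.
# "-I FORWARD 1" places each REJECT above the existing "ACCEPT all" rule seen
# in the iptables -L output; a rule appended with -A would never be reached.
forward_block_rules() {
    lan_if=$1
    shift
    for net in "$@"; do
        if ! valid_cidr "$net"; then
            echo "skipping invalid prefix: $net" >&2
            continue
        fi
        echo "iptables -I FORWARD 1 -i $lan_if -p tcp -d $net --dport 443 -j REJECT --reject-with tcp-reset"
    done
}

# Dry run: prints the commands for review. eth0 is the LAN side in post #8.
forward_block_rules eth0 $FB_NETS
```

The script only prints commands; after review they can be applied as root, and `iptables -L FORWARD -n --line-numbers` confirms the REJECT rules sit above the ACCEPT rule.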
 
  

