Linux - Server
Using squid-2.6-stable on CentOS5.4 final for proxying. And for content filtering got dansguardian 2.10.1.1.
There is this option in bannedsitelist wherein https requests can be blocked, but this is not working.
But dansguardian is blocking other sites that are http.
For information:
Installed dans by compiling it from source and downloaded it from the official site.
You can't block individual patterns on https, only the site to which you are connected, as this is the only visible thing when using an explicit non-terminating https proxy. If you are doing it transparently, you can't even do that, only block on IP address, as the SSL connection is created before any HTTP requests are made, making it impossible to see what's being requested.
So in short it is impossible to block the https request when I am using squid in transparent mode, even though I am using dansguardian. It would really be a bad idea to block requests on the IP addresses. They tend to change. So it would really not be an option, though if needed I could do that.
Ok. I am out of options of blocking https requests.
Yes, a direct https connection just starts with pure SSL. The client opens a TCP socket and starts negotiating SSL cipher specs and the likes. So it's not until this secure channel, which could be used to carry *ANY* traffic at all, that a web page is requested with the conventional HTTP protocols, which the proxy has no chance of seeing.
Okay, so it is not possible using squid. But is there ANY way that https requests can be blocked for certain machines? Well, the squid is running in transparent mode. And it would not be too possible to change it to normal operation (non-transparent mode) unless it is the only solution. And I also need to know if ISA can do that?
And if I remove squid from transparent mode, will it block the requests?
In either mode you can filter on the IP address. But nothing that doesn't terminate SSL itself can do any more than block on hostname / IP, so can never filter urls, content etc.
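To make the distinction in the two answers above concrete, here is a small added example (not code from the thread, squid or dansguardian) that models what a non-terminating proxy has to work with in each mode. The banned-site list, the denied IP and the sample request bytes are all constructed for the illustration; the CONNECT handling mirrors the kind of hostname match a bannedsitelist does, and the transparent case shows that the first bytes on the wire are already a TLS record with no HTTP request line, so the only policy input left at this layer is the destination IP.

```python
"""Added example: what a non-terminating HTTPS proxy can see in explicit
versus transparent mode, and how that bounds a bannedsitelist-style check.
Policy values and sample bytes below are constructed, not from the thread."""
import ipaddress
import re

# Constructed policy: site entries also cover their subdomains (the usual
# bannedsitelist behaviour); the IP set stands in for an iptables-style deny.
BANNED_SITES = {"example-blocked.test", "videos.example"}
BANNED_IPS = {ipaddress.ip_address("203.0.113.10")}

# Plaintext request line a browser sends to an explicit proxy before TLS:
#   CONNECT host:port HTTP/1.1
CONNECT_RE = re.compile(
    rb"^CONNECT\s+([^\s:\]]+|\[[0-9a-fA-F:]+\])(?::(\d+))?\s+HTTP/1\.[01]\r?\n"
)


def host_is_banned(host: str) -> bool:
    """True if host equals a banned site or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BANNED_SITES)


def explicit_mode_decision(first_bytes: bytes) -> str:
    """Explicit (non-transparent) proxy: the hostname is visible in the
    CONNECT line, so a site-level block works. Nothing inside the tunnel
    (URL path, content) is ever visible to a proxy that does not terminate TLS."""
    m = CONNECT_RE.match(first_bytes)
    if not m:
        return "not-a-connect-request"
    host = m.group(1).decode("ascii").strip("[]")
    return "deny" if host_is_banned(host) else "allow"


def transparent_mode_decision(first_bytes: bytes, dst_ip: str) -> str:
    """Transparent interception: the client thinks it talks to the origin,
    so its first bytes are a TLS handshake record (content type 0x16,
    version major 0x03) rather than any HTTP text. The only thing the
    proxy can apply policy to here is the destination IP from the socket."""
    is_tls_handshake = (
        len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
    )
    if not is_tls_handshake:
        return "not-tls"
    return "deny" if ipaddress.ip_address(dst_ip) in BANNED_IPS else "allow"


if __name__ == "__main__":
    # Constructed sample traffic for a quick stand-alone run.
    connect = b"CONNECT www.videos.example:443 HTTP/1.1\r\nHost: www.videos.example:443\r\n\r\n"
    print("explicit:", explicit_mode_decision(connect))
    tls_hello = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
    print("transparent:", transparent_mode_decision(tls_hello, "203.0.113.10"))
```

Run on its own it prints `deny` for both samples, but for different reasons: the explicit case matched the hostname `www.videos.example` against the list, while the transparent case could only match the address 203.0.113.10, which is exactly the "IP addresses tend to change" weakness raised earlier in the thread.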
Okay. Now this is getting tougher and tougher. Though there are company policies and tough decisions could be taken, there is still this possibility of getting through to any site just by using https instead of http. And this is what is creating issues right now. I will try removing squid from transparent mode and then integrate it with dansguardian, the latest version. There is this option of blocking https requests in dans. But it has not worked for me as yet. I will keep my fingers crossed on this one. Saturday seems to be fine for this change. Let me see and keep you updated. Do not stop following the thread just right now.
I want to know now whether you had any success in blocking https requests in dans.
Why are you digging up this old, dead, year-old thread without any positive and helpful inputs?
I have had success by not implementing it in transparent mode. Done. Thank you.
the dig was ok, because you didn't specify the solution before.
So you've set Squid into non-transparent mode and forced all users to set their browser to use your proxy, is that correct?
That's what he said. Can we let the thread go back to sleep now?
Yes. This has been an informative thread; unfortunately it ended up choosing the "last resort" solution and forcing all users to set up their browsers to use the proxy.
Now users can bring a memory stick with standalone Firefox, thus bypassing my proxies.
I tend to configure server-side only and avoid managing each workstation, so I'll keep blocking all https sites by default and allow good https sites at the firewall (iptables) level.
You have a badly designed network. Congratulations.