LinuxQuestions.org


tanin007 01-01-2012 01:02 AM

Try to block https://facebook.com but cannot able to do this yet
 
Hi, I added these lines to my squid.conf file:
Code:

http_port 3128 transparent
http_port 80 defaultsite=192.168.20.1
acl port80 port 80
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
http_access allow port80
visible_hostname host.domain.com
acl localhost src 127.0.0.1/8
acl lan src 192.168.10.26 192.168.20.1/24
http_access allow localhost
http_access allow lan

In the blacklist_domains file I added this:
Code:

.facebook.com

But I am not yet able to block https://www.facebook.com. Can anyone help me?

phil.d.g 01-01-2012 02:38 AM

The first step would be to have Squid proxy HTTPS traffic.

From the configuration it looks like Squid is only proxying for HTTP traffic.

tanin007 01-01-2012 02:41 AM

Thanks for your reply. Can you please tell me how I can configure Squid so that it blocks both HTTPS and HTTP traffic for Facebook? I added this:

Quote:

http_port 3128 transparent
http_port 80 defaultsite=192.168.20.1
acl port80 port 443
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
acl port80 port 80
acl BLACKLIST_DOMAINS dstdom_regex -i "/etc/squid/blacklist_domains"
http_access deny BLACKLIST_DOMAINS
#ssl_bump allow all
#acl bad_sites dstdomain .facebook.com
#http_access CONNECT deny bad_sites
http_access allow port80
visible_hostname host.domain.com
acl localhost src 127.0.0.1/8
acl lan src 192.168.10.26 192.168.20.1/24
http_access allow localhost
http_access allow lan

But it is still not working for https://www.facebook.com

phil.d.g 01-01-2012 02:58 AM

I will give you these tips:

1) You can't proxy SSL traffic transparently as you currently do with HTTP.
2) You may need to terminate the SSL connection to the remote server at Squid, and have an entirely different SSL connection from the browser to Squid for the filter to work. This I'm unsure about.

Resources:

http://wiki.squid-cache.org/Features/HTTPS
http://wiki.squid-cache.org/Features/SslBump
https://calomel.org/squid.html

This should get you started. If you get stuck post back. If you're lucky someone with more commitment may implement a configuration for you.

k3lt01 01-01-2012 02:59 AM

You could just add
Code:

127.0.0.1 www.facebook.com
to your hosts file after all the other entries.

tanin007 01-01-2012 03:03 AM

I tried in many ways and posted many times. But some people tell me that it is impossible to block https://www.facebook.com. So I need help with how I can actually do this, and where in my configuration I need to make a change so that it blocks https://www.facebook.com.

And 127.0.0.1 www.facebook.com is not applicable here because I have a proxy server and 20-30 people are connected to it. "127.0.0.1 www.facebook.com" only blocks on the host PC. Anyway, thanks for your reply. But it does not work anymore.

phil.d.g 01-01-2012 03:09 AM

Quote:

Originally Posted by k3lt01 (Post 4563009)
You could just add
Code:

127.0.0.1 www.facebook.com
to your hosts file after all the other entries.

That would need to be added to all the client machines on the network, as the OP isn't currently using Squid for HTTPS.

tanin007 01-01-2012 03:26 AM

It is not possible because no one gives you access to their PC. And even if they did, after some period of time when I am not there they could easily delete the entry and get full access. Please, if you do not know the proper solution, do not post something that looks very funny.

k3lt01 01-01-2012 03:34 AM

Quote:

Originally Posted by tanin007 (Post 4563011)
I tried in many ways and posted many times. But some people tell me that it is impossible to block https://www.facebook.com. So I need help with how I can actually do this, and where in my configuration I need to make a change so that it blocks https://www.facebook.com.

Facebook can be blocked; I have done it many times, but not using Squid.

Quote:

Originally Posted by tanin007 (Post 4563011)
And 127.0.0.1 www.facebook.com is not applicable here because I have a proxy server and 20-30 people are connected to it. "127.0.0.1 www.facebook.com" only blocks on the host PC. Anyway, thanks for your reply. But it does not work anymore.

Quote:

Originally Posted by phil.d.g (Post 4563012)
That would need to be added to all the client machines on the network, as the OP isn't currently using Squid for HTTPS.

Yeah sorry about that. I thought the OP may be just learning squid on his own PC and while my answer wasn't much help it would work if my assumption was correct. However without knowing his network setup it is difficult, for me, to give any advice so I will watch and learn.

phil.d.g 01-01-2012 03:55 AM

Quote:

Originally Posted by k3lt01 (Post 4563015)
Yeah sorry about that. I thought the OP may be just learning squid on his own PC and while my answer wasn't much help it would work if my assumption was correct. However without knowing his network setup it is difficult, for me, to give any advice so I will watch and learn.

No need to apologise. I made the assumption there were a number of client computers and a proxy server; I guess I was lucky.

tanin007, I have linked to several resources including a tutorial to get you started. I'm not going to regurgitate that information. It would be a waste of my time, and some specifics may get left out.

Reading http://www.comfsm.fm/computing/squid/FAQ-1.html#ss1.12 and http://www.ietf.org/rfc/rfc2817.txt I would make the assumption that it isn't necessary to terminate the SSL connection at Squid in order to implement blocking Facebook. Following the previously linked to tutorial should be sufficient.
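
An added example, not part of the original thread, of the approach described in the post above: denying on the CONNECT request that an explicitly configured proxy receives, without terminating SSL at Squid. The ACL names `blocked_sites`, `SSL_ports` and `CONNECT` and the 192.168.20.0/24 network form are assumptions; the client addresses and the proxy address 192.168.20.1 are taken from the poster's configuration.

```conf
# Added example, not the poster's configuration.
# Assumes every browser is configured to use 192.168.20.1:3128 as its
# proxy (explicit proxying, not interception). HTTPS then reaches Squid as
#   CONNECT www.facebook.com:443 HTTP/1.1
# so the host name is visible before any TLS handshake takes place.
http_port 3128

# Clients allowed to use the proxy. Addresses are from the thread; writing
# the range as 192.168.20.0/24 is an assumption about the LAN.
acl lan src 192.168.10.26 192.168.20.0/24

acl SSL_ports port 443
acl CONNECT method CONNECT

# dstdomain with a leading dot matches facebook.com and every subdomain.
# It is compared with the URL host for plain HTTP requests and with the
# host named in the CONNECT line for HTTPS.
acl blocked_sites dstdomain .facebook.com

# http_access rules are evaluated top to bottom and the first match
# decides, so the deny must come before any allow that matches the client.
http_access deny blocked_sites
http_access deny CONNECT !SSL_ports
http_access allow lan
http_access deny all

# The block only holds while clients have no other path out: if the
# gateway still forwards direct connections to port 443, a browser with
# its proxy setting removed bypasses Squid entirely.
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` reloads it.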

swappie 01-13-2012 08:09 AM

Ban Facebook SSL (iptables)
 
Hi! I had the same problem recently, which made me start working on a project named BAN FACEBOOK SSL. I've created a page which generates a bash script. It grabs the classes of Facebook.com and creates the iptables OUTPUT rules on the fly for you. Once you run it on the gateway (if that's Linux-based) it should work. I know that it can be done with FORWARD or PREROUTING and stuff, but you have to specify the interfaces and so on. So, this was the simplest way to do it :). I will soon publish a bash script which grabs the classes of Facebook.com and applies the iptables rules straight away, creates a backup of the initial firewall and so on. :) Use it with care: www.bfssl.tk (this is my project and don't forget to read the disclaimer).

If there's anyone having ideas or wants to contribute, please contact me. :)

Cheers,
Alex


All times are GMT -5.