Old 07-23-2013, 04:33 AM   #1
ozid
LQ Newbie
 
Registered: Jul 2013
Posts: 2

Rep: Reputation: Disabled
Unable to block HTTPS squid3


Hello everyone.

After searching for hours on the net I'm not able to block HTTPS CONNECT on my squid.
I made some tries on one computer which has the proxy's IP in its parameters (so I guess squid is not in transparent mode).

Anyway, here is my squid.conf:

Code:
# ACL definitions (these must appear before the http_access lines that use them)
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Access rules, evaluated top to bottom, first match wins
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow serveur
http_access allow localhost
http_access deny all
And here is one of my acl rules to block https://youtube.com

Code:
acl yt dstdomain .youtube.com
http_reply_access deny yt
http_access deny CONNECT yt
With that rule http://youtube.com is blocked but not https.

Please, can someone figure out where the problem is? Thanks
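An added example, not part of the thread: a small Python model of Squid's first-match http_access and http_reply_access evaluation, run over the rule order posted above (assuming the CONNECT deny was appended after the allow lines, and a 192.168.0.0/16 localnet) beside a reordered version. It shows why plain HTTP to youtube.com is stopped by http_reply_access while the CONNECT tunnel is let through by "allow localnet" before the deny is ever reached.

```python
from collections import namedtuple
# method, destination host, destination port, client IP (all as the proxy sees them)
Request = namedtuple("Request", "method host port src")
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
# ACL name -> predicate; mirrors the acl lines in the thread
ACLS = {
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports":  lambda r: r.port == 443,
    "CONNECT":    lambda r: r.method == "CONNECT",
    "localnet":   lambda r: r.src.startswith("192.168."),   # assumed LAN range
    "localhost":  lambda r: r.src == "127.0.0.1",
    "yt":         lambda r: r.host == "youtube.com" or r.host.endswith(".youtube.com"),
    "all":        lambda r: True,
}

def term_matches(term, r):
    """One ACL term of an access line; a leading '!' negates it."""
    return ACLS[term.lstrip("!")](r) != term.startswith("!")

def first_match(rules, r):
    """Squid access-list semantics: the first line whose terms all match wins;
    if no line matches, the result is the opposite of the last line's action."""
    for action, *terms in rules:
        if all(term_matches(t, r) for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def decide(request_rules, reply_rules, r):
    """http_access on the request, then http_reply_access on the reply.
    A CONNECT tunnel carries no HTTP reply, so the reply stage never sees it."""
    if first_match(request_rules, r) == "deny":
        return "deny"
    if r.method != "CONNECT" and first_match(reply_rules, r) == "deny":
        return "deny"
    return "allow"

REPLY = [("deny", "yt")]                          # http_reply_access deny yt
# Rules in the posted order, with the site deny appended after the allows (assumption)
POSTED = [("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports"),
          ("allow", "localnet"), ("allow", "localhost"), ("deny", "all"),
          ("deny", "CONNECT", "yt")]
# Same rules with a single site deny placed before any allow line
FIXED = [("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports"),
         ("deny", "yt"), ("allow", "localnet"), ("allow", "localhost"),
         ("deny", "all")]
# Constructed sample requests from a LAN client
HTTPS_YT = Request("CONNECT", "www.youtube.com", 443, "192.168.1.20")
HTTP_YT = Request("GET", "www.youtube.com", 80, "192.168.1.20")
OTHER = Request("CONNECT", "example.org", 443, "192.168.1.20")
```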
 
Old 07-24-2013, 01:04 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,690
Blog Entries: 33

Rep: Reputation: 290
Hi! Welcome to LQ

I've done this lately for my system.

To drop incoming TCP connections on port 443 for a web server (HTTPS):
Code:
# iptables -A TCP -p tcp --dport 443 -j DROP
ref. http://www.frozentux.net/iptables-tu...l.html#TARGETS
Quote:
A packet that matches a rule perfectly and is then Dropped will be blocked.
Note that this action might in certain cases have an unwanted effect,
since it could leave dead sockets around on either host.
A better solution in cases where this is likely would be to use the
REJECT target
...
The REJECT target works basically the same as the DROP target,
but it also sends back an error message to the host sending the packet
that was blocked.
Note that all chains that use the REJECT target may only be called by
the INPUT, FORWARD, and OUTPUT chains, else they won't work.
Transparency

End of iptables:
Code:
## --- FORWARD CHAIN --- ##
#

	# Stateful inspection -- Forward in connections already established

	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
...
	# Forward out all traffic

	$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#	# Follows policy

#
## --- NAT --- ##
#

	# Enable masquerade

	$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
squid config

Code:
...
# Squid normally listens to port 3128
#http_port 3128 transparent
#http_port 127.0.0.1:3128 intercept connection-auth=off
http_port 10.0.0.15:3128 intercept connection-auth=off
...
ref. https://fossies.org/linux/www/squid-...rc/cf.data.pre
Quote:
WARNING: authentication can't be used in a transparently intercepting
proxy as the client then thinks it is talking to an origin server and
not the proxy. This is a limitation of bending the TCP/IP protocol to
transparently intercepting port 80, not a limitation in Squid.
Ports flagged 'transparent', 'intercept', or 'tproxy' have
authentication disabled.
set browsers to not use a proxy! ;-)

Hope this gives you some info.

Regards, Glenn
 
1 members found this post helpful.
Old 07-25-2013, 03:12 AM   #3
ozid
LQ Newbie
 
Registered: Jul 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled

Thanks Glenn, I'm now getting this to work.
 
Old 07-25-2013, 03:33 AM   #4
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,690
Blog Entries: 33

Rep: Reputation: 290
Hi, I'm glad this info helped.

Please use the "thread tools" to mark your thread as "SOLVED"

Thank you and all the best, Glenn
 
  

