LinuxQuestions.org


Winanjaya 11-19-2009 11:03 PM

how to deny block https sites for some users
 
in squid, how to block some https sites for some users?

ie. I want to deny https://www.google.com and https://www.xyz.com
for 192.168.1.6-16

please help

thanks & regards

GlennsPref 11-20-2009 12:51 AM

Hi, I also use squid.

ref. Restricting Access to specific Web sites

Quote:

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

# Add this to the bottom of the ACL section of squid.conf
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

These addresses to the files need to be logical, and kept in a non-user space.

If you don't want to restrict the times, leave out that line...
eg. "acl business_hours time M T W H F 9:00-17:00"

These files may contain....another example from linuxhomenetworking
Quote:

# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

also see...www.linuxhomenetworking.com/wiki and
http://www.visolve.com/squid/squid30/contents.php

for a range of addresses, try this synopsis instead of the example...
Quote:

addr1-addr2/netmask

Like this, change...
Code:

# before:
#   acl home_network src 192.168.1.0/24
# after:
acl home_network src 192.168.1.6-192.168.1.16/24


ref. http://www.visolve.com/squid/squid30...ntrols.php#acl

Read these sites for more info.

Hope this helps you, cheers Glenn

win32sux 11-20-2009 03:27 AM

Quote:

Originally Posted by Winanjaya (Post 3763457)
in squid, how to block some https sites for some users?

ie. I want to deny https://www.google.com and https://www.xyz.com
for 192.168.1.6-16

please help

thanks & regards

Have you searched LQ for previous threads about this issue? I know for a fact that there are several, because I have participated in some. In any case, what you want could be done like this:
Code:

acl clients src 192.168.1.6-192.168.1.16
acl https_sites dstdomain .www.google.com
acl https_sites dstdomain .www.xyz.com
acl CONNECT method CONNECT

http_access deny clients https_sites
http_access allow clients
http_access deny all

Keep in mind that you're matching by subdomain. If you want to block HTTPS for the entire domains do:
Code:

acl clients src 192.168.1.6-192.168.1.16
acl https_sites dstdomain .google.com
acl https_sites dstdomain .xyz.com
acl CONNECT method CONNECT

http_access deny clients https_sites CONNECT
http_access allow clients
http_access deny all


Winanjaya 11-20-2009 04:19 AM

but how to put the https site list into file?

win32sux 11-20-2009 06:08 AM

Quote:

Originally Posted by Winanjaya (Post 3763679)
but how to put the https site list into file?

Just stick them in a text file and specify it like:
Code:

acl clients src 192.168.1.6-192.168.1.16
acl https_sites dstdomain "/etc/squid/example.txt"
acl CONNECT method CONNECT

http_access deny clients https_sites CONNECT
http_access allow clients
http_access deny all


Winanjaya 11-30-2009 10:52 PM

I tried below .. but sometimes it does not work for some sites (such as https://facebook.com .. etc)

I have /etc/squid/src/freehttps

allowedhttps.domain1.com
allowedhttps.domain2.com

..

in squid.conf

acl clients src 192.168.1.0/24
acl freehttps url_regex -i "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all


I am still able to visit https://www.facebook.com

what I missed?

win32sux 11-30-2009 11:17 PM

Quote:

Originally Posted by Winanjaya (Post 3775186)
I tried below .. but sometimes it does not work for some sites (such as https://facebook.com .. etc)

I have /etc/squid/src/freehttps

allowedhttps.domain1.com
allowedhttps.domain2.com

..

in squid.conf

acl clients src 192.168.1.0/24
acl freehttps url_regex -i "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all


I am still able to visit https://www.facebook.com

what I missed?

Why are you using URL regular expressions? That wasn't suggested anywhere on this thread. Also, the second http_access (which is presumably spelled properly in your actual squid.conf) would give total access to all clients in 192.168.1.0/24, which makes the first http_access pointless.

Winanjaya 11-30-2009 11:24 PM

Although I changed it to

acl clients src 192.168.1.0/24
acl freehttps dstdomain "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all

I am still able to visit https://www.facebook.com


in "/etc/squid/src/freehttps" contains:

domain1.com
domain2.com

Winanjaya 11-30-2009 11:25 PM

and by the way .. I am running transparent proxy.. any comment?

Winanjaya 11-30-2009 11:35 PM

and in /var/log/squid/access.. I found the following..:

1954 POST http://204.11.16.115:80/toolbar/activate.php - NONE/- text/html


I don't know how to block such an address?

win32sux 11-30-2009 11:36 PM

Quote:

Originally Posted by Winanjaya (Post 3775219)
Although I changed it to

acl clients src 192.168.1.0/24
acl freehttps dstdomain "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all

I am still able to visit https://www.facebook.com

If I'm properly understanding what you want, this should look like this instead:
Code:

acl clients src 192.168.1.0/24
acl freehttps dstdomain "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps clients
http_access deny CONNECT clients
http_access allow clients
http_access deny all

Quote:

in "/etc/squid/src/freehttps" contains:

domain1.com
domain2.com

You need a dot before each of those domains, like:
Code:

.domain1.com
.domain2.com


Quote:

Originally Posted by Winanjaya (Post 3775220)
and by the way .. I am running transparent proxy.. any comment?

It doesn't really matter in this case, as AFAICT your problem is bad ACLs, not interception.
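
Added example (not part of the original thread and not Squid's own code): a small Python model of how Squid evaluates http_access lines, showing why the rule set as posted still lets a CONNECT to www.facebook.com through, and why the list entries need the leading dot. It models only the src, dstdomain and method ACL types used in this thread; the client address 192.168.1.10 is a constructed sample, and it assumes HTTPS reaches Squid as a CONNECT request from a browser configured to use the proxy.

```python
import ipaddress

def dstdomain_match(pattern, host):
    # Squid dstdomain: ".example.com" matches the domain and every subdomain;
    # "example.com" (no leading dot) matches that exact host name only.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def make_acls(freehttps):
    net = ipaddress.ip_network("192.168.1.0/24")
    return {
        "clients": lambda r: ipaddress.ip_address(r["src"]) in net,
        "freehttps": lambda r: any(dstdomain_match(p, r["host"]) for p in freehttps),
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "all": lambda r: True,
    }

def evaluate(rules, acls, req):
    # ACLs on one http_access line are ANDed; the first line that matches decides.
    for action, names in rules:
        if all(acls[n](req) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rule set as posted (second line assumed spelled http_access in the real file).
AS_POSTED = [("allow", ["CONNECT", "freehttps"]),
             ("allow", ["clients"]),
             ("deny", ["all"])]
# Rule set from the final reply.
CORRECTED = [("allow", ["CONNECT", "freehttps", "clients"]),
             ("deny", ["CONNECT", "clients"]),
             ("allow", ["clients"]),
             ("deny", ["all"])]

def request(method, host, src="192.168.1.10"):  # constructed sample client
    return {"method": method, "host": host, "src": src}

if __name__ == "__main__":
    dotted, undotted = make_acls([".domain1.com"]), make_acls(["domain1.com"])
    for label, rules, acls, req in [
        ("as posted", AS_POSTED, dotted, request("CONNECT", "www.facebook.com")),
        ("corrected", CORRECTED, dotted, request("CONNECT", "www.facebook.com")),
        ("corrected", CORRECTED, dotted, request("CONNECT", "www.domain1.com")),
        ("no dot   ", CORRECTED, undotted, request("CONNECT", "www.domain1.com")),
    ]:
        print(label, req["method"], req["host"], "->", evaluate(rules, acls, req))
```

With the rules as posted, the facebook CONNECT fails the first line (not in freehttps) and is then allowed by the blanket "allow clients" line; the corrected set stops it at "deny CONNECT clients" before that line is reached.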

