LinuxQuestions.org
Old 11-30-2009, 05:58 AM   #1
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Rep: Reputation: Disabled
Dansguardian not blocking https pages.


Hello all,

Using squid-2.6-stable on CentOS5.4 final for proxying. And for content filtering got dansguardian 2.10.1.1.
There is this option in bannedsitelist wherein https requests can be blocked, but this is not working.
But dansguardian is blocking other sites that are http.
For information:

Installed dans by compiling it from source and downloaded it from the official site.
 
Old 12-01-2009, 12:34 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
You can't block individual patterns on https, only the site to which you are connected, as this is the only visible thing when using an explicit non-terminating https proxy. If you are doing it transparently, you can't even do that, only block on IP address, as the SSL connection is created before any HTTP requests are made, making it impossible to see what's being requested.
 
Old 12-01-2009, 12:55 AM   #3
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
So in short it is impossible to block the https request when I am using squid in transparent mode, even though I am using dansguardian. It would really be a bad idea to block requests on the IP addresses. They tend to change. So it would really not be an option, though if needed I could do that.
Ok. I am out of options of blocking https requests.
 
Old 12-01-2009, 12:17 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Yes, a direct https connection just starts with pure SSL. The client opens a TCP socket and starts negotiating SSL cipher specs and the like. So it's not until this secure channel, which could be used to carry *ANY* traffic at all, is established that a web page is requested with the conventional HTTP protocols, which the proxy has no chance of seeing.
 
Old 12-10-2009, 01:21 AM   #5
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Okay, so it is not possible using squid. But is there ANY way that https requests can be blocked for certain machines? Well, the squid is running in transparent mode. And it would not be too possible to change it to normal operation (non-transparent mode) unless it is the only solution. And I also need to know if ISA can do that?
And if I remove squid from transparent mode, will it block the requests?
 
Old 12-10-2009, 07:38 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
In either mode you can filter on the IP address. But nothing that doesn't terminate SSL itself can do any more than block on hostname / IP, so can never filter urls, content etc.
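
Added example (not part of the thread or of any poster's configuration): a Python sketch of what post #6 describes, showing which fields an explicit, non-terminating proxy can read from a request head and therefore which rules can apply. The rule lists, host names and sample requests are constructed for illustration; in transparent mode there would be no CONNECT line at all, only the destination IP.

```python
# Added illustration: what a non-terminating explicit proxy can match on.
# Rule lists and sample requests are constructed; this is not DansGuardian code.
from urllib.parse import urlsplit

BANNED_SITES = {"blocked.example"}      # hypothetical site list
BANNED_URL_PARTS = ("/games/",)         # hypothetical URL patterns


def visible_fields(raw: bytes) -> dict:
    """Parse the first request line a client sends to an explicit proxy."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = line.split(" ", 2)
    if method == "CONNECT":
        # HTTPS via proxy: only "host:port" is sent in the clear.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host.lower(), "port": int(port), "path": None}
    url = urlsplit(target)               # plain HTTP: absolute URL is visible
    return {"method": method, "host": (url.hostname or "").lower(),
            "port": url.port or 80, "path": url.path or "/"}


def site_banned(host: str) -> bool:
    """Match the host or any parent domain against the site list."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BANNED_SITES for i in range(len(labels)))


def decide(raw: bytes) -> str:
    req = visible_fields(raw)
    if site_banned(req["host"]):
        return "deny:site"
    if req["path"] is None:
        # Tunnel: the URL travels inside TLS, so URL rules cannot apply.
        return "allow:tunnel"
    if any(part in req["path"] for part in BANNED_URL_PARTS):
        return "deny:url"
    return "allow"


SAMPLES = [  # constructed request heads
    b"GET http://ok.example/games/play.html HTTP/1.1\r\nHost: ok.example\r\n\r\n",
    b"CONNECT ok.example:443 HTTP/1.1\r\nHost: ok.example:443\r\n\r\n",
    b"CONNECT www.blocked.example:443 HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.split(b"\r\n")[0].decode(), "->", decide(s))
```

The same `/games/` path that is denied over plain HTTP passes as a tunnel over HTTPS, because only the site rule has anything to match against.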
 
Old 12-11-2009, 01:25 AM   #7
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Okay. Now this is getting tougher and tougher. Though there are company policies and tough decisions could be taken, there is still this possibility of getting through to any site just by using https instead of http. And this is what is creating issues right now. I will try removing squid from transparent mode and then integrate it with dansguardian, the latest version. There is this option of blocking https requests in dans. But it has not worked for me as yet. I will keep my fingers crossed on this one. Saturday seems to be fine for this change. Let me see and keep you updated. Do not stop following the thread just right now.
 
Old 10-22-2010, 12:49 PM   #8
RHCE007
LQ Newbie
 
Registered: Oct 2010
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by linuxlover.chaitanya
Okay. Now this is getting tougher and tougher. Though there are company policies and tough decisions could be taken, there is still this possibility of getting through to any site just by using https instead of http. And this is what is creating issues right now. I will try removing squid from transparent mode and then integrate it with dansguardian, the latest version. There is this option of blocking https requests in dans. But it has not worked for me as yet. I will keep my fingers crossed on this one. Saturday seems to be fine for this change. Let me see and keep you updated. Do not stop following the thread just right now.

I want to know: have you had any success in blocking https requests in dans?
 
Old 10-23-2010, 12:19 AM   #9
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Gurgaon, India
Distribution: Cent OS 6/7
Posts: 4,631

Original Poster
Rep: Reputation: Disabled
Why are you digging this old dead year old thread without any positive and helpful inputs?
I have had success by not implementing it in transparent mode. Done. Thank you.
 
Old 10-27-2010, 03:08 AM   #10
strakalas
LQ Newbie
 
Registered: Oct 2010
Distribution: CentOS, Ubuntu
Posts: 6

Rep: Reputation: 0
Quote:
Originally Posted by linuxlover.chaitanya
Why are you digging this old dead year old thread without any positive and helpful inputs?
I have had success by not implementing it in transparent mode. Done. Thank you.

the dig was ok, because you didn't specify the solution before.

so you've set Squid into non-transparent mode and forced all users to set their browser to use your proxy, is that correct?
 
Old 10-27-2010, 03:18 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Quote:
Originally Posted by strakalas
the dig was ok, because you didn't specify the solution before.

so you've set Squid into non-transparent mode and forced all users to set their browser to use your proxy, is that correct?

That's what he said. Can we let the thread go back to sleep now?
 
Old 10-27-2010, 04:01 AM   #12
strakalas
LQ Newbie
 
Registered: Oct 2010
Distribution: CentOS, Ubuntu
Posts: 6

Rep: Reputation: 0
Thumbs down

Quote:
Originally Posted by acid_kewpie
That's what he said. Can we let the thread go back to sleep now?

yes. this has been an informative thread, unfortunately it ended up choosing the "last resort" solution and forcing all users to setup their browsers to use proxy.

now, users can bring Memory-stick with Standalone Firefox thus bypassing my proxies.

I tend to configure serverside only and avoid managing each workstation, so I'll keep blocking all https sites by default and allow good https sites on firewall (iptables) level.
 
Old 10-27-2010, 04:12 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Quote:
Originally Posted by strakalas
yes. this has been an informative thread, unfortunately it ended up choosing the "last resort" solution and forcing all users to setup their browsers to use proxy.

now, users can bring Memory-stick with Standalone Firefox thus bypassing my proxies.

I tend to configure serverside only and avoid managing each workstation, so I'll keep blocking all https sites by default and allow good https sites on firewall (iptables) level.

You have a badly designed network. Congratulations.
 
Old 10-27-2010, 06:55 AM   #14
strakalas
LQ Newbie
 
Registered: Oct 2010
Distribution: CentOS, Ubuntu
Posts: 6

Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
You have a badly designed network. Congratulations.

please point me to any keywords that would lead to better designed network, that would prevent the problems you mentioned.

this was a fictional case with Proxies and standalone browsers, as now all control is performed at iptables level.
 
Old 10-27-2010, 09:12 AM   #15
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Sorry... my bad...

Quote:
Originally Posted by acid_kewpie
You have a badly designed imaginary network. Congratulations.

keywords? You don't need keywords, you need proper knowledge about network security.
 
  


All times are GMT -5.