LinuxQuestions.org
Old 12-23-2010, 04:23 AM   #1
linboy70
LQ Newbie
 
Registered: Dec 2010
Posts: 2

Rep: Reputation: 0
HTTPS & P2P traffic


I have a Debian server running at the gateway level on a LAN.
This runs squid for creating block lists of websites - for eg. blocking social networking on the LAN. Also uses iptables.

I am able to do a lot of things with squid & iptables, but a few things seem difficult to achieve.

1) If I block http://www.facebook.com, people can still access https://www.facebook.com because squid doesn't go through https traffic by default. However, if the users set the gateway IP address as the proxy in their web browser, then https is also blocked. So I can do one thing: using iptables, drop all outgoing 443 traffic, so that people are forced to set the proxy in their browser in order to browse any HTTPS site. However, is there a better solution for this?

2) As the number of blocked URLs in squid increases, I am planning to integrate squidguard. However, the good squidguard lists are not free for commercial use. Does anyone know of a good squidguard list which is free?

3) Block yahoo messenger, gtalk etc.
There are so many ports on which these Instant Messenger programs work. You need to drop lots of outgoing ports in iptables. However, new ports get added, so you have to keep adding them. And even if your list of ports is current, people can still use the web version of gtalk etc.

4) Blocking P2P. Haven't been able to figure out how to do this till now.


Yeah, I know I shouldn't be censoring people, but my boss wants me to do it & in the current job market I can't afford to lose my job :-(
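The explicit-proxy side of point 1, as an added example that is not from the thread: with a non-transparent squid, the browser sends a CONNECT request naming the host for every https site, so one dstdomain ACL blocks the https and http versions of a site alike. Assumed: LAN range 192.168.1.0/24 and a block list file /etc/squid/blocked_domains containing one domain per line (for example ".facebook.com").

```conf
# squid.conf fragment (added example, not from the thread).
# squid runs as an explicit proxy: no "transparent" option on http_port,
# clients are configured to use gateway:3128.
http_port 3128

# assumed LAN range
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# assumed block list file; a leading dot matches the domain and its subdomains
acl blocked_sites dstdomain "/etc/squid/blocked_domains"

# Evaluate the block list first so it applies to GET and CONNECT requests alike
http_access deny blocked_sites
# Only allow CONNECT tunnels to 443, never to arbitrary ports
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
```

Denied CONNECT requests show up in access.log with TCP_DENIED, so the log also records which hosts keep trying blocked sites.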
 
Old 12-24-2010, 03:06 AM   #2
getviswa
LQ Newbie
 
Registered: May 2010
Posts: 23

Rep: Reputation: 0
You can deny the https traffic with squid sslbump and an icap server.

That is, sslbump decrypts the https URL details and sends them to the icap server, where you can write a script for the icap server to block the URL.


Thanks
-Viswa
 
Old 12-24-2010, 03:23 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
1) you shouldn't need sslbump or anything, it sounds like you've set up a network that, for a standard commercial environment, is too open in the first place. It's the norm to drop all outbound client network traffic by default, so you should absolutely be blocking https by default and making clients use a proxy explicitly. Transparent proxies, as I guess you are currently using for http, are very very overrated, and have so many limitations. Doing https MITMs by design is a really dubious thing to do, and can potentially have all sorts of legal issues in terms of you theoretically spying on your users' online banking sessions without their knowledge etc. Use a proxy properly and these problems disappear.

3) deny by default, not by exception.

4) deny by default, not by exception.

Last edited by acid_kewpie; 12-24-2010 at 03:24 AM.
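The "deny by default, not by exception" policy from the post above, as an added example that is not from the thread: a POSIX shell script that generates an iptables egress rule set for the gateway (and applies it only when run as root with the argument "apply"). Assumed names: LAN on eth1, WAN on eth0, LAN subnet 192.168.1.0/24, squid on the gateway's port 3128; DNS pass-through is also an assumption and can be narrowed to the local resolver.

```shell
#!/bin/sh
# Deny-by-default egress for a LAN gateway (added example, not from the thread).
# Assumed interface names, subnet and proxy port; override via environment.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Emit the rule set, one iptables command per line, without executing anything,
# so the policy can be reviewed or diffed before it is applied.
# Effect: nothing from the LAN is forwarded except DNS and replies to existing
# flows, so direct 80/443, IM and P2P ports are all dropped; clients can only
# reach the web through the explicit proxy on the gateway itself (INPUT rule).
# The LOG rule records every denied attempt, which is how you spot hosts still
# running P2P or IM clients.
egress_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j LOG --log-prefix "EGRESS-DENY: " --log-level 4
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
}

# Number of emitted rules; a quick sanity check of the generator.
rule_count() {
    egress_rules | grep -c '^iptables '
}

# Apply the rules (requires root). Each emitted line is run by sh so that the
# quoted --log-prefix survives intact.
apply_rules() {
    egress_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    egress_rules
fi
```

Denied attempts appear in the kernel log with the EGRESS-DENY prefix, e.g. via `grep EGRESS-DENY /var/log/kern.log`.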
 
Old 12-24-2010, 03:51 AM   #4
getviswa
LQ Newbie
 
Registered: May 2010
Posts: 23

Rep: Reputation: 0
Excellent idea ... It will work

Thanks
-Viswa
 
Old 12-24-2010, 04:55 AM   #5
linboy70
LQ Newbie
 
Registered: Dec 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie

3) deny by default, not by exception.

4) deny by default, not by exception.

P2P is very difficult to deny - if you deny other ports it will use port 80, & you cannot deny port 80.
Likewise for some IM clients.
 
Old 12-24-2010, 06:58 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Quote:
Originally Posted by linboy70
P2P is very difficult to deny - if you deny other ports it will use port 80 & you cannot deny port 80.
Likewise for some IM clients.
Yes, but that has nothing to do with what you asked about. There you're largely down to blocking destination IPs and user agent $