How to block HTTPS website?
-
Yes, your list of IPs looks much better! ;)
Also happy to see our instructions seem to match up.
Steve
-
But your answer is better, I don't have any screenshot… :D
We were answering at the same time...
-
Glad if any of the three similar suggestions helps.
-
An alias to apps.facebook.com can do the job also.
-
Squid can't proxy https traffic. You have to block all https to force people to use the proxy.
You could block all https and then allow it only to sites you need.
As Metu69salemi suggested, create an alias containing all of facebook's IPs and block that.
Steve
Squid can indeed proxy HTTPS traffic. I think what you refer to is that, due to the design of the HTTPS protocol, it is not possible (with any software) to set up a transparent HTTPS proxy.
-
Hmm, I stand corrected.
I would think, though, that in this case it wouldn't be useful since as you say it can't be transparent.
This raises some interesting questions about the end-to-end encryption of https. :-
More reading required….
Steve
-
Squid can indeed proxy HTTPS traffic. I think what you refer to is that, due to the design of the HTTPS protocol, it is not possible (with any software) to set up a transparent HTTPS proxy.
It could be done, but requires some 'nasty' configuration.
You have to create a local CA, install the CA certificate on users' machines and forward all https to your local web server with proxy mode, just like a man-in-the-middle attack.
Imspector has this option to proxy msn_https communication and create self-signed certificates to match the common-name client check.
-
Hi All,
Thank you so much for suggestions.
thx.
-
Well….
I recently discovered on Linux how to block sites by content, so anything containing the string facebook will be blocked:
iptables -A FORWARD -p tcp -m string --string "facebook" --algo kmp -j DROP
It works for me... I do not know if ipfw has a similar parameter... I hope so, because I'm about to migrate to pfSense.
Hi All,
Anybody know how to block HTTPS-based sites (e.g. https://facebook.com) without blocking only port 443? Because that blocks all HTTPS-based sites. I want to block only mail sites.
Thanks in Advance
-
pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
I think you may be out of luck translating that from iptables. :-\
Steve
-
"This raises some interesting questions about the end-to-end encryption of https."
Depends on how you're doing it – by default it's just a tunnel that squid passes the packets through - it has no understanding of what is inside the tunnel. Which is why it can be difficult to filter on https URLs, etc.
Here is a good read on how squid can handle https and/or any other protocol you want to allow through the proxy:
http://wiki.squid-cache.org/Features/HTTPS
-
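Added example, not part of any post in this thread and not Squid's own code: a sketch of what an explicit (non-intercepting) proxy can see of an HTTPS request, namely the host and port in the CONNECT line, and how a per-domain block decision can be made from that alone. The function names, the blocklist and the sample requests are constructed for illustration.

```python
# Constructed illustration: an explicit proxy sees only "CONNECT host:port",
# never the URL path or page content inside the encrypted tunnel.

BLOCKED_DOMAINS = {"facebook.com"}  # assumed policy; also covers subdomains


def parse_connect(request_head: bytes):
    """Return (host, port) from a CONNECT request head, or None otherwise."""
    request_line = request_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    # Normalise: drop IPv6 brackets, trailing dot, and case differences.
    return host.strip("[]").lower().rstrip("."), int(port)


def domain_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Match on label boundaries, so notfacebook.com is not caught."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(request_head: bytes) -> str:
    """Return 'deny', 'tunnel', or 'not-connect' for a request head."""
    target = parse_connect(request_head)
    if target is None:
        return "not-connect"
    host, _port = target
    return "deny" if domain_blocked(host) else "tunnel"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        b"CONNECT apps.facebook.com:443 HTTP/1.1\r\nHost: apps.facebook.com:443\r\n\r\n",
        b"CONNECT mail.example.org:443 HTTP/1.1\r\n\r\n",
        b"CONNECT notfacebook.com:443 HTTP/1.1\r\n\r\n",
        b"CONNECT 192.0.2.10:443 HTTP/1.1\r\n\r\n",  # client used an IP, no name to match
    ]
    for head in samples:
        print(head.split(b"\r\n", 1)[0].decode(), "->", decide(head))
```

A request made to a bare IP address passes the domain check, which is why the IP alias suggested earlier in the thread is still needed alongside a domain rule.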
pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
I think you may be out of luck translating that from iptables. :-\
Steve
If you don't mind setting up the rules manually, you can activate the portal and then create your own ipfw rules. The only trick is to make the last step in your rules skip over the portal rules (assuming you don't want captive portal functionality).