Netgate Discussion Forum

I configured HTTPS introducion but people still go to HTTPS Facebook

Off-Topic & Non-Support Discussion
20 Posts 7 Posters 9.4k Views
scornaky (Aug 27, 2013, 9:14 AM)

@kejianshi:

You are never going to get there this way…
Please give the DNS option a shot.

OK.. try it..

but.. https://de-de.facebook.com/

Welcome to Facebook in Spanish (Spain)!
https://es-es.facebook.com/

Are they working if you put them in by DNS? Yes, it works. So you want to put in all subdomains?

Of course you know that subdomain.facebook.com is not the same as facebook.com.

aslanlargibi (Aug 27, 2013, 11:34 AM)

Here is the DNS shot

and for the computers' DNS I put 192.168.1.253 (my pfSense IP)

http://img.ctrlv.in/img/521c8ea0ea25e.png

Any idea?

Thanks

kejianshi (Aug 27, 2013, 12:10 PM; edited 12:15 PM)

Yeah - get yourself a free OpenDNS account or DynDNS account.  Set up the dynamic DNS client in the pfSense menu.  Then put the DNS server IPs for the free account you set up in there in place of the IPs you currently have.  Uncheck the "Allow DNS list to be overridden" box.  Save that.  Then go into either the OpenDNS account or DynDNS account you set up online.  Log in.  Change your DNS options to filter whatever you like.

Next, you will have to make sure that all of your client machines use ONLY pfSense to get their DNS.  That is done from the settings on each machine separately.  After all this is working, you can set up some rules that block the clients from getting to port 53 on any machine other than pfSense.

GruensFroeschli also mentioned DNS overrides.  Not sure what he had in mind, but his idea may also be doable.

aslanlargibi (Aug 27, 2013, 2:40 PM)

kejianshi, I did what you said and now it works.

Thank you guys!

kejianshi (Aug 27, 2013, 2:48 PM; edited 2:50 PM)

Ahhhh - Good.  I did write up how to do that a while ago, but virtually no one even looked at it.  I figured there was no interest.
Yeah.  It worked for me too that way, but I really don't need the filtering now so I just run straight untampered DNS these days.

GruensFroeschli (Aug 28, 2013, 8:59 AM)

@kejianshi:

GruensFroeschli also mentioned DNS overrides.  Not sure what he had in mind, but his idea may also be doable.

On the DNS Forwarder page you can create a wildcard override as described here:
http://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder

If you override *.facebook.com to 127.0.0.1, this should essentially block Facebook.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

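An added example, not code from pfSense, dnsmasq or anyone in this thread, that models how the DNS Forwarder's wildcard override matches names. pfSense's DNS Forwarder is dnsmasq, which matches `address=/domain/ip` and `server=/domain/#` entries per label, by suffix, with the most specific entry winning. That is why one `address=/facebook.com/127.0.0.1` line covers facebook.com, de-de.facebook.com and es-es.facebook.com without listing every subdomain, while a lookalike such as notfacebook.com is untouched. The `server=/api.facebook.com/#` exception line and the query names are constructed for illustration.

```python
# Added example (not pfSense or dnsmasq code): a model of how the
# DNS Forwarder's wildcard override matches names.  dnsmasq matches
# address=/domain/ip and server=/domain/# entries per label, by suffix,
# and the most specific entry wins.  The exception entry and the
# query names below are constructed for illustration.
from dataclasses import dataclass

UPSTREAM = "UPSTREAM"  # marker: forward the query to the normal resolvers


@dataclass(frozen=True)
class Override:
    domain: tuple   # labels of the override domain, e.g. ("facebook", "com")
    target: str     # IP address to answer with, or UPSTREAM


def _labels(name):
    """Normalise a DNS name into a tuple of lower-case labels."""
    return tuple(name.strip().rstrip(".").lower().split("."))


def parse_overrides(text):
    """Parse 'address=/domain/ip' and 'server=/domain/#' lines into a table."""
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        # "/facebook.com/127.0.0.1" -> ["", "facebook.com", "127.0.0.1"]
        parts = rest.split("/")
        if key not in ("address", "server") or len(parts) != 3 or not parts[1]:
            raise ValueError("unsupported line: %r" % raw)
        _, domain, target = parts
        if key == "server":
            if target != "#":
                raise ValueError("only server=/domain/# (use upstream) is modelled: %r" % raw)
            target = UPSTREAM
        table.append(Override(_labels(domain), target))
    return table


def _matches(domain, name):
    """True when name equals domain or ends with '.' + domain (label boundary)."""
    n = len(domain)
    return len(name) >= n and name[-n:] == domain


def resolve(table, name):
    """Return the IP a sinkholed name answers with, or UPSTREAM; most specific entry wins."""
    labels = _labels(name)
    best = None
    for entry in table:
        if _matches(entry.domain, labels):
            if best is None or len(entry.domain) > len(best.domain):
                best = entry
    return best.target if best else UPSTREAM


# Constructed sample of what goes into the forwarder's custom options.
SAMPLE_OVERRIDES = """
# sinkhole facebook.com and every subdomain, no list of subdomains needed
address=/facebook.com/127.0.0.1
# hypothetical exception: one subdomain keeps resolving normally
server=/api.facebook.com/#
"""

# Constructed query names exercising the matching rules.
SAMPLE_QUERIES = [
    "facebook.com",
    "de-de.facebook.com",
    "es-es.facebook.com",
    "www.FACEBOOK.com.",               # case and trailing dot do not matter
    "notfacebook.com",                 # shares a suffix string, not a label boundary
    "facebook.com.attacker.example",   # sinkholed name used as a prefix, not a suffix
    "api.facebook.com",                # the more specific exception wins
    "v2.api.facebook.com",
]


def demo():
    """Resolve the sample queries against the sample table."""
    table = parse_overrides(SAMPLE_OVERRIDES)
    return {q: resolve(table, q) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for name, answer in demo().items():
        print("%-32s -> %s" % (name, answer))
```

Running it shows every facebook.com subdomain answered with 127.0.0.1, the two lookalikes passed upstream, and the exception subtree resolving normally. The model covers only what the forwarder answers; a client that is pointed at another resolver never asks pfSense at all, which is why kejianshi's rule blocking port 53 to anything other than pfSense belongs with the override.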
kejianshi (Aug 28, 2013, 9:12 AM)

Would it be possible to override them and redirect to a specified HTTPS page that says something like "That page isn't allowed" or whatever?

GruensFroeschli (Aug 28, 2013, 9:16 AM)

Sure. As long as the webserver to which you resolve the domain provides a page for this domain.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

kejianshi (Aug 28, 2013, 9:33 AM; edited 9:38 AM)

I was thinking maybe such a page could be rolled into a package for pfSense somewhere, perhaps in an add-on package.  The idea being that you could use such a DHCP redirect to catch all the filtering that squid-based filtering misses - pretty much just the HTTPS stuff.  Having a block/filter terminate in a pretty page makes admins smile.

I suppose such a page might even have to rest on the open web if 443 was already in use on pfSense.

Maybe just something that says "I'm sorry - Your administrator doesn't allow access to this site"

Followed by a series of banner ads to pay for bandwidth.  haha

tyoungls (Apr 1, 2015, 11:36 AM)

I realize this is a fairly dead thread, but it was one that came up when I was googling the topic.

My solution was a cross between a number of the ones given.

I made a wildcard DNS entry for the site youtube.com and pointed it to one YouTube server: 74.125.230.167
(look up a current server instead of using this IP)

We have a rule to block HTTPS to that IP, and then we use squidGuard to limit YouTube access during working hours.

That seems to be working for the moment.

The downside is that we will need to update our rules if that particular YouTube server goes down…

Harvy66 (Apr 1, 2015, 3:42 PM)

Also ignoring that you broke HTTPS in the process. You can't proxy HTTPS without breaking its security. Many exploits have been done around this, like forcing Windows Update to install malware. Amazing what you can do when you tell clients to trust fake CAs.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.