How to allow and deny websites (HTTPS)

  • Hi there!

    I need to allow and deny HTTPS websites.

    My question is: how can I allow some HTTPS sites and deny others? Ex: deny all HTTPS internet sites and allow only for example.

    What I already did:

    • Squid proxy filter and squid guard packages installed - OK
    • Local cache applied (squid) - OK
    • Transparent proxy active - OK
    • HTTPS filtering (with local CA selected) active - OK
    • Download blacklist (squid guard, for HTTP sites) - OK
    • Create a CA certificate - OK
    • Export the CA certificate and put it in the most trusted certificates on clients - OK

    And here I am: I can allow or deny sites based on categories, but only for HTTP sites; all HTTPS sites are blocked.

    Thank you for your help, and I'm sorry if this topic already exists.



  • @RCC_CT

    I would try the following:

    1. Create an alias with the allowed domain names.
    2. Create rule on LAN: Action: Pass | Protocol: TCP | Destination: Single host or alias: YOUR ALIAS | Destination Port Range: 443
    3. Create rule on LAN under the above rule: Action: Reject | Protocol: TCP | Destination: ANY | Destination Port Range: 443

    Make sure to move these rules into the correct order (very important).

    Besides that, you might want to change the interval "Aliases Hostnames Resolve Interval" at "System > Advanced > Firewall & NAT" (e.g. set it to 30).

  • Thanks @bouke!

    I'll try it and post the result later!

  • @bouke Thanks man, your tip works very well!

  • @RCC_CT You are welcome.

    Please keep in mind that this is not a "perfect" solution as "other" domains will still be reachable when such a domain shares the same IP address as an allowed domain. This is the case with "shared webhosting".
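
The two-rule setup and its shared-IP caveat from the replies above, as an added example that is not part of the thread: a simplified first-match model of the LAN rules that also lists hostnames outside the alias that remain reachable. The hostnames, the addresses (documentation ranges) and all function names are constructed for illustration.

```python
import ipaddress

# Constructed DNS answers (documentation address ranges), not real lookups.
DNS = {
    "portal.example.org": ["203.0.113.10"],
    "intranet.example.net": ["198.51.100.7"],
    "other-tenant.example.com": ["198.51.100.7"],  # shared hosting, same IP
    "blocked.example.com": ["192.0.2.44"],
}
ALLOWED = ["portal.example.org", "intranet.example.net"]  # the alias entries

def resolve_alias(hostnames, dns=DNS):
    """Expand a hostname alias to the IP set the firewall really matches on."""
    return {ipaddress.ip_address(ip) for h in hostnames for ip in dns.get(h, [])}

def build_rules(allowed, dns=DNS):
    """Rule 1: pass TCP/443 to the alias. Rule 2, below it: reject TCP/443 to any."""
    return [
        {"action": "pass", "dst": resolve_alias(allowed, dns), "port": 443},
        {"action": "reject", "dst": "any", "port": 443},
    ]

def evaluate(rules, dst_ip, dst_port):
    """Top-down, first match wins (simplified model of the LAN rule list)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["port"] == dst_port and (rule["dst"] == "any" or ip in rule["dst"]):
            return rule["action"]
    return "no-match"  # left to whatever other rules exist on the interface

def shared_ip_leaks(allowed, dns=DNS):
    """Hostnames outside the alias that still land on an allowed IP."""
    alias_ips = resolve_alias(allowed, dns)
    return sorted(
        host for host, ips in dns.items()
        if host not in allowed and alias_ips & resolve_alias([host], dns)
    )

if __name__ == "__main__":
    rules = build_rules(ALLOWED)
    for host, ips in DNS.items():
        print(f"{host:26} {ips[0]:14} {evaluate(rules, ips[0], 443)}")
    print("reachable despite not being in the alias:", shared_ip_leaks(ALLOWED))
    # Wrong order: the reject-any rule matches first and the alias is never used.
    print("reversed order:", evaluate(rules[::-1], "203.0.113.10", 443))
```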

  • @RCC_CT Hi. Have you found any solutions that work here? I am also looking for the best solutions for blocking HTTP sites and found this thread too. They have good suggestions too:

    So far no updated feedback on whether it worked too.

  • Hi @chrispeddler!

    Your topic is the same solution as bouke's; here it works well. You need to create aliases and create a firewall rule with the alias to block or allow HTTPS sites. Here I use squid guard to block HTTP.
