Netgate Discussion Forum

    How to allow and deny websites (HTTPS)

    Off-Topic & Non-Support Discussion
    7 Posts 3 Posters 442 Views
    RCC_CT

      Hi there!

      I need to allow and deny HTTPS websites.

      My question is, how can I allow some HTTPS sites and deny others? E.g. deny all HTTPS internet sites and allow only forum.netgate.com.

      What I already did:

      • Squid proxy filter and SquidGuard packages installed - OK
      • Local cache applied (Squid) - OK
      • Transparent proxy active - OK
      • HTTPS filtering (with local CA selected) active - OK
      • Download blacklist (SquidGuard, for HTTP sites) - OK
      • Create a CA certificate - OK
      • Export the CA certificate and put it in the most trusted certificates on the clients - OK

      And here I am, I can allow or deny sites based on categories, but only for HTTP sites, all HTTPS sites are blocked.

      Thank you for help, and I'm sorry if this topic already exists.

      Regards,

      Robert

      bouke @RCC_CT

        @RCC_CT

        I would try the following:

        1. Create alias with allowed domain names.
        2. Create rule on LAN: Action: Pass | Protocol: TCP | Destination: Single host or alias: YOUR ALIAS | Destination Port Range: 443
        3. Create rule on LAN under the above rule: Action: Reject | Protocol: TCP | Destination: ANY | Destination Port Range: 443

        Make sure to move these rules into the correct order (very important).

        Besides that, you might want to change the "Aliases Hostnames Resolve Interval" under "System > Advanced > Firewall & NAT" (e.g. set it to 30).

        RCC_CT

          Thanks @bouke!

          I'll try it and post the result later!

          RCC_CT @bouke

            @bouke Thanks man, your tip works very well!

            bouke @RCC_CT

              @RCC_CT You are welcome.

              Please keep in mind that this is not a "perfect" solution as "other" domains will still be reachable when such a domain shares the same IP address as an allowed domain. This is the case with "shared webhosting".

              chrispeddler @RCC_CT
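To make the rule ordering from bouke's three steps and the shared-hosting caveat above concrete, here is an added example (not code from the thread or from pfSense) that simulates the two LAN rules with first-match evaluation. The DNS table is constructed and stands in for pfSense resolving the alias hostnames on its resolve interval.

```python
# Added example, not code from the thread: a first-match simulation of bouke's two LAN
# rules, with a constructed DNS table standing in for pfSense's periodic alias resolution.

# Constructed DNS answers (assumption; real aliases are resolved by pfSense on the
# "Aliases Hostnames Resolve Interval"). blog.example.org shares an IP with
# docs.example.org to model the shared-webhosting caveat.
DNS = {
    "forum.netgate.com": {"203.0.113.10"},
    "docs.example.org": {"198.51.100.5"},
    "blog.example.org": {"198.51.100.5"},
}

ALLOWED_HTTPS = ["forum.netgate.com", "docs.example.org"]   # the alias contents


def resolve_alias(names, dns=DNS):
    """Expand a hostname alias into the set of IPs the firewall will actually match on."""
    ips = set()
    for name in names:
        ips |= dns.get(name, set())
    return ips


def build_rules(allowed_ips):
    """The two LAN rules in the order bouke gives: pass to the alias first, then reject any."""
    return [
        {"action": "pass",   "proto": "tcp", "dst": allowed_ips, "port": 443},
        {"action": "reject", "proto": "tcp", "dst": None,        "port": 443},  # None = any
    ]


def evaluate(rules, proto, dst_ip, dst_port):
    """pfSense interface rules are evaluated top-down; the first matching rule wins."""
    for rule in rules:
        if rule["proto"] != proto or rule["port"] != dst_port:
            continue
        if rule["dst"] is None or dst_ip in rule["dst"]:
            return rule["action"]
    return "no-match"   # falls through to whatever rules follow on LAN


def check_domain(domain, rules, dns=DNS):
    """Outcome of an HTTPS connection to `domain`, per resolved IP."""
    return {ip: evaluate(rules, "tcp", ip, 443) for ip in dns[domain]}


if __name__ == "__main__":
    rules = build_rules(resolve_alias(ALLOWED_HTTPS))
    for domain in DNS:
        print(domain, check_domain(domain, rules))
    # Swapping the rule order rejects everything, including the allowed alias.
    print("reversed:", check_domain("forum.netgate.com", list(reversed(rules))))
```

Running it shows blog.example.org passing even though it is not in the alias, because the firewall only sees the shared IP, and shows every HTTPS connection rejected when the two rules are in the wrong order.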

                @RCC_CT Hi. Have you found any solution that works here? I am also looking for the best solution for blocking HTTP sites and found this thread too. They have good suggestions too:
                https://forum.netgate.com/topic/39870/how-to-block-https-website/14

                So far no updated feedback on whether it worked too.

                  RCC_CT

                  Hi @chrispeddler!

                  Your topic has the same solution as bouke's; here it works well. You need to create aliases and create a firewall rule with the alias to block or allow HTTPS sites. Here I use SquidGuard to block HTTP.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.