How to allow and deny websites (HTTPS)



  • Hi there!

    I need to allow and deny HTTPS websites.

    My question is, how can I allow some HTTPS sites and deny others? Ex: deny all HTTPS internet sites and allow only forum.netgate.com for example.

    What I already did:

    • Squid proxy filter and squid guard packages installed - OK
    • Local cache applied (squid) - OK
    • Transparent proxy active - OK
    • HTTPS filtering (with local CA selected) active - OK
    • Download blacklist (squid guard, for HTTP sites) - OK
    • Create a CA certificate - OK
    • Export CA certificate and put it in the most trusted certificates on clients - OK

    And here I am, I can allow or deny sites based on categories, but only for HTTP sites, all HTTPS sites are blocked.

    Thank you for the help, and I'm sorry if this topic already exists.

    Regards,

    Robert



  • @RCC_CT

    I would try the following:

    1. Create alias with allowed domain names.
    2. Create rule on LAN: Action: Pass | Protocol: TCP | Destination: Single host or alias: YOUR ALIAS | Destination Port Range: 443
    3. Create rule on LAN under the above rule: Action: Reject | Protocol: TCP | Destination: ANY | Destination Port Range: 443

    Make sure to move these rules into the correct order (very important).

    Besides that you might want to change the interval "Aliases Hostnames Resolve Interval" at "System > Advanced > Firewall & NAT" (e.g. set it to 30).



  • Thanks @bouke!

    I'll try it and post the result later!



  • @bouke Thanks man, your tip works very well!



  • @RCC_CT You are welcome.

    Please keep in mind that this is not a "perfect" solution as "other" domains will still be reachable when such a domain shares the same IP address as an allowed domain. This is the case with "shared webhosting".
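
The rule order and the shared-IP caveat from the replies above, as an added example that is not part of the original posts. It models top-down, first-match rule evaluation against an alias that has been resolved to IP addresses; the hostnames, documentation-range addresses and function names are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed DNS data (documentation addresses): two sites share one hosting IP.
DNS = {
    "allowed.example": ["203.0.113.10"],
    "other.example": ["203.0.113.10"],   # same IP as the allowed site
    "blocked.example": ["198.51.100.7"],
}

def resolve_alias(hostnames, dns=DNS):
    """Turn a hostname alias into the set of IPs the firewall actually matches on."""
    return {ip_address(ip) for h in hostnames for ip in dns.get(h, [])}

def evaluate(rules, dst_ip, dst_port, proto="tcp"):
    """First matching rule wins; traffic matching no rule is blocked by default."""
    dst = ip_address(dst_ip)
    for action, r_proto, r_dst, r_port in rules:
        if r_proto == proto and r_port == dst_port and (r_dst == "any" or dst in r_dst):
            return action
    return "block"

def verdict(rules, hostname, dns=DNS):
    """Decision for a LAN client opening HTTPS to hostname (first A record)."""
    return evaluate(rules, dns[hostname][0], 443)

# Hypothetical rule tuples: (action, protocol, destination, destination port)
ALIAS = resolve_alias(["allowed.example"])
PASS_RULE = ("pass", "tcp", ALIAS, 443)
REJECT_RULE = ("reject", "tcp", "any", 443)

CORRECT_ORDER = [PASS_RULE, REJECT_RULE]   # pass rule above the reject rule
WRONG_ORDER = [REJECT_RULE, PASS_RULE]     # reject matches first, alias never used

if __name__ == "__main__":
    for name in DNS:
        print(f"{name:16} correct={verdict(CORRECT_ORDER, name):6} "
              f"wrong={verdict(WRONG_ORDER, name)}")
```

With the correct order, `other.example` is passed as well because the filter only sees the destination IP, which is the shared-hosting limitation described above.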



  • @RCC_CT Hi. Have you found any solutions that work here? I am also looking for the best solutions for blocking HTTP sites and found this thread too. They have good suggestions too:
    https://forum.netgate.com/topic/39870/how-to-block-https-website/14

    So far no updated feedback on whether it worked too.



  • Hi @chrispeddler!

    Your topic is the same solution as bouke's; it works well here. You need to create aliases and create a firewall rule with the alias to block or allow HTTPS sites. Here I use squid guard to block HTTP.

