How to block HTTPS website?

Metu69salemi · Dec 10, 2011, 11:52 PM

Glad if any of three same kind suggestions may help

marcelloc · Dec 11, 2011, 2:45 AM

an alias to apps.facebook.com can do the job also.

joako · Dec 11, 2011, 4:52 AM

Squid can't proxy https traffic. You have to block all https to force people to use the proxy.

You could block all https and then allow it only to sites you need.

As Metu69salemi suggested, create an alias containing all of facebook's IPs and block that.

Steve

Squid can indeed proxy HTTPS traffic. I think what you refer to is due to the design of the HTTPS protocol it is not possible (with any software) to setup a transparent HTTPS proxy.

stephenw10 · Dec 11, 2011, 4:13 PM

Hmm, I stand corrected.
I would think, though, that in this case it wouldn't be useful since as you say it can't be transparent.
This raises some interesting questions about the end-to-end encryption of https. :-
More reading required….

Steve

marcelloc · Dec 11, 2011, 10:25 PM

Squid can indeed proxy HTTPS traffic. I think what you refer to is due to the design of the HTTPS protocol it is not possible (with any software) to setup a transparent HTTPS proxy.

It could be done, but requires some 'nasty' configuration.

You have to create a local CA, install CA certificate on users machines and forward all https to your local web server with proxy mode, just like man-in-the-middle attack.

Imspector has this options to proxy msn_https communication and create self-signed certificates to match common-name client check.

sudo · Dec 12, 2011, 8:08 AM

Hi All,

Thank you so much for suggestions.

thx.

emel_punk · Sep 24, 2012, 6:45 PM

Well….

i have recently discover on linux how to block sites per contain so any string that contains facebook, will be block

iptables -A FORWARD -p tcp -m string --string "facebook" --algo kmp -j DROP

i works for me... i do not know if with ipfw will have some simillar parameter ... i hope seo because im about to migrate to pfsense

@sudo:

Hi All,

Anybody know how to block HTTPS base sites. (ex. https://facebook.com) without blocking only 443 port. because It block all the https base site. I want to block only mail sites.

Thanks in Advance

stephenw10 · Sep 24, 2012, 7:32 PM

pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
I think you may out of luck translating that from iptables. :-\

Steve

johnpoz · Sep 24, 2012, 7:40 PM

"This raises some interesting questions about the end-to-end encryption of https."

Depends on how your doing it – by default its just a Tunnel that squid passes the packets through - it has no understanding of what is inside the tunnel. Which is why it can be difficult to filter on https urls, etc.

here is a good read on how squid can handle https and or any other protocol you want to allow through the proxy
http://wiki.squid-cache.org/Features/HTTPS

rjcrowder · Sep 24, 2012, 8:02 PM

@stephenw10:

pfSense uses pf(4) not ipfw. Though it does use ipfw for the captive portal function.
I think you may out of luck translating that from iptables. :-\

Steve

If you don't mind setting up the rules manually, you can activate the portal and then create your own ipfw rules. The only trick is to make the last step in your rules skip over the portal rules (assuming you don't want captive portal functionality).