Title: https://facebook.com not blocked by proxy Post by: djtzar on Friday 27 February 2009, 10:39:02 pm I block facebook.com , but it seems there is a workaround where users change to https://facebook.com and then can access. It blocks again on the http://facebook.com/home.php? but then they just change it to https and it works! Is there some way to block the whole range of IPs for facebook? I've tried with the Block List on the Content Filter but doesn't seem to be able to block https traffic.
Any suggestions? Title: Re: https://facebook.com not blocked by proxy Post by: gyp_the_cat on Saturday 28 February 2009, 02:44:27 am I'm not sure why this isn't working for you to be honest, we have
Quote from: /etc/dansguardian/blacklists/socialnetworking/domains facebook.com and it works fine.You could always update your /etc/hosts to the following I guess if that still doesn't work: Quote from: /etc/hosts 127.0.0.1 www.facebook.com 127.0.0.1 facebook.com Title: Re: https://facebook.com not blocked by proxy Post by: djtzar on Tuesday 03 March 2009, 02:54:34 am I guess I didn't explain myself correctly , facebook.com get's blocked fine , it's the secure https that's posing the problem.
Title: Re: https://facebook.com not blocked by proxy Post by: martec on Wednesday 04 March 2009, 01:48:08 am Hi,
after read your post i try... it's true! No block httpS traffic...(all traffic in https bypass the content filter ?!?!?)... I add facebook.com in blacklist: if in adress browser i write http://facebook.com, or http://www.facebook.com the endian BLOCK that, but if write https://facebook.com ... the browser open the site... This is a BIG problem!!! The workaround it's ok if nobody must have access on the site, but if someone need the access??? Title: Re: https://facebook.com not blocked by proxy Post by: npeterson on Wednesday 25 March 2009, 05:50:24 am it works fine for myself. What are your Allowed SSL ports? Are the clients in a bypass list?
Title: Re: https://facebook.com not blocked by proxy Post by: djtzar on Friday 27 March 2009, 09:19:59 pm No clients are not in the bypass list , here are my allowed ports :
443 # https 563 # snews 3001 # ntop Problem is I do need https access for certain sites. I've also added the whole IP block for facebook yet still https traffic get's passed. Title: Re: https://facebook.com not blocked by proxy Post by: npeterson on Saturday 28 March 2009, 07:34:53 am And you are placing just "facebook.com" into the Block the following sites on the content filtering page. Each entry on its own line with no comment (#) lines infront of the address?
Title: Re: https://facebook.com not blocked by proxy Post by: martec on Monday 30 March 2009, 08:56:36 pm facebook.com it's in block list (tab proxy - content filer) without # at front...
The SSL port configure are (tab Proxy, Configuration, line "Allowed Ports and SSL Ports") : 443 # https 563 # snews 3001 # ntop https://facebook.com it's NOT blocked... Title: Re: https://facebook.com not blocked by proxy Post by: npeterson on Tuesday 31 March 2009, 08:21:09 am What version of endian do you run?
Have you made any manual changes to squid.conf? Are you blocking port 443 on the firewall? And setting the clients to use proxy port 8080 for its SSL proxy? Title: Re: https://facebook.com not blocked by proxy Post by: jpgillivan on Wednesday 29 April 2009, 12:16:37 am I tired this also and the https site let me in. However, everytime I tried to do something it seemed that the web site kept reverting back to http:
If I place a S in there and make it https: then the page loads, but I have to do it almost every page change. It might be enought to be a pain in the arse and defer users from going to that site. Title: Re: https://facebook.com not blocked by proxy Post by: jpgillivan on Tuesday 05 May 2009, 04:30:47 am Apparently this does not apply to just facebook but I tried http://www.plentyoffish.com and it was blocked by my blocked sites list in the content filter but again when using HTTPS it allows the site to load. My guess is that this is becuase port 443 is allowed in PROXY > HTTP > CONFIGURATION > ALLOWED PORTS AND SSL PORTS the web page is bypassing the content filter.
Question is now, how to block the https sites that are listed in the content filter but allow all others to pass? Title: Re: https://facebook.com not blocked by proxy Post by: MAllam on Thursday 28 May 2009, 02:24:16 am Hi,
Can I just say we are suffering from this too, whatever address we block can simply be overcome by typing in https://blockedomain.com instead ... really annoying! Title: Re: https://facebook.com not blocked by proxy Post by: jpgillivan on Thursday 28 May 2009, 03:27:25 am Ok. So, were are experiencing problems with Endian so I put our old Netgear firewall back in play. It has site blocking by keyword. If I block facebook I cannot go to http://www.facebook.com but I can still go to https://www.facebook.com. &%$*#^&* UGHHHHH. So...... my deduction is that this is not and Endian specific issue but more of a HTTPS (port 443) issue.
Title: Re: https://facebook.com not blocked by proxy Post by: npeterson on Friday 05 June 2009, 02:52:35 am Hmm. I suspect that port 443 is open on your firewalls, thus bypassing your proxies. Endian ships with a rule to allow the green interface out by default. Make sure this is shut off(number 2 on mine). Firewall -> Outgoing traffic. there should not be a check mark in the box on the right. or change the rule to deny.
Title: Re: https://facebook.com not blocked by proxy Post by: jpgillivan on Friday 05 June 2009, 04:26:46 am mpeterson, that doesn't make sense. port 443 is tied to the https protocol just like port 80 is tied to http. Using your methodology then if I wanted to block http://www.facebook.com then I should disable port 80. Then all web sites would be blocked. Your suggestion is unacceptable. http://www.facebook.com is blocked using the content filter with port 80 enabled. There are many legit sites where one would have to use HTTPS (port 443), banking for example. This question is how to force Endian to filter HTTPS (port 443) traffic content.
Title: Re: https://facebook.com not blocked by proxy Post by: npeterson on Friday 05 June 2009, 05:51:05 am Squid is endians proxy agent. It proxy's HTTP (80) and HTTPS(443) traffic. If you leave ports 80 and 443 open on the firewall, you are not going through squid, or through the content filter dansguardian. You are going strait out to the internet unfiltered. period. Squid and dansgaurdian does the filtering, Not the operating system.
Your clients need to be set to use the proxy port 8080 for all traffic, not just http traffic. Title: Re: https://facebook.com not blocked by proxy Post by: jpgillivan on Friday 05 June 2009, 07:32:05 am Then can you explain to me why http://www.facebook.com is blocked even though port 80 (FIREWALL>OUT GOING) is enabled and https://www.facebook.com is not?
I did set the my web browser to the proxy 8080 and it did prevent the web site from displaying, but it didn't display the Endian page saying it was blocked when accessing the https site, just a 403 forbidden error. But it does display the endian message when going to http. ??????? Any way around having to set the web browsers to use the proxy 8080? Can I safely set the proxy on Endian to port 80? Title: Re: https://facebook.com not blocked by proxy Post by: npeterson on Wednesday 10 June 2009, 01:34:00 am Then can you explain to me why http://www.facebook.com is blocked even though port 80 (FIREWALL>OUT GOING) is enabled and https://www.facebook.com is not? Your using transparent proxy. Linux( not the proxy) looks at the packets desination, and see's it port for 80, it then has a rule to redirect that request to the proxy service. I did set the my web browser to the proxy 8080 and it did prevent the web site from displaying, but it didn't display the Endian page saying it was blocked when accessing the https site, just a 403 forbidden error. But it does display the endian message when going to http. ??????? No It doesnt. There may be a way to generate a message, but i havent looked into it. Any way around having to set the web browsers to use the proxy 8080? Can I safely set the proxy on Endian to port 80? Yes, its called Web Proxy Autodiscovery protocol (Wpad) http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol (http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) Its not hard, and theres 2 methods to setting this up. DNS or DHCP. the good thing is that the script is already made for you, endian does it. the script is hosted on your fw as http://<fw name>/wpad.dat So all that is left for you to do is create a DNS entry for wpad that points to your firewall or/and create a DHCP Scope option of #252 to http://<fw name>/wpad.dat Heres some reading from microsoft: http://technet.microsoft.com/en-us/library/cc713344.aspx (http://technet.microsoft.com/en-us/library/cc713344.aspx) Its talking about ISA firewall, but halfwat down the page its starts into how to configure microsoft dns and dhcp options for wpad under Configuring WPAD Entries. Title: Re: https://facebook.com not blocked by proxy Post by: pkraus109 on Thursday 14 January 2010, 08:23:40 am Not to perform some necromancy an this thread but what a solution ever found as to how to display a page when https was blocked rather than it just erroring?
Title: Re: https://facebook.com not blocked by proxy Post by: a4tech2010 on Saturday 05 March 2011, 10:16:07 pm is endian firewall a port based firewall? if yes, then maybe it can't or wont be able to filter those who are using / hiding ssl/443 ports. Now maybe this is what the box/solution lacks of. There are firewalls out there that based their sessions/policy using applications instead of ports, which other apps / sites can tunnel. To name a few , we have palo alto networks, juniper and sonicwall. But hoping that endian can fix this soon.
Title: Re: https://facebook.com not blocked by proxy Post by: laythingy59 on Tuesday 15 March 2011, 02:26:16 am surely these is a way to proxy https traffic and filter out the sites causing issues like facebook. Im having the same issue and i have also setup site filterng using a netgear router. sure enough it lets https traffic through.
Title: Re: https://facebook.com not blocked by proxy Post by: hickmanr on Tuesday 15 March 2011, 06:39:58 am Please see the below topic for a work around and more information.
http://www.efwsupport.com/index.php?topic=2443.0 (http://www.efwsupport.com/index.php?topic=2443.0) Title: Re: https facebook not blocked by proxy Post by: phyrexian on Wednesday 23 March 2011, 03:37:35 am To anyone who comes across this thread:
The problem your experiencing is with your methodology. someone a few comments back has said: Quote that doesn't make sense. port 443 is tied to the https protocol just like port 80 is tied to http. Using your methodology then if I wanted to block -website- then I should disable port 80. Then all web sites would be blocked. Your suggestion is unacceptable. The problem with this concept is that the two protocols are NOT the same. A cache proxy CAN read the contents of an HTTP GET packet, it can take the "host" header and apply a rule to the session based on the contents. HTTPS is not the same, HTTPS packets are encrypted from the endpoint device all the way to the server. because of this, a proxy has no idea what the packet contains. Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP. IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's, but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery. If you are SERIOUS about what content your users need to be able to reach, you need to start approaching the situation as a whitelist rather then a blacklist. block everything, and only allow what people should be using. (IMHO: user training is a MUCH better solution then blocking anything at all.) Title: Re: https://facebook.com not blocked by proxy Post by: TheEricHarris on Sunday 04 December 2011, 04:59:07 am So I also had smarter than average employees using httpS://facebook.com and other httpS:// URL's to get around my whitelist.
I am forcing IE to use my firewall's IP and port 8080 for the proxy settings. This blocks the httpS:// sites that are not on my whitelist for their group of IP addresses. Kinda lame but it works. Title: Re: https://facebook.com not blocked by proxy Post by: nicolethomson on Thursday 23 February 2012, 05:13:00 pm this could be a old thread, but i am having this issue
the transparent proxy stuff blocks only port 80, not the 443 stuff, where if i do the manual changes in every browser "Use proxy for all protocal's" it does block them clearly. then the issue comes back, when it comes to bigger network of laptop's "annoying users might say" i can't do this everyday at home and here .... is there a way to achieve transparent https content filtering too? nic Title: Re: https://facebook.com not blocked by proxy Post by: mrkroket on Friday 24 February 2012, 03:38:28 am It's a recurring question. Unless the very advanced ones, transparent proxies can't filter out HTTPS by default.
HTTPS is a secure channel, anything that intercepts it should be considered an attack. HTTPS request are very different, they are encrypted packets going out to a numerical IP, there is no way the proxy can intercept the URL request without breaking the whole SSL security. Having said that, I prefer this issue rather than a crippled HTTPS security that who-knows can sniff it. Non-transparent proxy solves that problem. About configuring clients on non-transparent, with the proxy.pac they should be automatically configured, only you have to enable the automatic proxy config in IE. I barely need to tweak clients once you set up the system correctly. With Active Directory, users get through non-transparent proxy in a "transparent" way, the proxy don't ask about credentials, domain credentials are automatically used. So if you use Windows+Active Directory, non-transparent works great. There are some issues with pages with non-standard ports, but it's ok. If you use transparent, your only way is to block/mask either DNS requests or IP's on forbidden webpages. Use Edit Hosts to block DNS and outgoing firewall to block IP's Title: Re: https://facebook.com not blocked by proxy Post by: almondpolintan on Friday 30 March 2012, 04:06:17 pm hey mrkroket help me
my question is here any help .. i used 2.5.1 transparent or not transparent proxy enable i received this error when accesing any website using http ERROR The requested URL could not be retrieved While trying to retrieve the URL: The following error was encountered: The request or reply is too large. If you are making a POST or PUT request, then your request body (the thing you are trying to upload) is too large. If you are making a GET request, then the reply body (what you are trying to download) is too large. These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error. Your cache administrator is webmaster. Endian Firewall - Powered by Squid Title: Re: https://facebook.com not blocked by proxy Post by: kashifmax on Wednesday 11 April 2012, 06:03:44 pm mrkroket is right.
This is not an EFW issue, you can not redirect SSL traffic by any means as it is called "Man in the middle". You can only use content filter to restrict traffic or use ssl bump flag in squid which is off course not recommended :-( For smaller organizations lets say 100-200 employees, set the proxy on their browsers by this way you can allow or block HTTP/HTTPS traffic. But larger than the specified numbers, use squidguard/dansguardian with squid (transparently) because setting proxy will be a headache... Title: Re: https://facebook.com not blocked by proxy Post by: dysmas on Monday 23 July 2012, 09:59:18 pm I think I understood the important posts by phyrexian and mrkroket.
The full answer to blocking https is non transparent proxy. Detailed explanation here : http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654 Title: Re: https://facebook.com not blocked by proxy Post by: nishith on Saturday 08 September 2012, 01:34:45 pm Use "Non Transparent" proxy. I am using the same & no one can access "facebook" from any angle.
Nishith Title: Re: https://facebook.com not blocked by proxy Post by: dysmas on Saturday 08 September 2012, 07:24:54 pm When I use "non transparent proxy", I have instantly access to all the web. This means non transparent proxy will work only if a computer is specially configured to use the proxy. And what if a user is competent enough to change this configuration ? He will get access to anything.
Since you have made a configuration which is close to what I want, could you provide some explanations on where I must search to prevent what I just said : with not transparent, at first, any computer has access to Internet. Title: Re: https://facebook.com not blocked by proxy Post by: speccompsol on Sunday 09 September 2012, 03:07:29 am To use 'non-transparent' proxy, you must also disable (or delete) the outgoing firewall setting for port 80 for the zone that the 'non-transparent' proxy is assigned. By doing so a computer in the 'non-transparent' zone cannotaccess web pages without using the proxy.
Title: Re: https facebook not blocked by proxy Post by: Monty on Saturday 03 November 2012, 07:37:07 am Hi, sorry to reactivate this thread again. I understand fully the nature of the problem with HTTPS and transparent proxies, my question is about endian:
Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP. IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's, but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery. Despite the remaining issues, this is actually what I am after (it is the right solution for the environment I want to deploy it into). Could anyone tell me how easy it is to implement this with endian? (I.e. just do reverse DNS on the destination address, if it resolves to facebook (etc) domain on a given list - block it.) Unless the very advanced ones, transparent proxies can't filter out HTTPS by default. Other than by reverse IP, what other methods are transparent proxies doing? The paid version of untangle webfilter seems to block HTTPS, but I think it is just doing reverse IP on the packets. Does anyone know for sure? And again, my main question is how easy is it to setup a reverse DNS block on HTTPS traffic using endian? Title: Re: https://facebook.com not blocked by proxy Post by: dysmas on Thursday 14 February 2013, 04:52:25 am Thanks to @nishith and @speccompsol : using Non transparent proxy is really the good solution to filter https. Just in case it can help others, here is what you have to do :
1) in Firewall/Outgoing traffic, remove the lines which allow traffic on ports 80 and 443. 2) Set proxy to Non transparent 3) in proxy/authentication click "Manage users" and add some users 4) If you want, click "Manage groups" and create some groups 5) In proxy/Access Policy, modify your policies : Set Authentication to user based or group based, and select one (or several) user(s) or group(s) Update. At this point, no one has access to Internet. To give access to Internet to a user, you must go to his computer and in Internet Properties / connections / Network settings [in Windows XP, or find equivalent in your OS], you MUST set a proxy, indicating the IP address of your EFW and the port 8080 (if you have kept this value which is the default in EFW). Now this user, when he want to connect to Internet will receive a small window asking for authentication. He has just to enter it, and he has access to the corresponding policies. https is perfectly blocked by this system. Well... it is so well blocked that presently I cannot access Skype ! Because when establishing a connection, Skype tries to connect to a site with an IP address, and there are hundreds of addresses, and I cannot add all of them to a policy. If I allow all destinations (with ANY as destination), then I access Skype, which is normal. But if I use a proxy, it is because I don't want to give full access. When the proxy was set to transparent, I didn't notice the problem because Skype at this point connects in https and for this reason it worked. But now it no longer works. This is a good proof that proxy when set to non transparent can block Skype, Facebook and so on. Once I have found the way to access Skype without giving full access to Internet, I will post it here. But if someone knows the answer, I am happy to hear it. Title: Re: https://facebook.com not blocked by proxy Post by: jeremycald on Saturday 16 February 2013, 01:50:27 am Would not transparent proxy also work so you don't have to visit every workstation?
Title: Re: https://facebook.com not blocked by proxy Post by: dysmas on Saturday 16 February 2013, 02:49:46 am I am unsure of the meaning of your question so the answer may be inaccurate.
Transparent proxy cannot block https (connections on port 443). To control https connections, non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution. Title: Re: https://facebook.com not blocked by proxy Post by: jeremycald on Tuesday 19 February 2013, 06:41:29 am I am unsure of the meaning of your question so the answer may be inaccurate. Transparent proxy cannot block https (connections on port 443). To control https connections, non transparent proxy is necessary, with the consequence that you have to visit every workstation. If you are not interested in controlling https connections, then transparent mode is the good solution. Learn something new everyday. Thanks for the non-flaming response. Title: Block https facebook in transparent proxy Post by: sourcebreak on Saturday 02 March 2013, 07:40:56 pm In Endian Firewall >> Firewall >> Outgoing firewall
create new rule to Deny port 443 for 173.252.0.0/16 69.0.0.0/8 31.13.0.0/16 72.246.0.0/16 124.0.0.0/8 This will block https facebook. Regards - Suresh Title: Re: https://facebook.com not blocked by proxy Post by: sree on Friday 10 May 2013, 11:19:06 pm Make a outgoing firewall rule giving the below ip and network (Facebook) to the port 443 and block it, your normal 443 works perfectly and https://facebook.com will get block.
173.252.0.0/16 69.0.0.0/8 31.13.0.0/16 72.246.0.0/16 124.0.0.0/8 69.63.184.142 69.63.187.17 69.63.187.19 69.63.181.11 69.63.181.12 Cheers~ Sree. Title: Re: https://facebook.com not blocked by proxy Post by: nicolethomson on Wednesday 23 October 2013, 11:06:44 pm thats pretty good info dear suresh and sree,
is there any ways to block youtube and gtalk in similar manner, apart from that video streaming needs tobe blocked i tried blocking the ip for youtube. 74.125.236.0/16 |