Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 25 November 2024, 03:06:33 am

Login with username, password and session length

Visit the official Endian Community Mailinglist  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  EFW SMTP, HTTP, SIP, FTP Proxy Support
| | |-+  https://facebook.com not blocked by proxy
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: 1 [2] 3 Go Down Print
Author Topic: https://facebook.com not blocked by proxy  (Read 336857 times)
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #15 on: Friday 05 June 2009, 05:51:05 am »

Squid is endians proxy agent. It proxy's HTTP (80) and HTTPS(443) traffic. If you leave ports 80 and 443 open on the firewall, you are not going through squid, or through the content filter dansguardian.  You are going strait out to the internet unfiltered. period. Squid and dansgaurdian does the filtering, Not the operating system.

Your clients need to be set to use the proxy port 8080 for all traffic, not just http traffic.
Logged
jpgillivan
Full Member
***
Offline Offline

Posts: 31


« Reply #16 on: Friday 05 June 2009, 07:32:05 am »

Then can you explain to me why http://www.facebook.com is blocked even though port 80 (FIREWALL>OUT GOING) is enabled and https://www.facebook.com is not? 

I did set the my web browser to the proxy 8080 and it did prevent the web site from displaying, but it didn't display the Endian page saying it was blocked when accessing the https site, just a 403 forbidden error. But it does display the endian message when going to http.  HuhHuh?

Any way around having to set the web browsers to use the proxy 8080?  Can I safely set the proxy on Endian to port 80?
Logged
npeterson
Full Member
***
Offline Offline

Posts: 90


« Reply #17 on: Wednesday 10 June 2009, 01:34:00 am »

Then can you explain to me why http://www.facebook.com is blocked even though port 80 (FIREWALL>OUT GOING) is enabled and https://www.facebook.com is not? 

Your using transparent proxy. Linux( not the proxy) looks at the packets desination, and see's it port for 80, it then has a rule to redirect that request to the proxy service.

I did set the my web browser to the proxy 8080 and it did prevent the web site from displaying, but it didn't display the Endian page saying it was blocked when accessing the https site, just a 403 forbidden error. But it does display the endian message when going to http.  HuhHuh?

No It doesnt. There may be a way to generate a message, but i havent looked into it.

Any way around having to set the web browsers to use the proxy 8080?  Can I safely set the proxy on Endian to port 80?

Yes, its called Web Proxy Autodiscovery protocol (Wpad) http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol  Its not hard, and theres 2 methods to setting this up. DNS or DHCP. the good thing is that the script is already made for you, endian does it. the script is hosted on your fw as http://<fw name>/wpad.dat

So all that is left for you to do is create a DNS entry for wpad that points to your firewall or/and create a DHCP Scope option of #252 to http://<fw name>/wpad.dat

Heres some reading from microsoft: http://technet.microsoft.com/en-us/library/cc713344.aspx Its talking about ISA firewall, but halfwat down the page its starts into how to configure microsoft dns and dhcp options for wpad under Configuring WPAD Entries.
Logged
pkraus109
Jr. Member
*
Offline Offline

Posts: 2


« Reply #18 on: Thursday 14 January 2010, 08:23:40 am »

Not to perform some necromancy an this thread but what a solution ever found as to how to display a page when https was blocked rather than it just erroring?
Logged
a4tech2010
Jr. Member
*
Offline Offline

Posts: 1


« Reply #19 on: Saturday 05 March 2011, 10:16:07 pm »

is endian firewall a port based firewall? if yes, then maybe it can't or wont be able to filter those who are using / hiding ssl/443 ports. Now maybe this is what the box/solution lacks of. There are firewalls out there that based their sessions/policy using applications instead of ports, which other apps / sites can tunnel. To name a few , we have palo alto networks, juniper and sonicwall. But hoping that endian can fix this soon.
Logged
laythingy59
Full Member
***
Offline Offline

Posts: 40


« Reply #20 on: Tuesday 15 March 2011, 02:26:16 am »

surely these is a way to proxy https traffic and filter out the sites causing issues like facebook. Im having the same issue and i have also setup site filterng using a netgear router. sure enough it lets https traffic through.

Logged
hickmanr
Full Member
***
Offline Offline

Posts: 17


« Reply #21 on: Tuesday 15 March 2011, 06:39:58 am »

Please see the below topic for a work around and more information.

http://www.efwsupport.com/index.php?topic=2443.0
Logged
phyrexian
Jr. Member
*
Offline Offline

Posts: 1


« Reply #22 on: Wednesday 23 March 2011, 03:37:35 am »

To anyone who comes across this thread:
The problem your experiencing is with your methodology.  someone a few comments back has said:

Quote
that doesn't make sense.  port 443 is tied to the https protocol just like port 80 is tied to http. Using your methodology then if I wanted to block -website- then I should disable port 80.  Then all web sites would be blocked.  Your suggestion is unacceptable.

The problem with this concept is that the two protocols are NOT the same. A cache proxy CAN read the contents of an HTTP GET packet, it can take the "host" header and apply a rule to the session based on the contents.    HTTPS is not the same,  HTTPS packets are encrypted from the endpoint device all the way to the server.   because of this, a proxy has no idea what the packet contains.

Most of the workarounds for this are simply to read what you can from the packet, (the source/destination addresses) and try to reverse DNS lookup the IP.
IF the IP reverses properly your cache device can apply a rule, or can simply apply a rule based on the source/dest IP's,   but this will not prevent someone from sending their encrypted packets to a foreign proxy for further delivery.


If you are SERIOUS about what content your users need to be able to reach, you need to start approaching the situation as a whitelist rather then a blacklist. block everything, and only allow what people should be using.   (IMHO: user training is a MUCH better solution then blocking anything at all.)
Logged
TheEricHarris
Full Member
***
Offline Offline

Posts: 86


« Reply #23 on: Sunday 04 December 2011, 04:59:07 am »

So I also had smarter than average employees using httpS://facebook.com and other httpS:// URL's to get around my whitelist.

I am forcing IE to use my firewall's IP and port 8080 for the proxy settings.  This blocks the httpS:// sites that are not on my whitelist for their group of IP addresses.

Kinda lame but it works.
Logged
nicolethomson
Full Member
***
Offline Offline

Posts: 27


« Reply #24 on: Thursday 23 February 2012, 05:13:00 pm »

this could be a old thread, but i am having this issue

the transparent proxy stuff blocks only port 80, not the 443 stuff,

where if i do the manual changes in every browser "Use proxy for all protocal's" it does block them clearly.

then the issue comes back, when it comes to bigger network of laptop's "annoying users might say" i can't do this everyday at home and here ....

is there a way to achieve transparent https content filtering too?
nic
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #25 on: Friday 24 February 2012, 03:38:28 am »

It's a recurring question. Unless the very advanced ones, transparent proxies can't filter out HTTPS by default.
HTTPS is a secure channel, anything that intercepts it should be considered an attack.
HTTPS request are very different, they are encrypted packets going out to a numerical IP, there is no way the proxy can intercept the URL request without breaking the whole SSL security.
Having said that, I prefer this issue rather than a crippled HTTPS security that who-knows can sniff it.

Non-transparent proxy solves that problem. About configuring clients on non-transparent, with the proxy.pac they should be automatically configured, only you have to enable the automatic proxy config in IE. I barely need to tweak clients once you set up the system correctly. With Active Directory, users get through non-transparent proxy in a "transparent" way, the proxy don't ask about credentials, domain credentials are automatically used. So if you use Windows+Active Directory, non-transparent works great. There are some issues with pages with non-standard ports, but it's ok.

If you use transparent, your only way is to block/mask either DNS requests or IP's on forbidden webpages. Use Edit Hosts to block DNS and outgoing firewall to block IP's
Logged
almondpolintan
Jr. Member
*
Offline Offline

Posts: 5


« Reply #26 on: Friday 30 March 2012, 04:06:17 pm »

hey mrkroket help me

my question is here
any help ..

i used 2.5.1

transparent or not transparent proxy enable


i received this error when accesing any website using http

ERROR


The requested URL could not be retrieved
While trying to retrieve the URL:

The following error was encountered:
The request or reply is too large.


If you are making a POST or PUT request, then your request body
(the thing you are trying to upload) is too large. If you are
making a GET request, then the reply body (what you are trying
to download) is too large. These limits have been established
by the Internet Service Provider who operates this cache. Please
contact them directly if you feel this is an error.

Your cache administrator is webmaster.

Endian Firewall - Powered by Squid
Logged
kashifmax
Sr. Member
****
Offline Offline

Gender: Female
Posts: 108


« Reply #27 on: Wednesday 11 April 2012, 06:03:44 pm »

mrkroket is right.

This is not an EFW issue, you can not redirect SSL traffic by any means as it is called "Man in the middle". You can only use content filter to restrict traffic or use ssl bump flag in squid which is off course not recommended :-( For smaller organizations lets say 100-200 employees, set the proxy on their browsers by this way you can allow or block HTTP/HTTPS traffic. But larger than the specified numbers, use squidguard/dansguardian with squid (transparently) because setting proxy will be a headache...
Logged
dysmas
Full Member
***
Offline Offline

Posts: 28


« Reply #28 on: Monday 23 July 2012, 09:59:18 pm »

I think I understood the important posts by phyrexian and mrkroket.

The full answer to blocking https is non transparent proxy.
Detailed explanation here :

http://www.efwsupport.com/index.php?topic=525.msg9654#msg9654
Logged
nishith
Jr. Member
*
Offline Offline

Posts: 9


« Reply #29 on: Saturday 08 September 2012, 01:34:45 pm »

Use "Non Transparent" proxy. I am using the same & no one can access "facebook" from any angle.

Nishith
Logged
Pages: 1 [2] 3 Go Up Print 
« previous next »
Jump to:  

Page created in 0.203 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com