ACL

Hey Guys,

I am using IPCop, a Linux-based firewall like m0n0wall and Smoothwall, with various addons such as Advanced Proxy, Block Out Traffic and URL Filter.

URL filter works using the advanced proxy.
I am able to block domains and url and redirect users to where I want if they go to a restricted site.

Port 80 and 443 are open

It's a Windows 2003 Server environment. I have disabled all browsers except IE and entered the proxy settings in the GPO.

Here is what I am trying to do now:
1) Block certain domains for http and https access. Currently only http sites are being blocked while using the transparent proxy; https is open. When I disable the transparent proxy and enter the proxy settings in the browser, http works like before but https completely stops working. I get the message "You are not authorized to view this page".

So I would like to block "certain" domains for https and http access both.

2) These addons allow me to enter a list of IPs if I want them to be unfiltered. That makes those IPs completely free of the block list (access to everything). But I want to instate another list for those unfiltered IPs.

According to what I found on Google and IPCop's forum, this is possible using ACL entries with Squid. I am not familiar with Squid ACLs, so I would like someone to help.

These are the two links I found:
http://www.dageek.co.uk/ipcop/squid/index.htm
http://www.linuxquestions.org/questions/linux-security-4/squid-and-https-sites-522138/
Asked by: Shivtek

Answer from noci (Software Engineer):
https & proxies are problematic.
Basically you cannot see what goes through the pipeline (otherwise a man-in-the-middle attack on https would be too easy...).

https is encrypted from front (Browser) to end (webserver/ssl frontend to webserver).

You can effectively only block on IP address, but not on hostname, as the hostname is only sent AFTER the SSL tunnel has been established, as part of the HTTP request header.
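For the two requirements in the question (one blocklist applied to both HTTP and HTTPS, and a second, separate list for the "unfiltered" IPs), here is a Squid ACL fragment as an added example; it is not from this thread, from IPCop or from the Advanced Proxy addon, and the file paths, hostnames and address ranges in it are placeholders you would replace with your own. It relies on the browser being configured with the explicit proxy settings from the GPO: in that mode the browser sends `CONNECT host:443` to Squid before any TLS is set up, so Squid can match the hostname with `dstdomain`. In transparent mode the proxy only intercepts port 80, so HTTPS never reaches the filter at all, which is the behaviour described in the question.

```conf
# Added example, not part of the original thread. Paths, hostnames and
# addresses below are assumed placeholders.

# Squid's own port/method ACLs. Without an allow for CONNECT to 443, every
# explicit-proxy HTTPS request is denied, which IE reports as
# "You are not authorized to view this page".
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Requirement 1: one list applied to both HTTP and HTTPS.
# dstdomain matches the Host of a plain HTTP request and the host:port of a
# CONNECT request, so a single list covers both. One domain per line; a
# leading dot (.example.com) also matches all subdomains.
acl blocked_sites dstdomain "/etc/squid/acl/blocked_sites.txt"

# Requirement 2: the "unfiltered" machines get their own, separate list
# instead of no filtering at all.
acl priv_clients src "/etc/squid/acl/priv_clients.txt"
acl priv_blocked dstdomain "/etc/squid/acl/priv_blocked.txt"

# Local network that is allowed to use the proxy at all.
acl localnet src 192.168.1.0/24

# Where HTTP users are redirected when they hit a blocked site. Browsers do
# not follow a redirect in reply to CONNECT, so HTTPS users see the
# browser's own error page instead.
deny_info http://intranet.example/blocked.html blocked_sites
deny_info http://intranet.example/blocked.html priv_blocked

# Order matters: Squid stops at the first matching http_access line.
http_access deny priv_clients priv_blocked   # privileged clients: own list
http_access allow priv_clients               # ... and nothing else filtered
http_access deny blocked_sites               # everyone else: main list
http_access allow localnet
http_access deny all
```

Before relying on it, test from a privileged and a normal client against one domain on each list and over both http:// and https://, and watch `access.log` for `TCP_DENIED` entries: a `CONNECT example.com:443` line that is denied confirms the HTTPS branch is being matched by hostname. How to get custom directives into the squid.conf that IPCop's Advanced Proxy generates is not covered in this thread.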