Solved

ACL

Posted on 2010-01-03
Last Modified: 2012-05-08
Hey Guys,

I am using IPCop, a Linux-based firewall like m0n0wall and Smoothwall, as my firewall, with various addons like Advanced Proxy, Block Out Traffic and URL Filter.

URL Filter works using the Advanced Proxy.
I am able to block domains and URLs and redirect users to where I want if they go to a restricted site.

Ports 80 and 443 are open.

It's a Windows 2003 server environment; I have disabled all browsers except IE and entered the proxy settings in the GPO.

Here is what I am trying to do now:
1) Block certain domains for HTTP and HTTPS access. Currently only HTTP sites are being blocked while using the transparent proxy; HTTPS is open. When I disable the transparent proxy and enter the proxy setting in the browser, HTTP works like before but HTTPS completely stops working. I get the message "you are not authorized to view this page".

So I would like to block "certain" domains for both HTTPS and HTTP access.

2) These addons allow me to enter a list of IPs if I want them to be unfiltered. That makes those IPs completely free of the block list (access to everything). But I want to apply another list to those unfiltered IPs.

According to what I found on Google and IPCop's forum, this is possible using ACL entries with Squid. I am not familiar with Squid ACLs, so I would like someone to help.

These are the two links I found:
http://www.dageek.co.uk/ipcop/squid/index.htm
http://www.linuxquestions.org/questions/linux-security-4/squid-and-https-sites-522138/
Question by: Shivtek

Accepted Solution by: noci (ID: 26167921)
HTTPS & proxies are problematic.
Basically you cannot see what goes through the pipeline (otherwise a man-in-the-middle attack on HTTPS would be too easy...).

HTTPS is encrypted from front (browser) to end (web server / SSL frontend to the web server).

You can effectively only block on IP address, but not on hostname, as the hostname is only sent AFTER the SSL tunnel has been established, as part of the HTTP request header.
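For readers who want to see what the "ACL entries with Squid" from the question look like in practice, here is an added squid.conf fragment. It is an illustration written for this page, not IPCop's generated configuration and not part of either post above; every address and domain in it is a constructed placeholder (RFC 5737 / RFC 2606 ranges). It assumes the proxy is used in explicit mode, as the GPO-pushed proxy setting in the question implies. In that mode the browser opens an HTTPS connection with a `CONNECT host:443` request, and Squid's `dstdomain` ACL matches the host named in that request, so a name-based block can be applied to HTTPS as well as HTTP without looking inside the encrypted session. A `dst` ACL, which matches the resolved destination IP, is shown alongside it for the IP-only case the answer describes. The second list for the "unfiltered" hosts is implemented as a `src` ACL combined with its own, shorter `dstdomain` list.

```conf
# Added example squid.conf fragment (Squid 2.x style, as shipped with IPCop).
# All names and addresses below are constructed placeholders.

# --- Who is talking to the proxy --------------------------------------------
acl localnet    src 192.168.1.0/24              # placeholder: the LAN behind IPCop
acl unfiltered  src 192.168.1.10 192.168.1.11   # placeholder: the "unfiltered" hosts

# --- Destinations -------------------------------------------------------------
# dstdomain matches the host of an http:// URL and the host in a CONNECT request.
# A leading dot matches the domain and all of its subdomains.
acl blocked_all     dstdomain .blocked.example.com .blocked.example.net
acl blocked_unfilt  dstdomain .blocked.example.org   # the second, shorter list
# dst matches the resolved destination IP; use this where only the IP is known.
acl blocked_ip      dst 203.0.113.0/24

acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

# --- Policy: the first matching http_access line wins, so order matters --------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports          # CONNECT only to port 443

# Unfiltered hosts: enforce their own short list, then allow everything else.
http_access deny  unfiltered blocked_unfilt
http_access allow unfiltered

# Everyone else on the LAN: full block list, by name and by IP.
http_access deny  localnet blocked_all
http_access deny  localnet blocked_ip
http_access allow localnet

http_access deny all

# Optional: send blocked users to a page of your own instead of Squid's error.
# (placeholder URL)
deny_info http://proxy.example.com/blocked.html blocked_all
```

Two caveats for anyone applying this. First, with a transparent proxy that intercepts port 80 only, HTTPS traffic never reaches Squid at all, so no ACL in squid.conf can affect it; the rules above only work when the browser is pointed at the proxy explicitly. Second, IPCop's Advanced Proxy writes squid.conf from its web interface, so lines added by hand are likely to be overwritten on the next save; check the addon's documentation for the place it reserves for custom ACLs (which file that is, and whether the version in use has one, is an assumption I have not verified here).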