cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Mon Apr 03, 2006 6:43 pm Post subject: dansguardian, squid and https question |
|
|
Is there a way to block requests for https://somedomain.com using the dansguardian/squid setup? I know that you cannot perform actual filtering on a page from a secure web server because it is encrypted, but how about blocking the site from say, when the user makes the initial request for the site. In dansguardian, it logs the initial CONNECT to the site, so it seems there should be a way to do this. I'd just like some ideas if any to find an easy solution, if not, I've been tempted to look at the DG code and figure it out. |
|
Voorhees51 Guru
Joined: 05 Nov 2003 Posts: 358
|
Posted: Tue Apr 04, 2006 12:19 am Post subject: |
|
|
Could you find the IP address of the sites and block them that way?
Could you set up a block rule to just block all connections to somedomain.com
regardless of the protocol, e.g. ftp, http, https?
... just my quick thoughts on it |
|
Suicidal l33t
Joined: 30 Jul 2003 Posts: 959 Location: /dev/null
|
Posted: Tue Apr 04, 2006 12:30 am Post subject: |
|
|
You could set up bind and hijack their domain name (for your internal clients) like I do with a lot of spyware domains. Also the hosts file might work in this regard. |
|
cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Tue Apr 04, 2006 2:09 pm Post subject: |
|
|
Great Idea. Don't know why I didn't think to just hijack the domain!!! Thanks for the help. |
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Tue Apr 04, 2006 2:14 pm Post subject: |
|
|
Dansguardian already has a built-in mechanism for this. Just add the site to /etc/dansguardian/bannedsitelist |
|
cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Tue Apr 04, 2006 2:32 pm Post subject: |
|
|
This only works for http:// domains, not https:// domains. Unless this is a bug in DG, I do have the http://somedomain.com in my bannedsitelist, and sure enough, if I navigate to that site, it gets blocked, but if I turn around and navigate to the https://somedomain.com site, it lets it through.
Is there something else in the DG configuration that needs to be set in order to block https domains? On the DG website for version 2.4, it says "The URL filtering is able to filter https requests." However, I'm running 2.8.0.6-r1 and I'm having different behavior than described. Anyone else experience this? |
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Tue Apr 04, 2006 2:34 pm Post subject: |
|
|
I just tested it on my DG system, and it worked fine.
Are you putting the actual "http://" in the bannedsitelist? If so, try it without. And of course, make sure you restart DG after changing the conf. |
|
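Added example (not part of the thread, and not DansGuardian's or Squid's own code): a small Python model of the point discussed above, that a proxy sees the host name in the cleartext CONNECT request line, so a list entry written without a scheme can match both the http:// and the https:// request, while an entry that includes "http://" matches neither. The function names and the sample list are constructed for illustration.

```python
# Added illustration; not DansGuardian or Squid source code.
from urllib.parse import urlsplit

# Constructed sample list: one entry per line, '#' starts a comment.
BANNED_TEXT = """\
# constructed sample entries
somedomain.com
http://otherdomain.example   # scheme-prefixed: can never equal a host name
"""

def load_banned(text):
    """Return the set of non-empty, lower-cased entries in the list text."""
    entries = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            entries.add(entry.rstrip("."))
    return entries

def target_host(request_line):
    """Extract the host a proxy request line names, or None if unparseable."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    # CONNECT carries "host:port"; other proxied methods carry a full URL.
    url = "//" + target if method.upper() == "CONNECT" else target
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def is_banned(request_line, banned):
    """True if the named host, or any parent domain of it, is in the list."""
    host = target_host(request_line)
    if host is None:
        return False  # caller should reject malformed requests separately
    labels = host.split(".")
    return any(".".join(labels[i:]) in banned for i in range(len(labels)))

if __name__ == "__main__":
    banned = load_banned(BANNED_TEXT)
    for line in ("GET http://somedomain.com/ HTTP/1.1",
                 "CONNECT somedomain.com:443 HTTP/1.1",
                 "CONNECT www.somedomain.com:443 HTTP/1.1",
                 "CONNECT otherdomain.example:443 HTTP/1.1"):
        print("DENY " if is_banned(line, banned) else "ALLOW", line)
```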
cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Tue Apr 04, 2006 2:37 pm Post subject: |
|
|
I'm entering it without the http://. As I take another look, it's actually entered in multiple blacklists that I downloaded with dansguardian. All of them without the http://. |
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Tue Apr 04, 2006 2:46 pm Post subject: |
|
|
That's odd. I'm using dansguardian-dgav-6.4.3-r1 and it works fine. |
|
cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Tue Apr 04, 2006 2:50 pm Post subject: |
|
|
Hehe, well the hijack serves as a workaround until this can be ironed out. What do you think of dgav? I've thought about using it, but since we're mostly mac, there isn't too big of a need to scan internet traffic for viruses. |
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Tue Apr 04, 2006 2:54 pm Post subject: |
|
|
DGAV works great. The extra setup over standard DG is negligible. Then again, my workplace is 99% Windows, so it's nice for catching spyware and the like. |
|
cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Fri Apr 07, 2006 4:20 pm Post subject: |
|
|
I may go ahead and upgrade. Not sure if there is a bug, but I also get these random blocked sites that report denied, "Banned Phrase: gator". If I do a
Code: | grep -irH 'gator' /etc/dansguardian/ |
it returns
Quote: | /etc/dansguardian/phraselists/malware/weighted:< gator ><wallet><30> |
Now tell me that isn't weird! |
|
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
|
Posted: Fri Apr 07, 2006 4:22 pm Post subject: |
|
|
What's odd about it? |
|
cmorford n00b
Joined: 14 Nov 2005 Posts: 32
|
Posted: Fri Apr 07, 2006 4:25 pm Post subject: |
|
|
The fact that "gator" is not a banned phrase. Why is it blocking a phrase that isn't in any of the lists (shown by the grep statement)???? |