Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: FBocuya on September 02, 2010, 12:43:54 PM
-
Guys, I'm having a problem with my Dansguardian. I block facebook.com: if I type http://www.facebook.com/ dansguardian will block it, but if I put an S in HTTP like https://www.facebook.com/ it will pass through.
-
Guys, I'm having a problem with my Dansguardian. I block facebook.com: if I type http://www.facebook.com/ dansguardian will block it, but if I put an S in HTTP like https://www.facebook.com/ it will pass through.
How did you define your filter to block facebook?
-
but if I put an S in HTTP like https://www.facebook.com/ it will pass through.
That's normal, as you cannot have a "man in the middle (squid/proxy)" for secure connections, in this case 443 (https), otherwise https is not secure. You will need to route all https traffic another way to block it completely. Google is your friend.
-
There is a directory of lists where you can ban sites in dansguardian: /etc/dansguardian/list/bannedsitelist
See the attached text below........
*********BANNEDSITELIST CONTAINS BELOW********
#domains in banned list
#Don't bother with the www. or the http://
#The bannedurllist is for blocking PART of a site
#The bannedsitelist is for blocking ALL of a site
#As of DansGuardian 2.7.3 you can now include
#.tld so for example you can match .gov for example
#The 'grey' lists override the 'banned' lists.
#The 'exception' lists override the 'banned' lists also.
#The difference is that the 'exception' lists completely switch
#off *all* other filtering for the match. 'grey' lists only
#stop the URL filtering and allow the normal filtering to work.
#An example of grey list use is when in Blanket Block (whitelist)
#mode and you want to allow some sites but still filter as normal
#on their content
#Another example of grey list use is when you ban a site but want
#to allow part of it.
#To include additional files in this list use this example:
#.Include</etc/dansguardian/anotherbannedurllist>
#You can have multiple .Includes.
# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.
# List categorisation
#listcategory: "Banned Sites"
#List other sites to block:
badboys.com
friendster.com
ebay.com
facebook.com
myspace.com
#youtube.com
#Blanket Block. To block all sites except those in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**':
#**
#Blanket SSL/CONNECT Block. To block all SSL
#and CONNECT tunnels except to addresses in the
#exceptionsitelist and greysitelist files, remove
#the # from the next line to leave only a '**s':
#**s
#Blanket IP Block. To block all sites specified only as an IP,
#remove the # from the next line to leave only a '*ip':
*69.63.189.11
#Blanket SSL/CONNECT IP Block. To block all SSL and CONNECT
#tunnels to sites specified only as an IP,
#remove the # from the next line to leave only a '*ips':
#*ips
*69.63.189.11
# The squidGuard advert domain/URL lists are now included by default.
# To work with advanced ad blocking & the logadblocks option, advert
# phrase/site/URL lists should have the string "ADs" in their listcategory.
.Include</etc/dansguardian/lists/blacklists/ads/domains>
#Remove the # from the following and edit as needed to use a stock
#squidGuard/urlblacklists collection.
#.Include</etc/dansguardian/lists/blacklists/adult/domains>
#.Include</etc/dansguardian/lists/blacklists/aggressive/domains>
#.Include</etc/dansguardian/lists/blacklists/artnudes/domains>
#.Include</etc/dansguardian/lists/blacklists/audio-video/domains>
#.Include</etc/dansguardian/lists/blacklists/beerliquorinfo/domains>
#.Include</etc/dansguardian/lists/blacklists/beerliquorsale/domains>
#.Include</etc/dansguardian/lists/blacklists/chat/domains>
#.Include</etc/dansguardian/lists/blacklists/childcare/domains>
#.Include</etc/dansguardian/lists/blacklists/clothing/domains>
#.Include</etc/dansguardian/lists/blacklists/culinary/domains>
#.Include</etc/dansguardian/lists/blacklists/dialers/domains>
#.Include</etc/dansguardian/lists/blacklists/drugs/domains>
#.Include</etc/dansguardian/lists/blacklists/entertainment/domains>
#.Include</etc/dansguardian/lists/blacklists/forums/domains>
#.Include</etc/dansguardian/lists/blacklists/frencheducation/domains>
#.Include</etc/dansguardian/lists/blacklists/gambling/domains>
#.Include</etc/dansguardian/lists/blacklists/government/domains>
#.Include</etc/dansguardian/lists/blacklists/hacking/domains>
#.Include</etc/dansguardian/lists/blacklists/homerepair/domains>
#.Include</etc/dansguardian/lists/blacklists/hygiene/domains>
#.Include</etc/dansguardian/lists/blacklists/jewelry/domains>
#.Include</etc/dansguardian/lists/blacklists/jobsearch/domains>
#.Include</etc/dansguardian/lists/blacklists/kidstimewasting/domains>
#.Include</etc/dansguardian/lists/blacklists/mail/domains>
#.Include</etc/dansguardian/lists/blacklists/news/domains>
#.Include</etc/dansguardian/lists/blacklists/onlineauctions/domains>
#.Include</etc/dansguardian/lists/blacklists/onlinegames/domains>
#.Include</etc/dansguardian/lists/blacklists/onlinepayment/domains>
#.Include</etc/dansguardian/lists/blacklists/personalfinance/domains>
#.Include</etc/dansguardian/lists/blacklists/pets/domains>
#.Include</etc/dansguardian/lists/blacklists/porn/domains>
#.Include</etc/dansguardian/lists/blacklists/proxy/domains>
#.Include</etc/dansguardian/lists/blacklists/publicite/domains>
#.Include</etc/dansguardian/lists/blacklists/redirector/domains>
#.Include</etc/dansguardian/lists/blacklists/ringtones/domains>
#.Include</etc/dansguardian/lists/blacklists/sportnews/domains>
#.Include</etc/dansguardian/lists/blacklists/sports/domains>
#.Include</etc/dansguardian/lists/blacklists/vacation/domains>
#.Include</etc/dansguardian/lists/blacklists/violence/domains>
#.Include</etc/dansguardian/lists/blacklists/virusinfected/domains>
#.Include</etc/dansguardian/lists/blacklists/warez/domains>
# You will need to edit to add and remove categories you want
-
FBocuya
Re blocking https access, dansguardian in a default install configuration, will not do that, as you have been advised. Dansguardian filters port 80 (http) requests.
The secure https request uses port 443. Other system wide approaches need to be taken to achieve that. One of the google searches indicates to block port 443 access for your whole server and then unblock (or allow) particular site access requirements eg server manager & webmail (probably best done in the firewall masq code using custom templates).
The masq custom template that the smeserver-dansguardian rpm adds, could probably be modified to block port 443, but doing that will block all other secure https access eg server manager, webmail and anything else you access via https. You will then need to put a workaround in place to allow access to those services (perhaps via a port redirect or by specifically allowing those service accesses).
It starts to get messy and fiddly and the implementation method will depend on how you want your server to behave and be used.
-
FBocuya
https://www.facebook.com/ it will pass through.
Further to what has been said already, read this page
http://contentfilter.futuragts.com/wiki/doku.php?id=two_configuration_families&s[]=block&s[]=https
where it speaks of using different dansguardian configurations, transparent-intercepting and explicit-proxy.
Note part of that page says:
"In this configuration family, DansGuardian's “bannedsitelist” and “exceptionsitelist” will apply not only to http: but also to https: (encrypted web traffic on port 443) connections. However, even in the explicit-proxy configuration DansGuardian will have access only to the hostname, not to the rest of the URL and not to page content. [This access to the hostname is similar to something called “connect()”.] So DansGuardian won't be able to do any “content filtering” or any URL filtering or any regular expression filtering. Still, the ease of blocking website access over both http: and https: all at once using the same mechanism might be very useful."
Also read this:
http://contentfilter.futuragts.com/wiki/doku.php?id=preventing_skipping_around
and perhaps this as well:
http://contentfilter.futuragts.com/wiki/doku.php?id=network_billboard
The starting point to access all that is
http://dansguardian.org
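The behaviour described in this thread, as an added example that is not part of any post and is not DansGuardian's own code: a simplified model of what a filtering proxy can read from each request, and why the same site rule gives different results for http: and https:. The lists, `example.org` and all function names are constructed for illustration, and the transparent mode is assumed to redirect only port 80 to the filter.

```python
from urllib.parse import urlsplit

# Constructed sample lists in the style of the files discussed in the thread.
BANNED_SITES = {"facebook.com", "myspace.com"}   # bannedsitelist: ALL of a site
BANNED_URLS = ("example.org/games",)             # bannedurllist: PART of a site


def visible_to_filter(request_line):
    """Return (host, path) the proxy can read; path is None inside a CONNECT tunnel."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        return target.rpartition(":")[0].lower(), None   # only host:port is in clear text
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.path or "/"


def host_is_banned(host):
    """True if the host or any parent domain is listed (www.facebook.com -> facebook.com)."""
    labels = host.rstrip(".").split(".")
    return any(".".join(labels[i:]) in BANNED_SITES for i in range(len(labels)))


def decide(request_line):
    """Apply the site list always, and the URL list only when a path is visible."""
    host, path = visible_to_filter(request_line)
    if host_is_banned(host):
        return "blocked (site)"
    if path is not None and any((host + path).startswith(u) for u in BANNED_URLS):
        return "blocked (url)"
    return "allowed"


def outcome(mode, url):
    """mode: 'transparent' (assumed: only port 80 is redirected) or 'explicit'."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        if mode == "transparent":
            return "not seen by filter"   # port 443 traffic never reaches the proxy
        return decide(f"CONNECT {parts.hostname}:443 HTTP/1.1")
    # Simplification: the absolute-form request line is used for both modes.
    return decide(f"GET {url} HTTP/1.1")


if __name__ == "__main__":
    for mode in ("transparent", "explicit"):
        for url in ("http://www.facebook.com/", "https://www.facebook.com/",
                    "http://example.org/games/x", "https://example.org/games/x"):
            print(f"{mode:11} {url:30} -> {outcome(mode, url)}")
```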
-
Thanks guys, problem solved. I already blocked facebook.com....
-
Please let everyone know how you did this.
-
FBocuya
Problem solved. I already blocked facebook.com....
Please advise what you did to achieve this.
This is a two way street, so please be prepared to give back to this forum.