Koozali.org: home of the SME Server
Obsolete Releases => SME 8.x Contribs => Topic started by: masotsha on February 02, 2015, 12:07:40 PM
-
Hello,
I'm using smeserver-webfilter. I notice users can bypass squidguard filtering to facebook by just typing https://www.facebook.com. How do I enforce filter of https to such sites?
-
search with google for "squid rule block facebook".. I remember the "connect" key but can't help you more..
then it's "only" a matter of creating the right fragment, come back here
-
ok..
mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf
cd /etc/e-smith/templates-custom/etc/squid/squid.conf
nano 20ACL40bannedsites
the content must be:
acl bannedsites dstdomain .facebook.com
save and exit, then
nano 40http_access15denyconnectBannedsites
the content must be:
http_access deny CONNECT bannedsites
save and exit, then
signal-event proxy-update
tested on SME 8.1, working for me.. in the first fragment you can add, on the same line, as many domain as you need, separated with a space
-
I can confirm it works for me in SME 8 and SME 9
-
does this is referenced somewhere in the documentation ?
-
Isn't controlling web content the whole purpose of the Dansguardian contrib?
http://wiki.contribs.org/Dansguardian (http://wiki.contribs.org/Dansguardian)
and specifically:
http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing (http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing)
-
@stephdl: AFAIK no
@RequestedDeletion: AFAIK, neither squidguard nor dansguardian contrib can selectively deny access to https sites
-
masotsha
Here is one way:
Add whatever domain you wish to block access to eg facebook.com, as a virtual domain in the Domains panel of server manager.
Configure the panel to resolve DNS locally for that domain, & then when users access https://facebook.com they will be directed to your main domain website.
-
Stefano
AFAIK, neither squidguard nor dansguardian contrib can selectively deny access to https sites
In DG you can block access to the login site (check logs to see actual pages being accessed), if you cannot login you cannot access facebook etc.
-
masotsha
Here is one way:
Add whatever domain you wish to block access to eg facebook.com, as a virtual domain in the Domains panel of server manager.
Configure the panel to resolve DNS locally for that domain, & then when users access https://facebook.com they will be directed to your main domain website.
in this way you have some side effects.. let's say I want to block playboy.com (i.e. I don't want my user surf playboy's website).. if I add playboycom to my domains, I'll never be able to send an email to that domain.. and this can be an issue...
-
Stefano
In DG you can block access to the login site (check logs to see actual pages being accessed), if you cannot login you cannot access facebook etc.
AFAIK DG doesn't block https sites
-
Stefano
The OP wants workaround solutions, so sometimes there are consequences eg email issues you mention.
I have seperately advised OP to use DG if more control is required.
Re site login, typically/usually/often a site will access other sites during the https login process. You can see these in the access logs eg squid. If you block those (with DG or however), then you block access to the main site of concern.