Hey,
I have found a lot of outdated or conflicting information about this online, and since this is a really important matter, I wanted to make sure I am doing this correctly. I am attempting to block some websites completely, including all HTTPS traffic and subdomains. Squid.conf:
/etc/squid/domain_blacklist.txt:
.ph - will block all websites that have the .ph TLD including subdomains.
.facebook.com - will block all traffic to FB including subdomains.

Am I doing this the right way?

Thanks

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
I am currently using:

###blocked websites###
acl blockedsites dstdomain .domain1.com .domain2.com .domain3.com
###end blocked websites###
http_access deny blockedsites

Simple and working ;)

--
This message was sent from my Android mobile phone with WEB.DE Mail.

On 09.03.21, 12:58 roee klinger <[hidden email]> wrote:
On 10/03/21 12:57 am, roee klinger wrote:
> Hey,
>
> I have found a lot of outdated or conflicting information about this
> online, and since this is a really important matter, I wanted to make
> sure I am doing this correctly.
>
> I am attempting to block some websites completely, including all HTTPS
> traffic and subdomains.
>

Basically there are two protocols that need to be considered for this. HTTP and TLS.

In HTTP the "website" is identified by a domain name in the request-target (aka URI, sometimes called URL).
* The 'dstdomain' ACL type matches URI domain name.
* The http_access directive is where that domain name becomes available for Squid to check.

In TLS the "website" is identified by the TLS SNI sent by the client, or a field in the server X.509 certificate.
* The 'ssl::server_name' ACL type matches those details.
* The ssl_bump directive

Next thing is to be aware that there are many ways to layer protocols. Do expect to see vastly different proxy behaviours for each permutation of those.
* port 443 "HTTPS" is TLS then HTTP
* port 80 "HTTPS" is HTTP then TLS (quite rare)
* forward-proxy "HTTPS" is HTTP then TLS then HTTP

> Squid.conf:
>
> acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
> http_access deny all domain_blacklist

The "all" here is pointless.

> http_reply_access deny domain_blacklist

Use of reply access directive for blacklisting by request details is not useful. The request already got blocked. So any response reaching here is just the error page saying forbidden. Blocking that error page would just change it to a slightly different error page saying the *response* was forbidden - which is a bit confusing for any user trying to understand why their request didn't work.

> http_access deny CONNECT domain_blacklist
>

This line is useless here. squid.conf lines are interpreted top-down. The "deny all domain_blacklist" already stopped all requests that could possibly match the second condition of this line.
> /etc/squid/domain_blacklist.txt:
>
> .ph
> .somepornwebsite.com
> .facebook.com
> ...
>
> Am I doing this the right way?

Sort of. Your http_access denial will catch all the HTTP and decrypted HTTP(S) traffic. It will not be able to block any HTTP(S) requests that are not able to decrypt.

To catch and block these domains without needing the decrypt you should also use:

acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
ssl_bump terminate server_blacklist

Of course there is always the failure case where traffic cannot decrypt and the TLS details use different server names.

Amos
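An added example, not code from this thread or from Squid itself, that simulates the matching rule behind the two ACLs Amos describes: a leading-dot entry such as .facebook.com matches the domain and every subdomain, checked against the URI host at http_access and against the TLS SNI at ssl_bump. The blacklist contents are copied from the thread; the "pass" label for an unmatched ssl_bump rule is an assumption made for the example.

```python
# Added illustration, not Squid's own code: how a leading-dot blacklist like the
# one in this thread matches hostnames under the dstdomain rule Squid documents
# (".example.com" matches example.com and every subdomain; a bare "example.com"
# matches that host only). The same file is reused here for ssl::server_name.
from typing import Iterable, List, Optional

# Constructed copy of /etc/squid/domain_blacklist.txt as quoted in the thread.
DOMAIN_BLACKLIST = """\
.ph
.somepornwebsite.com
.facebook.com
"""


def load_blacklist(text: str) -> List[str]:
    """One entry per line; blank lines and '#' comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.Facebook.COM.' compares equal."""
    return host.strip().lower().rstrip(".")


def entry_matches(entry: str, host: str) -> bool:
    """Apply the leading-dot rule for a single blacklist entry."""
    host = normalize_host(host)
    if entry.startswith("."):
        # The domain itself, or any label below it. Checking the dot boundary is
        # what keeps 'notfacebook.com' from matching '.facebook.com'.
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_blocked(host: str, entries: Iterable[str]) -> bool:
    return any(entry_matches(e, host) for e in entries)


def decide(url_host: str, sni: Optional[str], entries: List[str]) -> dict:
    """Simulate the two check points from the reply above: http_access sees the
    URI host of plain or decrypted HTTP, ssl_bump sees the client's TLS SNI.
    'pass' here only means this rule did not match (an assumed label)."""
    return {
        "http_access": "deny" if is_blocked(url_host, entries) else "allow",
        "ssl_bump": "terminate" if sni and is_blocked(sni, entries) else "pass",
    }
```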
Thanks, Amos.

I tried implementing the configuration you suggested but I am getting an error message:

I tried reading the documentation but can't find anything wrong in my config file, I used the 2 lines exactly like they are in your suggestion, and I am running Squid 4.10.

On Tue, Mar 9, 2021 at 2:48 PM Amos Jeffries <[hidden email]> wrote:
On 10/03/21 12:57 am, roee klinger wrote:
On 11/03/21 1:28 am, roee klinger wrote:
> Thanks, Amos.
>
> I tried implementing the configuration you suggested but I am getting an
> error message:
>
> FATAL: Invalid ACL type 'ssl::server_name'
> FATAL: Bungled /etc/squid/squid.conf line 36: acl server_blacklist
> ssl::server_name "/etc/squid/domain_blacklist.txt"
>

That means your Squid lacks OpenSSL support (--with-openssl build option) required to do SSL-Bump related things. I assumed from previous threads you had that enabled.

Amos