How to block https://www.facebook.com

[kavirajan]

Hi Friends,

I came across too many blogs and threads that how to block facebook.com https but nothing is helped.
Really is there any chance to block facebook tell me, don't tell too many threads are opened for this, because i came across threads.

Please reply anyone is there any tutorial for this or any documentation for this, otherwise this product totally waste from my point of view.

[christian]

  This product does much more than HTTP/HTTPS filtering, thus assuming blocking facebook would not work, it will still not be totally wasted isn't it  

Joke aside, I just can't believe you really tried to find some existing solution at least within this forum.
I just typed "facebook" in the search section and found 63 posts related to something similar to your question.
OK, some are not in English... 

Anyway, adding facebook.com in the list of denied domains will block it, this is as simple as this. It obviously assumes you are not using transparent but explicit proxy. If you use transparent proxy, thne you can block HTTP access to facebook but not HTTPS, at least using proxy features.
Then you may try to implement some workarounds. This has been discussed at length in this forum.
I know search engine is not very powerful but it nevertheless should help you.

[kavirajan]

Yes I am using  transparent proxy, So no chance to block facebook isn't.

So is there any change chance to forward or redirect to some other web address.
Otherwise add 127.0.0.1 facebook.com to host file anything in squid file.

Is that it will work.

Please help or otherwise suggest me anything.

[Sam Graf]

If you want to test a redirect, I think you'll have to combine at least two Zentyal 3.0 features: transparent DNS cache and denying Internet access by IP address using the HTTP proxy. If you want to redirect to an internal webserver, you can use the Zentyal webserver module.

In any case, you will want to set your redirect up and then look carefully across your network for any negative side effects and unintended consequences of your server's configuration. Regrettably, there is no method of blocking sites that I know of that blocks sites only and has no potential impact on workflow for the network's users. It may take trial and error to find the best solution for your particular situation.

[kavirajan]

christian,

You have to work alot and do practice with Zentyal. I think you are not in moderator stage, you are like a newbie.

I succeed if you need to my help ping me I will show step by step of blocking https site.

[christian]

I know I still need to learn. Who doesn't 
I try to practice with Zentyal as much as possible but I only use it at home, thus I suppose it limits my progresses in this area.

If you know how to do it using transparent proxy, then feel fre to explain. I think it will help a lot of people here.

This said, if you read carefully what I wrote  I explained that using transparent proxy, you can't do this using proxy and have to implement workarounds.
But I believe you understood this already and come with solution I don't know yet. Please feel free to explain 

[christian]

kavirajan,

Few additional inputs that may help you to understand why controlling HTTPS doesn't work when is used in transparent mode (except if "man-in-the-middle" is implemented but as far as I know, this is not yet done with Zentyal 3.0)

- have a look here.
- if you don't want to read document written by a newbie, just look at this picture. It clearly shows that when using transparent proxy, HTTPS is redirected at FW level and does ot use proxy

[kavirajan]

So you are telling me we are not able to block https sites along with transparent proxy, Is that right.

[christian]

Sorry, I realize that you don't get me. Let me rephrase it:

If you are using transparent proxy, then controlling HTTPS can not be done using proxy but workaround like fake DNS entry or FW rules.

I though my drawing was explicit enough but it is perhaps too simplistic and do not show the very detail.

Then if you want to know everything, ensuring 100% that you do control HTTPS (or even HTTP BTW) is just impossible. Like for viruses, you will have to fight forever in order to block all the external so called "free proxy" but this is another story isn't it 

[kavirajan]

Hey thanks christian,

your flow chart helped me to understand.
Actually its worked, but refreshing or after 10 mins https facebook is working.

Please anyone help me,

66.220.149.88   www.facebook.com        
66.220.152.16   www.facebook.com        
69.171.234.21   www.facebook.com        
69.171.237.16   www.facebook.com        
69.171.247.21   www.facebook.com

If these ips are added to Clinet host file perfectly worked https facebook is blocked.
So my question is if I added this ips into Zentyal Os host or squid file, Is that will help to block.
My only drawback will be facebook https access. Please help i need to implement this weekend.

[christian]

So my question is if I added this ips into Zentyal Os host or squid file, Is that will help to block.

As you ask this, it shows that my drawing is not clear enough or at least that you don't understand it 
Unfortunately, I'm not skilled enough to explain better or differently 
Let me try once more however: with transparent proxy, HTTPS flow does not go through proxy (here Squid) but is handled by FW only, reason why you have to implement workaround like fake DNS entries.

hint from newbie  : it obviously depends on which DNS your clients are using... look carefully at this drawing again. Use of DNS is different whenever you use transparent or explicit proxy.

[kavirajan]

Hi Christain,

Then please help how to create fake dns or Fw rules, facebook is only drawback.

Please explain with real time example, its so helpful for us.

Is there any chance or not atleast using fake dns or Fw. Please tell me directly.

[Escorpiom]

There have been a couple of discussions about blocking Facebook, some solutions may work to some extend.
There is a topic that suggests blocking complete subnets with the firewall, at the risk of blocking legitimate sites.
Fake DNS may work but then again, you can surf to some proxy site and enter facebook from there...
And what about using other DNS servers? Is the Zentyal transparent DNS a catch-all solution?

Cheers.
 

[christian]

The only way to block any web site that is using HTTPS is to block HTTPS at FW level and also prevent use of external "free proxy" (which is almost impossible  ).
This will quickly lead you toward another approach that is to authorize only sites explicitly and deny what is not authorized.
This does work but there is no such thing a a free lunch isn't it? 

So, at the end, this is a balance between tightly controlled web access but few added value for end-users (perhaps this may fit your own expectation) and reasonably controlled access but not 100%.

For sure, use of transparent proxy make this slightly less easy but this is another discussion.

[Sam Graf]

Is there any chance or not atleast using fake dns or Fw. Please tell me directly.

You've probably already understood this from what christian and Escorpiom have already said, but there is no chance that you can do any one or two things and completely block access to Facebook. Using an explicit proxy may make that particular task easier, but at the possible or probable expense of complicating several other things on your network.

There really is no free lunch here. There is no simple step-by-step recipe to follow to block Facebook that will work for everybody, to my knowledge.