how to blocked facebook.com using http proxy

[Sam Graf]

In IT world, everything has potential side effect...

Not just in the IT world.

But that isn't my point. My point is that people need to be able to make reasonably informed decisions. So for my purposes, a side effect is problematic result (major or minor) or a result requiring further action.

I'm advocating for telling people up front what they're getting into rather than assume they know or can figure it out. Small business people don't like or need surprises, especially technical ones. At some point technical capability and practical outcomes have to merge in the small business conversation, as far as I'm concerned. It is at least sometimes the reluctance of technical people to do that--to get practical in a small business sense--that helps make many "debates" endless and useless. The conversation doesn't even have the same end goal, so how could it be otherwise?

Now we are officially off topic, but I've had my say.

[christian]

Sure but what is side effect for you is not perceived as such for me and vice-versa.
Some people feel painful to maintain DNS entries for their own servers while they agree to maintain external servers IP in network object.
Some may feel really painful to manually edit configuration file...
So what is really a side effect ?

All of this has been discussed already at length, therefore my initial answer: please rely on forum search feature and make you own opinion based on your own criteria.

Although I understand your point, I've absolutely no interest in any non-technical discussion 
Look at Squid documentation link I posted above. It contains some pros & cons, most having been discussed here and there.

Is it understandable for non-technical people ?  Perhaps not everything but "how to make technical choice for non-technical people" is another topic 
If you decided to go for Zentyal but have no clue about technical stuff behind, my strong advice is:
read the "Zentyal perfect gateway" document and apply.

[Sam Graf]

Sure but what is side effect for you is not perceived as such for me and vice-versa.

This I don't see given my definition of side effect.

Although I understand your point, I've absolutely no interest in any non-technical discussion 

I'm aware.

Is it understandable for non-technical people ?  Perhaps not everything but "how to make technical choice for non-technical people" is another topic 

What is not another topic is saying that it's really quite simple to block Facebook without telling people the whole story of the solution. That was and is my point. If people here really think that it's OK to provide "clever" solutions without helping people see how the solution actually shakes out in the real world, then I don't see the point of having anything but a purely technical forum. And I don't see at all how that helps make Zentyal a practical buisness solution for an ever wider group of customers.

Sigh ... I think I'll just too.

[ProNetic.dk]

You guys are absolutely right, i am very sorry if you feel that my "Its pretty easy" are offending the spirit of the forum/technical stuff.

I just started using Zentyal for about a month ago and ive tried out the different features and i really like what i see.

I am a network administrator, i currently hold a CCENT, CCNA, CCNP, CCNAS and CSSA, and i have 10 years of experience with infrastructure management, but primarily focused on Windows and Cisco. Therefore i have not looked at the deep technical details of all features, i have an understanding how proxy work but not the deep details.

I already ordered the Zentyal manual and i am also going to get certified, so i really try to apply my self because i really wanna learn.

I have always loved Open source and Linux, and when i came across Zentyal it seamed like the perfect solution for me.

I agreed that we have to find out why it works for me, to clarify what happens since the Squid documentation clearly states the HTTPs should not work.

My setup atm.

VDSL Modem -> Cisco ASA firewall -> Zentyal inside VMware ESXi and Clients. The Cisco ASA are the gateway/firewall, Zentyal running DNS, PDC and firewall(yet i am not using it as a firewall)

I am not using Zentyal as a gateway yet(waiting for hardware), just turned on the Proxy feature and set my Clients proxy settings to point on the Zentyal server. On the Clients i enabled "Use the same proxy server for ALL protocols"

When i access facebook via. HTTP i get a page "Access deny" when i use the HTTPs i just get "Page not found".

Sorry for the bad English

[christian]

This is as simple as what you describe if you have configured HTTP proxy in explicit mode. 

If for some reason you decided to go for transparent proxy, then, due to the way transparent proxy works (packets are intercepted at default gateway level and HTTP requests are transparently sent to proxy while HTTPS requests bypass proxy and go directly through firewall) then HTTPS can't filtered. 

As I explained in this previous post, indeed you can do it easily, as you do  BTW, when proxy is configured in explicit mode.

What doesn't work is when proxy is configured in transparent mode    therefore this discussion about potential workarounds 

[ProNetic.dk]

Okay so when you say explicit mode, and i have selected "transparent Proxy" in Zentyal, but my browser settings are "Use the same proxy server for all protocols" that will essentially override my "transparent proxy" in Zentyal?

[christian]

Transparent proxy is used only when you decide not to configure proxy at client level.
In its simplest design, it requires proxy to be also network default gateway.

As your Zentyal server is not defined as network default gateway, activating transparent proxy is useless because this is very unlikely that any packet reaches your Zentyal server on port 80. Therefore this is not matter of "overriding".

You are using proxy in its explicit mode and indeed blocking HTTPS "per domain" is straightforward.

Too bad there is no magic trick in your configuration.