Author Topic: Problem to stop https facebook...  (Read 13188 times)

juppy

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Problem to stop https facebook...
« on: September 05, 2011, 09:50:51 pm »
I'm in trouble to configure this Zentyal because i cannot set Zentyal to block some https sites


I have created a non transparent http Proxy (on 3128 port) with user content filter dhcp dns ecc...end it works well.
...but when i try to stop some https sites (like facebook) my filter doesn't work!!!

I have created a object with the facebook ips
I have created the https service on port 443
I have configured the internal network of the firewall for blocking the outgoing facebook https requests
...but Nothing to do... the Zentyal didn't stop the https of facebook

Do you have some ideas? Help needed please.  :o


 



Sam Graf

  • Guest
Re: Problem to stop https facebook...
« Reply #1 on: September 05, 2011, 10:14:45 pm »
Because HTTPS should be a direct connection between client and server, it's correct behavior for a proxy to not be in the middle of HTTPS traffic.

This has been discussed a few times here. See this post (and the topic it's in) as an example, and for additional information.

juppy

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: Problem to stop https facebook...
« Reply #2 on: September 05, 2011, 10:40:46 pm »
Yes i have understand but i have follow this documentation to buil my gateway but no way... it dosn't stop the https traffic.

The only thing that i didn't follow was the tipology of the proxy .... in my case is not transparent mode...but it' s no a real problem because i set manually the browser to use the gateway.

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #3 on: September 05, 2011, 10:56:54 pm »
Sorry but I do not share the statement  :-[

I'm not saying it's wrong but at least a bit misleading.
Direct connection is one option, obviously  ;) another one is to use proxy "CONNECT request" method.

To me, proxy can and must still be in the middle between browser and server. what is not supposed to be done (and not done BTW except with proxy implementing "man in the middle" behaviour) is content content filtering and obviously caching.

As a result, if your browser is configured to use proxy including for SSL and if firewall doesn’t authorize direct connection (BTW, if DNS doesn't resolve internet names, direct connection doesn't work  ;D), then the only way to access HTTPS based server is proxy and it does work!!! reason why I say "statement is misleading".

Then as goal is to block access to some HTTPS sites, and because content filtering cannot be implemented, some other mechanisms have to be deployed  :P
this can be done by preventing... proxy to reach these IP addresses in IPtables.
using domain filtering in Zentyal works too  ;)
see attached picture  8) give a try yourself and let me know  :P
« Last Edit: September 06, 2011, 07:52:20 am by christian »

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
    • View Profile
Re: Problem to stop https facebook...
« Reply #4 on: September 06, 2011, 02:42:54 am »
christian, is it correct that we have to add BOTH the firewall block rule AND the proxy domain filter rule?
That would explain why many of us had trouble blocking these kind of sites.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

Sam Graf

  • Guest
Re: Problem to stop https facebook...
« Reply #5 on: September 06, 2011, 03:42:22 am »
Christian's response has me a little confused. As the HowTo says,

Quote from: HowTo
As you can see you have blocked facebook.com (just as example) but have in mind that HTTP Proxy only filters HTTP on port 80. In this case users can still reach HTTPS version of the page, so we also create a firewall rule blocking that traffic. You will need an object (Objects menu) containing facebook.com address pool ...
In my experience that's how it actually works. And it would seem to me that if we deny a destination via the firewall that the proxy's rule becomes redundant.

So I'm looking forward to reading along and see where this conversation goes ...

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #6 on: September 06, 2011, 06:58:31 am »
Sam,

Sure, if you deny destination in FW, proxy rule is redundant. I do not deny this  ;)
From this point, we will have mostly philosophical discussion  ;D because multiple ways exist to reach same (almost) behaviour that is, here, to block Facebook.
I will elaborate on this later (I definitely hardly write short posts  :-\ )but I do want first to clarify the misunderstanding about Squid not handling HTTPS, reason why filtering must be done in FW. This is not correct.

Let's start some "philosophy" now  :-*
The way I perceive it (but no saying "I'm correct" and even less "I'm the only one correct"):
1 - HTTP PROXY module is deployed to handle and potentially filter HTTP and HTTPS protocols. Why, if there is no technical constraint, would you authorize to by-pass it for HTTPS?
2 - having to control HTTP(S) flow using 2 different interfaces (proxy and fw) whenever it's HTTP or HTTPS is a bit confusing isn't it?
3 - what if tomorrow Facebook moves to another IP? Will you adapt FW rule?

I you can do it, just try my way of achieving it and let me know...  ;)

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #7 on: September 06, 2011, 07:05:49 am »
christian, is it correct that we have to add BOTH the firewall block rule AND the proxy domain filter rule?

As far as I understand (and just experimented for this purpose last night), no, it's not correct. Then I'm very open to further discussion in case I made a mistake.

As I answered to Sam, either you decide to authorize HTTPS through FW and then you MUST filter destination in FW or your approach is to make HTTP PROXY mandatory and then it's enough to filter in PROXY.
All come from a misconception that Squid (and HTTP PROXY in general) can NOT handle HTTPS. It can NOT perform anything based on content (because of the encrytption) but can definitely handle connection even for HTTPS.

Did you ever wonder why your browser permits to configure proxy even for SSL?

However, I'm still investigating, reading Squid documentation, to understand where blocking occurs in case of HTTPS.
For sure, if FW is needed, it's not because of client but because of prox accessing this site.
and I confirm it works for me without ANY specific FW rule  ;D ;D
« Last Edit: September 06, 2011, 07:55:56 am by christian »

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #8 on: September 06, 2011, 08:03:01 am »
So I'm looking forward to reading along and see where this conversation goes ...

There is one point I would like to clarify asap: unless all HTTPS flow is denied, there is no way to block 100% user willing to access web site:
if user accesses, using HTTPS, open proxy (or "anonymizer") on internet that is not blocked in your local proxy (or FW  ;D  ), then access to Facebook will be possible.

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #9 on: September 06, 2011, 08:13:52 am »
And just for the fun because this topic is really an interesting one, here is another (dirty) method to prevent (within the limit of above post) access to Facebook:

- browser being configured to use proxy
- NSS configured to rely first on file (i.e; /etc/hosts)
- configure, at Zentyal level, www.facebook.com as local address, e.g. localhost

when proxy will try to access it, it will access instead this address.

I do not promote this approach: goal is only to explain that multiple and different ways to achieve "almost" same behaviour exist  8)

nicolasdiogo

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 263
  • Karma: +3/-0
  • a pessimist, but trying out optimism
    • View Profile
    • BrainPowered Business Intelligence Consultancy - UK
Re: Problem to stop https facebook...
« Reply #10 on: September 06, 2011, 12:56:12 pm »
sorry if this does not work but


could you not create a DNS entry for

facebook.com

on your zentyal installation?  i believe this would intercept all DNS lookup within your network - and lock any dns queries to go through your firewall as well.


Nicolas
my opinions and suggestion expressed on this forum are my own as a user.
please note that i am not part of the Zentyal Development Team

www.brainpowered.net - supporting open-source Business Intelligence in Europe

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #11 on: September 06, 2011, 01:20:11 pm »
could you not create a DNS entry for

facebook.com

OMG!!!! Christian, what did you do :o  ???  Opening Pandora box generates a lot of alternative proposal to solve something that is supposed to work out of the box (not the Pandora one) with proxy module only  ;D ;D ;D ;D

Sorry guys, I didn't aim to do this  :P :P :P

Joke aside, yes it might work but redefining you own facebook.com zone or even alias is really dirty isn't it?

Did anyone test that what I did last night is working for you too (I'll try again this evening just to be sure)?

juppy

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: Problem to stop https facebook...
« Reply #12 on: September 06, 2011, 05:15:08 pm »
In my case the Zentyal gateway is perfect as user domain filter but it's no way to stop https sites (like facebook).
I have tried to create a ojbect (facebbook with the ips), a service (on 443 port called https) and i have added the firewall roule (As suggested in the manual)...but Zentyal doesn't seems to work correctly.

Note:
I want to stop the https of facebook but not other https sites.


Tonight i will reinstall the system and then i hope to understand if it's only a my problem or it' s a Zenthyal bug that for same reason at this point didn't apply firewall roules correctly.
 ???

If some of you have any suggestion to solve the problem... i' m here !!





christian

  • Guest
Re: Problem to stop https facebook...
« Reply #13 on: September 06, 2011, 05:58:26 pm »
Juppy,

Do you mean that what I describe doesn't work for you?
I made another test right now: without domain rule in proxy settings, I can access Facebook. Adding such rule (as shown in my previous) prevent me to access.
I do NOT add anything at firewall level.

How is you browser configured for what concerns use of proxy?

Sam Graf

  • Guest
Re: Problem to stop https facebook...
« Reply #14 on: September 07, 2011, 01:43:04 am »
My head hurts ...

OK, let's see if we can sort this out:
There is one point I would like to clarify asap: unless all HTTPS flow is denied ...
But of course we aren't trying to block all HTTPS trafffic. Just some. What I'm saying is that Squid, it appears, can't discriminate about HTTPS traffic in the same way it can for HTTP traffic. I can block some HTTP traffic without having to block all HTTP traffic. So far, it seems HTTPS traffic cannot be handled in the same way using Zentyal. But maybe I'm just badly confused ... :'(

However, if the real point here is that we shouldn't be using a transparent proxy in the first place, we have other issues to hash out that are outside the scope of this topic. For to me, that brings us squarely back to the idea that Zentyal needs to find a home in a VDI world--where I might reasonably do away with transparent proxies for device-independent virtual desktops.

I will elaborate on this later (I definitely hardly write short posts  :-\ )but I do want first to clarify the misunderstanding about Squid not handling HTTPS, reason why filtering must be done in FW. This is not correct.
Again, what it seems that Squid cannot do is discriminate this HTTPS traffic from that HTTPS traffic. I'm not saying I know that for a fact, but I'm saying that I have yet to see clearly how I can parallel Zentyal's HTTP site blocking capability for HTTPS traffic. Maybe I'm just dumber than a stump? :D

1 - HTTP PROXY module is deployed to handle and potentially filter HTTP and HTTPS protocols. Why, if there is no technical constraint, would you authorize to by-pass it for HTTPS?
Because I don't seem to be able to block some HTTPS traffic. Out of the box, Zentyal simply blocks all HTTPS traffic when using a transparent proxy.

2 - having to control HTTP(S) flow using 2 different interfaces (proxy and fw) whenever it's HTTP or HTTPS is a bit confusing isn't it?
Well, at this point I'm more confused by where we're headed here than I am by Zentyal, but I'm not giving up. :D

3 - what if tomorrow Facebook moves to another IP? Will you adapt FW rule?
Well, why not? I am constantly editing the HTTP site rules (people legitimately need access to blocked sites, Zentyal delivers a false positive, etc.). So while the process is different, it all takes time, one way or another.

I you can do it, just try my way of achieving it and let me know...  ;)
I am dumber than a stump for sure, because I'm just not clear how even to try your way. I am really missing something here. :-[