Author Topic: Problem to stop https facebook...

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #15 on: September 07, 2011, 07:47:51 am »
Sam,

I'm sure we will succeed at aligning our views.

1 - I do understand that the goal is not to block all HTTPS traffic. This is clear to me.
2 - The test I made blocks only Facebook, both HTTP and HTTPS, which is the goal if I understand correctly.
3 - With the transparent proxy enabled, this can NOT be achieved without firewall rules.

If you have a Zentyal test platform, try the following:
- set up Zentyal as a gateway with firewall and proxy
- configure the proxy as "NON transparent"
- configure your browser to use the proxy for all protocols (yes, including SSL/TLS, i.e. HTTPS)
- do not configure extra rules in the FW and ensure HTTPS does not bypass the proxy (when you stop the proxy, access to the internet should not work for either HTTP or HTTPS)
- ensure you can access Facebook with both HTTP and HTTPS.

So far so good  :)

Then go to the HTTP proxy menu, then filter profiles.
Change the configuration of the default profile to add "facebook.com" in "domains and URL rules" under domains filtering.
Save, then try to access Facebook with either HTTP or HTTPS.
How does it behave?

Sam Graf

  • Guest
Re: Problem to stop https facebook...
« Reply #16 on: September 07, 2011, 01:09:55 pm »
I'll try this, but I think the fact that Squid needs "help" at the client end to handle HTTPS traffic in the same way it can handle HTTP traffic without help at the client end more or less shows that in a practical, non-technical sense, it's correct to say that Squid can't get into the middle of HTTPS traffic on its own, at least in Zentyal's implementation. The client has to send the HTTPS traffic Squid's direction. Then, and only then, can the proxy selectively block HTTPS traffic, it seems.

The practical complications of this are significant for companies and organizations not tightly controlling the hardware side of things. But that remains discussion for another topic.

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #17 on: September 07, 2011, 01:34:28 pm »
Unfortunately this is the way it works  :-[

Because of this, mechanisms have been deployed to help maintain such a config client side.
We were discussing in parallel in the "flash" related topic and I've also, BTW, launched a poll to get a better view of who is doing what here.

The "proxy.pac" mechanism is the very first step.
Then WPAD (which is no more than a helper to easily find proxy.pac) is the second step.

Of course one will always have to ensure that the browser is configured, client side, at least to automatically discover the proxy. But it's like networking: if your interface is configured in static mode, you will never benefit from DHCP, will you?  ;D
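A proxy.pac for the non-transparent setup described in Reply #15 and the proxy.pac step just mentioned, as an added example that is not from the thread or from Zentyal; the gateway address 192.168.1.1 and port 3128 are assumptions. It deliberately has no DIRECT fallback, so stopping the proxy really does cut off both HTTP and HTTPS.

```javascript
// Added example (not from the thread or from Zentyal): a proxy.pac that
// forces every HTTP and HTTPS request through the Squid proxy with no
// DIRECT fallback. Gateway address and port are assumptions.
var PROXY_HOST = "192.168.1.1";
var PROXY_PORT = 3128;

// Hosts that should never go through the proxy: bare intranet names,
// loopback, and the gateway itself. Browsers provide built-ins such as
// isPlainHostName(); this helper is self-contained so the file can also
// be exercised outside a browser (e.g. under Node).
function isLocalHost(host) {
  host = host.toLowerCase();
  return host.indexOf(".") === -1 ||   // bare hostname, e.g. "intranet"
         host === "localhost" ||
         host === "127.0.0.1" ||
         host === PROXY_HOST;
}

// Entry point the browser calls for each URL. For an https:// URL the
// browser sends the proxy a CONNECT with only the hostname, which is why
// the domain part of "domains and URL rules" can still match facebook.com
// although the URL path stays encrypted end to end.
function FindProxyForURL(url, host) {
  if (isLocalHost(host)) {
    return "DIRECT";
  }
  // No "; DIRECT" here: if the proxy is down, the browser must fail,
  // not silently bypass the filter.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}

// Stand-alone check when run under Node (ignored by browsers).
if (typeof module !== "undefined" && typeof require !== "undefined" &&
    require.main === module) {
  console.log(FindProxyForURL("https://www.facebook.com/", "www.facebook.com"));
  console.log(FindProxyForURL("http://intranet/", "intranet"));
}
```

Serve the file from the gateway as proxy.pac and point the browser's automatic configuration URL at it, or publish it via WPAD as the next post describes.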

Sam Graf

  • Guest
Re: Problem to stop https facebook...
« Reply #18 on: September 08, 2011, 02:33:26 am »
Some day we'll have to start a topic on the problems this approach creates for international business let alone SMBs. In the meantime, thankfully we at least have the transparent proxy option! ;D

christian

  • Guest
Re: Problem to stop https facebook...
« Reply #19 on: September 08, 2011, 07:06:36 am »
Sure.

I think we are now done with this never-ending thread: different approaches exist depending on whether the proxy is used in transparent or non-transparent mode.

I hope the pros and cons are well understood by everyone, and also that everyone acknowledges that the Zentyal platform doesn't provide, as of today, all the bells and whistles to ease "standard" proxy (meaning, from my side  ;) non-transparent) deployment without some manual tricks if automatic proxy detection is desired.

At least if our long discussion doesn't result in a clear deployment strategy, it has allowed us to clearly share understanding of some technical aspects and why settings like "FW rules" are required depending on your design.

TTFN.

Sam Graf

  • Guest
Re: Problem to stop https facebook...
« Reply #20 on: September 08, 2011, 03:08:20 pm »
One last comment ... Not to have the last word, but to tie this back to Zentyal.

"Standard" enterprise IT and "standard" SMB IT are almost certainly very different animals. In my 20 something years of working with non-profit and small business technology, the "path of least resistance" rule prevails more often than not. Today, that sort of "procedure" has been formalized in the concept of IT as a service.

IT as a service is playing out in at least two new ways in SMBs: BYOD and desktop or application virtualization. Today, virtualization software can run on a commodity infrastructure. Commodity servers, entry level gigabit switches, and plain old TCP/IP are pretty much all that's needed.

Zentyal itself is an excellent example of standard path-of-least-resistance SMB IT. Transparent this and transparent that are the right things to do in a traditional SMB context, and IMHO, Zentyal needs to stay on that course for now. Like Zentyal itself, this kind of transparency is going to be frowned on by at least some advocates of traditional, "old style" enterprise IT approaches, where IT isn't seen as a service.

The difficult task in front of Zentyal as an SaaS offering is balancing these two different approaches to IT, to optimize market potential. To me, this includes intentionally accounting for the new BYOD and virtualization trends taking place in the SMB market.

Anyway, finally ... I'm done.

AndrewGreen

  • Zen Apprentice
  • Posts: 2
  • Karma: +0/-0
Re: Problem to stop https facebook...
« Reply #21 on: March 28, 2012, 11:43:25 am »
Still, we can find that services in IT are moving between BYOD and various applications. A SaaS provider cannot manage both things at a time.