Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: xscorpion on May 15, 2012, 03:31:17 pm

Title: Web Filter to block HTTP & HTTPS
Post by: xscorpion on May 15, 2012, 03:31:17 pm
Dear All,

I am testing the web filter role to block sites. I blocked facebook.com, but it seems that users are still able to browse Facebook through https://www.facebook.com. So my question is how to block HTTP and HTTPS together.

Thanks in advance guys.
Title: Re: Web Filter to block HTTP & HTTPS
Post by: christian on May 15, 2012, 05:53:14 pm
My question is "how did you block HTTP"  ???
BTW, are you using transparent proxy?  ;D
Title: Re: Web Filter to block HTTP & HTTPS
Post by: Escorpiom on May 15, 2012, 11:14:16 pm
Exactly, you probably are using transparent proxy. There are a number of posts about blocking https Facebook or https in general, and it is still work in progress.
You may get workable results without using transparent proxy (in fact Christian has written a lot about it), but using transparent proxy requires you to block at the firewall level.
As Facebook is using several IPs you would have to create blocklists, but there's a bug in 2.2 that hangs the firewall if using objects with IP ranges.

Either way, it may be better to combine all those separate topics into one. The "blocking Facebook HTTPS" question pops up every once in a while.
At my end I'm using transparent proxy and no Facebook blocking at the moment  :(

Cheers.
Title: Re: Web Filter to block HTTP & HTTPS
Post by: christian on May 16, 2012, 07:37:59 am
> Exactly, you probably are using transparent proxy. There are a number of posts about blocking https Facebook or https in general, and it is still work in progress.

I may be wrong but I don't think there is anything "in progress":
- with transparent proxy, HTTPS flow control has to be done at FW level, and this is not going to change because this is a constraint due to the way transparent proxies work.

So today, you have no choice:
- either explicit proxy and HTTPS control at proxy level
- or transparent proxy and HTTPS control at FW level

What one may dream of is a FW permitting rules based on FQDN... but I'm afraid this is not that simple  :(
Title: Re: Web Filter to block HTTP & HTTPS
Post by: Escorpiom on May 16, 2012, 12:06:36 pm
> I may be wrong but I don't think there is anything "in progress":
> - with transparent proxy, HTTPS flow control has to be done at FW level and this is not going to change because this is constraint due to the way transparent proxy work.

Sadly, you may be right. There is perhaps no work in progress. Maybe I should ask Zentyal staff.
Setting up FW rules to block Facebook HTTPS is currently NOT 100% effective because of the number of IP ranges involved.
If you create rules to block all IP ranges that Facebook currently uses, the FW will hang and connectivity will be temporarily lost every time while saving.
That's what I meant by "work in progress".

You are correct about explicit proxy but that's not what I'm after, perhaps the OP might consider it.

I gave up on blocking HTTPS Facebook until 3.0 comes out.
On a side note, github seems to be inaccessible for some days now so it's difficult to see if there will be an update.

Cheers.
Title: Re: Web Filter to block HTTP & HTTPS
Post by: christian on May 16, 2012, 12:13:26 pm
Interesting:
- what do you expect from 3.0 regarding this HTTPS filtering?
- why are you not comfortable with explicit proxy? Is it because Zentyal does not provide an easy way to deploy WPAD?
Title: Re: Web Filter to block HTTP & HTTPS
Post by: Sam Graf on May 16, 2012, 02:49:54 pm
> - why are you not comfortable with explicit proxy?
As a side question, would it be useful to start a topic in tips that addresses real-world scenarios for Zentyal's proxy implementation? For example, in my experience (as I mentioned before), explicit proxy breaks HTTPS connectivity with stuff not using port 443. According to my reading here, that's pretty easily solved by hand, but I'm looking at the big picture, the total package--exactly how many things would a person have to maintain by hand, and exactly what that looks like at software update time, for a Zentyal admin to be able to deploy the proxy as explicit? Maybe ignorance of the exact nature of the task is keeping some simple admins from enjoying the benefits of an explicit proxy?

I'm not endorsing hand management of core services. I think it's a lot to ask of Linux noobs to hand manage half a dozen or so bits and pieces of Zentyal's core services to make their "special case" ;) work. At the same time, to my knowledge there is no detailed list of exactly what happens when Zentyal is configured to be an explicit proxy, let alone how to address each item on that list if the need arises. It seems to me that only when that kind of material is available can a simple Linux admin make an intelligent choice about what kind of proxy to deploy. Otherwise, there is simply too much mystery around it all. IMHO.
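As an added example (not Zentyal's or Squid's own code), the following Python models the two control points Christian lists above ("explicit proxy and HTTPS control at proxy level" versus "transparent proxy and HTTPS control at FW level") together with the port caveat Sam raises. An explicit proxy receives the hostname in the browser's CONNECT request line, so it can apply a domain blocklist and Squid's stock SSL_ports rule (which is why HTTPS on a port other than 443 stops working until that port is added by hand). A transparent proxy, or the firewall in front of it, only sees destination addresses and ports, so the same policy has to be expressed as address ranges. The blocklists, sample requests and address ranges are constructed for illustration (the ranges are RFC 5737 documentation prefixes, not Facebook's).

```python
"""Where an HTTPS block can be decided: explicit proxy vs. transparent proxy.

Added example, not Zentyal or Squid code. The blocklists below are constructed
for illustration only.
"""
import ipaddress
import re
from typing import Iterable, Optional, Tuple

# Constructed domain blocklist (explicit-proxy side).
BLOCKED_DOMAINS = ["facebook.com", "fbcdn.net"]

# Constructed address blocklist (firewall side). RFC 5737 documentation
# prefixes stand in for the many real ranges the thread complains about.
BLOCKED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Squid's stock squid.conf ships "acl SSL_ports port 443" and
# "http_access deny CONNECT !SSL_ports". A site serving HTTPS on another
# port must be added to this set by hand; that is the breakage Sam describes.
SSL_PORTS = {443}

CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]$")


def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2))


def host_blocked(host: str, blocked: Iterable[str] = BLOCKED_DOMAINS) -> bool:
    """Suffix match so www.facebook.com is caught but notfacebook.com is not."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in blocked)


def explicit_proxy_decision(request_line: str, ssl_ports=SSL_PORTS) -> str:
    """Policy an explicit proxy can apply: it knows the hostname and the port."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "deny: not a CONNECT request"
    host, port = parsed
    if port not in ssl_ports:
        return f"deny: port {port} not in SSL_ports"
    if host_blocked(host):
        return f"deny: {host} is blocklisted"
    return f"allow: {host}:{port}"


def transparent_decision(dst_ip: str, dst_port: int, ranges=BLOCKED_RANGES) -> str:
    """Policy available when HTTPS is intercepted transparently.

    A packet filter such as iptables matches addresses and ports only; the
    hostname is not in the IP header, so a domain list cannot be applied here
    and every blocked site becomes a list of address ranges to maintain.
    """
    ip = ipaddress.ip_address(dst_ip)
    if dst_port == 443 and any(ip in net for net in ranges):
        return f"deny: {dst_ip} in blocked range"
    return f"allow: {dst_ip}:{dst_port}"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real network.
    for line in ("CONNECT www.facebook.com:443 HTTP/1.1",
                 "CONNECT example.com:443 HTTP/1.1",
                 "CONNECT example.com:8443 HTTP/1.1"):
        print(f"{line!r:45} -> {explicit_proxy_decision(line)}")
    for ip in ("203.0.113.7", "192.0.2.5"):
        print(f"{ip:45} -> {transparent_decision(ip, 443)}")
```

Passing `ssl_ports={443, 8443}` to `explicit_proxy_decision` is the equivalent of the by-hand SSL_ports edit Sam refers to; the transparent side has no such knob for hostnames at all, only more address ranges.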
Title: Re: Web Filter to block HTTP & HTTPS
Post by: christian on May 16, 2012, 04:08:35 pm
Sam,

If there is no need for HTTPS filtering, no need for profiling, well, to make it short, "use of proxy cache" only, stay with transparent proxy if it fits your expectations.
I'm not always pushing for explicit proxy  :P  in some cases it may fit, but in such a situation there is no question because there are no specific needs and... it works.
Then as soon as something different is targeted, transparent proxy has side effects and you have to balance between potentially some changes to have explicit proxy working in your implementation on one hand and some changes to achieve your goal at FW level with transparent proxy on the other hand.
It's up to you  ;) (once you understand that transparent proxy will not allow authentication and therefore not allow user based profiling, but I'm sure you know this already)

Your idea to build a list of tasks to be done depending on your configuration choice is a good one, although I'm afraid it will take a while before we cover the various needs expressed in this forum. However, that doesn't prevent us from starting. Who's first?
 
Title: Re: Web Filter to block HTTP & HTTPS
Post by: Sam Graf on May 16, 2012, 04:25:39 pm
Well, it seems to me that there are benefits to an explicit proxy (though true, not everyone will need it). So we could start with a list--too bad we can't do this wiki style, so people could edit everything--of benefits to both approaches. Since the transparent proxy just works, any mental fog probably starts with the explicit proxy.

So, I'll start ...
Title: Re: Web Filter to block HTTP & HTTPS
Post by: christian on May 16, 2012, 05:13:31 pm
 ;D ;D ;D ;D ;D
Transparent proxy just works if... you don't want to:
- filter HTTPS flow
- apply profiling or anything based on user authentication
- what about parent proxy?

with such approach:
- explicit proxy works once... you've configured your browser to point to your proxy

so, this is obviously not the right approach ::)

What I mean is that the debate is not a matter of installation on the Zentyal side but of aligning what needs to be done server side with what needs to be done client side, and what you may expect from this in terms of features, or what such a design permits and doesn't.
This is why I wrote that this is not as simple as it looks at first.
I wrote the "HowTo" related to proxy because some users were convinced that explicit proxy would mean explicitly defining it at browser level, which is obviously not true. However this doesn't cover all the pros & cons of each design.
Thus, should we rather make a two-step document:
- pros & cons of each design
- what to configure and where, depending on the chosen design
Title: Re: Web Filter to block HTTP & HTTPS
Post by: Sam Graf on May 16, 2012, 06:08:18 pm
> ;D ;D ;D ;D ;D
> Transparent proxy just works if... you don't want to:
True. I think I'm referring to using the tools at hand. Transparent proxy just works in the sense that if I know nothing, it still just works using only the GUI. I can't say that about the alternative ... uncheck the box, set up the proxy in the client device, and boom ... almost certainly I will be scratching my head over something unexpected (to me). The boss's iPad works only in one office (duh, but teaching the boss how to set up the proxy per location doesn't look good in my annual performance review), this quits working, that behaves unexpectedly. I'm out of my depth sooner or later. Had I just stayed in the transparent proxy's shallow water, I would have been fine ... it just works. :D
Title: Re: Web Filter to block HTTP & HTTPS
Post by: Escorpiom on May 17, 2012, 02:39:04 am
> Interesting:
> - what do you expect from 3.0 regarding this HTTPS filtering

I expect to be able to add a number of IP ranges as network objects that can be used to block Facebook at firewall level, without the firewall hanging up or terminating connections.

> - why are you not comfortable with explicit proxy? is it because Zentyal do not provide easy way to deploy WPAD?
Sam has said it already. I may have some experience with Zentyal and Linux as a whole, but my users only expect things to "just" work.
I'm afraid that explicit proxy requires configuration at the users end, which I want to avoid.
There is no need for authentication here, instead users want to use the net hassle free. Using WPAD will probably break some Internet applications if not configured correctly.
Perhaps the main problem is that my service includes some guest users but also some staff.
Some users will be blocked from using certain resources, where others can browse freely. 

Cheers.