Hey,

Can you clarify what you want to achieve eventually?

If you want to block YouTube or Facebook I can recommend other solutions than at the application level.

The following repository: https://github.com/vel21ripn/nDPI implements some level of deep packet inspection without the existence of a full-fledged proxy and does the filtering at the kernel level. Depending on the OS you are using you would be able to either compile or acquire the module and libraries that will allow you to block YouTube and/or Facebook. Take a peek at the wiki of the module at: https://github.com/vel21ripn/nDPI/wiki

I have published a package for CentOS 7 named "kmod-xt_ndpi" at: http://ngtech.co.il/repo/centos/7/x86_64/kmod-xt_ndpi-2.0.1-2.el7.centos.x86_64.rpm

Just note that the 2.0.1 is the 1.7 stable nDPI module; the version number is for the package and not the module version.

Another solution would be to maintain an iptables+ipset setup that detects access to Facebook or YouTube and blocks these.

If you give more details on the scenario we might be able to offer a more efficient solution.

Also, to block Facebook and YouTube traffic using ssl-bump you don't need to bump and run full MITM for all traffic, but just for YouTube or Facebook requests.

All the best,
Eliezer

* Let me know if you need more help.

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of ivanleoncz
Sent: Wednesday, September 27, 2017 23:02
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Blocking HTTPS On Transparent/Interception Proxy Configuration

Hello, Squid Users.

I'm not an experienced user for advanced configurations on Squid, so I need some advice or help, which will be much appreciated.

As I was watching some of the logs from my proxy, I noticed that there are requests that are made first via HTTP, and the remote web server responds with a 302 redirect to an HTTPS site. I can use Facebook as an example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1505162176.649 102 192.168.0.108 TCP_MISS/204 257 GET http://b-www.facebook.com/mobile/status.php - ORIGINAL_DST/31.13.66.37 text/plain
1505233881.293 176 192.168.0.149 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505240198.118 162 192.168.0.149 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505241490.335 203 192.168.0.149 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/157.240.3.35 text/html
1505248976.884 173 192.168.0.54 TCP_MISS/302 562 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1505303537.048 144 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505331296.129 181 192.168.0.108 TCP_MISS/302 635 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1505389662.830 144 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/157.240.17.35 text/html
1505393796.724 187 192.168.0.165 TCP_MISS/302 387 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505481730.533 145 192.168.0.74 TCP_MISS/302 484 GET http://www.facebook.com/plugins/fan.php? - ORIGINAL_DST/157.240.17.35 text/html
1505756711.632 221 192.168.0.76 TCP_MISS/302 671 GET http://www.facebook.com/plugins/likebox.php? - ORIGINAL_DST/31.13.66.36 text/html
1505849677.484 190 192.168.0.56 TCP_MISS/302 532 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1505913883.386 166 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/157.240.17.35 text/html
1505926185.493 146 192.168.0.56 TCP_MISS/302 532 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36 text/html
1506089311.489 152 192.168.0.62 TCP_MISS/302 587 GET http://www.facebook.com/plugins/likebox.php? - ORIGINAL_DST/157.240.17.35 text/html
1506102859.349 171 192.168.0.41 TCP_MISS/302 528 GET http://www.facebook.com/plugins/follow.php? - ORIGINAL_DST/157.240.3.35 text/html
1506449027.644 126 192.168.0.72 TCP_MISS/302 567 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/157.240.17.35 text/html
1506458858.890 244 192.168.0.54 TCP_MISS/302 562 GET http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/157.240.3.35 text/html
1506531664.419 137 192.168.0.152 TCP_MISS/302 382 GET http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

With these logs, I can understand that a first request is made via HTTP and a redirect is going to be performed. Am I right?

It seems like the same applies for other sites like YouTube, for example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1506454619.784 129 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506454859.606 127 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506455555.686 189 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.5.174 text/html
1506455678.559 181 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506455887.214 158 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/216.58.193.14 text/html
1506456578.142 127 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.5.174 text/html
1506457019.837 123 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506457532.332 110 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/216.58.193.46 text/html
1506457735.088 108 192.168.0.68 TCP_MISS/302 908 GET http://www.youtube.com/ - ORIGINAL_DST/216.58.193.46 text/html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since the first request is via HTTP, I was wondering:

- Why can't I just deny access to a site like "www.facebook.com", "facebook.com", "youtube.com", etc.?

If I cannot perform something like this, I'd like to know:

- Is there any way or mechanism that can be used on Squid for blocking HTTPS sites that were originally accessed via a 302 redirect?

I know that there are tons of blogs, forums, etc., that recommend the usage of SSLBump, but I also know that MITM is not a good choice, since it is (or it could be) illegal to eavesdrop on a secure connection. So I believe that SSL Bump is not an option.

Thank you all for the attention.

Best Regards,
@ivanleoncz

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
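As an added example (not from either poster), the squid.conf fragment below shows the "peek but don't bump" variant Eliezer mentions, applied to ivanleoncz's question: the plain-HTTP request that would get the 302 is denied by dstdomain, and on the intercepted HTTPS port Squid only reads the SNI from the client's TLS ClientHello (step 1), terminates matching names and splices everything else through untouched, so no certificate is forged and no payload is decrypted. The port numbers, the CA file path and the domain list are assumptions to adapt to your own setup.

```conf
# Added example for this thread, not the posters' own configuration.
# Assumptions: the firewall NATs port 80 to 3129 and port 443 to 3130;
# /etc/squid/ssl_cert/proxyCA.pem holds a local CA key+cert, which Squid
# requires on any ssl-bump port even when nothing is ever bumped.

# Plain HTTP: stop the initial request before the server can answer 302.
# Place this deny before your existing http_access allow rules.
acl blocked_sites dstdomain .facebook.com .youtube.com
http_access deny blocked_sites

http_port  3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem

# Intercepted HTTPS: at step 1 only the destination IP is known, so peek
# at the ClientHello to learn the SNI. At step 2 ssl::server_name matches
# the peeked SNI; terminate blocked names, splice the rest unmodified.
acl step1 at_step SslBump1
acl blocked_sni ssl::server_name .facebook.com .youtube.com

ssl_bump peek step1
ssl_bump terminate blocked_sni
ssl_bump splice all
```

Because the connection is never bumped, a blocked client sees its TLS connection closed rather than a Squid error page; the terminate decision is still recorded in access.log, which is where to verify the rule is matching.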