Centos – squidguard not blocking https sites.

centosPROXYsquid

Trying to get squidguard to block https sites.

Setup. ( This is the basic config http://thejimmahknows.com/proxy-wccp-cisco-asa-squid-3-4/)

Server running centos 7.
squid + squidguard installed.

Squid running as transparent. Talking to our ASA via wccpv2.

What is working:
Blocking of http sites by name. IE disney.com
HTTPS proxying seems to be working. Getting access log entries of

1447775591.689 408846 192.168.203.110 TCP_MISS/200 63828 CONNECT 104.16.92.254:443 - HIER_DIRECT/104.16.92.254 -

What isn't working.

Filtering of https sites.

I get no errors, just nothing happens. I can get to the site just fine. I'm not sure if it's a problem with my squid or squidguard.

Best Answer

The log indicates your HTTPS connection gets passed to SquidGuard as IP address and not domain name; this is expected behavior as browser always connects by IP in transparent deployments. Please use the latest Squid that is capable of passing SNI info to the external filters and find out how to adjust squid guard to use this info.

If you need to look into SSL content - setup SSL bump as for example in http://docs.diladele.com/administrator_guide_4_3/https_filtering/index.html; then let the ICAP web filter (qlproxy) block the next request from the browser (the domain name will be taken from Host request header).

Related Solutions

Linux – Blocking HTTPS and P2P Traffic

For 1) and 2) I think you should look into OpenDNS.

For 3) and 4) look into snort's inline mode or you can try PacketFence which I recommend if you have network and linux experience (it does way more than only block p2p).

How To Enable URL Filtering With Just Squid & C-ICAP

I'm trying to do the same. I got success configuring c-icap to block a request.

Your srv_url_check.conf seems to be incomplete. Mine is configured as follows:

Service urlcheck /usr/lib/x86_64-linux-gnu/c_icap/srv_url_check.so
url_check.LookupTableDB denyhosts url hash:/etc/c-icap/denyhosts.txt "Denied Host"
url_check.Profile denyProfile block denyhosts
url_check.ProfileAccess denyProfile all

The file denyhosts.txt, is a simple text file. Each line should contain a host to be block, such as:

mp3.com.au
xvideos.com
sex.com

And finally, you should uncomment line acl all src 0.0.0.0/0.0.0.0 into c-icap.conf.

Start your c-icap server like /usr/bin/c-icap -D -N -d 1 (adjust the log level (-d) as you wish) and test it using /usr/bin/c-icap-client -s url_check -req http://sex.com -v -d 1.

As a response, you will receive:

ICAP HEADERS:
    ICAP/1.0 200 OK
    Server: C-ICAP/0.4.2
    Connection: keep-alive
    ISTag: CI0001-XXXXXXXXX
    X-ICAP-Profile: denyProfile
    X-Attribute: denyhosts
    X-Attribute-Prefix: 7
    X-Response-Info: BLOCKED
    X-Response-Desc: URL category denyhosts is BLOCKED
    Encapsulated: res-hdr=0, res-body=108

RESPMOD HEADERS:
    HTTP/1.0 403 Forbidden
    Server: C-ICAP
    Content-Type: text/html
    Connection: close
    Content-Language: en

This is what I did so far...

Best Answer

Related Solutions

Linux – Blocking HTTPS and P2P Traffic

How To Enable URL Filtering With Just Squid & C-ICAP

Related Topic