linux
von_toster, 2018-05-24 10:52:11

Can squid block https sites?

It is necessary to block in a corporate environment, let's say, https://www.youtube.com/, https://www.vk.com, https://www.ok.ru for all AD users of the block group through Squid, for example, on Debian.
Does squid block 100% https protocol?
If not, then how do admins in their offices cope with access to the Internet when one user is restricted, another is blocked, and the third is full access?
In general, what solution to choose for blocking specific sites running the https protocol for individual users in a corporate environment?


2 answer(s)
CityCat4, 2018-05-25
@CityCat4

Does squid block 100% https protocol?

Blocks. But under a certain set of conditions.
- You can block the entire vk.com, for example, blocking CONNECT to it
- If you want to not only block, but also know where you went - you need to set up bumping, issue certificates. It's actually not that difficult, but you'll have to work your head.
Access for different user groups is, generally speaking, a separate and rather big issue that everyone deals with in different ways, including through groups in AD :)

Alexander Lipatov, 2018-06-16
@quality

Does squid block 100% https protocol?

Now I have squid 3.5.27 + ssl_bump with dynamic generation + AD roles in my office at the moment, to differentiate rights. As statistics sarg + ad, for a "readable" look. There are no problems. Any change in rules, access lists takes a couple of seconds and immediately starts working.
If certificate substitution is not needed, then simply "terminate" the connection to https sites in the blacklist. But in this case, there will be no "beautiful page" - access is denied, however, as well as the "details" of the https connection, too. This option is suitable for office or free Wi-Fi, for identification only by IP. If Active Directory is running on the network, it's beautiful. By the way, the squid is spinning on KVM, holding about 200 users without any problems. Yes, and the cache plays a very good role.
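
An added example, not taken from either answer: a squid.conf sketch of blocking HTTPS sites without certificate substitution, first by refusing CONNECT and then by terminating on the peeked SNI. The domains are the ones from the question; the client subnet, port and certificate path are placeholder assumptions, and clients are identified by IP only.

```conf
# Added example; subnet, port and cert path are placeholders.

# ssl-bump ports need a signing certificate configured,
# even though the rules below never forge a certificate.
http_port 3128 ssl-bump cert=/etc/squid/ssl/proxyCA.pem

# Restricted clients, identified by source IP (placeholder subnet)
acl restricted_clients src 192.0.2.0/24

# Leading dot matches the domain and all of its subdomains
acl blocked_sites dstdomain .youtube.com .vk.com .ok.ru
acl blocked_sni ssl::server_name .youtube.com .vk.com .ok.ru

acl CONNECT method CONNECT
acl step1 at_step SslBump1

# 1) Refuse the tunnel itself: "CONNECT www.youtube.com:443"
#    is denied before any TLS bytes are exchanged.
http_access deny CONNECT restricted_clients blocked_sites
http_access allow restricted_clients
http_access deny all

# 2) For connections where the CONNECT target is an IP address
#    (or traffic is intercepted), peek at the ClientHello and close
#    the connection when its SNI is on the list. Everything else is
#    tunnelled untouched, so no certificate is substituted.
ssl_bump peek step1
ssl_bump terminate restricted_clients blocked_sni
ssl_bump splice all
```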
