Can I block HTTPS site with proxy?

David1234 · June 5, 2017, 12:09pm

Hello,
I have a router in our office and we want to block all kind of xxx sites
I have proxy on the router and I have added this line :

/ip proxy access> add action=deny comment="" disabled=no dst-host=*porn*

I have notice that if I enter site name with “porn” inside it block me
but if I write the full address :
https://www.porn.com
it will allow me to enter it

so - how can I block this sites in the proxy ?
or only in the firewall?

Thanks ,

baragoon · June 5, 2017, 12:14pm

No. HTTPS isn’t supported by mikrotik proxy.

Отправлено с моего iPhone используя Tapatalk

David1234 · June 5, 2017, 12:25pm

mm…
any idea how can I block it?

and redirect it?

so when someone will try to get to a forbidden page we will redirect ?

baragoon · June 5, 2017, 5:18pm

Layer 7 or DNS regexp mb.

Отправлено с моего iPhone используя Tapatalk

j2sw · June 5, 2017, 7:23pm

https, by design, is very hard to introduce something in the middle, such as a proxy. The protocol has mechanisms in it to prevent man in the middle hijacking, which is essentially what a re-direct proxy does. If you have ever been to a hotspot that complains about the security certificate when it tries to re-direct your web-traffic to their secure site you have experienced this

SilverNodashi · October 6, 2017, 12:04pm

Layer 7 will use quite a lot of memory. How would you block porn with DNS regexp?

normis · October 6, 2017, 12:07pm

You should filter by DNS.

L7 will not help against HTTPS, because the traffic is encrypted. Just redirect all DNS requests to your router and set some filters in the DNS static list.

SilverNodashi · October 6, 2017, 12:15pm

How would you get all porn site’s IP’s? There are literally hundreds and thousands of them.

normis · October 6, 2017, 12:27pm

There are probably sites that have such lists. He doesn’t need IP addresses, just the DNS names.
You would need a very powerful machine if you want to keep a DNS static entry list of 10000 names or more.

reinerotto · October 8, 2017, 5:59pm

Only correct, when you talk about mikrotik.
I did a (better) clone of openDNS on an average ubuntu server, blocking about 1.2Mio porno sites.
Theoretically, could be done on MT, too. In case, it were open (for mods).

Jotne · October 8, 2017, 6:30pm

Blocking porn is nearly impossible.
HTTPS goes trough most block. Not easy to stop.
DNS blocker using remote or local servere help some as long as user does not change local DNS to some other. (you may block other external DNS)
But if you like porn picture, just use google.com. Type in what you like and click picture. Would you block google and all other search engine?
Then you can use ultrasurf. An exe file that you can have one a memory stick and run without install anything.
It will pass all your proxy and DNS filter. Not easy at all to stop.