I need your help. Before posting I did search but found nothing.
I have to block Facebook, YouTube, etc. For these purposes I went with a transparent web proxy. But it works only a few minutes after the router is restarted, and then it again allows everyone access to blocked sites.
Any suggestions, tuning? Connection limits?
Configs:
ip proxy print
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-administrator: webmaster
max-cache-size: none
cache-on-disk: no
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-drive: system
We use the web proxy on all of our systems and have not experienced this issue with it.
But what we do differently to your configuration is to use a parent or upstream proxy which implements the content filtering.
The reasoning behind this is that there is a very easy way to bypass the filtering that you are trying to implement - use HTTPS which you cannot transparently proxy. To get round this issue we provide a proxy pac file that the users' PCs download and have also implemented WCCP on our Cisco core to redirect HTTPS for those devices that don’t / won’t support proxy auto configuration e.g. Android, Kindle etc.
Facebook has allowed users the ability to carry out all of their session now by HTTPS which makes blocking access harder than it used to be but not impossible.
Our upstream proxy is a pair of load balanced WebSense V10000 appliances but we are supporting circa 15K concurrent users on the end of our ROS devices.
WebSense is not cheap but is reliable in its web site categorisation and up time (next to zero downtime). There are others out there providing the same sort of appliance and service e.g. Fortinet.
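Added example, not part of the reply above and not the poster's own file: a proxy auto-config (PAC) file of the kind that reply describes, sending all non-local browsing, HTTPS included, to an upstream filtering proxy. The proxy host names and port 8080 are placeholders assumed for illustration.

```javascript
// Added example PAC file. The proxy names and port below are placeholders
// (assumptions), not values from the thread. The first proxy is tried first,
// the second is used if the first is unreachable.
var UPSTREAM =
  "PROXY filter1.example.internal:8080; PROXY filter2.example.internal:8080";

// True for dotted-quad literals in private, loopback or link-local ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

// Called by the browser for every request. For https:// URLs the browser
// opens a CONNECT tunnel through the returned proxy, so the filter sees the
// destination host name even though the content stays encrypted.
// The decision uses only `host`, never the URL path.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names (no dot, and not an IPv6 literal) go direct.
  var singleLabel = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (singleLabel || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // No trailing "DIRECT" fallback: if both filters are unreachable,
  // browsing fails closed instead of silently bypassing the filter.
  return UPSTREAM;
}
```

Devices that ignore PAC settings are not covered by this file, which is why the reply also mentions a network-level redirect.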
I have a problem using the MikroTik; I can’t block YouTube. My config:
enabled: yes
src-address: ::
port: 8080
anonymous: no
parent-proxy: ::
parent-proxy-port: 0
cache-administrator: webmaster
max-cache-size: 2048KiB
max-cache-object-size: 2048KiB
cache-on-disk: yes
max-client-connections: 600
max-server-connections: 600
max-fresh-time: 3d
serialize-connections: no
always-from-cache: no
cache-hit-dscp: 4
cache-path: web-proxy