Hello everyone. I have a requirement here at the company to block all sites and allow only a few, using the MikroTik web proxy. Configuring it on the machines, in the browsers, it worked perfectly, both HTTP and HTTPS, but the problem is with the cell phones: there's no way I can configure the proxy on each cell phone. I tried the rule to redirect ports 80 and 443 to port 8080, but then the cell phone doesn't browse. Does anyone have a solution for that?
Yes:
Block all traffic on port 80 and 443 except the traffic directed to whitelist.
And block all VPN.
http://forum.mikrotik.com/t/port-443/149641/1
You will have no more problems with unproxyable devices, DoH, DoT, SSTP or OpenVPN working on port 443.
And you do not lose time with a useless proxy.
Unfortunately, it doesn't work very well that way. I even tried it, but for example there are news sites that have more than one IP, and not just their domain's IP; some materials and videos are hosted on Amazon, so it turns out to be infeasible. I tried to capture all the IPs using TLS Host, but it's not very functional, and if you do it that way, WhatsApp will also be blocked.
Using a proxy makes it worse: blocking HTTPS does not work with the MikroTik proxy.
Using the proxy in the browsers of the machines, it worked perfectly; the only problem was with the cell phones. It is impossible to configure them cell phone by cell phone.
You are the first person I read about on the Internet and am aware of who managed to get the MikroTik HTTP proxy to work for HTTPS as well.
Please let us know how you did it!!!
I just configured the proxy in the computers' browsers, pointing to the MikroTik, and it blocked all sites and released only a few.
If you can control name resolution, then you are already on track.
Blocking the actual data paths to the final server might then not be needed if you cannot look it up…
So
FORCE all DNS-lookups to go through something like “Pi-hole” on your device, so yes, you’ll need an additional VM/Docker or something.
Block indeed DoH, DoT, SSTP and other VPN stuff; block also the QUIC protocol (UDP/443).
"Intercept" (mangle) hardcoded 8.8.8.8/4 DNS lookups on Android devices and deliver them to your Pi-hole; there you can decide which URLs are possible.
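The DNS-pinning steps above written out as RouterOS firewall rules. This is an added example, not configuration from any of the posters; it assumes the LAN is 192.168.88.0/24, the Pi-hole sits at 192.168.88.10, and a RouterOS 7 router that resolves hostnames placed in address lists (the resolver hostnames are well-known public DoH endpoints used only as sample entries).

```routeros
# Added example (assumed values): LAN 192.168.88.0/24, Pi-hole 192.168.88.10.
# Goal: every LAN DNS lookup lands on the Pi-hole, and the usual bypasses
# (DoT, QUIC/HTTP3, known DoH resolvers) are closed so the Pi-hole's
# allow/deny decision actually sticks for phones that cannot use a proxy.

/ip firewall nat
# The Pi-hole must still reach its own upstream resolver untouched.
add chain=dstnat src-address=192.168.88.10 protocol=udp dst-port=53 \
    action=accept comment="Pi-hole upstream lookups pass through"
add chain=dstnat src-address=192.168.88.10 protocol=tcp dst-port=53 \
    action=accept comment="Pi-hole upstream lookups pass through (TCP)"
# Hard-coded resolvers (8.8.8.8 on Android, etc.) are rewritten to the Pi-hole.
add chain=dstnat src-address=192.168.88.0/24 dst-address=!192.168.88.10 \
    protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.10 \
    to-ports=53 comment="hard-coded DNS -> Pi-hole"
add chain=dstnat src-address=192.168.88.0/24 dst-address=!192.168.88.10 \
    protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.88.10 \
    to-ports=53 comment="hard-coded DNS -> Pi-hole (TCP)"
# Hairpin: the Pi-hole answers from its own address, which the phone would
# discard (it asked 8.8.8.8). Masquerade only the redirected flows so the
# reply returns via the router; direct queries keep the client IP in logs.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    connection-nat-state=dstnat action=masquerade \
    comment="return path for redirected DNS"

/ip firewall address-list
# Sample well-known DoH endpoints; extend with whatever your clients use.
add list=doh-resolvers address=dns.google comment="sample DoH endpoint"
add list=doh-resolvers address=cloudflare-dns.com comment="sample DoH endpoint"
add list=doh-resolvers address=dns.quad9.net comment="sample DoH endpoint"

/ip firewall filter
# These drops must sit above any generic forward accept rule; use
# place-before=<rule number> or move them in WinBox after adding.
add chain=forward protocol=udp dst-port=443 action=drop \
    comment="QUIC/HTTP3 sidesteps TLS-host matching"
add chain=forward protocol=tcp dst-port=853 action=drop comment="DNS over TLS"
add chain=forward protocol=udp dst-port=853 action=drop comment="DNS over QUIC"
add chain=forward protocol=tcp dst-port=443 dst-address-list=doh-resolvers \
    action=drop comment="known DoH resolvers on 443"
```

SSTP and OpenVPN on TCP/443 cannot be told apart from ordinary HTTPS by port alone, so they are handled the same way as DoH here: by address list of the endpoints you know about, not by port.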