White List Websites

I have a teenage substance abuse campus for boys 13-18 years old, which I am attempting to assist with the schooling of the boys. They are switching to a new curriculum that has a white list of URLs and paths which consists of about 2500 URLs. They need to only allow the boys to access the exact path for a URL for most sites. They only have a few for which I can use wildcards to allow an entire site to be accessed.

I first attempted to use the transparent web-proxy, only to find out that it does not support https. It works fine for http sites, but not https.

So, the next step was to attempt to use Hotspot with a Walled Garden setup; however, I am running into issues with it, as it also does not support https. It does work great for http sites.

I realize that the Walled Garden IP List table supports https; however, it is not usable for this purpose, as it does not support a path like the Walled Garden table does, and many of the URLs are just one page on a website, or multimedia. Walled Garden IP works great for just an https URL, but not at all for a URL with a path after it.

Example:
https://www.youtube.com will not work, as the student would be able to get to anything on YouTube.
https://www.youtube.com/watch?v=0CVkEpXp7ho will not work, as Walled Garden IP does not accept paths.

If what I have read is correct, web-proxy (not transparent web-proxy) would work, but I am doing my best to provide a configuration where the computer does not have to be changed. Some of these students are very computer savvy and had successfully defeated some minor security that the admin had enabled. The new system I have installed consists of Ubiquiti UniFi APs with 4 SSIDs and a VLAN for each SSID, one SSID for students, and it is working very well, but now they want a White List system enabled.

Any suggestions or tricks or am I missing something?

Thanks!

I recommend that you use the proxy feature as you originally planned.
Just configure the web browsers to explicitly use the Mikrotik as a proxy server; this way you can also filter SSL connections.

Since this is a highly-controlled environment, you should be able to configure the proxy settings on the browsers. Finally, block ports 80 and 443 in the filter table so the browsers can’t go directly to the Internet.

If you really want to tighten things up, you could create a L7 filter which recognizes HTTP and SSL and block connections matched by these as well (so the kids can’t connect to websites running on non-standard ports).
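The setup ZeroByte outlines (explicit proxy with an allow list, plus a firewall rule so the student VLAN cannot bypass it) is easy to get wrong by hand for 2500 entries, so here is a small generator, written as an added example for this thread and not code from the original posts or from MikroTik. It turns a whitelist file into `/ip proxy access` commands. One caveat a practitioner should know before relying on it: with an explicit proxy, a browser fetching an https URL sends `CONNECT host:443` and the proxy never sees the path (the RouterOS web proxy does not intercept TLS), so for https entries only a host-level rule can be emitted; the script flags those entries so they can be reviewed rather than silently over-allowed. The whitelist contents, the student subnet and the `8080` proxy port are constructed assumptions.

```python
"""
Turn a URL whitelist into MikroTik RouterOS /ip proxy access rules plus the
firewall rule that forces browsers through the proxy.

Added example for this thread, not code from the original posts. It assumes
the explicit (non-transparent) web-proxy setup described above.
"""
from urllib.parse import urlsplit

# Constructed sample whitelist (one URL per line). A '*' in the host or path
# marks the few entries that may open a whole site; the rest are exact URLs.
SAMPLE_WHITELIST = """\
# curriculum links (constructed sample data)
https://www.youtube.com/watch?v=0CVkEpXp7ho
http://www.example.com/lessons/unit1.html
http://*.example.edu/*
https://fonts.googleapis.com/*
"""

STUDENT_NET = "10.10.30.0/24"   # assumed student VLAN subnet, not from the thread
PROXY_PORT = 8080               # assumed /ip proxy port


def q(value):
    """Quote a value for a RouterOS command line."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def parse_whitelist(text):
    """Yield (scheme, host, port, path) for each non-blank, non-comment line.

    The query string is kept as part of the path so that
    /watch?v=... and /watch?v=other are distinct entries.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = urlsplit(line)
        if parts.scheme not in ('http', 'https') or not parts.hostname:
            raise ValueError('unsupported whitelist entry: ' + line)
        port = parts.port or (443 if parts.scheme == 'https' else 80)
        path = parts.path or '/'
        if parts.query:
            path += '?' + parts.query
        yield parts.scheme, parts.hostname, port, path


def proxy_access_rules(entries):
    """Return (rules, unenforceable).

    http:  the proxy sees 'GET http://host/path', so dst-host + path is exact.
    https: the browser sends 'CONNECT host:443'; only the host can be matched,
           so a path other than '/' or '/*' is reported in `unenforceable`.
    Rules are matched top-down, so the final catch-all deny must stay last.
    """
    rules, unenforceable, seen = [], [], set()
    for scheme, host, port, path in entries:
        if scheme == 'https':
            if path not in ('/', '/*'):
                unenforceable.append(host + path)
            key = ('connect', host, port)
            if key in seen:
                continue
            rules.append('/ip proxy access add dst-host=%s dst-port=%d '
                         'method=connect action=allow comment=%s'
                         % (q(host), port, q('https whitelist: ' + host)))
        else:
            key = ('http', host, port, path)
            if key in seen:
                continue
            rules.append('/ip proxy access add dst-host=%s dst-port=%d '
                         'path=%s action=allow' % (q(host), port, q(path)))
        seen.add(key)
    rules.append('/ip proxy access add action=deny comment="default deny"')
    return rules, unenforceable


def firewall_rules(student_net, proxy_port):
    """Drop direct web traffic from the student VLAN so the proxy is the only
    way out. Place these before any accept rule for that VLAN in the forward
    chain; the input chain must still let the VLAN reach the proxy port."""
    return [
        '/ip firewall filter add chain=forward src-address=%s protocol=tcp '
        'dst-port=80,443 action=drop comment="students: web only via proxy"'
        % student_net,
        '/ip firewall filter add chain=input src-address=%s protocol=tcp '
        'dst-port=%d action=accept comment="students: allow proxy"'
        % (student_net, proxy_port),
    ]


if __name__ == '__main__':
    entries = list(parse_whitelist(SAMPLE_WHITELIST))
    rules, flagged = proxy_access_rules(entries)
    print('\n'.join(rules + firewall_rules(STUDENT_NET, PROXY_PORT)))
    for item in flagged:
        print('# REVIEW: path not enforceable over https:', item)
```

Paste the printed lines into a RouterOS terminal (or `/import` them from a file). The `REVIEW` lines are the entries where the curriculum wants one page of an https site but the proxy can only allow the whole host; those are exactly the cases where a CONNECT-based proxy cannot help and the decision has to be made by a person.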

Thanks for the post ZeroByte

I have implemented the proxy on my test router and all is working well with most sites. However, I am having issues with sites that use other locations for the website page, such as fonts from Google APIs (fonts.googleapis.com).

It appears that I must go through all the URLs and add anything on the webpage which is external to the URL. Is there a shortcut to solve this issue? If not, this is going to be a major pain with 2500 sites!!!

Thanks

Well, in general, it seems there could be an "allow linked content" kind of rule and a value for how many "hops" it would allow... but of course that's a slippery slope - what if an allowed page links to a resource from something you really would want blocked? There's no real fire-and-forget solution to filtering the Internet. That's why content filtering services charge money - it's a full time job. :wink: Obviously there's no such thing in the Web Proxy in ROS - perhaps a squid server would give more of these features. You might want to spend a day playing with squid just to see if it can make your life easier.

Perhaps you could shift the onus of this problem onto the maintainer of the white list - i.e. the curriculum provider.
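There is no "allow linked content" rule in the RouterOS proxy, as ZeroByte says, but the first pass of the manual work (finding which third-party hosts an allowed page pulls in) can at least be scripted. The following is an added example for this thread, not code from the original posts: it parses a page's HTML and lists the sub-resources (stylesheets, scripts, images, media, frames) that live on a host other than the page's own, which is the list that would have to be added to the whitelist. The page URL and HTML below are constructed, not fetched. One caveat: resources referenced from inside CSS (for example, fonts.googleapis.com stylesheets in turn load font files from another host) are not visible in the HTML, so a second pass over any fetched CSS is still needed.

```python
"""
List the third-party resources an allowed page loads, so they can be added to
a whitelist in one pass instead of by trial and error.

Added example for this thread, not code from the original posts. The sample
page URL and HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_PAGE_URL = "http://www.example.com/lessons/unit1.html"  # hypothetical

# Constructed HTML standing in for one whitelisted curriculum page.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/css/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="images/fig1.png">
<a href="https://www.youtube.com/">not a sub-resource, only a link</a>
</body></html>
"""

# (tag, attribute) pairs whose value the browser fetches automatically.
RESOURCE_ATTRS = {
    ('script', 'src'), ('img', 'src'), ('video', 'src'), ('audio', 'src'),
    ('source', 'src'), ('iframe', 'src'), ('embed', 'src'),
}
# <link> is only a fetch for these rel values; preconnect/dns-prefetch are not.
FETCHED_LINK_RELS = {'stylesheet', 'icon'}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of sub-resources referenced by start tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'link':
            rel = set((attrs.get('rel') or '').lower().split())
            if rel & FETCHED_LINK_RELS and attrs.get('href'):
                self.urls.append(urljoin(self.base_url, attrs['href']))
            return
        for t, a in RESOURCE_ATTRS:
            if tag == t and attrs.get(a):
                self.urls.append(urljoin(self.base_url, attrs[a]))


def external_resources(page_url, html):
    """Return a sorted list of absolute resource URLs whose host differs from
    the page's own host. Same-host resources are already covered when the
    site itself is whitelisted with a wildcard, or must be added as exact
    paths like the page."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    found = set()
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme in ('http', 'https') and parts.hostname \
                and parts.hostname != own_host:
            found.add(url)
    return sorted(found)


if __name__ == '__main__':
    for url in external_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(url)
```

Run it against each whitelisted page's saved HTML and feed the output back into the whitelist generator; the scheme-relative `//fonts.googleapis.com/...` reference resolves to whatever scheme the page itself used, which matters because http and https entries become different proxy rules.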

That is not going to happen... they are mainly a home schooling provider and they have no knowledge of what a Mikrotik router is :open_mouth:

I have looked at some of the docs on squid but have not set up a test server yet. May have to try that.