
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

is there a way to block specific URL in Microtik CCR ?

Mon Jan 25, 2016 9:41 am

Hi, we need to block https://www.facebook.com/abs/ssd
from our MikroTik CCR1009.

How do we do that?
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

is there a way to block specific URL in Microtik CCR ?

Thu Jan 28, 2016 6:16 pm

I would try using a L7 firewall rule but these are high CPU cost. Lucky you have a ccr :-)
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 9:19 am

> I would try using a L7 firewall rule but these are high CPU cost. Lucky you have a ccr :-)

So possible to do with CCR?
How?
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 10:57 am

No it is not possible! Note the "https" which means "secure" communication.
The communication is encrypted and the router never sees the URL.

Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
can block entire facebook but not one specific page.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 11:09 am

> No it is not possible! Note the "https" which means "secure" communication.
> The communication is encrypted and the router never sees the URL.
>
> Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
> can block entire facebook but not one specific page.

And possible to do specific URL block for http URLs?
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 6:41 pm

Yes, with http the proxy sees the full URL.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 6:44 pm

> Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
> can block entire facebook but not one specific page.

Are you sure? I didn't know that - I have set up a URL blocker with proxy.
It wasn't a transparent proxy but an explicitly configured proxy in the browser.
The proxy seemed to "see" inside the SSL.
(granted I only tested it on hostnames)

I guess I learned something today.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 9:13 pm

When you set a proxy in a browser and it connects to https://www.facebook.com/abc/def, you see this in the proxy:

CONNECT http://www.facebook.com:443

So you can match on the domain name and port number.
However, the proxy then connects to that hostname and port and splices that connection to the incoming connection
from the client. The client itself will do the SSL handshake and when that is finished, it sends:

GET /abc/def HTTP/1.1
Host: http://www.facebook.com

over the encrypted connection. What the proxy sees is just the SSL negotiation and binary gibberish.

Of course, there are proxy servers that will not do the transparent splice, but will instead insert a man-in-the-middle
that makes an encrypted connection to http://www.facebook.com, and makes the client believe it is talking to that
server by presenting a locally generated SSL certificate. To make this work without the client immediately noticing
it, the fake certificate is signed by a root certificate that has been added to the client certificate store. That only
works in e.g. a company, where the IT staff can add that certificate while installing the machines. You cannot do
that in a normal customer WiFi network unless you are a state government or intelligence organisation, who have
trusted root certificates in the commonly used browsers.
Even then it is being detected in newer browsers like Google Chrome, which can detect that a presented certificate
is signed by an unusual root certificate.
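
The visibility difference described in the post above, as an added example that is not part of the thread and is not RouterOS code: a filter that only uses what a forward proxy can read from the request head. The function names, rule sets and sample requests are constructed for illustration; the CONNECT target is written as host:port without a scheme.

```python
from urllib.parse import urlsplit

# Constructed requests, as a browser sends them to an explicitly configured proxy.
HTTP_REQ = (b"GET http://www.facebook.com/abc/def HTTP/1.1\r\n"
            b"Host: www.facebook.com\r\n\r\n")
HTTPS_REQ = (b"CONNECT www.facebook.com:443 HTTP/1.1\r\n"
             b"Host: www.facebook.com:443\r\n\r\n")


def visible_to_proxy(request_head):
    """Return (host, port, path) readable by the proxy; path is None for CONNECT."""
    request_line = request_head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        # Only host:port is sent in clear; the later GET line travels inside TLS.
        host, _, port = target.rpartition(":")
        return host.lower(), int(port), None
    url = urlsplit(target)  # plain HTTP through a proxy carries the absolute URL
    return (url.hostname or "").lower(), url.port or 80, url.path or "/"


def decide(request_head, blocked_hosts=(), blocked_urls=()):
    """Apply host rules and (host, path) rules to what the proxy can see."""
    host, _port, path = visible_to_proxy(request_head)
    if host in blocked_hosts:
        return "deny"
    # A path rule can only fire when a path is visible, i.e. never for CONNECT.
    if path is not None and (host, path) in blocked_urls:
        return "deny"
    return "allow"


if __name__ == "__main__":
    url_rule = {("www.facebook.com", "/abc/def")}
    host_rule = {"www.facebook.com"}
    print("http,  URL rule :", decide(HTTP_REQ, blocked_urls=url_rule))
    print("https, URL rule :", decide(HTTPS_REQ, blocked_urls=url_rule))
    print("https, host rule:", decide(HTTPS_REQ, blocked_hosts=host_rule))
```

The same URL rule that stops the plain HTTP request lets the CONNECT tunnel through, which is why only a whole-host block is enforceable for HTTPS without TLS interception.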
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: is there a way to block specific URL in Microtik CCR ?

Fri Jan 29, 2016 9:54 pm

Awesome - thanks for the proxy lesson. I like knowing things down at the atomic level. 8)


FWIW - I do understand the certificate stuff - I just didn't think about what the proxy was doing under the hood. It all makes more sense now.
 
pe1chl
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: is there a way to block specific URL in Microtik CCR ?

Sat Jan 30, 2016 10:37 am

Note that the forum software has inserted a couple of "http://" that I did not type and that should not be there...
 
scampbell
Trainer
Posts: 457
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: is there a way to block specific URL in Microtik CCR ?

Wed Feb 03, 2016 12:14 am

> No it is not possible! Note the "https" which means "secure" communication.
> The communication is encrypted and the router never sees the URL.
>
> Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
> can block entire facebook but not one specific page.

Thanks for the clarification. Your explanation is excellent :-) We can block www.facebook.com but not the specific pages due to https.
MTCNA, MTCWE, MTCRE, MTCTCE, MTCSE, MTCINE, Trainer
___________________
Mikrotik Distributor - New Zealand
http://www.campbell.co.nz
