
is there a way to block specific URL in Microtik CCR ?

Posted: Mon Jan 25, 2016 9:41 am
by soamz
Hi, we need to block https://www.facebook.com/abs/ssd
from our MikroTik CCR1009.

How do we do that?

is there a way to block specific URL in Microtik CCR ?

Posted: Thu Jan 28, 2016 6:16 pm
by scampbell
I would try using an L7 firewall rule, but these have a high CPU cost. Lucky you have a CCR :-)

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 9:19 am
by soamz
> I would try using an L7 firewall rule, but these have a high CPU cost. Lucky you have a CCR :-)

So is it possible to do with a CCR?
How?

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 10:57 am
by pe1chl
No, it is not possible! Note the "https", which means "secure" communication.
The communication is encrypted and the router never sees the URL.

Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
can block entire facebook but not one specific page.

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 11:09 am
by soamz
> No, it is not possible! Note the "https", which means "secure" communication.
> The communication is encrypted and the router never sees the URL.
>
> Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
> can block entire facebook but not one specific page.

And is it possible to do a specific URL block for http URLs?

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 6:41 pm
by pe1chl
Yes, with http the proxy sees the full URL.

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 6:44 pm
by ZeroByte
> Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
> can block entire facebook but not one specific page.

Are you sure? I didn't know that - I have set up a URL blocker with proxy.
It wasn't a transparent proxy but an explicitly configured proxy in the browser.
The proxy seemed to "see" inside the SSL.
(granted I only tested it on hostnames)

I guess I learned something today.

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 9:13 pm
by pe1chl
When you set a proxy in a browser and it connects to https://www.facebook.com/abc/def, you see this in the proxy:

CONNECT http://www.facebook.com:443

So you can match on the domain name and port number.
However, the proxy then connects to that hostname and port and splices that connection to the incoming connection
from the client. The client itself will do the SSL handshake and when that is finished, it sends:

GET /abc/def HTTP/1.1
Host: http://www.facebook.com

over the encrypted connection. What the proxy sees is just the SSL negotiation and binary gibberish.

Of course, there are proxy servers that will not do the transparent splice, but will instead insert a man-in-the-middle
that makes an encrypted connection to http://www.facebook.com, and make the client believe it is talking to that
server by presenting a locally generated SSL certificate. To make this work without the client immediately noticing
it, the fake certificate is signed by a root certificate that has been added to the client certificate store. That only
works in e.g. a company, where the IT staff can add that certificate while installing the machines. You cannot do
that in a normal customer WiFi network unless you are a state government or intelligence organisation, who have
trusted root certificates in the commonly used browsers.
Even then it is being detected in newer browsers like Google Chrome, which can detect that a presented certificate
is signed by an unusual root certificate.
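
The difference described in the post above, as an added example that is not part of the original thread: a small policy check over the first request an explicitly configured proxy receives. The rule list, function names and sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed block rule: (hostname, path prefix); a prefix of None blocks the whole host.
RULES = [("www.facebook.com", "/abs/ssd")]

# Constructed samples of what a browser sends to an explicit proxy.
HTTP_REQ = b"GET http://www.facebook.com/abs/ssd HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
HTTPS_REQ = b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n"

def visible_fields(request_head: bytes):
    """Return (host, port, path) as the proxy sees them; path is None for CONNECT."""
    request_line = request_head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # Only host:port is sent in clear; the GET line with the path
        # is sent later, inside the encrypted tunnel.
        host, _, port = target.rpartition(":")
        return host.lower(), int(port), None
    # Plain HTTP via a proxy carries the full URL in the request line.
    url = urlsplit(target)
    return url.hostname, url.port or 80, url.path or "/"

def decide(request_head: bytes, rules=RULES):
    """Return 'deny', 'allow', or 'path-hidden' when a path rule cannot be evaluated."""
    host, _port, path = visible_fields(request_head)
    for rule_host, rule_prefix in rules:
        if host != rule_host:
            continue
        if rule_prefix is None:
            return "deny"            # host-wide block works for HTTP and HTTPS
        if path is None:
            return "path-hidden"     # HTTPS tunnel: the proxy never sees the path
        if path.startswith(rule_prefix):
            return "deny"
    return "allow"

if __name__ == "__main__":
    for name, req in (("http", HTTP_REQ), ("https", HTTPS_REQ)):
        print(name, visible_fields(req), decide(req))
```

A `path-hidden` result leaves only two enforceable choices without TLS interception: allow the tunnel or block the entire host.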

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Fri Jan 29, 2016 9:54 pm
by ZeroByte
Awesome - thanks for the proxy lesson. I like knowing things down at the atomic level. 8)


FWIW - I do understand the certificate stuff - I just didn't think about what the proxy was doing under the hood. It all makes more sense now.

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Sat Jan 30, 2016 10:37 am
by pe1chl
Note that the forum software has inserted a couple of "http://" that I did not type and that should not be there...

Re: is there a way to block specific URL in Microtik CCR ?

Posted: Wed Feb 03, 2016 12:14 am
by scampbell
> No, it is not possible! Note the "https", which means "secure" communication.
> The communication is encrypted and the router never sees the URL.
>
> Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you
> can block entire facebook but not one specific page.

Thanks for the clarification. Your explanation is excellent :-) We can block www.facebook.com but not the specific pages due to https.