David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Can I block HTTPS site with proxy?

Mon Jun 05, 2017 3:09 pm

Hello,
I have a router in our office and we want to block all kinds of xxx sites.
I have a proxy on the router and I have added this line:
/ip proxy access> add action=deny comment="" disabled=no dst-host=*porn*
I have noticed that if I enter a site name with "porn" inside, it blocks me,
but if I write the full address:
https://www.porn.com
it will allow me to enter it.

So, how can I block these sites in the proxy?
Or only in the firewall?

Thanks ,
 
baragoon
Member Candidate
Posts: 296
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Can I block HTTPS site with proxy?

Mon Jun 05, 2017 3:14 pm

No. HTTPS isn't supported by MikroTik proxy.


Sent from my iPhone using Tapatalk
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: Can I block HTTPS site with proxy?

Mon Jun 05, 2017 3:25 pm

mm.....
Any idea how I can block it?

And redirect it?

So when someone tries to get to a forbidden page, we will redirect?
 
baragoon
Member Candidate
Posts: 296
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Can I block HTTPS site with proxy?

Mon Jun 05, 2017 8:18 pm

Layer 7 or DNS regexp mb.


Sent from my iPhone using Tapatalk
 
j2sw
Member Candidate
Posts: 131
Joined: Mon Sep 04, 2006 5:42 am
Location: Indiana

Re: Can I block HTTPS site with proxy?

Mon Jun 05, 2017 10:23 pm

HTTPS, by design, is very hard to introduce something in the middle of, such as a proxy. The protocol has mechanisms in it to prevent man-in-the-middle hijacking, which is essentially what a redirect proxy does. If you have ever been to a hotspot that complains about the security certificate when it tries to redirect your web traffic to their secure site, you have experienced this.
 
SilverNodashi
Frequent Visitor
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: Can I block HTTPS site with proxy?

Fri Oct 06, 2017 3:04 pm

> Layer 7 or DNS regexp mb.

Layer 7 will use quite a lot of memory. How would you block porn with DNS regexp?
 
normis
MikroTik Support
Posts: 26294
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can I block HTTPS site with proxy?

Fri Oct 06, 2017 3:07 pm

You should filter by DNS.

L7 will not help against HTTPS, because the traffic is encrypted. Just redirect all DNS requests to your router and set some filters in the DNS static list.
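
The DNS approach described in the post above, as an added RouterOS v6 example that is not part of the original thread and not MikroTik's own configuration. The interface names bridge-lan and ether1-wan, the sinkhole address 127.0.0.1 and the name blocked.example are assumptions.

```routeros
# Added example; bridge-lan, ether1-wan, 127.0.0.1 and blocked.example
# are assumed values, adjust them to the actual router.

# Let the router's DNS cache answer queries from LAN clients.
/ip dns set allow-remote-requests=yes

# allow-remote-requests opens the resolver on every interface, so keep
# it closed towards the WAN side.
/ip firewall filter
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="no DNS service on WAN"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop comment="no DNS service on WAN"

# Redirect every DNS query leaving the LAN (UDP and TCP port 53) to the
# router itself, so a client that sets another resolver by hand still
# gets the filtered answers.
/ip firewall nat
add chain=dstnat in-interface=bridge-lan protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router"
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router"

# Static entries are answered by the router instead of being forwarded
# upstream. The regexp entry matches any queried name containing the
# string, the DNS counterpart of the proxy rule dst-host=*porn*.
/ip dns static
add regexp=".*porn.*" address=127.0.0.1 comment="sinkhole by pattern"
add name=blocked.example address=127.0.0.1 comment="sinkhole by exact name"
```

The filter acts on the name lookup, which happens before any TLS connection is made, so it applies equally to HTTP and HTTPS sites.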
 
SilverNodashi
Frequent Visitor
Posts: 77
Joined: Mon Sep 04, 2017 4:18 pm
Location: South Africa

Re: Can I block HTTPS site with proxy?

Fri Oct 06, 2017 3:15 pm

> You should filter by DNS.
>
> L7 will not help against HTTPS, because the traffic is encrypted. Just redirect all DNS requests to your router and set some filters in the DNS static list.

How would you get all porn sites' IPs? There are literally hundreds and thousands of them.
 
normis
MikroTik Support
Posts: 26294
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can I block HTTPS site with proxy?

Fri Oct 06, 2017 3:27 pm

There are probably sites that have such lists. He doesn't need IP addresses, just the DNS names.
You would need a very powerful machine if you want to keep a DNS static entry list of 10000 names or more.
 
reinerotto
Long time Member
Posts: 519
Joined: Thu Dec 04, 2008 2:35 am

Re: Can I block HTTPS site with proxy?

Sun Oct 08, 2017 8:59 pm

Only correct when you talk about MikroTik.
I did a (better) clone of OpenDNS on an average Ubuntu server, blocking about 1.2Mio porno sites.
Theoretically, it could be done on MT, too. In case it were open (for mods).
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Can I block HTTPS site with proxy?

Sun Oct 08, 2017 9:30 pm

Blocking porn is nearly impossible.
HTTPS goes through most blocks. Not easy to stop.
A DNS blocker using a remote or local server helps some, as long as the user does not change the local DNS to some other. (You may block other external DNS.)
But if you like porn pictures, just use google.com. Type in what you like and click picture. Would you block Google and all other search engines?
Then you can use Ultrasurf. An exe file that you can have on a memory stick and run without installing anything.
It will pass all your proxy and DNS filters. Not easy at all to stop.
