Solution to block some HTTPS URLs

Dear guru,

I need a solution to block some HTTPS URLs (as a part of parental control). DNS blocking doe not work since it is not acceptable to block the whole web site, but few URLs only. I tried to use tinyproxy but failed to get it worked over HTTPS (should it?). Could you please advice whether some solutions exist for that?

I am using OpenWRT on NetGear3700:
OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)

Thanks in advance,
Vadim

Unfortunately it's not possible on router.

Under HTTPS device can't "sniff" what URL users are trying to visit. You can leave it as-is or block everything.

4 Likes

Thank you for the response. I don't need caching proxy. Moreover I need to filter traffic from single device only so proxy is not expected to be overloaded. Generally, tinyproxy works quite well on WNDR3700. The only problem is that I was not able to get it working as needed (filtering HTTPS URLs), probably because of lack of experience ... Do you know non-caching proxy software that is able to block https traffic per url basis?

1 Like

No go. Unless you are able to install squids cert on the client (device).
HTTPS is designed to avoid such "man in the middle attack".
Only possible to block whole domain, using squid. But that is easier to be done with DNS.

2 Likes

No go. See below ...

While I don't have a solution for OpenWrt you could solve this with Squid and Diladele Web Safety ICAP. This setup is quite complex and I would not recommend to try to install this on a router (even if possible). I've setup this in past for someone. But we came to the conclusion that it is to much work to maintain things for private person (but you have a Web-GUI). Here you can find a guide:

I don't know if this guide is up-to-date.

EDIT: Diladele is not free anymore (as it was in the past). It now costs 24.99 € per year.
And you can run it directly on VMWare or HyperV.

1 Like

No go, as I wrote already.
squid running as an explicit proxy just tunnels (via CONNECT) the encrypted data to the destination server. But the URL is already encrypted.

So you need intercept (transparent) squid to decipher the URL. Which requires cert on the client.
However, even this does not always work in the age of goggles HSTS, cert pinning etc. to protect their revenue from advertising.

3 Likes

Squid-4.x is the only way forward here.

You can add Google, Facebook (that use HSTS, certificate pinning) etc to no-bump list (only splice) while bump rest of the traffic. You would also need to block requests to external DNS - both proxy and client should use the same DNS server for ssl-bump with minimal problems.

Catch here is that you need to import the self-signed CA that squid uses to your clients. If your client is a blackbox where certificate import is not possible, then you can only splice and can't bump, which means, you can only apply access control on the basis of domains and ports instead of URLs.

3 Likes