I need a solution to block some HTTPS URLs (as a part of parental control). DNS blocking doe not work since it is not acceptable to block the whole web site, but few URLs only. I tried to use tinyproxy but failed to get it worked over HTTPS (should it?). Could you please advice whether some solutions exist for that?
I am using OpenWRT on NetGear3700:
OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.020.41695-6f6641d)
Thank you for the response. I don't need caching proxy. Moreover I need to filter traffic from single device only so proxy is not expected to be overloaded. Generally, tinyproxy works quite well on WNDR3700. The only problem is that I was not able to get it working as needed (filtering HTTPS URLs), probably because of lack of experience ... Do you know non-caching proxy software that is able to block https traffic per url basis?
No go. Unless you are able to install squids cert on the client (device).
HTTPS is designed to avoid such "man in the middle attack".
Only possible to block whole domain, using squid. But that is easier to be done with DNS.
While I don't have a solution for OpenWrt you could solve this with Squid and Diladele Web Safety ICAP. This setup is quite complex and I would not recommend to try to install this on a router (even if possible). I've setup this in past for someone. But we came to the conclusion that it is to much work to maintain things for private person (but you have a Web-GUI). Here you can find a guide:
I don't know if this guide is up-to-date.
EDIT: Diladele is not free anymore (as it was in the past). It now costs 24.99 € per year.
And you can run it directly on VMWare or HyperV.
No go, as I wrote already.
squid running as an explicit proxy just tunnels (via CONNECT) the encrypted data to the destination server. But the URL is already encrypted.
So you need intercept (transparent) squid to decipher the URL. Which requires cert on the client.
However, even this does not always work in the age of goggles HSTS, cert pinning etc. to protect their revenue from advertising.
You can add Google, Facebook (that use HSTS, certificate pinning) etc to no-bump list (only splice) while bump rest of the traffic. You would also need to block requests to external DNS - both proxy and client should use the same DNS server for ssl-bump with minimal problems.
Catch here is that you need to import the self-signed CA that squid uses to your clients. If your client is a blackbox where certificate import is not possible, then you can only splice and can't bump, which means, you can only apply access control on the basis of domains and ports instead of URLs.