Hi guys! I have created this topic to share with you a quite simple and transparent way to block HTTPS sites by SNI, which I discovered while doing my research on this topic.
There is a piece of software named “ratched”. It is available in the OpenWRT repo:
It does not proxy HTTPS, it only rejects TLS connections by SNI, so you will not have problems with any sites. I know that Squid proxy can do the same, but it is quite difficult to set up. I think that this small program with a small bash script is much easier.
ratched -v -l 192.168.1.1:9999 --daemonize --defaults intercept=forward -i example.com,intercept=reject -i www.instagram.com,intercept=reject -o /dev/null
With this command you can block example.com and the Instagram site, for example.
So all you need is to write a small bash script which constructs and executes the ratched command from the list of blacklisted domains, run this script on system startup, and redirect all requests to port 443 to ratched's port 9999. Like this:
eval "ratched -v -l 192.168.1.1:9999 --daemonize --defaults intercept=forward $domains -o /dev/null"
Where the $domains variable looks like:
-i example.com,intercept=reject -i www.instagram.com,intercept=reject
The only problem with this tool is that it has no way to block all subdomains of a specified domain, so you will need to specify every domain in the command itself.
You can use it alongside other filtering techniques, for example DNS blocking, Google SafeSearch and OpenDNS FamilyShield, and blocking VPN ports and IPs. Combined, you can achieve quite good blocking results. Just find a large list of porn site domains on the internet and pass it to ratched.
I want to leave this topic here for all users who will be googling for a transparent way to block sites by SNI after me.
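Here is one way to write the script described above; this is an added example, not the original poster's script. It assumes the blacklist lives at /etc/sni-blacklist.txt (one domain per line), reuses the 192.168.1.1:9999 listener from the post, and, because ratched matches SNI names exactly, lists the www. variant of a domain as its own entry.

```sh
#!/bin/sh
# Added example (not from the original post): build the ratched argument
# list from a blacklist file so the command never has to be edited by hand.
# Assumption: /etc/sni-blacklist.txt holds one domain per line, '#' starts
# a comment. Every subdomain (e.g. www.) must be its own line, since
# ratched does not match subdomains on its own.

# Constructed sample list, used only when the real file is absent.
SAMPLE_BLACKLIST='# constructed sample list
example.com
www.example.com
www.instagram.com

instagram.com
'

# Print one " -i <host>,intercept=reject" pair per non-empty, non-comment line.
build_domain_args() {
    # $1: blacklist text
    printf '%s\n' "$1" | while IFS= read -r host; do
        host=${host%%#*}                                  # drop comments
        host=$(printf '%s' "$host" | tr -d '[:space:]')   # drop whitespace
        [ -n "$host" ] || continue
        printf ' -i %s,intercept=reject' "$host"
    done
}

# Assemble the full ratched command line from the post ($1: listen address,
# $2: blacklist text). The command is returned as a string, not executed.
build_ratched_cmd() {
    printf 'ratched -v -l %s --daemonize --defaults intercept=forward%s -o /dev/null' \
        "$1" "$(build_domain_args "$2")"
}

main() {
    if [ -r /etc/sni-blacklist.txt ]; then
        list=$(cat /etc/sni-blacklist.txt)
    else
        list=$SAMPLE_BLACKLIST
    fi
    cmd=$(build_ratched_cmd 192.168.1.1:9999 "$list")
    echo "$cmd"
    # On the router, replace the echo with:  eval "$cmd"
    # The port 443 -> 9999 redirect from the post is a separate firewall
    # rule and is deliberately not part of this script.
}
main "$@"
```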