ipcop support

community support forum

All times are UTC [ DST ]




Posted: Sat Apr 12, 2008 6:04 am
New User

Joined: Sat Apr 12, 2008 5:53 am
Posts: 2
Hi all!

I am new here, so if I am posting a topic that has already been addressed, please forgive me and point me in the right direction.
I am a Network Administrator for a medium-sized company. I have installed IPCop 1.4.18 with Advanced Web Proxy and URL filter, but lately I discovered that staff are using web proxy https sites (for example https://vtunnel.com and https://kproxy.com) to bypass IPCop's Proxy and URL filter. A quick Google search came back with over 30,000 of these sites that anyone can use to bypass a web proxy.

I have tried BOT (BlockOutTraffic 3.0.0) but can't get it to work. Any help or suggestion to combat this will be appreciated.

Thank you all in advance.

Dan


 
Posted: Sat Apr 12, 2008 12:33 pm
Site Moderator

Joined: Wed Apr 28, 2004 1:27 am
Posts: 6967
Location: Beaumont, TX, USA
If you don't need HTTPS connections, then just block port 80 and 443 outbound from all computers. This will force the users to use your proxy to get to the internet.


 
Posted: Sat Apr 12, 2008 12:58 pm
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3808
Location: London, UK
The ipcop proxy can still be used for https connections, but remember each browser needs to know that it is being proxied**. This is a better approach, as there are usually good business reasons why https traffic is required.

I'd recommend then, that you use a blacklist of known proxies with advproxy/urlfilter, with a page that has a "request to whitelist" this site on it. Large blacklists require quite a lot of cpu on your firewall/proxy though, so be aware of possible performance issues if your firewall is underpowered.

You could also block all https traffic with the same technique, if you are prepared to deal with regular whitelist requests and occasional annoyance from your user base. This approach is cleaner, provided that your browsers are all configured to use the ipcop proxy for https traffic.

** See my earlier post regarding this.


 
Posted: Sat Apr 12, 2008 4:34 pm
New User

Joined: Sat Apr 12, 2008 5:53 am
Posts: 2
Thank you ds531 and up4fun for your responses.

I do need https to log in remotely and use the web gui. Actually, blacklisting and urlfilter were the first things that I tried, but they did not filter or stop https websites. I also tried removing Transparent on Web Proxy, but when I do that, Urlfilter does not work at all. I will keep on trying using both of your advice and will update you with my progress.

Thank you.

Dan


 
Posted: Sat Apr 12, 2008 7:52 pm
Pro User

Joined: Thu May 08, 2003 4:24 am
Posts: 3808
Location: London, UK
Can't comment on urlfilter, cos I have not used it in a while, but requiring transparent use seems a bit strange to me.

The basic principle is 1) block all outgoing 80/443 traffic that does NOT originate from the proxy. That will prevent ANY users from directly accessing the web on those ports. You can do this with BOT, fairly easily, or with iptables directly. Then, 2) add a rule to allow ONLY the proxy to open 80/443, again with BOT or directly using iptables. That's all users forced to use the proxy without any transparent redirection shenanigans.

At this point, though, the users have no access to the web unless their browser config points to ipcop as their proxy server for http and https traffic. Once that is in place, they should have all access as before.

Only at this point do you have control. Advproxy and urlfilter can then be used to apply your required policy.
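
The two-step rule set described in the post above, as an added example that is not part of the thread or of IPCop's own scripts. Assumptions: GREEN is eth0, the chain name WEBLOCK is made up for illustration, and the proxy runs on the firewall itself so its own requests leave via OUTPUT rather than FORWARD; the optional second argument covers a proxy on a separate host. It prints the commands by default; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GREEN is eth0, the chain
# name WEBLOCK is hypothetical, and the proxy runs on the firewall itself,
# so its own requests leave via OUTPUT and never cross FORWARD.
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies

# proxy_only_rules GREEN_IF [PROXY_IP]
#   PROXY_IP: only when the proxy is a separate host behind the firewall.
proxy_only_rules() {
    green_if="$1"
    proxy_ip="${2:-}"
    $IPT -N WEBLOCK
    # Step 2 goes in first because the first matching rule wins:
    # the proxy host alone falls back to the normal forwarding policy.
    if [ -n "$proxy_ip" ]; then
        $IPT -A WEBLOCK -s "$proxy_ip" -j RETURN
    fi
    # Record who is still trying to go direct (rate limited), then refuse.
    $IPT -A WEBLOCK -m limit --limit 6/min -j LOG --log-prefix "DIRECT-WEB "
    # Step 1: a TCP reset makes unconfigured browsers fail immediately.
    $IPT -A WEBLOCK -p tcp -j REJECT --reject-with tcp-reset
    # Only client connections to 80/443 arriving on GREEN enter the chain.
    $IPT -I FORWARD -i "$green_if" -p tcp -m multiport --dports 80,443 -j WEBLOCK
}

proxy_only_rules "${1:-eth0}" "${2:-}"
```

The LOG rule gives a list of client addresses that still attempt direct connections, which is the set of machines whose browser proxy settings are missing or have been changed.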


 
Posted: Fri Apr 25, 2008 3:56 pm
New User

Joined: Tue Jan 10, 2006 8:30 pm
Posts: 10
I don't know how reasonable this is for your situation, but I've had some success by hardcoding the proxy settings into the web browser instead of using a transparent proxy.


 