
Proxy Server for URL/Service Whitelisting

Discussion in 'Other Operating Systems' started by hollstar, Jul 9, 2021.

  1. hollstar

    hollstar Member

    Joined:
    Dec 14, 2002
    Messages:
    446
    Location:
    Brisbane
    Hi All,
    I was looking at different proxy servers like Squid and Privoxy to do fairly basic whitelisting of a handful of URLs or services (like Team Viewer) for a limited number of MAC or IP addresses on a network that already has a Draytek router in place.

    It would appear the Draytek can easily route a group of machines to this internal proxy meaning I don't need it to sit between the WAN and the LAN as would normally be the case and could in theory get away with one network card, but with everything being HTTPS these days, both Squid and Privoxy don't seem to like this.

    Setting it up and specifically pointing a users browser to the proxy works without issue, but when you try and use it in the transparent/intercepting sense, I can't seem to come up with the secret sauce of iptables to get around this for HTTPS.

    I'm curious to know what other people are doing when it comes to Internet access control?

    I was really hoping to run a basic Linux VM to handle this and then avoid trying to apply proxy settings to Windows clients via GPO.
     
  2. OMGguru

    OMGguru Member

    Joined:
    Apr 1, 2003
    Messages:
    3,488
    Location:
    CFS
    It will literally break HTTPS - this is the design of HTTPS.

    Your options are:

    Deep Packet Inspection (most commercial grade Firewalls utilise this for the most part I believe for 'transparent' stuff)
    This simply reads the cleartext header for the request to block the connection (from my understanding)

    Invalid Cert
    Every https site would show an invalid certificate error - but it would go through the proxy

    Root Cert trust
    Create self-signed certs that are trusted on the client side so you can do the above but with no errors (You are hijacking SSL at this point)

    But if you are already doing client side work:
    Proxy configuration (GPO, DHCP PAC, Manually)
    Find ways to auto-supply Proxy information for the required hosts (We use a combo of DHCP options delivering a PAC file, and GPO for onboarded hardware)
    Once it's configured then the computer somewhat 'trusts' the proxy and you can at least filter by the host header (but still not by query strings/full URLs, i.e. 'facebook.com' as a whole, not 'facebook.com/BadPage' only).


    We fight this battle most days/weeks with a client that wants the best of both worlds, i.e. BYO devices that we can't install trust things on, and ultimate control of their internet and other behaviors with an iron fist. There's always going to be some pain points for someone in that scenario - you need to find the balance for you and your users.
     
  3. phreeky82

    phreeky82 Member

    Joined:
    Dec 10, 2002
    Messages:
    9,827
    Location:
    Qld
    Client policy has the advantages of not breaking HTTPS and also working regardless of how it connects (i.e. take a laptop home and the policy is still effective). This also aligns better with zero-trust approaches to security.

    The Squid/Firewall solution has the advantage of being enforced for a whole network without having to deal with policies, but as above you need to manage two situations:
    - Most web services where your proxy/firewall breaks the HTTPS encryption, applies its policies then signs with its own cert and you need that cert added to all of your clients (this is done in some corp networks)
    - Web services where there is a client-side technique used to check the cert and/or use its own cert store

    IMO, treat the problem as a 2021 problem - people are mobile, BYO is a thing, your network perimeter cannot be trusted anymore, etc. By all means still apply network security, but not for this sort of stuff.
     
  4. hollstar (OP)

    hollstar Member

    Joined:
    Dec 14, 2002
    Messages:
    446
    Location:
    Brisbane
    Thanks everyone.

    All valid points and you're 100% right Primus, I didn't want to go down the road of either invalid or root certificates because of the issues that in itself creates. In the end I did end up using Squid to essentially block everything and target this with GPOs to a segment of devices/users. This combined with blocking MACs or IPs at the router level appears to be a good mix. I don't recall the exact model of router, but according to Draytek it can be configured to work with a local proxy. I looked on their website, the internet at large and reached out to them, but I never actually got a solid answer about how this was possible.
     
  5. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,810
    Location:
    Brisbane
    Another option is tackling this at the DNS level instead of the proxy level. Build it yourself or farm it out to OpenDNS/Umbrella type mobs.
     
  6. OMGguru

    OMGguru Member

    Joined:
    Apr 1, 2003
    Messages:
    3,488
    Location:
    CFS
    This is becoming cumbersome to block with things like DoH - it can definitely help in cohorts with a proxy, but things as simple as adding DNS entries to your hosts file (if you're dedicated enough) will bypass it.
     
  7. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,810
    Location:
    Brisbane
    Understood, but hacking your hosts file shouldn't be a thing standard user accounts can do in business.

    And while not optimal, blocking known DoH hosts is currently quite achievable.

    With or without other options, I would ALSO recommend DNS security for businesses. I've found it particularly effective as part of a toolkit against drive-by attacks, malware and ransomware in smaller businesses that don't have the big dollars for complex security options.
     
  8. OMGguru

    OMGguru Member

    Joined:
    Apr 1, 2003
    Messages:
    3,488
    Location:
    CFS
    And this is, in my personal experience, the main problem - the country I mostly consult in has a weird mindset about things and ultimately 0 understanding of tech (to be expected) but is not easily convinced they are wrong. The most common issue is a hybrid BYO environment. They want 100% security without 100% control, so we have a mix of devices that are corporate owned, can GPO and block and everything else, then mid-level managers and above using BYO out of 'necessity' and sometimes stupid things like one staffer saying they HAVE to have an iMac (not their personal MacBook, but we ended up with a corporate owned iMac on a desk somewhere) just because they don't want to be 'told' what to do. Sigh.

    Anyways - we end up with these people downloading and installing VPNs, DoH browsers etc., then the executive team comes crying when they notice a staffer on YouTube, but we can't block it (all of it) without full control.

    /rant
     
  9. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    10,532
    Location:
    Briz Vegas
    Squid as transparent proxy
    Pi-Hole as DNS for the proxy.
     
  10. XiTatiON

    XiTatiON Member

    Joined:
    Dec 25, 2001
    Messages:
    102
    Location:
    Melbourne
    Most enterprise proxy solutions that do transparent redirection use WCCP or ICAP to redirect clients to the proxy that is doing Man in the Middle (MITM) TLS decryption with internal sub-CA signed certs.
    Unless you have Cisco gear that can do WCCP redirection or other solutions that can hand off to proxies using ICAP, I suggest you might want to look at my suggestion instead.

    Honestly, the easiest way to do this:
    - Build a Squid proxy farm, e.g. enough hosts to handle your load, on Linux, because Squid on Windows sucks.
    - Tune your TCP stack to handle lots of half-open and quick TCP connections: google for Netflix EC2 host optimisation and use their TCP sysctl tunables.
    - Build an internal CA.
    - Sign a sub-CA from your internal root CA, and use this sub-CA to enable SSL-Bump on Squid.
    - Configure your Squid whitelist policy in squid.conf.
    - Install Nginx onto your Squid servers and host a wpad.dat file in the root of the web directory so the URL would be something like http://proxy.company.com/wpad.dat.
    - Create a wpad.dat file that routes whatever traffic you want via your X number of proxy servers; wpad config syntax is JavaScript so you can do scripting functions like rudimentary load balancing within the PAC file.
    - Add a wpad DNS entry which points to at least one of the Squid proxy boxes.
    - Add a DHCP client option to configure wpad.
    - Add a GPO to enable auto-discovery proxy settings on all clients and/or add a static wpad.dat entry to all Windows hosts.
    - Linux: use Ansible or something to drop http_proxy and https_proxy environment variables into /etc/environment on all your servers/hosts pointing at the proxies.

    Get a coffee and pat yourself on the back for building an enterprise proxy solution for free :)
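The wpad.dat step above, written out as an added example (not code from any poster in this thread): a PAC file that sends only whitelisted domains through a pool of Squid proxies, hashes the hostname for rudimentary load balancing, and blackholes everything else. The proxy addresses, internal domain and allow-list are constructed placeholders; the PAC built-ins dnsDomainIs() and isPlainHostName() are replaced with plain JavaScript so the file also runs outside a browser.

```javascript
// wpad.dat (PAC) for a whitelist-only Squid farm. Constructed placeholders:
var PROXIES = ["proxy1.company.example:3128", "proxy2.company.example:3128"];
var ALLOWED = ["teamviewer.com", "update.microsoft.com"];
var INTERNAL_DOMAIN = "company.example";

// Equivalent of the PAC built-in dnsDomainIs(): true when host is the domain
// itself or a subdomain of it. The leading "." check stops "evilteamviewer.com"
// from matching "teamviewer.com".
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function isAllowed(host) {
  for (var i = 0; i < ALLOWED.length; i++) {
    if (hostInDomain(host, ALLOWED[i])) return true;
  }
  return false;
}

// Rudimentary load balancing: a stable hash of the hostname, so the same site
// always lands on the same proxy (keeps Squid's cache and keep-alives useful).
function pickProxy(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.toLowerCase().charCodeAt(i)) >>> 0;
  }
  return "PROXY " + PROXIES[h % PROXIES.length];
}

function FindProxyForURL(url, host) {
  // Plain hostnames (no dot) and the internal domain go direct, like isPlainHostName().
  if (host.indexOf(".") === -1 || hostInDomain(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (isAllowed(host)) return pickProxy(host);
  // Everything else is sent to a closed local port so the browser fails fast and
  // the request never leaves the host. Squid should still deny by default as well.
  return "PROXY 127.0.0.1:9";
}
```

Serve the file as `application/x-ns-proxy-autoconfig` from the Nginx root described above, and test it against a non-whitelisted host before pushing the GPO.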
     
