1

I would like to block/filter/censor certain social network users whose content may be offensive or violent, so that people inside my LAN (say, a school) will have access to the main site,

for example facebook.com

but not, for example, to facebook.com/violentuser.

Is it even possible? How can I do that?

Need your help; thanks!

bashizip
  • It is only possible if the website is being accessed without https. Just put an http proxy in front of it and route all traffic to it. – Florin Asăvoaie Jul 25 '16 at 15:27
  • Do you realize how many Facebook/Twitter accounts you'd have to block in this manner? Tens of millions, if not more. – ceejayoz Jul 25 '16 at 15:50
  • @ceejayoz I know exactly the accounts I want to block; they are kind of spammers inside my domain. Thank you! – bashizip Jul 25 '16 at 23:55

1 Answer

1

It is possible to block https sites on a URL-by-URL basis, but to do this you must use SSL Inspection (often called HTTPS inspection, or Man-in-the-middle / MitM).

Many proxies support this. It has a few deployment issues, the main one being that client computers must trust the SSL certificate that is used by the proxy to sign the new certificates that it creates (one per site). This requires adding that certificate to the trusted root store (and potentially other certificate stores, such as the Firefox cert store) on the client computers / devices.

There may also be privacy issues and local jurisdiction issues about what is legal in your jurisdiction, so SSL inspection is not to be done lightly.

Once you are inspecting https traffic, then URL blocking is similar to the case for http.

Our product WinGate supports SSL inspection (need an enterprise license). Other products do as well, such as squid.

Disclaimer: I work for Qbik who are the authors of WinGate

Adrien
  • Thank you. I have already planned to test WinGate among some other solutions. My only concern at this point is whether I can combine WinGate / Squid with **CAP + WPAD** to auto-configure the client machines and spare me the hard work of manually configuring each post. – bashizip Jul 26 '16 at 00:01
  • Yes, WinGate does, and I'm pretty sure Squid also supports WPAD. WinGate has a WPAD template file (auto-generated) which you can edit if required. – Adrien Jul 26 '16 at 00:07
  • I don't have enough permission but I would mark your answer as the good one. Hope I will have all the help needed from your team to set up a working environment, thanks – bashizip Jul 26 '16 at 01:39
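
An added illustration of the answer above (not part of the original posts, and not WinGate or Squid code): a Python example of the per-profile decision a filtering proxy can make, showing that an uninspected HTTPS `CONNECT` tunnel exposes only the host while an inspected or plain-HTTP request exposes the path. The block list, the `www.`/`m.` alias prefixes and the normalization rules are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed block list: (host, profile) pairs, lower-cased.
BLOCKED_PROFILES = {("facebook.com", "violentuser")}
# Assumption: these host prefixes serve the same profiles as the bare domain.
ALIAS_PREFIXES = ("www.", "m.")


def normalize_host(host):
    """Lower-case, drop any port and trailing dot, fold the alias prefixes."""
    host = host.strip().lower().split(":", 1)[0].rstrip(".")
    for prefix in ALIAS_PREFIXES:
        if host.startswith(prefix):
            return host[len(prefix):]
    return host


def decide(method, target, host_header=""):
    """Return 'block', 'allow' or 'opaque' for one request seen by the proxy."""
    if method.upper() == "CONNECT":
        # HTTPS tunnel without inspection: the target is only host:port,
        # so a per-profile rule has nothing to match against.
        return "opaque"
    if target.lower().startswith(("http://", "https://")):
        # Absolute-form target, as sent to a proxy for plain HTTP.
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path
    else:
        # Origin-form target plus Host header, as seen after TLS inspection.
        host, path = host_header, target.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes and ignore empty or "." segments before comparing.
    segments = [s for s in unquote(path).split("/") if s not in ("", ".")]
    profile = segments[0].lower() if segments else ""
    blocked = (normalize_host(host), profile) in BLOCKED_PROFILES
    return "block" if blocked else "allow"


# Constructed sample requests: (method, request target, Host header).
SAMPLE_REQUESTS = [
    ("CONNECT", "www.facebook.com:443", ""),
    ("GET", "/violentuser", "www.facebook.com"),
    ("GET", "/%56iolentUser/photos?ref=1", "m.facebook.com:443"),
    ("GET", "/someoneelse", "www.facebook.com"),
    ("GET", "http://facebook.com/violentuser/", ""),
]

if __name__ == "__main__":
    for method, target, host in SAMPLE_REQUESTS:
        print(f"{method:7} {target:32} -> {decide(method, target, host)}")
```

For a `CONNECT` request the only choices are to allow or block the whole host, which is why per-profile blocking of an HTTPS site depends on SSL inspection.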