Forum Discussion
rgk_76855
Nimbostratus
Nov 12, 2009
URL/Web Filtering
We are the Core Internet Backbone Service Provider; our core router is connected to the outside world for internet services in our country. We have strong enforcement from our telecommunication authorities to block a few websites. Can anybody let us know how we can do URL/web filtering through an LTM iRule?
Thanks
RGK
8 Replies
- The_Bhattman
Nimbostratus
Hi RGK,
Here is a simple one that blocks access based on hosts using a datagroup:

```tcl
class blocked_hosts {
   "wwwa.example.com"
   "wwwb.example.com"
   "wwwc.example.com"
}

when HTTP_REQUEST {
   if { [matchclass [HTTP::host] eq $::blocked_hosts] } {
      HTTP::respond 404
   }
}
```
I hope this helps
CB
- hoolio
Cirrostratus
CB's suggestion would work if you add an HTTP profile to the outbound HTTP virtual server. For HTTPS, you would need a cert--which all clients accept as valid for any external domain--in order to decrypt, inspect and modify the HTTP. I would be very curious to hear whether you have such a certificate and key...
And I'm not sure I like the idea of helping a country's major backbone provider block access to external sites for the country. There are numerous ways to bypass such attempts as seen with the great firewall of China and the Iranian attempts at censorship.
Aaron
- rgk_76855
Nimbostratus
Aaron, if you are talking about SSL interception, then as per my understanding Bluecoat can do this job very well, and I have no idea about the F5 ADC. I would say of ProxySG that it can transparently proxy the HTTPS traffic and send its own cert - key to all clients.
For all clients, ProxySG will be the destination server, and if the destination is allowed then the proxy will create a new connection to the OCS on behalf of the request sent to the in-line ProxySG. If the requested OCS is not allowed then ProxySG will deny the request. This is how ProxySG breaks the SSL tunnel.
I have no idea yet whether F5 LTM can do the same job as I described above for Bluecoat ProxySG. If I am wrong, please correct my understanding.
I also request both of you, and all of you, to help me with the task that was given to me today: what solution is best for URL filtering?
I know that Bluecoat and its BCWF can do this job for me, but due to throughput constraints we are not interested in buying Bluecoat ProxySG appliances and load balancers to block very few websites out of the traffic of millions of websites.
Thanks
RGK
- The_Bhattman
Nimbostratus
Have you ever thought of using SquidProxy?
CB
- rgk_76855
Nimbostratus
If I use ProxySG for URL filtering and traffic redirection from LTM, will it be okay for us to block all blacklisted HTTPS or HTTP traffic?
- The_Bhattman
Nimbostratus
Sure. If everything passes through the ProxySG then you can do filtering, blocking, etc.
CB
- rgk_76855
Nimbostratus
Yes, we are not thinking of using Squid proxy and have the proposal in hand. Can you answer the below?
URL filtering for http/80: we can do this via both iRule and Squid.
Is URL Filtering for https/443 via Squid possible?
Thanks
Rehan
- The_Bhattman
Nimbostratus
Yes, it's possible to do it on both, but for the sake of simplicity it's better to do it on the proxy.
Bhattman
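An added example, not part of the thread and not F5 or poster code: the data group in the first reply lists bare hostnames, but a Host header value can carry mixed case, a port or a trailing dot, so this Python code compares a plain equality check with a normalized one. The function names and the sample header values are constructed for illustration.

```python
# Added example: function names and sample values are constructed,
# only the three hostnames come from the thread's data group.
BLOCKED_HOSTS = {"wwwa.example.com", "wwwb.example.com", "wwwc.example.com"}


def normalize_host(host_header: str) -> str:
    """Reduce a raw Host header value to a comparable hostname."""
    host = host_header.strip().lower()
    if host.startswith("["):
        # IPv6 literal such as "[2001:db8::1]:8080": keep the bracketed part.
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    # Drop an optional ":port" suffix (an empty port after ":" is allowed).
    name, sep, port = host.rpartition(":")
    if sep and (not port or port.isdigit()):
        host = name
    # A fully qualified name may be written with a trailing dot.
    return host.rstrip(".")


def exact_match(host_header: str) -> bool:
    """Byte-for-byte comparison against the list."""
    return host_header in BLOCKED_HOSTS


def normalized_match(host_header: str) -> bool:
    """Comparison after case, port and trailing-dot normalization."""
    return normalize_host(host_header) in BLOCKED_HOSTS


# Constructed Host header values for the comparison.
SAMPLES = [
    "wwwa.example.com",
    "WWWA.Example.COM",
    "wwwb.example.com:80",
    "wwwc.example.com.:443",
    "www.example.org",
]


def compare(samples=SAMPLES):
    """Return (header, exact result, normalized result) per sample."""
    return [(s, exact_match(s), normalized_match(s)) for s in samples]


if __name__ == "__main__":
    for header, exact, normalized in compare():
        print(f"{header!r:28} exact={exact!s:5} normalized={normalized}")
```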
