Block YouTube app and Facebook app on mobile phones
-
@IT-ADMIN said:
Actually, the Facebook and YouTube websites are already blocked by the Squid proxy. This applies only to computers because they are configured to use the proxy setting in their browsers. The phones are not connected to the proxy because they use apps instead of browsers, so I set a specific rule for mobile phones that allows all traffic.
So "not really blocked" is the issue here. You are not using the proxy as a security measure but as a matter of convenience. To use a proxy for security it must be the only path between the LAN and the Internet. You are using the proxy as an optional path and anything without the proxy settings is bypassing it.
Put your proxy inline and everything will be solved immediately. Or simply block any other path. HTTP traffic should only be allowed to and from the proxy.
-
@IT-ADMIN said:
@IT-ADMIN How can I change this phone rule to block the Facebook and YouTube apps, knowing that I cannot force mobile traffic to pass through the Squid proxy because the apps do not use the proxy setting?
No need for proxy settings if set up as inline and transparent. The standard use of a proxy does not require proxy settings on the end users' devices.
-
@scottalanmiller said:
@IT-ADMIN said:
@IT-ADMIN How can I change this phone rule to block the Facebook and YouTube apps, knowing that I cannot force mobile traffic to pass through the Squid proxy because the apps do not use the proxy setting?
No need for proxy settings if set up as inline and transparent. The standard use of a proxy does not require proxy settings on the end users' devices.
Thank you, dear Scott, but if I set my proxy as transparent it will allow only port 80 traffic and deny everything else, which causes HTTPS port 443 to be blocked. Then mobiles cannot connect to Gmail or Skype, nothing except web surfing (port 80).
-
@IT-ADMIN said:
Thank you, dear Scott, but if I set my proxy as transparent it will allow only port 80 traffic and deny everything else, which causes HTTPS port 443 to be blocked. Then mobiles cannot connect to Gmail or Skype, nothing except web surfing (port 80).
Why is everything except for port 80 blocked?
-
-
That doesn't imply what you stated, though.
-
@IT-ADMIN Because if you don't inform your browser which proxy to use, HTTPS will consider the proxy a man in the middle and will drop the connection.
-
All 443 traffic will not be established because the app itself is unaware of which proxy to use.
-
I set the proxy setting for mobile, and I noticed that Facebook is blocked but YouTube is not blocked. It seems that the YouTube app is not using youtube.com to connect to the server.
-
@IT-ADMIN said:
@IT-ADMIN Because if you don't inform your browser which proxy to use, HTTPS will consider the proxy a man in the middle and will drop the connection.
No, you are thinking of the way that you are using a proxy "non-transparent." A transparent proxy you don't tell the browser about. That's what transparent means - that the proxy happens without anything needing to know about it.
-
@IT-ADMIN said:
All 443 traffic will not be established because the app itself is unaware of which proxy to use.
It's transparent so everything goes through the proxy.
-
@IT-ADMIN said:
I set the proxy setting for mobile, and I noticed that Facebook is blocked but YouTube is not blocked. It seems that the YouTube app is not using youtube.com to connect to the server.
You'll need to block all YouTube sites, which are many. Blocking by domain name is not very effective. There is always a way around that by IP address.
-
If I set a transparent proxy and block some URLs, users cannot access http://facebook.com, but if they just add an "s" after http, they can access it easily. I tried it!! I'm sure.
-
@scottalanmiller said:
@IT-ADMIN said:
I set the proxy setting for mobile, and I noticed that Facebook is blocked but YouTube is not blocked. It seems that the YouTube app is not using youtube.com to connect to the server.
You'll need to block all YouTube sites, which are many. Blocking by domain name is not very effective. There is always a way around that by IP address.
Also, blocking by IPs is not efficient, because the IPs of servers keep changing, and it is difficult to know all the IP ranges used by a specific server.
-
In the beginning I thought that apps could be blocked by closing some port numbers, but it seems that almost all of the apps use either 80 or 443, and if I close one of these ports it is like I closed everything!!!
-
@IT-ADMIN said:
If I set a transparent proxy and block some URLs, users cannot access http://facebook.com, but if they just add an "s" after http, they can access it easily. I tried it!! I'm sure.
Are you just clicking a box called "transparent proxy" or are you actually changing your network correctly to accommodate the change in architecture?
-
@IT-ADMIN said:
Also, blocking by IPs is not efficient, because the IPs of servers keep changing, and it is difficult to know all the IP ranges used by a specific server.
Correct, blocking like you are doing is effectively impossible. There is always a simple workaround.
-
@IT-ADMIN said:
In the beginning I thought that apps could be blocked by closing some port numbers, but it seems that almost all of the apps use either 80 or 443, and if I close one of these ports it is like I closed everything!!!
Yes, normal businesses block all traffic on all ports and only allow 80 and 443 (web ports) via proxies. So any app that used another port would be assumed to be always broken, even in many homes. You need to proxy all traffic, not just some traffic, and you need a proxy that can terminate SSL for the end users or you are wasting your time because basically every site supports SSL today and if you can't filter SSL the proxy is pointless.