How to Block Facebook on HTTPS on Squid proxy server without importing IPS/CIDR or configure Clients browsers for the Proxy settings using the WPAD Autodiscover for Squid feature
In order to block Facebook or any other website on HTTPs protocol on pfsense (SQUID) without finding all the CIDR or IPs to block facebook or any other website’s IPs we will have to use the Squid proxy’s Autodiscover feature which uses Wpad file .. Let’s say similar to how Exchange uses Autodiscover’s XML file.
- In order to block sites on HTTPS you will need to have SQUID Guard proxy installed and configured on Pfsense. If you don’t know how you can look it up here.
- In order to use this feature you will have to disable the transparent mode on Squid server, To do so navigate to proxy server under the Services Menu then Proxy Server then un-tick the Transparent HTTP proxy.
- You will need to have the DHCP server up and running and you will need to create a DHCP option 252 that will provide the HTTP path to the files that we will create further on.
- DNS Server configured for the domain in order to add a required A record value for the wpad. The clients are going to look that up through the DHCP option mentioned in step 3.
Then we will have to create the following files in Notepad and save each of them with a specific extension as in the below snapshot
Note: The IP 10.10.0.155 represents my proxy server (PFsense in this case) which has Squid installed and configured on it.
Once these files are saved, I will use a very simple HTTP server tool to host them on any of my servers on a specific port which clients can reach without any problem. My favorite tool is HFS which you can download from here
Web Server Configuration
After running the HFS appliaction I will run it on the port 8085 and load all the files as in the following snapshot
You can simply load the files by dragging and dropping them under the “Virtual File System” on the right pane.
Once this is done we will have to configure the WPAD record on our DNS server with A record pointing to the server where the files are hosted “In my case I have installed the HFS on the AD/DNS server” that has the IP 10.10.0.150
Next I will go the client and check if I can resolve this wpad …
I have tried to resolve the name but apparently the nslookup is not finding the record that I have created although it’s in the DNS, I have tried ipconfig /flushdns, tried restarting the DNS service but nothing solved the problem
Lastly I went to the DNS logs and checked if there’s anything worth noticing there and here’s what I got Error event ID 7600
Googling online with this error got me to this Microsoft KB
All I had was to open registry editor and delete the wpad key from the GlobalQueryBlockList value as following
Here is what it looks like after deleting the wpad
Click Ok and make sure you Restart the DNS Server.
On the client I will flush the DNS cache and do another nslookup attempt.
DHCP Server configuration
the DHCP server’s options as required in the prerequisites earlier. I have my DHCP configured on Pfsense server and now I will configure the DHCP as following.
Here I have clicked on Advanced next to the “Additional BOOTP/DHCP options and in Number I entered the DHCP option that I would like to configure and chose String since it’s WPAD. And on the value side I entered the path for the Wpad URL where I ran the HFS application and made sure it’s accessible by clients.
Next I saved everything and will go to both the HFS to monitor clients activity if they are requesting the file or not and I will go the client and request Facebook on HTTPS.
In order for the autodiscover (Wpad) feature to work your Internet explorer/Firefox must be set to use the Audo detect settings.
On the HFS Server (My AD) I will look up for any logs that will be reported once I start browsing. Now it’s empty
I will go back to the client and browse Google for example.
Here, I have tried on the client side to open Facebook on https but it didn’t work but other websites are working just fine!
What happened on the HFS server is that the client on Internet Explorer has requested the file “Proxy.pac” file for the settings which means that all of our settings are working properly.
The only thing I have done on the Proxy Filter to disable Facebook was to Socialnet which includes all the social media websites. In case you want to block only Facebook and leave twitter you will have to extract the blacklist and create your own facebook folder and text file to include all the facebook URLs and then upload it to your own FTP or web server.