Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Sep 22 15 10:06 pm
When accessing a site via the https protocol, the block page is not displayed. The rule type is "deny". Why is that?
Sep 23 15 11:46 pm
Hi
this unfortunately is due to browser design.
It was decided that any response from a proxy to a CONNECT request (other than successful connection) can't be trusted, and so shouldn't be displayed.
We think the browser authors could have put some more effort and imagination into solving this issue, but they didn't, they adopted a very heavy handed approach which breaks block pages for https.
Adrien
Sep 24 15 3:11 pm
Thanks for the info.
Is there a way around the problem by means of WinGate? Policy, rules, scripts, etc.? Or not?
Sep 24 15 8:33 pm
Hi
The only way a browser will display anything for https is if it thinks it got it from the actual site it thinks it's connecting to.
So in this case, you could potentially do something but you would need to:
a) use https inspection (requires an enterprise license)
b) use flow-chart policy rather than web access control policy to block people.
This is because the tunnel setup (CONNECT request) is passed through the web access control rules, and you need to allow this to proceed (e.g. not block things in web access control rules), and then block after the browser has an encrypted tunnel to the server via the proxy and sends an http request - you'd need to block this instead of the tunnel setup request.
Flow-chart policy allows you to do this, since if you implement access control in the ProxyRequest event, it will catch http and inspected-https requests.
Regards
Adrien de Croy
Sep 24 15 9:21 pm
Thanks, Adrien.
I will be thinking about upgrading a license to enterprise...
Sep 24 15 10:07 pm
Hi
I thought a bit more about this, and decided I could make it easier.
So I'm just testing changes so that the web activity filter can know if the tunnel will be inspected, and if so, it won't block on tunnel creation, just the actual tunneled http(s) requests.
So I am now seeing block pages from web access control for https!
This will come out in WinGate 8.5 which is due out very soon.
Regards
Adrien
Sep 24 15 10:31 pm
Good idea and great news, looking forward to 8.5. :)
Sep 25 15 2:58 am
Hi
no prob, we just put it up on our site, you can find it at
http://www.wingate.com/download/wingate/download.php
Regards
Adrien
Feb 23 16 1:53 am
Can I change the block page display message?
Feb 23 16 10:16 am
Hi, yes you can.
In the Web Access Control > Access Rules section there is a settings option (in the task panel, bottom left). If you click that you can create new block pages and you can select which block page to use in your deny rules.
Regards
Adrien
Feb 23 16 9:11 pm
Can you please explain how to block https webpages properly? With the way I follow, when I try to open youtube or facebook it does not show the block page message; it says the proxy is refusing connections. Please advise how to block https sites properly.
Feb 24 16 3:24 pm
Hi
to convince a modern web browser to display a block page for an https site, you need to use SSL inspection.
Unfortunately a while ago, browser vendors decided it was unsafe to display block page for proxies when https was involved. This is because the browser vendors lacked the imagination and skill to display such a block page in a way that would not be confused with an actual page from an actual site, and so block pages were considered to be unsafe.
So you will need to
a) use an enterprise license to have SSL inspection available
b) import or generate an SSL certificate in WinGate for signing spoofed generated certificates for SSL inspection
c) deploy that certificate to all your users.
d) configure the WWW proxy to enable SSL inspection.
Then WinGate will defer blocking https requests until after the tunnel has been set up and the tunneled request has been issued.
Regards
Adrien
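
The behaviour discussed in this thread, as an added example (not WinGate code and not part of any post): a small model of where a forward proxy can place a deny decision so that a block page actually reaches the user. The host names, `BLOCKED` policy and function names are hypothetical, and it assumes the inspection signing certificate is already trusted by the clients.

```python
# Added illustration; names and policy below are constructed, not WinGate's.
BLOCKED = {"blocked.example"}  # constructed sample deny list
BLOCK_PAGE = b"<html><body>Access denied by policy</body></html>"


def parse_request_line(raw):
    """Return (method, target) from the first line of a raw HTTP request."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = line.split(" ", 2)
    return method, target


def host_of(method, target, raw):
    """Host the request is aimed at: CONNECT authority or Host header."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()  # target is host:port
    for header in raw.split(b"\r\n")[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return ""


def deny_response():
    return (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n%s" % (len(BLOCK_PAGE), BLOCK_PAGE))


def decide(raw, inspecting):
    """Return (action, response_bytes, user_sees_block_page).

    A non-CONNECT request here is either plain http or the decrypted
    request the proxy reads from inside an inspected https tunnel.
    """
    method, target = parse_request_line(raw)
    denied = host_of(method, target, raw) in BLOCKED
    if method == "CONNECT":
        if denied and not inspecting:
            # Browsers discard the body of a non-2xx CONNECT reply, so the
            # user gets a generic connection error, not the block page.
            return "deny-tunnel", deny_response(), False
        # With inspection on, defer the decision to the tunneled request.
        return "allow-tunnel", b"HTTP/1.1 200 Connection established\r\n\r\n", False
    if denied:
        # The reply now appears to come from the site itself, so it renders.
        return "deny-request", deny_response(), True
    return "forward", b"", False
```
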