Hi,
At our university, we are using the Moodle LMS. Now we want to shift the student exam to a computer-based exam. Students will conduct the exam inside the university using their own devices.
Here is our requirement.
1- We will whitelist a certain number of HTTPS domain URLs (around 30 domains).
2- We want only these domains to be opened; all the rest of the traffic should be blocked/denied.
3- Around 400 students will conduct the exam simultaneously.
How can we achieve this using open-source technologies in Linux?
We do not want any caching or proxying etc.; the prime objective is to allow only certain sites and block all the rest of the traffic.
Students will conduct the exam using the Respondus LockDown Browser.
So if not blocking and controlling access via a proxy, the easiest way is to do it by restricting the DNS queries. Configure your DNS server to only allow certain domains, and reject all the others. Or another way: just remove the ability for the computers to resolve DNS at all, and then add all the entries you want to resolve to /etc/hosts. Since the user will only have normal user rights, they will not be able to edit /etc/hosts or even /etc/resolv.conf to enable DNS resolution. Either of these options would be a valid way of doing it. Since your machine is most likely going to be an image to be loaded onto the computer or VM, you won’t need to repeat configuring this manually. Also, you can use Ansible to do that anyway by running it against all the computers to populate /etc/hosts or configure the network appropriately.
You can find plenty of how-tos for configuring Bind DNS on Linux by doing a search with Google, as well as for restricting such queries. Using the second option of using /etc/hosts won’t require you to configure DNS and thus will save you the Google search.
So if it’s their own devices, are you planning to mess with those devices, or are you saying those devices will only be able to connect to XYZ (via wireless, what about some other wireless access point nearby?)
Be careful that you know exactly which ones; for example, this forum might look like it’s running on ‘rockylinux.org’, but most of the requests are to ‘discourse-cdn.com’.
I didn’t catch what @gerry666uk did. Nice spotting that, Gerry. Yeah, if they are going to be using their own computers, then some of what I wrote doesn’t apply. You can do it with DNS still though, but you will need to ensure your firewall blocks DNS queries to any servers other than your own. Otherwise the student devices could just change their DNS and get around your solution. The other problem is that any DNS entries that may CNAME to something else could cause pages not to load properly unless those entries are also added - again what Gerry mentioned relating to CDN, etc.
You don’t want a proxy, but in reality it is probably the best way to actually do this, and it would make it far easier to achieve. Because you whitelist what you want to allow, and everything else is automatically blocked. If no internet access exists other than via the proxy, then they cannot get around it.
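
The CDN and CNAME caveats raised in the replies can be checked before exam day. The following is an added example, not part of any post in this thread: it audits the hostnames an exam page actually requests, plus their CNAME chains, against a DNS allowlist. All domain names, CNAME records and observed hostnames are constructed, and treating an allowlisted domain as covering its subdomains is an assumption.

```python
# Constructed sample data: the allowlist, CNAME records and requested
# hostnames below are made up for illustration (example.* names only).
ALLOWLIST = {"moodle.example.edu", "static.example.edu"}

# name -> CNAME target, as a resolver would return them (constructed)
CNAMES = {
    "moodle.example.edu": "lb.hosting.example.net",
    "lb.hosting.example.net": "edge.cdn.example.com",
}

# Hostnames seen while loading the exam page, e.g. copied from the
# browser's network tab (constructed)
OBSERVED = ["moodle.example.edu", "static.example.edu", "assets.cdn.example.com"]


def allowed(name, allowlist):
    """True if name is an allowlisted domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)


def cname_chain(name, cnames, limit=10):
    """Follow CNAME records from name; stop on loops or after `limit` hops."""
    chain, seen = [], {name}
    while name in cnames and len(chain) < limit:
        name = cnames[name].rstrip(".").lower()
        if name in seen:
            break
        seen.add(name)
        chain.append(name)
    return chain


def audit(observed, allowlist, cnames):
    """Return {hostname: [names that a DNS allowlist would refuse]}."""
    problems = {}
    for host in observed:
        host = host.rstrip(".").lower()
        names = [host] + cname_chain(host, cnames)
        blocked = [n for n in names if not allowed(n, allowlist)]
        if blocked:
            problems[host] = blocked
    return problems


if __name__ == "__main__":
    for host, blocked in audit(OBSERVED, ALLOWLIST, CNAMES).items():
        print(f"{host}: add or review {', '.join(blocked)}")
```

Each name reported is one that would fail to resolve under a DNS-only allowlist, so it either needs adding to the list or the page will load incompletely.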