How to configure allowing only certain HTTPS domains and blocking all other traffic

Hi,
At our university, we are using the Moodle LMS. Now we want to shift the student exam to a computer-based exam. Students will conduct the exam inside the university using their own devices.

Here is our requirement.

1. We will whitelist a certain number of HTTPS domain URLs (around 30 domains).
2. We want only these domains to be reachable; all other traffic should be blocked/denied.
3. Around 400 students will take the exam simultaneously.

How can we achieve this using open-source technologies on Linux?
We don't want any caching or proxying etc.; the prime objective is to allow only certain sites and block all other traffic.

Students will take the exam using the Respondus LockDown Browser.

So if you are not blocking and controlling access via a proxy, the easiest way is to do it by restricting the DNS queries. Configure your DNS server to only allow certain domains, and reject all the others. Or, another way, just remove the ability for the computers to resolve DNS at all, and then add all the entries you want to resolve to /etc/hosts. Since the user will only have normal user rights, they will not be able to edit /etc/hosts or even /etc/resolv.conf to enable DNS resolution, so either of these options would be a valid way of doing it. Since your machine is most likely going to be an image to be loaded onto the computer or VM, you won’t need to repeat configuring this manually. Also, you can use Ansible to do that anyway by running it against all the computers to populate /etc/hosts or configure the network appropriately.

You can find plenty of how-tos for configuring BIND DNS on Linux by doing a search with Google, as well as for restricting such queries. Using the second option of using /etc/hosts won’t require you to configure DNS and thus will save you the Google search.

So if it’s their own devices, are you planning to mess with those devices, or are you saying those devices will only be able to connect to XYZ (via wireless; what about some other wireless access point nearby?)

Be careful that you know exactly which ones; for example, this forum might look like it’s running on ‘rockylinux.org’, but most of the requests are to ‘discourse-cdn.com’.

I didn’t catch what @gerry666uk did. Nice spotting that, Gerry. Yeah, if they are going to be using their own computers, then some of what I wrote doesn’t apply. You can do it with DNS still, though, but you will need to ensure your firewall blocks DNS queries to any servers other than your own. Otherwise the student devices could just change their DNS and get around your solution. The other problem is that any DNS entries that may CNAME to something else could cause pages not to load properly unless those entries are also added - again, what Gerry mentioned relating to the CDN, etc.

You don’t want a proxy, but in reality it is probably the best option to actually do this, and it would make it far easier to achieve, because you whitelist what you want to allow and everything else is automatically blocked. If no internet access exists other than via the proxy, then they cannot get around it.

I am able to get the required scenario by using an HTTPS Squid tunnel with SNI filtering.

For a few users it's working fine; I need to check the performance under high load (400+ concurrent users).

Below is the document I followed,

using the below ACLs in squid.conf:

# allowlist of server names, one per line, matched against the SNI of the ClientHello
acl goodlist_ssl ssl::server_name "/etc/squid/goodsites.txt"
acl step1 at_step SslBump1

ssl_bump peek step1                    # step 1: read the SNI without decrypting anything
ssl_bump splice goodlist_ssl           # SNI on the allowlist: pass the TLS session through untouched
ssl_bump terminate all !goodlist_ssl   # everything else: close the connection
https_port 3129 intercept ssl-bump cert=/etc/squid/dummy.pem
http_port 3128
http_port 8080 intercept

http_access deny all

debug_options ALL,1 33,2

Then redirecting the traffic to the proxy ports:

iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 80 -j REDIRECT --to-port 8080

If someone has a better idea or experience with this kind of setup, kindly share your experiences.
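As an added example (Python written for this page, not code from the thread or from Squid), the following builds a constructed ClientHello, pulls out the SNI the way the `peek step1` rule sees it, and applies the splice/terminate decision against a goodsites.txt-style allowlist. The allowlist matching assumes ssl::server_name uses dstdomain's rule (a leading dot covers the domain and its subdomains, a bare name is an exact match); the three allowlist entries and all host names are constructed, and the ".discourse-cdn.com" entry illustrates Gerry's point that the names a page actually fetches from are not the one in the address bar.

```python
import struct

def build_client_hello(host):
    """Constructed test input: a minimal TLS ClientHello whose only extension is SNI."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # ext type, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record type 0x16 = handshake

def extract_sni(record):
    """What squid's 'peek' at SslBump1 sees: the host_name in the SNI extension, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                     # not a handshake / ClientHello
            return None
        pos = 9 + 2 + 32                                               # headers, client_version, random
        pos += 1 + record[pos]                                         # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]         # cipher_suites
        pos += 1 + record[pos]                                         # compression_methods
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # extensions block
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            if etype == 0:                   # server_name: list_len(2) name_type(1) name_len(2) name
                nlen = struct.unpack("!H", record[pos + 7:pos + 9])[0]
                return record[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                           # truncated or malformed: no SNI
    return None

def load_goodsites(text):
    """Parse goodsites.txt: one pattern per line, '#' comments and blank lines ignored."""
    return [ln.split("#")[0].strip().lower() for ln in text.splitlines() if ln.split("#")[0].strip()]

def sni_allowed(sni, patterns):
    """dstdomain-style match (assumed): '.x.com' covers x.com and subdomains, a bare name is exact; no SNI never matches."""
    host = (sni or "").lower().rstrip(".")
    return bool(host) and any(host == p.lstrip(".") or p.startswith(".") and host.endswith(p) for p in patterns)

def ssl_bump_action(record, patterns):
    """The thread's decision: splice (pass through untouched) if allowlisted, otherwise terminate."""
    return "splice" if sni_allowed(extract_sni(record), patterns) else "terminate"

GOODSITES = """.moodle.example.edu   # constructed allowlist: the LMS and every subdomain
.discourse-cdn.com      # assets a page pulls in that never appear in the address bar
static.example.org      # exact host only, so www.static.example.org is blocked
"""
```

Running `ssl_bump_action(build_client_hello("lms.moodle.example.edu"), load_goodsites(GOODSITES))` returns "splice", while a ClientHello with no SNI or a truncated record returns "terminate", which is the behaviour the `terminate all !goodlist_ssl` line gives you.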