User Page Block

Started by haim9080, Today at 12:38:45 AM

Hello everyone, I want to know how I can do a UserPage Block for users in my network who try to access a blocked website.
I am using AdGuard Home on OPNsense.
And I want that if some user logs in to a blocked website, for example, he gets a Page Block ..

Like a real FW: Forti/Checkpoint.
Sorry about my English if it's not very good :)

AdGuard Home is not designed for that purpose - normally, it is supposed to just return a DNS error for "advertisements", which drops requests for advertisement URLs, such that ad content image parts will be left out from your normal pages.

Of course you can use blocklists that also block certain sites and you can specify the IP that AGH returns. You can then install a webserver on that IP that answers with a block notice for any URL. Yet, if the original URL was HTTPS, you would get an error because your block notice cannot produce a valid certificate for the original page called for. Thus, you need to create a certificate on the fly, and the CA for that must be imported on your clients.

Here is a project that does that, but as I said, this is not how AGH is intended to be used, so it is a lot of manual work. Also, I assume that every advertisement on each page would be replaced by a small picture of the block site.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+


Which has the same problem when you try to redirect to an HTTPS site.

Denying a request for a DNS name and redirecting to another site is not the same thing and even if you return a specific IP, the site behind it cannot easily fake being the original one called for.

Quote from: meyergru on Today at 08:46:30 AM
AdGuard Home is not designed for that purpose - normally, it is supposed to just return a DNS error for "advertisements", which drops requests for advertisement URLs, such that ad content image parts will be left out from your normal pages.

Of course you can use blocklists that also block certain sites and you can specify the IP that AGH returns. You can then install a webserver on that IP that answers with a block notice for any URL. Yet, if the original URL was HTTPS, you would get an error because your block notice cannot produce a valid certificate for the original page called for. Thus, you need to create a certificate on the fly, and the CA for that must be imported on your clients.

Here is a project that does that, but as I said, this is not how AGH is intended to be used, so it is a lot of manual work. Also, I assume that every advertisement on each page would be replaced by a small picture of the block site.

So if I understand you correctly, can I set the AdGuard settings to give it an NGINX server address, or some server with a white page or a design that says it's blocked, and AdGuard will redirect to it every time??
The question is, if I don't give it a CA, what can happen?

Today at 02:30:42 PM #5 Last Edit: Today at 04:48:44 PM by meyergru
You will not see the blocking page first, because the certificate is not trusted, so instead, your browser will warn you like this:

[attachment: screenshot of the browser's certificate warning page]

You cannot prevent that from happening other than with certificate generation & CA import, because a single exemption will not cover all potential blocks.

Quote from: haim9080 on Today at 12:38:45 AM
And I want that if some user logs in to a blocked website, for example, he gets a Page Block
If you are looking for something like this: https://duckduckgo.com/?q=pi-hole+website+blocked+page&ia=images&iax=images

Then you could check if the current version of Pi-Hole still has that webpage when changing the default block mode to one of the alternatives:
- https://docs.pi-hole.net/ftldns/configfile/#mode
- https://docs.pi-hole.net/ftldns/blockingmode/

This used to be available in Pi-Hole version 5.x.x and older, but due to being deprecated step-by-step throughout the versions I am not sure if it's still available by default...

The screenshots shown by the DuckDuckGo Images Search are also mainly the old .php page(s) served by LigHTTPd which has been replaced by CivetWeb in Pi-Hole version 6.x.x and the use of PHP in general has been removed since that version.

So fire up a LXC or VM or spare Raspberry Pi and test the current options if you need such a webpage for your users :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

I repeat: This approach does not work for HTTPS sites, which nowadays is the default for most sites.

Just think it through:

1. You request any URL, like https://www.badsite.com/url1.
2. No matter what you are using: Unbound, AGH or Pi-Hole see that "www.badsite.com" is on their blocklist.
3. You configure your DNS blocker to NOT deliver a "NOT FOUND" error, but a different IP than the real one for www.badsite.com.
4. The webserver behind that IP accepts the request on port 443. If it can present a certificate for www.badsite at all (for the purpose of which it has to be able to dynamically generate those), it will not be trusted by your browser per se (unless you import the generating CA first).
5. Therefore, your browser will bark and NOT show you the blocking notice, but instead a warning that something fishy is going on (which it is).

Result: You cannot have a blocking notice page (as requested per thread title) without dynamic certificates that your browser trusts.

Quote from: meyergru on Today at 05:00:00 PM
I repeat: This approach does not work for HTTPS sites, which nowadays is the default for most sites.

Just think it through:

1. You request any URL, like https://www.badsite.com/url1.
2. No matter what you are using: Unbound, AGH or Pi-Hole see that "www.badsite.com" is on their blocklist.
3. You configure your DNS blocker to NOT deliver a "NOT FOUND" error, but a different IP than the real one for www.badsite.com.
4. The webserver behind that IP accepts the request on port 443. If it can present a certificate for www.badsite at all (for the purpose of which it has to be able to dynamically generate those), it will not be trusted by your browser per se (unless you import the generating CA first).
5. Therefore, your browser will bark and NOT show you the blocking notice, but instead a warning that something fishy is going on (which it is).

Result: You cannot have a blocking notice page (as requested per thread title) without dynamic certificates that your browser trusts.

So I try to understand what I need to do?

If you do not know by now, I cannot help you, sorry.

In AGH or Unbound, you have to redirect bad sites to the IP of your blocking webserver.

I gave a link to a project that can handle the blocking webserver (including certificates) part. It needs docker, but if you do not have that or know how to use docker-compose or do it another way, you are stuck.

OPNsense has no means to do it and it is complex by nature. Note that OPNsense is not your average consumer router that will handle these things automagically for you (actually, what you request cannot be done on OPNsense alone).

Quote from: meyergru on Today at 06:06:54 PM
If you do not know by now, I cannot help you, sorry.

In AGH or Unbound, you have to redirect bad sites to the IP of your blocking webserver.

I gave a link to a project that can handle the blocking webserver (including certificates) part. It needs docker, but if you do not have that or know how to use docker-compose or do it another way, you are stuck.

OPNsense has no means to do it and it is complex by nature. Note that OPNsense is not your average consumer router that will handle these things automagically for you (actually, what you request cannot be done on OPNsense alone).

So I can build up an LXC in Proxmox and give the solution to Production??

If you know the least thing about Proxmox, you should know that while Docker can be used in an LXC, this is not the preferred way.

What do you mean by "give the solution to Production"? The way you put it sounds like you are the solution architect and tell production personnel to implement it? What is your role?