HTTP dynamic domain matching module? #34
Comments
I do not quite understand what I want to get in the end?
@vel21ripn I am not talking about https but plain http(1.x) such as:

Which basically will make admins' lives easier in general to handle a strict http/https access policy without going to the depth of a full http proxy installation. The dream would be to be able to send something like the src ip and the current destination domain to some local in-RAM filtering DB, and the response would decide if the connection is allowed or not, but it's a dream and requires someone to put some cash on it. From what I remember suricata-ids has such a feature, but it was so complex for me to install and configure that I left it and continued to work with a custom tproxy.
I solved common problems with migration to dev-2.3, now I can try to add this functionality.
I think, for this feature the best functionality is 'sets', like:

```
# create set
iptables -t mangle -A POSTROUTING -m ndpi --http-domain --set name0 -j DROP
iptables -t mangle -A PREROUTING -m ndpi --http-domain --set name0 -j DROP
# add domain
echo +google.com > /proc/net/ndpi_http_domain/name0
# delete domain
echo -google.com > /proc/net/ndpi_http_domain/name0
# add multiple domains
echo +google.com,google.co.jp > /proc/net/ndpi_http_domain/name0
```

This is just a copy-paste; this functionality was already implemented in aabc/ipt-ratelimit.
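The set-based matching proposed in the comment above, modelled in user space as an added example (this is not code from nDPI-netfilter, xt_tls or ipt-ratelimit). The `DomainSet` class, the `http_host` and `verdict` functions and the sample requests are constructed for illustration; the `+a.com,b.org` / `-a.com` control syntax is the one from the comment, and a set entry is taken to cover the domain itself and all of its subdomains:

```python
"""User-space model of a named HTTP domain set with '+'/'-' updates and
Host-header matching for plaintext HTTP/1.x (added example, not project code)."""
import re
from typing import Optional, Set


class DomainSet:
    """A named set of domains, updated with the '+a.com,b.org' / '-a.com' syntax."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.domains: Set[str] = set()

    def update(self, line: str) -> None:
        """Apply one control line: '+' adds the listed domains, '-' removes them."""
        line = line.strip()
        if not line or line[0] not in "+-":
            raise ValueError("control line must start with '+' or '-'")
        op, names = line[0], line[1:]
        for name in names.split(","):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if op == "+":
                self.domains.add(name)
            else:
                self.domains.discard(name)

    def matches(self, host: str) -> Optional[str]:
        """Return the set entry covering host (exact or parent domain), else None.

        Matching is on whole labels, so 'notgoogle.com' does not match 'google.com'."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


# Request line of an HTTP/1.0 or HTTP/1.1 request; anything else is not "plain http".
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def http_host(request: bytes) -> Optional[str]:
    """Extract the Host header value (without port) from an HTTP/1.x request."""
    if not _REQUEST_LINE.match(request):
        return None
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            if host.startswith("["):            # bracketed IPv6 literal, keep brackets
                host = host[: host.find("]") + 1]
            elif ":" in host:                    # strip a :port suffix
                host = host.rsplit(":", 1)[0]
            return host
    return None


def verdict(dset: DomainSet, request: bytes) -> str:
    """Model of the rule: DROP when the Host header is covered by the set, else ACCEPT.
    Non-HTTP/1.x payloads and requests without a Host header do not match the rule."""
    host = http_host(request)
    if host is None:
        return "ACCEPT"
    return "DROP" if dset.matches(host) else "ACCEPT"


if __name__ == "__main__":
    # Constructed sample: the two control lines from the comment, then two requests.
    name0 = DomainSet("name0")
    name0.update("+google.com,google.co.jp")
    name0.update("-google.com")
    for req in (b"GET / HTTP/1.1\r\nHost: www.google.co.jp:8080\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"):
        print(http_host(req), verdict(name0, req))
```

The `verdict` function stands in for the match callback: it only decides whether the rule matches, which is why a packet that is not HTTP/1.x falls through with ACCEPT rather than being treated as a hit.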
@k0ste No! In "nDPI" there is a comparison for domains. You need to add the ability to override it without recompiling. It works with the ssl, http and dns protocols.
Why this:
Better than this:
The case: I need to filter 3 different clients:

All domains are different.
All this is already in nDPI. You need to add an interface to load the list of domains.

See 16d3ab3
I changed the procedure for loading hostnames. Theoretically, there are no restrictions on the number of host names. Updates take place atomically.

Commit 0b5ec1e fixed a critical error.
I have seen this nice project:
https://github.com/Lochnair/xt_tls
which actually is based on this project's code.
I was wondering if it would be possible to either create or extend the current http/1.x module to be able to match more than just that, but also a dynamic domain such as "rule --domain x.y.net -j DROP".