Love my job | TheaterFire

[-]

Sucralan@reddit

Easy tasks with some NGFWs (I've send you a PM how to do that). If you are not using one it's a bit tricky but it could work.

Internal web-access:

configure DHCP to allocate a reserved adress for each of those laptops
configure the webserver to only allow those addresses to access the website
use a crohn job to set the webservers software based firewall (which is probably linux) to activate access from those ip addresses to a webserver from X to Y and deactivate access from X to Y (you can set it to do that daily)

External web-access:

Same steps without the IP-Adress struff. You should be able to implement this with certificate based authentication. Only allow machines to connect to the webserver if they have certificate X, that you roll out on those machines.

[-]

Tech88Tron@reddit

It's not a task some sysadmin would like to have.

Maybe I'm weird, but I love challenges like these! It's fun coming with creative ways to solve management problems.....and impresses management.

[-]

diodot@reddit (OP)

Duuuude... you're a life saver! How did I completely forgot about DHCP reservations, that alone will make the job a lot easier.

We use PfSense so we could just create a alias containg all of the endpoints end than schedule the rule.

I owe you a beer, thank you!

[-]

Puppy-love-@reddit

Can you serve the page with an SSO solution like Authentik?

[-]

'urgent' problems like this usually have costs involved for solutions. If they don't want to spend any money, maybe the manager(s) for the people with those laptops can just step up and 'manage' those employees for 4 hours a day ffs.

[-]

Ommco@reddit

Some of 'urgent' tasks can wait for a time when they are actually not needed.

[-]

jhaand@reddit

I don't know the English transalation for the German acronym DELLE: Durch Einfach Legen Lassen Erledigen.

But it could be something like this: Just park it down there and it will sort itself out. After that you can ask for budgets in time, people and money.

[-]

D0nM3ga@reddit

Whoa whoa whoa buddy. I don't know what it is you think these managers are doing all day they are way too busy to do something like manage employees.

[-]

eblaster101@reddit

Bitdefender can do content filtering based on time of day.

[-]

InactiveDirectory@reddit

Squid proxy could work. Your departments should be VLAN'd already.

Set the squid proxy via GPO for the machines. Configure squid for the VLANs how you see fit. Cron job to run at certain times to switch in and out the default .conf file with the "urgent" one you need at the times required.

[-]

xlandhenry@reddit

GPO preference schedule task to run a script to add the firewall rule on those computers and run a script to revert...

[-]

goldenzim@reddit

Custom DNS. Basically just a hosts file with one entry.

[-]

McPhilabuster@reddit

Window systems?

One hacky solution I've done in the past to block everything but one site or a couple of sites is to add a proxy server to the machine or user configuration and use the loopback address as the proxy server address. Nothing should be listening for traffic on the loopback address because your endpoints are generally not going to be running web servers. You then add whatever site or sites you need to work to the proxy bypass list. Any site not in the bypass list you just get an error message saying the site is unreachable.

Easy enough to implement, but certainly not good to manage at scale and it's not the kind of solution I would want to implement long-term. You could script things out and use your management system of choice or PowerShell remoting to turn this on and off at will. If it's only for a couple of people, and it is actually temporary, this may be enough for you.

[-]

ZombieJesus9001@reddit

SQUID sounds ideal for this.

[-]

adjunct_@reddit

Sounds like a good opportunity for you guys to get a real firewall.

[-]

Fire_Mission@reddit

You need more info. Understand the use case better and get some firm requirements.

[-]

icedcougar@reddit

Not a tech problem really but don’t do open source, provide a cost of a product that has support

Check out netskope/zscaler

You get some security benefits and can create policies based on categories for web blocking.

Provide that $ to the manager, if they say “no” than your answer is “can’t be done then”

Don’t make life hard for the sake of hard.

[-]

joshhelpsitpros@reddit

Sounds like that might be your only option…

But if I were you, I’d really breakdown the ask to understand why they are doing this, and then try to offer an easy solution that is much better and maneagable.

[-]

McThick069@reddit

Ummm...it's been a while since I've done much web stuff but, could a hosts file be used here? I know it's an easily changeable, security-by-obscurity solution...but it's also free.

[-]

TechCF@reddit

You could do this with the security suite on the devices. Enforce browser, sites, tamper protection.

[-]

Awesome_taco@reddit

I would use something like a pi hole for this. Block everything and create a whitelist. Might work and is free. You will be manually turning it on and off. Hope it helps.

[-]

ms4720@reddit

Why? What is the reason?

[-]

mercurygreen@reddit

90% sure it's about sports, and he's really just being a dick.

[-]

ms4720@reddit

To do this give him a nice expensive solution, with required annual support. Then a project time line and training costs, give him a nice written plan. Then wait for this to quietly disappear

[-]

vagueAF_@reddit

hahahah EVERY sysadmin felt that

[-]

illintent66@reddit

Cloudflare WARP/ZTNA with HTTP policies. Enforce WARP client enabled. Default block all. Allow permitted URL. (can’t recall if there are time of day selectors in policy builder 🤔 🤔)

[-]

Booshur@reddit

No Is a complete sentence. Even if it's technically feasible, you shouldn't be engaging in this silliness.

[-]

james-ransom@reddit

Use nginx proxy, that checks for a cookie. If the cookie isn't set run a python script. In this python script, look for a cookie, do whatever you want, "during a period of 3 weeks, only for 4 hours a day. It could be in the morning or afternoon, I'm not sure", you could add a new cookie, delete the cookie, send them to a "Oh no we only allow this webpage" text etc.

EG:

server { listen 80; server_name yourdomain.com;

location / {
    # Check if the "Cookie" header is missing
    if ($http_cookie = "") {
        # Redirect to the login Python page if no cookie is set
        return 302 /login;
    }

    # If a cookie is present, forward the request to the Python backend
    proxy_pass http://localhost:8000;  # Adjust to your Python server's address
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# Define the /login route to serve the login page
location /login {
    proxy_pass http://localhost:8001;  # Python server handling the login page
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

}

[-]

yer_muther@reddit

I can't think of a reason a good proxy could not do what you want.

Some firewalls can also be used to filter by URL.

Cisco Umbrella could probably do this too.

[-]

oloruin@reddit

I think Umbrella, with a policy group to block everything. Then add the sites to a specific allow list attached to that policy group would accomplish this. Not free though.

And then you get to play whack-a-mole because sites link to things hosted on different CNAMEs that trigger the block instead of working because they're under the root of Site A.

[-]

Alcobob@reddit

The good reason why proxy servers can't do it is HTTPS, at least in what seems like the OPs environment to be.

The proxy needs to play man in the middle to filter the websites (and not just the server IP), which HTTPS specifically was designed to prevent. So the proxy needs to self sign the websites instead at which point you need your own root certificate installed on all computers that you wanna do that on. (If it isn't even prevented by certificate pinning)

So we are talking about quite some infrastructure for just 3 weeks.

Instead blocking it at the DNS level might be easier, but it isn't a 100% reliable solution.

[-]

Delta31_Heavy@reddit

That’s called SSL Decryption and this should be part of the design. If it’s not then there is a glaring hole in security

[-]

Alcobob@reddit

Yes, but SSL decryption is in itself also a security issue (not flaw) as badly designed solutions might then apply a valid certificate to websites with invalid ones. (And badly managed policies by our MSP wouldn't have required me to open tickets to undo their latest changes in the lists where suddenly SSL decryption was tried on connection with very highly confidential subject matters. Thankfully, instead of silently just accepting a fake SSL certificate, the software required fails safely by denying the connection, still stupid it took them one week to fix it...)

That aside and back to this topic, it doesn't sound like OP has such a gateway in place as then the we wouldn't even need to talk about a proxy (or its usefullness) in the first place and the solution to the question should be rather straight forward.

[-]

wezelboy@reddit

If they aren’t personal laptops, then installing a new root CA bundle should be doable.

[-]

Alcobob@reddit

Of course it is doable, but to set up such for 3 weeks for only a handful of people (and not all) essentially means you need a pretty powerful solution (feature wise) for very limited return.

Though I just checked our solution for that, it is only 400€ for the first year for 10 users, so it might be ok. Still the hours required to set it up are substantial.

So much so that our MSP wanted 4 figures to create a 3rd user group besides normal and admin, when our HR department was too lazy to have a talk with a game playing worker and asked if we can reduce his internet access. But that was a more complicated idea as they also wanted to block games sections from news websites (which would be insane to create a filter list containing full URLs instead of domains and sub domains)

[-]

daddy-dj@reddit

Yeah in my previous job we had SonicWalls that could filter by URL. It was a bit clunky because depending upon whether they were in the office or connecting via VPN then the authentication was slightly different (in the office authentication was via their device's MAC but using VPN they'd provide username & password + 2FA when establishing the tunnel). It was surprisingly quick and easy to implement and manage.

[-]

NiftyLogic@reddit

Authentication by MAC, seriously?

WTF!

[-]

yer_muther@reddit

I implemented a few SonicWall firewalls for a few schools in the recent past and I kinda dig them. I prefer the Checkpoints I work with now though. The interface is clean and easy to use and reporting is pretty simple. The price is attractive too. If you need to do crazy things they can do that too.

[-]

Inf1n1teSn1peR@reddit

It's not great and by no means secure, but you could set them up an a separate dns server that only resolves that website. It's easy to by pass with admin credentials and know how, but could get the job done. Don't expect internal stuff or updates to work.

[-]

NowThatHappened@reddit

Proxies are still very valid in 2024, manage a bunch. And a good proxy would do this just fine, you can classify the users by IP, subnet, or even with proxy credentials.

The other advantage of proxies, is filtering, blocking downloading of files, etc and caching, reducing internet load, and all the rest. Read up on proxies etc. I'm not going to suggest any, there are a good few to choose from and people always go nuts when you suggest any one solution.

[-]

pdp10@reddit

This. Proxies can't conventionally cache or filter by URL path or content when dealing with HTTPS URLs, but otherwise all of the traditional advantages remain. Proxies are the simplest and most-elegant way to filter by FQDN and destination port, as opposed to trying to filter on a myriad of IPv4 and IPv6 addresses and CDNs.

[-]

NowThatHappened@reddit

Well, not strictly true, a good proxy can operate a MITM to decode SSL traffic, screen it (including mime types) and then re-package it. Its not that common but it's used in a handful that I manage. HSTS is really the only stumbling block and that requires special handling.

However, its still the best option for what you need. imo.

[-]

ImmediateConfusion30@reddit

Fido2 is also not possible with a proxy when you don’t own the domain because it only talk with the endpoint FQDN, no middleman that don’t show as the endpoint domain set on the website (or have some lying DNS Server 😁)

[-]

7fw@reddit

Proxy seems like your answer. But understanding the need may add other options. I will often ask what the why is in order to make the most efficient and effective recommendation.

[-]

Delta31_Heavy@reddit

This is not an unreasonable task. It’s not too hard to set up either.

[-]

databeestjenl@reddit

If your Squid has auth you can do this, we had sites unblocked during lunch breaks and after hours.

Theoretically possible with specific IP addresses, but a bit more cumbersome.

[-]

nikster77@reddit

I read this as: for a specific group of users, only one specific URL should be available, during a specific time of the day.

If the clients are configured via DHCP and it's possible: set up a proxy on the gateway. Or use DHCP option for webproxy autodiscovery. Squid or any other proxy would then do the Trick. If thats not possible, just put the proxy settings in the Browsers, if you can configure them. Or use ip/nfttables on the gateway to force them through a proxy somewhere else.

And yes. Progress are still a thing everywhere.

[-]

Dexterus@reddit

Parental controls?

[-]

dontmessyourself@reddit

You can use browser policies (Edge and Chrome) to block and allow websites

[-]

Zahrad70@reddit

This has all the hallmarks of “Customer has defined a solution without discussing their problem with IT.”

Ask him why they need that, and what alternatives they considered.

A software based firewall template applied via scheduler comes to mind, if we’re on a shoestring budget.

[-]

Zarathustra_f90@reddit

Firewall solution: IP filtering or URL allowlisting

Server solution: Reverse proxy

IMHO firewall solution is the simplest one but reverse proxy is doable too. Have fun :)

[-]

asoge@reddit

Squid is actually perfect for this use case.

One time, at a small web company I used to work at, the president came to me panicking. "Our productivity stats are dropping!", "Block the internet!" I tried clarifying, his request, but that's what he literally meant, no internet access to everyone, not or web designers, not our web developers, of course not even our SEO guys.

So I did.

But after a while, he realized his request was "crazy" so I offered a solution to schedule access to social media only during lunch breaks and after hours. This worked with squid and ACL's.

[-]

bugglybear1337@reddit

You could do scheduled task on windows firewall remotely…however next gen firewall is better long term solution when these request come up.

[-]

capt_gaz@reddit

A new feature just came out in Entra called Global Secure Access. It will do what you require.

[-]

CapTraditional1264@reddit

Depends a lot on the website in question, and the firewall you have in place. For some websites (if they're not a major cloud service like m365) defining them by IP/target network shouldn't be too tough. NGFWs have pre-defined apps like m365 etc though, can't speak to how well these work for filtering though but they exist. Then you might to FQDN-like filtering in NGFWs too, like in proxies. Or you might consider doing the filtering at the endpoint side, or paying for something like opendns or cisco umbrella. If you're not too accustomed to configuring proxies / firewalls I might opt for trying to do this with DNS somehow. It should be the most straightforward way to configure it, and shouldn't cost too much for a short period of time (might even do with just some free trial license or something).

[-]

Roallin1@reddit

Deploy Cisco Umbrella

[-]

JerryRiceOfOhio2@reddit

a real firewall like a Palo (or other) can do all that. good luck buying it, installing it, and configuring it in 3 weeks though. if you have no experience with a real firewall, your best option might be to just call a vendor and hand the project to them, in which case, good luck getting it funded

[-]

Lynch_67816653@reddit

Squid can do it, including time based rules

Be aware that a single web page often requires many http objects, you need to allow all of them.

Then you have to force some clients to only access the internet through your proxy. Domain policy if they are fully managed, dedicated vlan otherwise

[-]

danstermeister@reddit

Many firewalls have schedules, but you could do this with iptables and a cron job to load one configuration at a predetermined time and then load the other after.

[-]

jmeador42@reddit

A quick and dirty way, since this is only temporary, is to use a proxy > hard code the site's IP > use a cron job to turn off the proxy during off hours. IF the site lives at one single IP, you're golden. But if it's behind a CDN you'll have to check it's IP every day and update the proxy. Not ideal, but workable.

[-]

bigdeezy456@reddit

If you can't trust your people to go to the correct sites then maybe you hired the wrong people. It's not a tech issue it's a management issue.

[-]

Comfortable_Seesaw30@reddit

Oof

[-]

LForbesIam@reddit

Do you have Group Policy?

We have Kiosk computers that only load one website and block everything else. It is done in Group Policy for Edge.

I say IE was a heck of a lot easier to do it but Edge is OK.

There is Kiosk mode for Edge or you can load a shortcut in Kiosk

You can set the proxy to loopback except for the one website too.

However a lot of sites rely on Google and AWS to function now with bootstrap and js and css so it does depend on the site.

Our sites are in house so they work fine.

[-]

Opposite_Ad9233@reddit

What a terrible requirement.

[-]

Zortrax_br@reddit

The problem with firewall rule is that if the IP of the page changes, you will need to update that rule. A proxy should work, I think even pfsense is able to do the work of webfiltering if you install some plugins (I highly recommend creating another server for this). But looking at the big picture, if you do not have any web filtering application till today you probably have much bigger security risks to take care. Here is a few:
Infrastructure hardening
MFA implementation for users and admins
Traffic inspection (IDS/IPS/NDR)
Log correlation (SIEM)
Least privilege implementation

It's quite possible your company isn't aware of the risks they have and that's why they don't want to spend money in tools, but at least you can do a lot only by following good practices and having a good architecture.

[-]

pdp10@reddit

Engineering-wise, a PAC file can return different proxying based on source and destination and time of day. Then back it up with whitelists or blacklists in the Squid. I'd choose this option based on what you know, but then this is very familiar ground for us.

Note how your boss is giving you a prescription instead of describing the business goals. Let's hope the boss doesn't also criticize you for lack of business alignment.

[-]

Sinister_Nibs@reddit

Sounds like trying to apply technical solutions to management problems

[-]

nickatnite83@reddit

Smoothwall did this stuff as of a couple of years ago. Pretty easy to manage.

We switched to Umbrella. I can't manage based on time periods with Umbrella like I could before.

[-]

Bedlemkrd@reddit

Sometimes managers ask us to fix with technology what should be do with policy and policing.

If someone keeps finding porn, no matter how much you block you don't keep chastising IT for not finding every obscure site, and blocking them with your tools and their built in filters....at some point you have to deal with the person spending 8 hours a day directly working against the company.

If they wanted departments limited to going to a specific site, OK. They want it for certain times of the day.....um maybe. Only certain machines not everyone in those departments and the rules are getting more convoluted.....okay why? Are we doing testing? Tell them they aren't allowed to go to other sites during the test and then just record the traffic to see if they go somewhere else, tell them ahead of time that will be done.... everyone go on with your lives.

[-]

funkyferdy@reddit

ask KI :)

To accomplish this selective access, you can use a combination of firewall rules, web filtering, and time-based policies. Here’s a step-by-step approach: 1. Firewall Configuration

Set up a firewall rule allowing access only to the specific URL/IP address of the web page.
Configure rules to block all other websites.
Ensure this rule is applied only to the target laptops based on IP, MAC address, or device group, depending on your firewall's capabilities.

User Identification & Grouping

Create a user group specifically for this rule (if your firewall or network supports user/group policies). Assign the laptops to this group for easy policy targeting.
Time-Based Access

On your firewall or network management tool, set a time-based policy. Define the access time window of 4 hours per day for a three-week period. Most firewalls allow scheduling rules, where you can specify start and end times (e.g., 9 AM to 1 PM or 1 PM to 5 PM). Schedule the rule for the exact dates over the 3 weeks to automate access.
Proxy or Web Filtering (Optional)

If further control is needed, you can implement a proxy or web filtering tool to enforce URL restrictions. Configure it to allow only the specified URL and block everything else.
Testing & Monitoring

Test the setup on a few devices to ensure it functions as expected. Monitor traffic to confirm the restricted access and track any potential attempts to bypass the policy.

So, do you have any of these posibilities in your firewall? Or generally speaking, you have the tools and knowhow or can get it? If not, to possible ATM. If is really needed ask what is this usecase worth, get budget and go shopping. as simple as that.