enable https access if restriction is on

xpender
Posts: 11
Joined: Fri Oct 24, 2014 2:07 am

enable https access if restriction is on

Post by xpender »

hello,
my config is 1043nd v2 gargoyle 1.8.0

In a large public hall only one site was allowed.
In Access Restrictions - All Network Access is blocked. good :)
In Exceptions tab, Website URL(s): Permit only: domains contains: jw.org
Everything was fine, I mean every part of jw.org was accessible until the whole site was moved to the https protocol.
Now, I have only access to tv.jw.org and wol.jw.org. Those addresses are related to jw.org, but are not using the https protocol.

My question is: how to enable https access to have access again ONLY to https://jw.org and of course to all domain?

Please, help me. I am stuck here and the problem is very urgent.
Kind regards.

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: enable https access if restriction is on

Post by nworbnhoj »

I would like to see a screen shot of your page
Gargoyle - Firewall - Restrictions
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E


nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: enable https access if restriction is on

Post by nworbnhoj »

My apologies - I have struck a profound moral dilemma.

Lantis
Moderator
Posts: 6761
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: enable https access if restriction is on

Post by Lantis »

Hi xpender.

Please read the following posts;

viewtopic.php?f=6&t=1584
http://www.gargoyle-router.com/phpbb/vi ... =460#p2368

Basically the problem is that by the very nature of HTTPS, we cannot match by domain, it is encrypted. This isn't a bug, just the way it is.
Your best bet would be to change your approach to using IP address matching instead.

Please let me know if I can assist further.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

xpender
Posts: 11
Joined: Fri Oct 24, 2014 2:07 am

Re: enable https access if restriction is on

Post by xpender »

okay,
you are telling me to filter internet access by ip range.
That means in:
Gargoyle - Firewall - Restrictions - everything will be blocked.
Gargoyle - Firewall - white list - Remote IPs - here will be the ip range of the site I want to allow. Right?
But, since jw.org is a large ip range domain like facebook perhaps, how can I find the right ip range of www.jw.org?
I tried nslookup and whois from here: http://www.gargoyle-router.com/phpbb/vi ... =460#p2368
No success, yet.
And 10x for your quick reply.

Lantis
Moderator
Posts: 6761
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: enable https access if restriction is on

Post by Lantis »

I've never done this so bear with me.

You have the restriction policy correct, we just need the ip ranges to enter.
My understanding of the instructions is:
NSLOOKUP on Jw.org and we take all their "A" records
Jw.org IN A 54.191.45.214 300s (5m)
Jw.org IN A 54.191.118.141 300s (5m)
Jw.org IN A 54.88.155.189 300s (5m)
Jw.org IN A 54.84.219.225 300s (5m)

Now we do a Whois on each of those ip addresses to find the range they control.

So it looks like the ranges you need to allow are:
54.188.0.0/14
54.88.0.0/16
54.80.0.0/12
54.72.0.0/13

^ note that this is written in CIDR notation which defines a range and will be accepted by the whitelist.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
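
A coverage check for the whitelist worked out in the post above, as an added example that is not part of the original thread: it uses only the four A records and four CIDR ranges quoted there, and the function name `audit_allowlist` is made up for this illustration. It reports which range admits each address, which ranges match no listed record or sit inside another range, and how many addresses the whitelist permits in total.

```python
import ipaddress

# Values copied from the post above: the A records returned for jw.org
# and the CIDR ranges proposed for the whitelist.
A_RECORDS = ["54.191.45.214", "54.191.118.141", "54.88.155.189", "54.84.219.225"]
WHITELIST = ["54.188.0.0/14", "54.88.0.0/16", "54.80.0.0/12", "54.72.0.0/13"]


def audit_allowlist(addresses, cidrs):
    """Compare resolved addresses with an IP allowlist (hypothetical helper).

    Returns a dict with:
      covered   - address -> list of ranges that contain it
      uncovered - addresses no range contains (these stay blocked)
      unused    - ranges that contain none of the addresses
      subsumed  - ranges that lie fully inside another listed range
      exposed   - number of distinct addresses the allowlist permits
    """
    # strict=True rejects a range whose host bits are set (a typo'd CIDR).
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    addrs = [ipaddress.ip_address(a) for a in addresses]
    covered = {str(a): [str(n) for n in nets if a in n] for a in addrs}
    uncovered = [a for a, hits in covered.items() if not hits]
    unused = [str(n) for n in nets if not any(a in n for a in addrs)]
    subsumed = [str(n) for n in nets
                if any(n != m and n.subnet_of(m) for m in nets)]
    # Collapse overlapping ranges first so no address is counted twice.
    exposed = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return {"covered": covered, "uncovered": uncovered, "unused": unused,
            "subsumed": subsumed, "exposed": exposed}


if __name__ == "__main__":
    report = audit_allowlist(A_RECORDS, WHITELIST)
    for addr, hits in report["covered"].items():
        print(f"{addr:16} -> {', '.join(hits) or 'NOT COVERED'}")
    print("ranges matching no record:", report["unused"])
    print("ranges inside another range:", report["subsumed"])
    print("addresses permitted in total:", report["exposed"])
```

The A records in the post carry a 300-second TTL, so the check is worth re-running with freshly resolved addresses to see whether the site still falls inside the whitelisted ranges.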

xpender
Posts: 11
Joined: Fri Oct 24, 2014 2:07 am

Re: enable https access if restriction is on

Post by xpender »

Hello,
thanks for your reply.
Sorry to tell you that, but it is not working. All internet access is blocked. :o
Below are screenshots of my restriction:
http://i67.tinypic.com/5anmrp.png
http://i68.tinypic.com/2wqenbt.png

I have no idea what to do from now on. Sorry

Lantis
Moderator
Posts: 6761
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: enable https access if restriction is on

Post by Lantis »

I'll try and play with it and get back to you. I set up a rule to only allow my website and it worked fine so we are either using the wrong IP address ranges (probable, but I don't know why) or something else is going on.

Lantis
Moderator
Posts: 6761
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: enable https access if restriction is on

Post by Lantis »

Alright, at this stage I think the best solution may be to create an OpenDNS account, restrict all websites except for the one you want, and then set your OpenDNS address on the router. You can also force users to use the router DNS so that they cannot circumvent it.

I think this is going to be the easiest and most straightforward way.

https://www.opendns.com/
