0xERR0R / blocky

Fast and lightweight DNS proxy as ad-blocker for local network with many features
https://0xERR0R.github.io/blocky/
Apache License 2.0
4.67k stars 205 forks

Custom Page Display for Blocked Domains #1293

Closed kapilsingh421 closed 10 months ago

kapilsingh421 commented 10 months ago

I would like to raise an issue regarding domain blocking. Instead of displaying the default page when a domain is blocked, I want a custom page to be shown.

kwitsch commented 10 months ago

You could already define a custom IP as block type.

Therefore this can be achieved by hosting your custom page as a separate service and setting its IP as block type.

ThinkChaos commented 10 months ago

Also note that this won't work with HTTPS (unless you have a root cert on each device), so in most cases, if the user visited the site in the past they'll just see a "bad cert" error.

kwitsch commented 10 months ago

What if we add a block type cname which forwards the request to another domain?

Wouldn't that fix the SSL issue? 🤔

ThinkChaos commented 10 months ago

CNAME won't do an HTTP redirect, so the hostname used for TLS is still the original one :slightly_frowning_face:

0xERR0R commented 10 months ago

No, it won't work with cname record. Browser will still use https.

kwitsch commented 10 months ago

Was thinking about something like: if the CNAME url has a valid certificate for itself and provides the same content on http and https it should work ... 🤔

But was just a quick idea... 😅

ThinkChaos commented 10 months ago

The browser will still do TLS cert verification with the blocked domain, not the one from CNAME. So it's just impossible to fix without a cert for the blocked domain.

0xERR0R commented 10 months ago

Maybe we should drop this feature since over 90 percent of sites use https?

ThinkChaos commented 10 months ago

I think someone recently had questions about using this but didn't find it.
And IMO it's really just a small amount of code so I don't mind keeping it if it's useful to someone. Maybe the docs should warn about the limitation and say it's pretty much useless if you don't run your own certificate authority.

EDIT: Just to be clear I also don't mind removing it!

kwitsch commented 10 months ago

Was looking into DNS based url redirects and came across the HTTPRED record type.

Would this maybe, as an option, solve the SSL problem? 🤔

ThinkChaos commented 10 months ago

Didn't know about that, but looks like a non-standard hack supported by only a couple of DNS providers. So it's actually not a solution for us because it still uses a normal A record + web server, so needs a cert for the A record/blocked domain. For those DNS providers that's easy to get since they are the NS for the real domain, but that's not our case.

See https://support.constellix.com/support/solutions/articles/47000860091-http-redirection-record:

When you create an HTTP redirection record, you’re actually making an A record that points to that web server

kapilsingh421 commented 10 months ago

Thank you

kwitsch commented 10 months ago

@ThinkChaos Ah sorry didn't read it through.